Compromised WordPress Blogs Poison Google Image Searches

Orome1 writes "Google Image Search has for some time been littered with images that lure users to compromised sites that serve as doorway pages to other malicious sites. Part of the problem is that these compromised sites often use the WordPress publishing platform, which is infamous for the great number of security bugs that make it such a preferred target. This fact has been proven once again by security researcher Denis Sinegubko, who has pinpointed 4,358 WordPress blogs hijacked by unknown attackers and pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution."

Blame PHP. Blame JavaScript.

PHP does everything in its power to make safe and secure software development damn near impossible. Add in some JavaScript, and an already bad situation gets much worse. It, too, is a horrible language for writing safe, secure software.

Everything about both of those languages is horrible. The syntax is a shitty imitation of C. The semantics, even for basic things like boolean values and comparisons, are extremely fucked up. Worst of all, they somehow are irresistible to the most awful "programmers" around. Both draw in idiocy, probably because anyone who knows anything about programming sees both as the crap that they are.

Ruby on Rails isn't much better, by the way. Its community is merely more ego-centric, rather than stupidity-centric like the PHP and JavaScript communities.

Re:Blame PHP. Blame JavaScript.

[t27duck]

Or, you know... don't use Wordpress...

Re:Blame PHP. Blame JavaScript.

[Lord+Crc]

Or, you know... don't use Wordpress...

Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious.

Re:Blame PHP. Blame JavaScript.

But WP isn't the issue here. Basically every web app implemented using PHP and JS will be full of security holes. The GP is right; the problems are PHP and JS. Sure, you can use some other blog system written in PHP, but it'll have all sorts of security holes, too! You'll be just as likely to be exploited!

At least languages like Perl, Python, Java, and C#, along with the web app frameworks built around them, promote good programming practices that make it a lot more difficult for developers to write insecure code. No, it won't be bulletproof, but it won't be riddled with the obvious and easily-exploited bugs that basically all PHP web apps suffer from, either.

Re:Blame PHP. Blame JavaScript.

[n5vb]

You *can* code reasonably secure web apps in PHP, however. It just takes a certain amount of diligence to making sure that user input never gets through to your backend without going through at least one layer of regex filtering to strip out or outright ignore crafted SQL (and other query) exploits, and paying careful attention to which route information is taking to get into your code. (There are separate pseudo-arrays for GET, POST, COOKIE, SESSION, and SERVER. I use those to prevent malicious injection through GET into parameters I'm expecting to come in through POST, etc, as well as to handle flow control through what may be a remote throw/catch into a subpage that needs some initialization parameters of its own, for example. There's also a pseudo-array that gathers all of these into one big list so it's not possible to tell which one came in where. I don't use that one at all.)

I'm not as comfortable with JavaScript because I've had to deal with too many broken JS engine implementations in too many browsers.

Not saying either of them doesn't utterly nauseate me, but it's possible to do things well in both, and when you're stuck with whatever your hosting provider decided to implement (which you pretty much are, if you're not running your own colo server and dealing with a whole *different* range of security vulnerabilities), you know they're there and can be made to work ..

Re:Blame PHP. Blame JavaScript.

[t27duck]

"Basically every web app implemented using any server side language programmed by someone who doesn't know what they're doing will be full of security holes." Fixed that for you.

Re:Blame PHP. Blame JavaScript.

Yeah, it's called "write the website your goddamn self", and the only dependencies are an httpd and a text editor.

Re:Blame PHP. Blame JavaScript.

[ilsaloving]

The weakness of the languages is also touted as a strength. Both PHP and Javascript are very easy to pick up by newbies and start dishing out code.

The problem with this is that you have newbies with minimal computer knowledge slapping together lousy code. Years ago, people had the exact same gripes about Visual Basic and the laughably crappy applications put out by people who called themselves 'programmers'. This is the exact same thing, with the difference being the crappy results are exposed to the world to see, and are directly accessible to those with the knowledge and motive to cause havok.

There is only one way to fix this, and that is to raise the bar so that an aspiring programmer is required to obtain an industry certificate akin to an engineering degree. It's not perfect of course, but it would at least weed out the people who copy and paste sample code from some random website, and think that's enough to put "experienced programmer" on their resume.

Re:Blame PHP. Blame JavaScript.

[rootatwc]

Um, no its not php's fault. But the framework.You see wp doesnt force you to follow best practices... But it actually is cms.CMS'es are designed for people that dont know to code. Unfortunately though a lot of them think that they can code.. you see the results There are many PHP frameworks that force you to write quality code but unfortunately not famous. in php world everyone knows the cms'es not frameworks

Re:Blame PHP. Blame JavaScript.

[The+Dawn+Of+Time]

So like... a web license? Totally not retarded at all.

Re:Blame PHP. Blame JavaScript.

[t27duck]

I'm not saying there is. I was just replying to the blanket statement by the parent that all PHP sites are crap. If you keep your freaking WP and PHP install up to date and practice due diligence with standard security practices there's not that much to really worry about.

Re:Blame PHP. Blame JavaScript.

[Oxford_Comma_Lover]

Let's assume we're programmers, not graphic designers.

Re:Blame PHP. Blame JavaScript.

[CannonballHead]

In that case, you have to write your own http server, too.

And text editor.

And compiler.

Re:Blame PHP. Blame JavaScript.

No, it's the opposite. PHP doesn't do enough to ensure safety. It expects programmers to perform all the required security checks. This is normally fine but....

When you get an easy to use language that expects programmers to follow good security habits, you have issues with all the "html programmers" getting into php due to the ease of use.

Could php do better to reduce the load on programmers to do security checks? Probably but in security, there is no magic bullet and one size fits all programs can actually be a bad thing (see magic quotes).

Stop blaming the language so much and blame the programmers.

Re:Blame PHP. Blame JavaScript.

[Derek+Pomery]

While sanitising inputs is laudable, PHP programmers should be using bind variables.

PHP, MySQL and PostGreSQL all support them, now.

Prevents most SQL injection, improves performance, results in cleaner and more readable queries.

Re:Blame PHP. Blame JavaScript.

Try Drupal

Re:Blame PHP. Blame JavaScript.

[PCM2]

Not always. This guy is talking specifically about self-hosted WordPress sites, as opposed to the ones on WordPress.com. The vulnerabilities exist mainly in sites that don't keep up with the latest bugfixes, or potentially, sites that are hosted by shared hosting providers who leave stupid PHP options enabled, leading to the vulnerability. There are various reasons why any site might be compromised. There are plenty of sites running technologies other than PHP that have been compromised. The bottom line is that it does actually take a little bit of diligence to operate your own Web site. Even if you aren't a PHP programmer, you should understand the correct operation and maintenance procedures for your PHP-based software, or else you risk being compromised.

Re:Blame PHP. Blame JavaScript.

[Oxford_Comma_Lover]

Fail to see how that helps, although it would be more fun. :)

Wordpress lets you slap together a site that looks nice and is functional, and do it very quickly and without (or with little) graphic design skill, and is open source. If you write the site from scratch, it is substantially harder to have a site that looks nice and is functional.

Re:Blame PHP. Blame JavaScript.

Fuck "looks nice" as long as it works and is secure.

Re:Blame PHP. Blame JavaScript.

[xevioso]

Doesn't run seamlessley on most shared servers. Serious permissions issues.

Re:Blame PHP. Blame JavaScript.

[rudy_wayne]

Or, you know... don't use Wordpress...

Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious.

Let's say, just for the sake of argument that the answer is "no". The solution is still the same -- use a different CMS. If you have to use something that isn't free or that doesn't offer the same features, that's the price you pay for not having a website full of security holes that is used to pollute the Internet with shit.

Re:Blame PHP. Blame JavaScript.

[PCM2]

PHP does everything in its power to make safe and secure software development damn near impossible. Add in some JavaScript, and an already bad situation gets much worse. It, too, is a horrible language for writing safe, secure software.

It seems to me you've just made the case for not writing your own Web software at all, but instead choosing a well-established, well-maintained open source project -- such as WordPress. TFA is surprisingly short on what versions of WordPress are vulnerable to the exploit (and there are many versions). I'm willing to bet, however, that people running the most up-to-date version are not vulnerable.

I don't think JavaScript is as shitty as you claim, but I'm no fan of PHP. Still, A.) It is very easy to find cheap shared hosting that supports PHP; less so for any other language; and B.) Name me a language that I could write a CMS in right now that makes it easy for me to write safe and secure database-backed Web applications. (The answer is there is none; no matter what my personal language preferences, my best bet is to use someone else's mature, open source codebase -- such as WordPress).

Re:Blame PHP. Blame JavaScript.

[PCM2]

Yeah, it's called "write the website your goddamn self", and the only dependencies are an httpd and a text editor.

That obviously becomes untenable once you accumulate more than a page or two worth of content. Or do you fancy updating all your index pages manually every time content rolls off the homepage? Also, how does your 1995-model Web page support visitor comments?

Re:Blame PHP. Blame JavaScript.

[rootatwc]

and performance..especially with drupal 7. but yeah it beats WP to secuirity hands down

Re:Blame PHP. Blame JavaScript.

[Oxford_Comma_Lover]

Yes, that obviously would be one solution. It would not be appropriate if you want something to look nice, however.

The question which the poster asked, and which people have just bashed rather than answering, is what good alternative solutions are out there? Specifically, "Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious."

Re:Blame PHP. Blame JavaScript.

Also, how does your 1995-model Web page support visitor comments?

Thanks, but I'll post the link on Usenet and we can comment it there...

Re:Blame PHP. Blame JavaScript.

IRC channel on self-hosted IRCd, with permanent logging

Re:Blame PHP. Blame JavaScript.

[51M02]

The syntax is a shitty imitation of C. The semantics, even for basic things like boolean values and comparisons, are extremely fucked up.

And yet you are posting on a website coded in Perl which, no one will argue with, is a pretty f**ked up language but a powerful one. And Slashdot even use Javascript. Is this site insecure?

A language, in itself is just an abstraction for machine code. Assembler code is just a literal version of machine code. C is a the closest language to machine code and the primary one used everywhere like core OS components to video game. A language in never secure or unsecure, it's its interpretation in machine code that may be more secure with additional code to prevent hazardous events. PHP is just a script engine that use similar semantics to C and is mostly a big wrapper around some well known C libraries like PCRE and cURL. It is open-source and its community is regularly releasing maintenance releases to fix any security flaws, which is a must. On itself it is pretty secure.

That being said and with the majority of computer issues, the problem is most often found between the chair and the keyboard. If developers don't check users input and send that directly to a SQL backend, in any language it will result in a security flaw. Its developers practices that are to blame, not language semantics.

Re:Blame PHP. Blame JavaScript.

[Fallingcow]

Prevents most SQL injection, improves performance, results in cleaner and more readable queries.

The widely-lauded readability of bound-variable SQL queries prompted me to write a Perl script that moves every other noun in my e-books to the footnotes. Much more readable now :)

Re:Blame PHP. Blame JavaScript.

[amicusNYCL]

PHP does everything in its power to make safe and secure software development damn near impossible.

There's a saying about whether good craftsmen blame their tools...

It's not PHP's fault that the designers of WordPress are about as competent as I was a year out of college. Everything is global, global functions, global variables, all over the place. If it was possible to use a global variable or a global function instead of something sane like a class, then by god they're going global. WordPress altogether just reeks of amateurish practices. Hell, in order to embed the thing on an existing page you include a file called "wp_blog_header" or something. But, it's not a header, and may not even result in a "header" being printed, it's basically all of WordPress. There's another include file called "wp_settings", which is great except it doesn't contain a single setting, it contains only function definitions. There are exit and die statements all over the include files, so if you pull up the page and it's blank, good luck finding out which condition in which include file got triggered to make the thing bail.

The global nature of everything makes it nearly impossible to embed in various template engines, and I hope your own applications aren't defining global functions with the same generic names that WordPress uses. One of PHP's more insecure options, register_globals, is also implemented in WordPress. No idea why they think they need that option, but if it's disabled in PHP then they go through and define all of those global variables anyway. The entire application looks like it was conceived by a fresh college graduate who recruited his younger brothers to actually build it. It's like the MySpace of CMS applications, the only reason it got big was because it filled a need when the need was there. Not because it's good, but because it was available. If there was ever an application in need of a ground-up, compatibility-smashing re-write, this is it.

Re:Blame PHP. Blame JavaScript.

thank you!

Re:Blame PHP. Blame JavaScript.

Where is the +1 button when you need it? Come on google!

Re:Blame PHP. Blame JavaScript.

[vlueboy]

So like... a web license? Totally not retarded at all.

Though I agree with GP that IT employment would be a lot more rewarding for "the few" that would qualify in a world were medicine and IT were equally licensed, web licenses pose a huge problem for the hobbyist.

I spent a couple hours desiging and posting 30 lines of shell code online for unknown guy on a public forum the other day. It's probably someone incompetent at his job who will never learn about shell scripting, loops and anything as long as they're a websearch or forum question away from the answer thanks to "guys like me."

How many laws would I be breaking if my "advice" were as "career confidential" and "lawsuit-prone" as a lawyer's or doctor's advice are? We all know the lines on /. "IANAL", but what if coders were forced to say the same thing? We would be charged with negligence for failing to consider all the possible uses AND misuses of our code (just like medicines have lots of warnings and scenarios similar to "do not iron shirt when being worn.")

How would a web coder hobbyist or beginner learn by example, if all "code" advise potentially a liability? It would be a blessing and a curse if copy-and-paste IT work were so much more respected by the IT community. And hindsight shows that there would still be the same anonymity-promoted "gray areas" and "black markets" of data that the web itself has enabled; I kinda shudder to think about how you'd need to be swear secrecy in some way and be as liable as the builders of bridges and buildings are. But it's a good utopia if we only think about someone else being accountable for the failure, huh?

Re:Blame PHP. Blame JavaScript.

[tepples]

PHP programmers should be using bind variables.

I use bind variables in my PHP code in all but two cases that MySQLi's $stmt->bind_param() makes overly cumbersome. To handle these, should I be switching from MySQLi to PDO already?

Re:Blame PHP. Blame JavaScript.

[kelemvor4]

In that case, you have to write your own http server, too.

And text editor.

And compiler.

Those first two usually come right after hello world in programming books... ok.. maybe not RIGHT after, but I've definitely gone through both scenarios in several languages while running through a programming manual.

Re:Blame PHP. Blame JavaScript.

Wordpress lets you slap together a site that..

Hold it right there. The desire to do that is the problem, because it implies you want fire-and-forget (the project is over quickly) yet you're relying on a platform that needs ongoing security maintenance, especially thanks to its higher-than-average bug rate.

If you want to use WordPress, that's ok, but "slap together a site" is something the tool is not well-suited for. That's analogous to using Microsoft Windows because "you just want to quickly get on the Internet." Your WP site -- your Windows machine -- is likely to get compromised. These aren't platforms suitable for beginners or people who don't want to to spend all their time keeping things running.

That doesn't make them bad; what makes them bad is that they are introduced to people as though they are suitable for use by people who aren't fulltime and expert.

I can't honestly recommend an alternative (in fact I do happen to use a custom CMS), but if you are "slapping together websites" with WordPress, you're doing the web wrong. You're drinking the koolaide when you should be continuing to look for the alternative to suicide-by-koolaide. And if you don't find what you're looking for, then write-it-yourself really is the best answer. At least then, unlike WordPress, you might actually finish the job some day.

Re:Blame PHP. Blame JavaScript.

[LordThyGod]

To quote Bill Gates, "that's the stupidest fucking thing I ever heard". If they are so obvious where are the exploits in Facebook and Wikipedia? You are just spreading the same FUD that MS started when trying to promote their "more secure" apps. What drivel. There are 53 million sites running Wordpress, and what fraction have a problem?

Re:Blame PHP. Blame JavaScript.

A good craftsman knows to use good tools, and to avoid bad ones. PHP is not a good tool. PHP is a bad tool. It's a very, very terrible tool. That's why all good software developers refuse to use PHP. That's why all PHP code is written by people who are not good software developers. That's why all PHP code is shitty. All of it.

Re:Blame PHP. Blame JavaScript.

[Ariven]

The hosting company I use supports Joomla, Drupal, Concrete5 and GetSimple as one click installs..

If you want to start with a framework and add your own CMS on top of that I am liking CodeIgniter.

Re:Blame PHP. Blame JavaScript.

[petermgreen]

IMO a good language makes the safe tools painless and the unsafe ones painful. A poor language makes the safe tools painful and the unsafe ones painless.

A web orientated language designed for security for example could have multiple string types and make it easier to apply appropriate conversion processing than to convert between them without doing the processing.

Re:Blame PHP. Blame JavaScript.

[Oxford_Comma_Lover]

Or maybe having the internet full of websites full of security holes that is used to pollute the Internet is the price of not having such a CMS.

Re:Blame PHP. Blame JavaScript.

[Oxford_Comma_Lover]

Should *also* be using bind variables. Bind variables alone don't protect you or your visitors from XSS attacks from user content, for example.

Re:Blame PHP. Blame JavaScript.

[Lord+Crc]

The hosting company I use supports Joomla, Drupal, Concrete5 and GetSimple as one click installs..

Thanks for the pointers! Concrete5 looks nice, gonna try taking it for a spin.

Re:Blame PHP. Blame JavaScript.

[Derek+Pomery]

Absolutely, or other exploits of your framework. All inputs are evil.
I wasn't saying to ignore those, was just that many PHP developers seem to think that sanitising inputs is the way to write safe queries.
Escaping isn't that easy, especially with unicode.
Heck. Escaping is non-trivial with javascript too. Many common escape routines will be helpless if you're writing directly into JSON for use by JSON.parse (much less eval).
And then there's silly code that tries to strip out tags, and forgets about

Re:Blame PHP. Blame JavaScript.

[Derek+Pomery]

Personally, when it comes to long lists, I tend to push them in a temp table.
But then, the two times I've needed to do that, I needed to run a series of queries on them anyway, so a temp table was an easy choice.

Re:Blame PHP. Blame JavaScript.

[Derek+Pomery]

More readable than the string concatenation (especially if escapes and other functions are embedded). And much less painful if you need to copy the query out and run it elsewhere.
Less to clean up.

And if the query is so long (like more than a half dozen bind variables) that you are seriously going to have trouble remembering that user_name = ? is matched to the variable user, then maybe you should add a few comments inside the query near those binds.
Hopefully you are doing that long query on multiple lines anyway, and without line wrappers to complicate aforementioned copy n paste.

And even if for some reason you disagree on the readability (whatever, to each his own) there's still the safety and performance aspects.

Re:Blame PHP. Blame JavaScript.

[Derek+Pomery]

Heh, amusingly relevant screwup 'cause they just stripped out the tag. I just always forget that /. strips tags instead of escaping 'em unless I change my mode.

That should have read:
forgets about <s0x00cript>

Re:Blame PHP. Blame JavaScript.

[That+Guy+From+Mrktng]

That's easy to say from your basement .. to your imaginary clients in the "tissue bucket".

Wordpress is fine if you don't install every single fucking shitty plugin that crosses your screen. Or the plugin that's too cool to be in the official repository.

By your logic all webdevs should be doing sites ala Geocities, it's record in security is what took them to this century as the leading provider of personal web publishing... Oh wait.

IANAWD but I know WP can be a pretty good platform beyond it's circlejerking blog capabilities. Shouldn't be the open source community making those "bugs" shallow?

Re:Blame PHP. Blame JavaScript.

[tepples]

And if the query is so long (like more than a half dozen bind variables)

Like any big INSERT or UPDATE.

that you are seriously going to have trouble remembering that user_name = ? is matched to the variable user, then maybe you should add a few comments inside the query near those binds.

So how do I ensure that the "few comments" next to the ? placeholders don't get out of sync with the actual variables in the bind?

Re:Blame PHP. Blame JavaScript.

Fuck "looks nice" as long as it works and is secure.

Sure for banking and financial sites. But for blogs you want looks nice and works, fuck secure.

Re:Blame PHP. Blame JavaScript.

Specifically, "Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious."

The question is flamebait. A CMS is by it very nature never going to be simple. Having something simple and extensible is also working to different ends. Pick two, you can't have all three.

Re:Blame PHP. Blame JavaScript.

[DryGrian]

Concrete5 is pretty nice, used it for my one-man company website... *shameless plug alert* ADGE Parts. Putting that together took a few hours and isn't unreasonably ugly.

Fake AVs?

[Nidi62]

pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution

It takes them to McAfee's website?

Re:Fake AVs?

Yeah, fake AV is a bit like fake alternative medicine. How can you tell?

Re:Fake AVs?

It takes them to McAfee's website?

No, Symantec.

Re:Fake AVs?

[dkf]

Yeah, fake AV is a bit like fake alternative medicine. How can you tell?

Fake alternative meds? Easy: they heal you for real. Fake AV? Trickier...

Microsoft

If people used open source alternatives to Microsoft WordPress, we wouldn't have this problem. More eyes on the source = less problems.

Re:Microsoft

Holy shit! I think I just caught some retardisis through the intarwebs just from reading your post...

Re:Microsoft

Holy shit, I think you had the retarditis before you read my post. Now shut up and go make me a sandwich.

The Right Wing has Taken Control

I prefer the good old days when poisoned image searches would lure old people (that is, people over 29 years of age) to goatse sites. This would really freak out the older generation and their conservative ways.

Those were the good old days. Now its all about money -:(

slander

I earned my high Google rank and it is one of my key company assets. I do not like this slander. High ranks are a self fulfilling prophecy in many respects.

FUD

[rinoid]

No data released on the actual WP installations but it does provide GREAT FODDER for haters who gotta hate here on /. whining on about designers, html coders, etc... trying to swing big wood when in fact they too are just a bag of water.

Anyway.

I'd like to see data on the WP installations. What versions, what plugins, where any of the very basic security measures taken (strong password, file level permissions, proper .htaccess).

And then I'd like to learn if they are installations which are manually installed vs. via an install manager at their ISP.
Big difference in awareness and in fairness to some of the ill-worded tripe above, this is in fact about good Design practice versus casual access.

FWIW...

Re:FUD

[nstlgc]

Aren't the measures you mention (password, permissions, .htaccess) exactly the kind of thing that your precious designers and "html coders" (whatever that's supposed to mean) would screw up?

Re:FUD

[rinoid]

More haters gotta hate with the belittling speech codes. "precious designers"

Who the frack said they were precious?
Why do you suppose they are precious?
Why do you presume they will automatically screw up?

I've known people from all stripes of ambition and career to screw up, none inherently more than another.
I'd go into stories of monumental screw ups specifically regarding networking crew, application programmers, or systems admins I've worked with but to what end?

Take your bulloney elsewhere.

What is a Recommended Alternative?

[fygment]

Google turned this up: http://www.networkworld.com/community/node/30731

What did you mean by basically?

[tepples]

Basically every web app implemented using PHP and JS will be full of security holes.

Wikipedia is implemented in PHP and JavaScript. If it's been compromised, I haven't heard about it. So I must have misunderstood what you meant by "basically".

Re:What did you mean by basically?

[fnj]

Wikipedia is compromised by DESIGN. It is a spectacularly noble effort and it is a miracle that it hasn't been rendered a shambles just by punk minded users doing what users are SUPPOSED to do - write content.

Re:What did you mean by basically?

[tepples]

Wikipedia is compromised by DESIGN.

Then why hasn't it also been compromised to redirect people to sites selling fake AV?

+1 on /.

[tepples]

As I understand it, the +1 button on Slashdot has a very complicated unlock procedure. First, you have to create an account and log in. Second, you have to post 25 excellent comments early in a discussion that get noticed while you are logged in. Third, you have to wait a year or two for your account to be old enough. Fourth, you have to read Slashdot on this account just enough (not too much, not too little). Then you're supposed to get the +1 button. Unfortunately, I can't help you further because I haven't figured out how to qualify under the fourth step.

Global

[tepples]

Everything is global, global functions, global variables, all over the place.

What is the difference among a global function, a static method of a class, and a method of a singleton object? What is the difference among a global variable, a static field of a class, and a field of a singleton object?

Re:Global

[LordThyGod]

You can tell he hasn't a clue what he's talking about by the ridiculous 'register_globals' statement.

Re:Global

[plover]

A Singleton is Global State in Sheep’s Clothing. Static methods are also as problematic as globals. It's just that some people don't see the problems with them when they're not labeled "globals".

Re:Global

[amicusNYCL]

The problem with their use of global functions is the namespace issue. The problem is because they use generic names for a lot of functions, and then expect their software to work well with other software. The problem with their use of global variables is that sometimes they're not global. They don't explicitly declare them in the global space (through $GLOBALS), they just declare them in the local scope (which they assume to be the global scope). When that code is being run in another scope then all of the sudden the global variables their functions are trying to access weren't defined in the global scope, they were defined in the scope that whatever included that code was running in. This causes it to break in things like template engines. That wouldn't be a problem if they were declaring the variables in $GLOBALS and then referring to that in their functions, or better yet, make the damn thing a class like it should be.

Re:Global

[amicusNYCL]

I misspoke about register_globals, I didn't have a copy of the source in front of me (I avoid it as much as possible). It is magic_quotes that they force on, not register_globals, in the wp_magic_quotes function in load.php. The register_global option gets "reverted" by unsetting any global variable that has a key in one of the superglobals.I also misspoke about the wp-settings file, which executes functions instead of defining them (but still doesn't define any settings). The load.php is what contains only function definitions.

Re:Global

[tepples]

Yuck. In C and PHP code, I've tried to use distinct prefixes on functions and variables in the global space, much as MediaWiki does with $wgWhatever in its LocalSettings.php. If WordPress doesn't even do that, I see what you mean. Another thing: I've been using the global statement instead of the $GLOBALS superglobal array; is that bad?

Re:Global

[amicusNYCL]

WordPress does use "wp_" as a prefix for a lot of things, but not all of them. It also uses classes for some things, but not everything. Just from looking at the code, it looks like people have been trying to improve it without breaking compatibility. It really just needs a rewrite.

Another thing: I've been using the global statement instead of the $GLOBALS superglobal array; is that bad?

It's not necessarily "bad", but it doesn't lend itself well to playing nice with other applications. Just to be clear, the problem is how the variable is originally defined, not how it's used in the function. This is the reason why WordPress didn't work for me, there was a file that had something like this, where it declared a "global" variable on one line, then was immediately followed by a function that tried to use it:

$wpdb = new wp_database();

function some_func()
{
    global $wpdb;

    $wpdb->query ...
}

The error I was seeing was basically that $wpdb was not defined. The error in that code is that it assumes that the code is actually being executed in the global scope, but that's not necessarily the case. I had WordPress embedded inside a template engine, so the code was being executed via including the file from the template engine (so the "global" scope was local to the template engine, instead of being actually global). The problem could have been solved by declaring the variable like this:

$GLOBALS['wpdb'] = new wp_database();

Then if you specify the global variable in the function like above, it will actually find the global version that the function expects.

The FAIL is strong in this thread

[Hero+Zzyzzx]

Hey dipshits - the "timthumb.php" thing TFA is talking about isn't part of the wordpress core. All the wordpress bashing is pretty much irrelevant because we're talking about vulnerabilities in third-party software.

Re:The FAIL is strong in this thread

[plover]

For exapmple, many of the hacked sites (not all though) use themes that include a timthumb.php file that is known to have a security hole that allows attackers to upload .php files to a server.

Emphasis added to make it clear: timthumb is NOT the source of the fail if it's not present on all the infected sites, or at least it's not the ONLY source.

Nastiest one I saw...

[russotto]

True story: my wife found an image when searching for "purple bedroom set" that, when you clicked on it, took you to a Bing search for same. Now that was scary!

json_encode()

[tepples]

Many common escape routines will be helpless if you're writing directly into JSON for use by JSON.parse (much less eval).

Who would generate JSON in PHP without using json_encode()?

Re:json_encode()

[Derek+Pomery]

*shrug* I don't do much in PHP so wasn't aware of the function, was just agreeing with him and noting general stuff people forget to do. Initial comment about bind params was more based on PHP I'd read/seen exploits for anyway. Is something PHP is notorious for, but is fortunately avoidable now.

maybe...

[WeeBit]

The only reason I can think of to use a redirect is for login depending on the type. I do know some use it to push a visitor to the new site. But they can click on a link on the page. So is it safe to say in our near future Google will be going after these redirect webpages? Possibly downgrading their usefulness? Just guessing here...correct me if I am wrong.

Tricking Google..

Tricking Google seems to be extremely easy these days. All the "SEO" garbage has started showing up in more and more first-page results for common terms that average people search for. I remember when I was looking for an iphone case and searching for "iphone case" used to return several malware/scareware websites in the first 10 results.

Seriously what happened to all the "genius" programmers that Google hired. Or maybe secretly google doesn't care because I guess most of those content farms run AdSense...

Wordpress infamous?

Wordpress infamous?
If you use the latest version or Wordpress.com you are safe. Are you going to say that Windows in infamous because people with unpatched versions of XP get added to botnets?

google ad a search filter for bad sites

[hesaigo999ca]

google could add search filters that excludes any site that is known to be poisoned, or maybe even a manual list edit that allows a more knowing person to filter out such sites.

Crrrrazy hacking rate

[Faffe]

So, out of a couple of million or so WordPress sites, more than 4000 are hacked?! It's madness I tell you, madness!