Compromised WordPress Blogs Poison Google Image Searches
Orome1 writes "Google Image Search has for some time been littered with images that lure users to compromised sites that serve as doorway pages to other malicious sites. Part of the problem is that these compromised sites often use the WordPress publishing platform, which is infamous for the great number of security bugs that make it such a preferred target. This fact has been proven once again by security researcher Denis Sinegubko, who has pinpointed 4,358 WordPress blogs hijacked by unknown attackers and pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution."
pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution
It takes them to McAfee's website?
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
PHP does everything in its power to make safe and secure software development damn near impossible.
There's a saying about whether good craftsmen blame their tools...
It's not PHP's fault that the designers of WordPress are about as competent as I was a year out of college. Everything is global, global functions, global variables, all over the place. If it was possible to use a global variable or a global function instead of something sane like a class, then by god they're going global. WordPress altogether just reeks of amateurish practices. Hell, in order to embed the thing on an existing page you include a file called "wp_blog_header" or something. But, it's not a header, and may not even result in a "header" being printed, it's basically all of WordPress. There's another include file called "wp_settings", which is great except it doesn't contain a single setting, it contains only function definitions. There are exit and die statements all over the include files, so if you pull up the page and it's blank, good luck finding out which condition in which include file got triggered to make the thing bail.
The global nature of everything makes it nearly impossible to embed in various template engines, and I hope your own applications aren't defining global functions with the same generic names that WordPress uses. One of PHP's more insecure options, register_globals, is also implemented in WordPress. No idea why they think they need that option, but if it's disabled in PHP then they go through and define all of those global variables anyway. The entire application looks like it was conceived by a fresh college graduate who recruited his younger brothers to actually build it. It's like the MySpace of CMS applications: the only reason it got big is that it filled a need when the need was there. Not because it's good, but because it was available. If there was ever an application in need of a ground-up, compatibility-smashing re-write, this is it.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Basically every web app implemented using PHP and JS will be full of security holes.
Wikipedia is implemented in PHP and JavaScript. If it's been compromised, I haven't heard about it. So I must have misunderstood what you meant by "basically".
As I understand it, the +1 button on Slashdot has a very complicated unlock procedure. First, you have to create an account and log in. Second, you have to post 25 excellent comments early in a discussion that get noticed while you are logged in. Third, you have to wait a year or two for your account to be old enough. Fourth, you have to read Slashdot on this account just enough (not too much, not too little). Then you're supposed to get the +1 button. Unfortunately, I can't help you further because I haven't figured out how to qualify under the fourth step.
IMO a good language makes the safe tools painless and the unsafe ones painful. A poor language makes the safe tools painful and the unsafe ones painless.
A web-oriented language designed for security, for example, could have multiple string types and make it easier to apply the appropriate conversion processing than to convert between them without doing the processing.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
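The "multiple string types" idea from the comment above, worked through as an added example (this is not code from the page, from WordPress, or from the commenter; the names SafeHtml, html, render and the sample keyword are illustrative assumptions). Plain string is treated as untrusted text and SafeHtml as markup that is safe to emit; the painless path is a tagged template that escapes every interpolated string, while emitting raw markup requires an explicit, greppable call, and the output sink only accepts SafeHtml so a forgotten escape is a compile-time type error rather than a runtime injection:

```typescript
// Added example, not from the original page or from WordPress/PHP.
// Two string kinds: plain `string` (untrusted) and `SafeHtml` (safe to emit).

const ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch) => ESCAPES[ch] ?? ch);
}

class SafeHtml {
  // Private constructor: nothing outside this class can mint SafeHtml from an
  // arbitrary string except through escape() or the deliberately named
  // unsafeTrusted(), which is the "painful" path and easy to grep for in review.
  private constructor(private readonly markup: string) {}

  static escape(text: string): SafeHtml {
    return new SafeHtml(escapeHtml(text));
  }

  static unsafeTrusted(markup: string): SafeHtml {
    return new SafeHtml(markup);
  }

  // Concatenate already-safe fragments without re-escaping them.
  static join(parts: SafeHtml[]): SafeHtml {
    return new SafeHtml(parts.map((p) => p.markup).join(''));
  }

  toString(): string {
    return this.markup;
  }
}

// Tagged template: html`<b>${x}</b>`. A SafeHtml interpolation is inserted
// verbatim; anything else is stringified and escaped. The result is marked
// trusted because every untrusted part has just been escaped.
function html(strings: TemplateStringsArray, ...values: unknown[]): SafeHtml {
  let out = strings[0] ?? '';
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    out += v instanceof SafeHtml ? v.toString() : escapeHtml(String(v));
    out += strings[i + 1] ?? '';
  }
  return SafeHtml.unsafeTrusted(out);
}

// The sink accepts only SafeHtml. Something like
//   render('<h1>' + keyword + '</h1>')
// does not compile: a plain string is not a SafeHtml.
function render(page: SafeHtml): string {
  return page.toString();
}

// Constructed sample input (assumption): a search keyword as an attacker might
// submit it to a keyword-stuffed doorway page.
const ATTACKER_KEYWORD = '"><script>alert(1)</script>';

// A results page built the painless way: no explicit escaping anywhere in the
// page-building code, yet the keyword and every hit are escaped.
function searchResultsPage(keyword: string, hits: string[]): string {
  const items = SafeHtml.join(hits.map((h) => html`<li>${h}</li>`));
  return render(html`<h1>Results for "${keyword}"</h1><ul>${items}</ul>`);
}

console.log(searchResultsPage(ATTACKER_KEYWORD, ['a&b', '<i>x</i>']));
```

The design choice is that the type system, not the reviewer, tracks which strings have been through the conversion: nested fragments compose without double-escaping because they are already SafeHtml, and the one way to bypass escaping has a name that stands out in a diff.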