Millions At Risk From Critical Vulnerabilities From WordPress Plugins

← Back to Stories (view on slashdot.org)

Millions At Risk From Critical Vulnerabilities From WordPress Plugins

Posted by Unknown on Wednesday June 19, 2013 @05:42AM from the just-use-ur-web dept.

First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins." It does seem that Wordpress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.

145 comments

Min score:

Reason:

Sort:

Not an unsafe language... by dclozier · 2013-06-19 05:49 · Score: 5, Insightful

Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
1. Re:Not an unsafe language... by Anonymous Coward · 2013-06-19 05:54 · Score: 4, Funny
  
  It's not bad coding, those are just misunderstood features. SQL Injection? - That's just a back door we left in for convenience.
2. Re:Not an unsafe language... by Anonymous Coward · 2013-06-19 05:56 · Score: 1
  
  Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
  Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.
3. Re:Not an unsafe language... by Anonymous Coward · 2013-06-19 06:03 · Score: 5, Funny
  
  I personally only use HTML9 Responsive Boilerstrap JS. If you're using any other framework then you're just wasting your time.
  Here's a link for you poor slobs that haven't jumped on the bandwagon.
  http://html9responsiveboilerstrapjs.com/
4. Re:Not an unsafe language... by ackthpt · 2013-06-19 06:08 · Score: 4, Insightful
  
  Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
  Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.
  Assuming management or the analyst who specs the code gives the coder sufficient time to do it right.
  Something I continue to observe in outsourced code is an incredible sense of optimism regarding security. Not because the coder is a fool (well, he/she might be) but because security and good practices are not emphasised, time and cost of up front development are too often the deciding factors.
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
5. Re:Not an unsafe language... by Hognoxious · 2013-06-19 06:09 · Score: 2
  
  Is it webscale, or does it use joins?
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
6. Re:Not an unsafe language... by Giant+Electronic+Bra · 2013-06-19 06:11 · Score: 4, Insightful
  
  Some encourage it more than others, and some provide security-oriented features. For instance perl's taint mode is a great security feature. Truthfully strong typing and mature frameworks go a long ways, IF you know how to use them.
  HOWEVER all this is secondary. The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED. Any webapp is almost sure to have some sort of hole in it. You can plug them but its tricky and no team will find them all. The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)? I taught web-app security and was one of the earliest people in the business, I'd never in a million years deploy one of these plugins for a client and not beat it to death with a fuzzer and 10 other things. This is just basic crap I was teaching in my college courses 8 years ago (and it wasn't exactly revolutionary then). Hell, I don't consider myself any sort of security genius by a long shot, but all I can say is that there are a lot of scarily ignorant fools out there...
  
  --
  "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
7. Re:Not an unsafe language... by webnut77 · 2013-06-19 07:19 · Score: 1
  
  Wish I had mod points.
8. Re:Not an unsafe language... by chuckinator · 2013-06-19 07:20 · Score: 5, Insightful
  
  Auditing isn't cool and takes time that could be better spent posting pictures of food with a sepia filter on Instagram.
9. Re:Not an unsafe language... by Larryish · 2013-06-19 07:25 · Score: 2
  
  My marketing department uses it because the rubygems facepalm API really lets us utilize turn-key e-tailers in order to better monetize one-to-one vortals.
10. Re:Not an unsafe language... by ArcadeMan · 2013-06-19 07:32 · Score: 4, Funny
  
  Is that a dog?
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
11. Re:Not an unsafe language... by indeterminator · 2013-06-19 07:34 · Score: 2
  
  The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)?
  Because your client will want new plugins every week, gets tired of asking you everytime, and wants you to set up the permissions so that the GUI plugin installer works ("what do you mean not a good idea? the last site I had worked that way and I never had any problems with it"), then proceeds to install all the plugins he needs to make his blog on cats and other larger-than-life stuff buzzword compatible.
12. Re:Not an unsafe language... by ArcadeMan · 2013-06-19 07:42 · Score: 1
  
  There's so many aspects to everything, you cannot assume everyone is an expert on all areas required. You focus a lot on the security but I can bet your plugins would probably be extremely hard to integrate and use, look like crap and be a usability nightmare.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
13. Re:Not an unsafe language... by Anonymous Coward · 2013-06-19 07:56 · Score: 0
  
  Pfft. If it were really cool it would use the .io domain. It's all the rage these days.
14. Re:Not an unsafe language... by Anonymous Coward · 2013-06-19 08:02 · Score: 0
  
  WordPress was written in PHP. As a PHP coder I can testify that the language does nothing to prevent SQL injection or even to make it hard. Some languages or frameworks forcibly separate the query string from the parameters or use different types for the string parameters and the query object or have a unified way to perform queries that makes it easier to do it right than wrong. In PHP it's the opposite way around - it's much easier to it wrong than to get it right. SQL injection still isn't on the radar of many junior coders and since PHP is - wrongly in this case - perceived as an easy starter language, so you can see the problem. Of course PHP has an excuse, of a sort: when it was first designed SQL injection as on nobody's radar. But it's 2013 now and in my opinion the language should have long been fixed.
15. Re:Not an unsafe language... by Giant+Electronic+Bra · 2013-06-19 08:11 · Score: 1
  
  Indeed, deserves a +1 (for either obvious or funny, but you know, really obvious things can be pretty funny ;)
  
  --
  "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
16. Re:Not an unsafe language... by Giant+Electronic+Bra · 2013-06-19 08:18 · Score: 1
  
  No, I wouldn't write them, I'd just security audit the ones I use. Its just insane to drop in an untested configuration of a webapp doing e-commerce. I don't care that someone else wrote it, I ASSUME they are security-incompetent and test.
  Granted, other people's responses to my post definitely explain why this crap happens, but it doesn't make it any less scary or eye-rolling. The real problem is people just don't have any idea how bad the stuff they can install free on their servers really is, unless they've had some education on it. Most people never get that (and how would they know they want it). So you have this kind of yuck. What we need are some webapps written with the mindset of FreeBSD, totally audited and known good code supplied from a single auditor. In fact the webapp world needs this MUCH MORE than OSes do.
  
  --
  "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
17. Re:Not an unsafe language... by dgatwood · 2013-06-19 08:22 · Score: 2
  The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED.
  Does this surprise anyone? There's a good reason why WordPress systems are popular targets for hacking....
  That said, to some degree, I blame the language designers for not being more aggressive at forcing people to upgrade their old-style SQL queries to use a more modern, parameterized syntax.
  If you really want the web to be more secure, we should:
  
  Eliminate the PHP/Perl/Python mysql extensions. Force everyone to rewrite their software with either mysqli or PDO. Period.
  
  Add tainted data tracking into the language runtime for PHP, Perl, Python, etc. This means:
  
  All data coming from outside the code itself (from all files, from GET/POST request fields, etc.) is marked as tainted.
  String concatenation of tainted data with untainted data results in tainted data.
  Variable substitution of tainted data inside a string results in a tainted string.
  Taint is preserved across function calls, such as explode/implode.
  Data can only become untainted by casting it to a numeric type. (No, mysql_real_escape_string should not untaint anything. That function is a hack. You shouldn't be using it in production code.)
  All mysqli and PDO functions/methods should throws an exception if a tainted string is passed as a format argument.
  When the language is running in a web server, all output to stdout (to a browser) should similarly throw an error unless the taint type matches the current Content-Type value. For example, if the headers say Content-Type: text/html, then input from an HTML file is not tainted. Input from a database or text file should have to be either quoted for output or sanitized through your choice of sanitizer functions, tailored for various purposes (e.g. an anti-XSS sanitizer).
  And so on. These changes would go very, very far towards eliminating SQL injection attacks and XSS. The fact that such protection schemes are both incomplete and disabled by default in most programming languages suggests to me that security is not a high enough priority.
  IMO taint protection should be part of the default configuration when running in a web server environment. If there are bugs that make that impossible, then those should be the absolute highest priority bugs on the plates of the language engineers.
  In the meantime, everyone should add taint_error_level = E_ERROR to your php.ini file, etc.
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
18. Re:Not an unsafe language... by Giant+Electronic+Bra · 2013-06-19 08:37 · Score: 1
  
  Agreed. At least with Perl there IS a taint mechanism and it generally works as you describe (IE you can only untaint data by explicitly calling 'untaint()' or running it through a regex). If you properly use layers like Class::DBA you should never need to compose SQL or have SQL generated in-app, you should be entirely in bind-parameter land (and even that is normally hidden from view). I wrote an entire CMS/e-commerce platform in Perl 15 years ago using those tools. AFAIK no security holes were ever uncovered once we had finished our developer audits, and it was considerably more capable than Wordpress (though there are some nice tools available today like wiki-syntax parsers and XSLT that we didn't have in 1999) with fully apartment hosting and role separation and a bunch of other features that were totally unknown back in those days. Ironic how our thoroughly tested platform is dust now and a giant PoS like Wordpress lingers on. I told them to go open source... ah well.
  
  --
  "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
19. Re:Not an unsafe language... by dgatwood · 2013-06-19 08:51 · Score: 1
  
  IMO, running it through a regular expression shouldn't untaint it, either, unless that happens to be a regular expression specifically designed to quote strings properly for output. But yes.
  The biggest problem is that young white hat hackers are few and far between. We don't spend nearly enough time in college courses learning about proper security, and as a result, folks come out of school not knowing it. By the time they actually "get" security, most of them are well on their way to retirement, and they aren't always keeping up with the latest programming languages. Unfortunately, most web technology development tends to be done by people straight out of school, because it is a cutting-edge field that is constantly evolving. The result is that the people who understand security often don't understand the web tech, and the people who understand the web tech often don't understand security.
  IMO, any college that does not require at least a semester of computer security (ideally, two) for a BS degree is doing their students a disservice. It is a crucial subject for anyone who has any interest in writing software, and it is an area where competent engineers are seriously in demand.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
20. Re:Not an unsafe language... by ArcadeMan · 2013-06-19 09:17 · Score: 1
  
  So what we need is a new language targeted at the Web with security being the first design rule.
  The language has to do everything to protect itself and the server, the programmer only calls dark boxes to do what he wants, i.e. no direct access to databases and similar insecure things.
  Why is it the programmers who are supposed to never trust their input data? Shouldn't that be the job of the language itself? I bet the language designers, who would only need to do it once and make it built-in, would do a much better job than ten million programmers of various degrees of competency around the world.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
21. Re:Not an unsafe language... by The+Cat · 2013-06-19 09:29 · Score: 1
  
  aren't always keeping up with the latest programming languages
  This is the problem right here. The "latest programming language" is buggy crap.
22. Re:Not an unsafe language... by Hewligan · 2013-06-19 10:18 · Score: 1
  
  But it's 2013 now and in my opinion the language should have long been fixed.
  You should probably read this, then
  
  --
  "If God created us in his own image, we have more than reciprocated"
23. Re:Not an unsafe language... by dgatwood · 2013-06-19 10:31 · Score: 1
  
  Ah, but the latest programming language is buggy crap because the senior people aren't pushing to improve it and the junior people lack the skills. It's a Catch-22/chicken-and-egg sort of problem.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
24. Re:Not an unsafe language... by ttucker · 2013-06-19 10:56 · Score: 1
  
  So the code passes every audit in the book with a hacked together solution to each detected problem, do you really fee any safer? Auditing tools are fine, but certainly provide some false sense of security.
25. Re:Not an unsafe language... by ttucker · 2013-06-19 10:59 · Score: 1
  
  The world needs the next programming language like I need to have 12 more anuses on my body.
26. Re:Not an unsafe language... by real-modo · 2013-06-19 15:11 · Score: 1
  
  SQL Injection
  What we need is for MySQL/MariaDB, PostgreSQL, FireBird, etc., to come configured so that database updates can only take place in stored procedures in which statement building isn't present; and that they also come configured so that when you create a database, two users/roles are created: a role with stored procedure execute privileges only, and the owner, and the database owner can only access the database through the command-line interface.
  In other words, what we need is for web programmers to be forced to learn something about the tools they're using.
  You might get that effect by inventing a suitable replacement for SQL and forcing people to use it. But I think they'd just use text files for backing storage.
  Cross-site Scripting
  I can't see how a new language stops this.
27. Re:Not an unsafe language... by arglebargle_xiv · 2013-06-19 15:13 · Score: 1
  
  Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]
  
  ORA-00930: Unknown keyword FAVORITE following INSERT.
28. Re:Not an unsafe language... by dgatwood · 2013-06-19 15:19 · Score: 1
  
  <sarcasm>But you'd be a superhero. We could call you Rectum Man. "My plants were all dying for lack of fertilizer, and I didn't know what to do. But then Rectum Man came to help. Thank you, Rectum Man!" Everyone needs 12 more anuses. Everyone.</sarcasm>
  What it comes down to is best summarized by this obligatory XKCD. Just s/standards/programming languages/g. Alternatively, s/standards/web frameworks/g. And so on. This is why we have Perl, PHP, Python, Ruby, and whatever else has come out since I stopped bothering to pay attention. Instead of improving what's out there, everybody wants to create the cool new thing. This inevitably results in lots of low-quality code.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
29. Re:Not an unsafe language... by Giant+Electronic+Bra · 2013-06-20 03:28 · Score: 1
  
  Yeah, I was sorely disappointed when we went from a concentration on Perl/CPAN as the main resource for building web apps to 32 different interchangeable scripting languages which require the same libraries to be written over and over again and each has its own bugs. I mean, sure, perhaps its arguable that Ruby is a better language than Perl, for example, but its not that big a difference and clearly far too little focus has remained on actually writing and maintaining secure webapp code.
  But, nobody is in charge of the world. We get ridiculous perverse results in some cases. There's nothing for it but to keep trying. Meanwhile the redundant scripting language treadmill continues with Go, Dart, Processing, blah blah blah blah (and who can forget Perl 6!). No doubt some of them are modest improvements, but we tend to get set back to zero every time we have to adopt a new set of core tools.
  Frankly I drew the line at Perl. I can build anything any client ever needs in it and it works fine. All that extra time my competition spent migrating to some newfangled thing was just gravy for me. All I can say is I'm glad I don't deal directly in retail webapps anymore. The whole market is shit.
  
  --
  "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
30. Re:Not an unsafe language... by The+Cat · 2013-06-20 04:09 · Score: 1
  
  The software market needs a return to basics.
  There's a reason we still use grep. Because it was engineered properly.
31. Re:Not an unsafe language... by Giant+Electronic+Bra · 2013-06-20 05:06 · Score: 1
  
  Yeah, agreed. I'm an old FORTH programmer, talk about basics. We got more done with that tool at a faster rate BY FAR than any other tool chain in the past 30 years.
  
  --
  "Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
32. Re:Not an unsafe language... by Warbothong · 2013-06-20 05:30 · Score: 1
  
  Not an unsafe language...
  Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)
  "Bad coding" is similar to "no true Scotsman"; the goalposts are movable in hindsight. What really matters is how easily we can spot potentially-insecure code when we're browsing a codebase *before* it is exploited.
  Let's say our codebase contains, somewhere deep inside, a C function which tramples over unallocated memory. How likely are we to spot this bug as a maintainer, who may occasionally open the file for unrelated purposes? Not very, since unsafe C code looks pretty-much the same as safe C code.
  Likewise our codebase could contain a PHP function with an XSS vulnerability. How likely are we to spot that? Again, not very.
  Now let's say our codebase contains a PHP function which tramples over unallocated memory (via PHP, not due to some buggy C library). How likely are we to spot that? Very likely, since it would appear pretty bizarre, even if it weren't buggy. This makes PHP more memory-safe than C.
  The underlying reason PHP is unsafe when it comes to Web programming is that it treats everything as strings. User input, SQL queries, HTTP headers, HTML, regular expressions, filenames, code, variable/class/method/constant/function names and so on. Implicit conversion even allows non-strings to be treated as strings. With everything implemented as a strings, programmers think of their data as strings instead of what they actually are (HTML attributes, unsafe external input, etc.). This leads to string-based interfaces, which beget more string-based interfaces in the name of compatibility, and any non-string interfaces (eg. SimpleXML) end up with string-based escape hatches which force us to carry on thinking in terms of strings. When everything is a string, nobody knows what their data actually *is*. Has this SQL query come from the outside world? You'd better hope not, since you've just sent it to the database!
  The really twisted part is that, in a world of strings, the "solution" to security is escaping. Actually escaping is just a symptom; escaping a string just gives us another string! We gain no information by escaping; we go from data that's potentially unsafe to data that's potentially garbage (double-escaped). What's the solution to the double-escaping problem? Remove some escaping! Escaping must be done exactly once, but good programming practice makes us split up our applications into many small, reusable pieces. This means that the vast majority of any codebase *cannot* escape its data, for fear of double-escaping. Thus the majority of our code must either trust that its input is safe, or trust that someone else will escape its output for us. This is the case no matter how security-minded we are.
  However, the nature of programming is to plug other people's things together in ways they didn't anticipate. Doing otherwise would just be reinventing the wheel. No wonder that form inputs get plugged straight into databases! The input-reading functions are compatible with the database-querying functions! Why should I worry about security when the functions I'm using have been written by the world's foremost security-minded PHP programmers? They know more about this stuff than I do, so I'd rather plug their stuff together than put my own naive code in between!
  This ecosystem is why PHP is more-unsafe than, for example, Java (which is less-unsafe), Haskell (which is even-less-unsafe) and Agda (which is much-less-unsafe).
  In a system where different languages have their own specific types, we can't just plug a form input into a database. We need to convert an "UnsafeInput" into an "SQL"; the path of least resistance would be to use an escape function. There's also no danger of double-escaping, since an escaping function can't consume its own output without it getting converted back first. Such undesirable outcomes are still *possible*, but require manually working-around the provided mechanisms. Such co
Every language is unsafe. by Qzukk · 2013-06-19 05:49 · Score: 4, Insightful

It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.

--
If I have been able to see further than others, it is because I bought a pair of binoculars.
1. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 05:59 · Score: 0
  
  http://php.net/manual/en/function.mysql-real-escape-string.php
  http://php.net/manual/en/function.eval.php
  extract($_REQUEST)
  I don't even.
2. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 06:00 · Score: 0
  
  This goes for web languages in general.
  Pointers are too hard :(
3. Re:Every language is unsafe. by cold+fjord · 2013-06-19 06:03 · Score: 4, Insightful
  
  More like every language can be used unsafely, and some have built-in weakness in addition. The C language and many of its derivatives have a number of issues that are well known and documented. In that regard both Unix and C are like chainsaws - in skilled hands they make short work of difficult problems that might be far harder or impossible with other tools, but let your attention wander for a moment and you are missing a leg.
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
4. Re:Every language is unsafe. by ackthpt · 2013-06-19 06:18 · Score: 1
  
  This goes for web languages in general.
  Pointers are too hard :(
  Drop-through logic made easy:
  if (x < 100) { do_stuff(); } elseif (x > 100) {do_other_stuff();}
  mind the gap
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
5. Re:Every language is unsafe. by tepples · 2013-06-19 06:19 · Score: 1
  
  it WAS an image file you uploaded, right? It ended in .gif, right?
  I want to become something other than one of these "absolute retards" you mentioned. If GD returns sane values for the image's width, height, and MIME type, what dangers should I still be aware of?
6. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 06:31 · Score: 0
  
  The problem you describe typically arises from a badly configured HTTP server together with dumping uploads in a publicly accessible directory. The user uploads a file and accesses it, the server sees that it's a PHP file, and executes it. The solution is to disable automatic running of PHP files, at the very least in directories with user content. You don't need to "verify the contents".
  It's not like people are actively running eval() on GIF images. That doesn't even make sense.
7. Re:Every language is unsafe. by MtHuurne · 2013-06-19 06:40 · Score: 3, Informative
  
  That's the wrong question: instead of performing a dangerous operation only if the input doesn't look suspicious, you should not perform the dangerous operation at all. So if the input data is supposed to be an image, pass it to a function that can only process images. That way, if an attacker does manage to sneak in PHP code disguised as an image, it will just trigger an error condition instead of being executed.
8. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 06:41 · Score: 4, Funny
  
  They could exploit GD.
  The only solution is to have the user base64 encode the binary GIF data, print it and then snail mail it to you.
  You can then build a dedicated PC that's not on the network, type out the base64 data, decode it and confirm it's a valid GIF. Then connect that PC to the network and upload the GIF on behalf of the user.
  If the GIF was malicious you simply set that dedicated PC on fire, inform the user (via snail mail) "INVALID GIF IMAGE, PLEASE TRY AGAIN" and then buy another dedicated PC for the next GIF you receive.
  It's the only way to be safe. I do this with my site and so far so good: I launched one year ago and I've received 1 GIF so far 3 months ago and I'm about 75% done typing all the base64 data. I hope to confirm his avatar picture by July 1st!
9. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 06:46 · Score: 0
  
  In fact, it's the retards that "designed" the language in the first place.
10. Re:Every language is unsafe. by dkleinsc · 2013-06-19 06:50 · Score: 4, Insightful
  
  Every language is unsafe, but some almost try to be as unsafe as possible.
  For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
11. Re:Every language is unsafe. by SirGarlon · 2013-06-19 06:51 · Score: 1
  
  I can't answer your specific question (I am mostly ignorant of PHP), but perhaps I can be of help with the broader issue of helping people learn about secure coding practices.
  One of the basic principles of secure coding is to validate user input to ensure it is what you expect. If you are checking the image size and MIME type you are headed in the right direction. Whether you've gone sufficiently far, I'll leave to PHP experts.
  To get started learning more, you can do worse than the OWASP Top 10 (PDF) -- skip to page 5 to bypass a thicket of jargon that may confuse you at first. Probably other readers can suggest other, gentler, starting points. I am suggesting the OWASP Top 10 because it's commonly cited and because it discusses how to prevent each of the major classes of application vulnerabilities. It's not perfect. It will take some time and thought for a newcomer to digest, but for me the effort was worth it.
  You can also go to OWASP meetings if there is a chapter near you, or maybe find a local PHP user's group and ask about security.
  
  --
  [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
12. Re:Every language is unsafe. by cjjjer · 2013-06-19 06:52 · Score: 1
  
  I hate to say it but it sounds like PHP is the new classic ASP with regards to exploits...
  
  Not that I am saying classic ASP devs got any smarter they just moved from ASP to other forms of server scripting/languages.
13. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 07:02 · Score: 0
  
  Even though I agree that user input validation is paramount, calling someone an `absolute retard' for not doing so is not done.
14. Re:Every language is unsafe. by ewanm89 · 2013-06-19 07:22 · Score: 1
  
  Strictly speaking, it can't be impossible in any Turing complete language if you can do it in another Turing complete language. But the main point stands, the language doesn't matter, one can do bad things in any language.
15. Re:Every language is unsafe. by hairyfeet · 2013-06-19 07:56 · Score: 1
  
  That is why I never understood the hatred for this or that language, i have seen some solid as hell programs in just about any language and I have seen absolute dogshit, again in just about every language.
  You can hand a scalpel to a skilled surgeon and he can save your life, you hand that same tool to an enraged chimp you are gonna get nothing but a mess. At the end of the day a tool will only be as good as its user, and a bad coder will make bad code i don't care what language they choose. While some here may argue that this or that language has more safeguards all that is doing is trying to idiot proof the language and as we have seen time and time again the world can always come up with a bigger idiot.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
16. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 08:10 · Score: 0
  
  This is generally good enough, but might still return true for images that have extra data contained within, which may include PHP code. Like how you can include .rar files at the end of JPG images.
  Whenever you let users upload images, store them somewhere outside the web root and use readfile('../path/to/file.png') to display them such that no extra code or contents in them has any chance of being ran by the webserver.
17. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 08:12 · Score: 0
  
  In that regard both Unix and C are like chainsaws - in skilled hands they make short work of difficult problems that might be far harder or impossible with other tools, but let your attention wander for a moment and you are missing a leg.
  The problem with PHP is that the function to trim a tree is "cut_off_limb" while the function to amputate something is "cutofflimb".
18. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 08:18 · Score: 0
  
  How to Shoot Yourself In the Foot Using Any Programming Language
19. Re:Every language is unsafe. by tepples · 2013-06-19 08:34 · Score: 1
  
  So if the input data is supposed to be an image, pass it to a function that can only process images.
  I was under the impression that getimagesize() (the linked function) is "a function that can only process images."
20. Re:Every language is unsafe. by Qzukk · 2013-06-19 08:40 · Score: 1
  
  For gods sake, don't include() it to send it to the browser, because it could be a valid image with in an EXIF tag.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
21. Re:Every language is unsafe. by Dragonslicer · 2013-06-19 08:50 · Score: 3, Informative
  
  For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.
  Depends on your definition of "fairly recently." PDO was available as an extension for PHP 5.0 (2004) and was included in the standard installation for PHP 5.1 (2005). There hasn't been any excuse not to be using it for at least 5 years.
22. Re:Every language is unsafe. by tepples · 2013-06-19 09:32 · Score: 1
  
  store them somewhere outside the web root and use readfile('../path/to/file.png') to display them
  If one's budget shared hosting plan forbids writing outside the web root, is it generally safe to store them in a .htaccess-restricted folder provided that the filename has been cleansed of path separators?
23. Re:Every language is unsafe. by The+Cat · 2013-06-19 09:34 · Score: 1
  
  The moral of this humor is that only one language works: C
24. Re:Every language is unsafe. by Qzukk · 2013-06-19 13:00 · Score: 2
  
  is it generally safe to store them in a .htaccess-restricted folder provided that the filename has been cleansed of path separators
  The htaccess restriction is important to prevent one of the other leading causes of PHP vulnerability: Allowing someone to upload a valid jpeg with a .php file extension in an image field and not checking the file extension before putting it somewhere someone can request <img src="profilepics/pwnme.php"> from the server. In fact, don't try to cleanse the filename. Just assign it one yourself. Keep the original filename in a database (aware of SQL injection) if you think someone will completely flip out if they can't find out what the file was named, and keep userpic12345.[extension as determined from content]
  Part of the reason why PHP is such a large gun for shooting yourself in the foot is that it mixes content and code by design, so you have to have a few extra precautions when accepting content from somewhere else that it doesn't have unwanted code mixed in. Some of the precautions are basic PHP (like "include() is not how you read a file"), others take a little more awareness of the entire environment (like "the webserver will happily execute anything anyone uploads with a php extension in a folder accessible from the web").
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
25. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 13:16 · Score: 0
  
  calling someone an `absolute retard' for not doing so is not done.
  You're right, it'd hurt the feelings of the developmentally challenged if they were compared to people who display images with:
  
  Header("mime-type:image/gif"); include($filename);
26. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 13:24 · Score: 0
  
  mysql_real_escape_string()
  That one's MySQL's fault.
27. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 14:24 · Score: 0
  
  You can hand a scalpel to a skilled surgeon and he can save your life, you hand that same tool to an enraged chimp you are gonna get nothing but a mess.
  But a scalpel is a precision tool designed for use by experts. Much like a straight razor for shaving. We make safety blades because most people aren't experts.
28. Re:Every language is unsafe. by Anonymous Coward · 2013-06-19 14:42 · Score: 0
  
  There hasn't been any excuse not to be using it for at least 5 years.
  Except that bindParam/bindValue should have been stabbed in the spleen and left to bleed out slowly DECADES ago when Perl got hashes. Thank god PDO lets us use an associative array to execute statements but... lolz:
  
  5.2.0 The keys from input_parameters must match the ones declared in the SQL. Before PHP 5.2.0 this was silently ignored.
  How did that even WORK for two versions? Did they just assume that since :size was the first field in the query, "banana"=>"foo" must go in :size if it's the first key in the array?
  Also, not accepting extra parameters doubles the work to generate dynamic queries. It's bad enough that
  
  $sql="select * from tshirts"; $where=array(); if ($size) { $where[]="size='$size'"; } if ($color) { $where[]="color='$color'"; } if ($where) { $sql.=" where ".join(" and ",$where); } $results=do($sql); // database specific
  
  is easy, making it impossible to do
  
  $sql="select * from tshirts"; $where=array(); if ($size) { $where[]="size=:size"; } if ($color) { $where[]="color=:color"; } if ($where) { $sql.=" where ".join(" and ",$where); } $query=$dbh->prepare($sql); $query->execute(array(":size"=>$size,":color"=>$color));
  
  is just begging for someone to go back to the first way. Penalty points for having to deal with handling queries for NULL (not entirely PDO's fault, but the fact that I have to have to exclude the key from the array when I write IS NULL instead of =:key, is.)
  It only gets worse from there (especially when you need filters for any arbitrary combination of a dozen+ fields). PDO can't reuse labels. No amount of karnaugh mapping will fix (A and B) or (not A and C) so you'll just have to know when you get to "not A" you're going to have to call it A2. In real use: name=:name or nickname=:name2 (though I recently discovered that :name in (name,nickname) is both valid and awesome in PostgreSQL). If you were going to suggest I could fix the above code with merely one more LOC (per filter) eg $params[":size"]=$size; .. ->execute($params), you can now hang your head in shame.
  PDO is the CRUD framework of database connections, and should be treated as such when you get to something more complex than the usual crud. It could easily be improved, but that would require abandoning its deathgrip on how Perl DBI did it wrong way back when.
29. Re:Every language is unsafe. by real-modo · 2013-06-19 15:42 · Score: 1
  
  How about "incompetent"?
  If programming were a profession, or even a trade--in other words, required registration with a standards and ethics focused organization--not validating user input in production code would be grounds for a professional misconduct charge and/or dismissal.
30. Re:Every language is unsafe. by greg1104 · 2013-06-19 16:10 · Score: 1
  
  Here's a fun one: search for PHP mysql_query code and glory at all of the input sanitizing they do.
31. Re:Every language is unsafe. by V+for+Vendetta · 2013-06-20 04:15 · Score: 1
  
  So, you're saying that idiots that couldn't code ASP can't code PHP. Color me suprised then.
  ASP (or better ADO) has provided prepared statements for a long time. Not using them is not ASP's fault.
  Create a stored procedure and swap
  
  cmdPrep1.CommandText = "UPDATE titles SET type=? WHERE title_id =?" cmdPrep1.CommandType = adCmdText
  
  in that snippet for
  
  cmdPrep1.CommandText = "name of stored procedure here" cmdPrep1.CommandType = adStoredProc
  
  and you're even better.
32. Re:Every language is unsafe. by hairyfeet · 2013-06-20 05:29 · Score: 1
  
  And you hand that Bic to an enraged chimp he will STILL make a mess, thus proving my point that its NOT the tool, its the user. And when you are talking about writing programs that could potentially end up on thousands or even millions of PCs and possibly open the system up to malware? Then yes i would argue that you should be a hell of a lot closer to a surgeon than an enraged chimp to be a programmer.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
Do not panic by Anonymous Coward · 2013-06-19 05:51 · Score: 0

It is only millions of bloggors that are at risk, not millions of dollors.
1. Re:Do not panic by lightknight · 2013-06-19 06:28 · Score: 2
  
  Well, the problem is some of the more intelligent crackers out there have been upping their game recently...they have, if memory serves me correctly, found ways of getting websites to arbitrarily become a part of botnets. That's right, it's no longer just a matter of your website's database being compromised, with your liability ending with a broadcasted message to everyone telling them to change their passwords / check their credit cards...now your website, or rather the host machine that the website is running on, can be hijacked into DDOS'ing the DHS's main servers, or something equally tasteful. If repeated phone calls from the bank telling you to fix your website's code was enough motivation, then possibly a heart to heart talk with Agent Bob and Agent Rob will. And I'm sure the part where you tell them that you hired the lowest bidder to build the site (or just used the built-in), use a Mac because you're super-bad with computers (but still have a blog, because of that advertising money, amiright?), and that you have no idea how to fix it, and thus can't be held accountable for whatever has happened, will go over well with them. It'll be a real knee-slapper, you'll be laughing, they'll be laughing, and the whole thing will be cleaned right up inside of a week.
  In other news, the DoJ may have found a use for all those crackers they plan on catching -> early-release program, clean-slate, provided they fix WordPress and help hunt down the old installs. Should keep them busy for the next several eons...
  
  --
  I am John Hurt.
which plugins? by Anonymous Coward · 2013-06-19 05:51 · Score: 0

It would be helpful to know which plugins are vulnerable.
1. Re:which plugins? by amicusNYCL · 2013-06-19 06:08 · Score: 1
  
  I'm sure they notified the plugin authors, just keep your plugins updated. Their PDF report has a description of the plugins (including lines of code and downloads), but blacks out the title.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
The issue that I've noticed is with small busi... by Anonymous Coward · 2013-06-19 05:53 · Score: 0

I really like Wordpress, but the issue that I've noticed is with some small business owners. They want a web site, but they are not willing to spend the money to keep it updated. They are often not savvy enough to run the update themselves. They want to be on the Internet, but they have absolutely no understanding of what this involves. It's the equivalent of the home user that is not willing to do his homework about computer security, and ends up contributing their PC to a botnet. They have someone install Wordpress, pay scraps to have a template they like, and then they never maintain it.
Wordpress! by Anonymous Coward · 2013-06-19 05:55 · Score: 0

The industry leading backdoor with blog functionality.
e-commerce plugins vulnerable by schneidafunk · 2013-06-19 05:55 · Score: 3, Interesting

According to the PDF, e-commerce plugins are in the list. I'm a bit surprised to see that, as I assumed developers would be thinking about security first with e-commerce.

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:e-commerce plugins vulnerable by Vanderhoth · 2013-06-19 06:01 · Score: 3, Interesting
  
  I agree it should be the first consideration, but the people who want the implementation are MBAs that care more about getting people's money, return on investments and how something looks rather than how secure it is.
  
  <sarcasm>Why pay money up front for security you might never need? It's better to wait until something does happen, like millions of credit card nubmers are stolen, and give the money to the PR people to clean up the mess. It's way cheaper if the gamble pays off.</sarcasm>
2. Re:e-commerce plugins vulnerable by Anonymous Coward · 2013-06-19 06:03 · Score: 0
  
  "" everyone knows, when you make an assumption, you make an ass out of "u" and "umption" ""
3. Re:e-commerce plugins vulnerable by Anonymous Coward · 2013-06-19 06:05 · Score: 0
  
  Does anyone else find it kind of funny that they are serving their download from a WordPress site?
4. Re:e-commerce plugins vulnerable by Algae_94 · 2013-06-19 06:12 · Score: 2
  
  They only did a study on plugins. They must be assuming that WordPress itself is super secure. Bad assumption.
5. Re:e-commerce plugins vulnerable by Anonymous Coward · 2013-06-19 06:18 · Score: 0
  
  They didn't want to pay for hosting a Slashdoted article, but they had a large list of wordpress vulnerabilities that can take root. How would you have solved that situation?
6. Re:e-commerce plugins vulnerable by Anonymous Coward · 2013-06-19 06:31 · Score: 0
  
  HA HA HA! Security is the last thing that people developing WordPress plugins would be thinking about. Of course there's still people doing e-commerce that don't hash passwords, too (costcentral.com, I'm pointing at you).
7. Re:e-commerce plugins vulnerable by Bogtha · 2013-06-20 06:33 · Score: 1
  
  I assumed developers would be thinking about security first with e-commerce.
  
  These are developers who, when faced with the problem of how to build an e-commerce site, think "I know, I'll use my favourite blogging software". Assuming they can tie their shoelaces is a stretch, let alone thinking about security.
  Right about now, somebody is champing at the bit to reply saying that Wordpress has outgrown its blogging roots and is now a proper CMS. I invite anybody tempted to believe that nonsense to look at Wordpress' database schema and make their own mind up.
  
  --
  Bogtha Bogtha Bogtha
Let's keep the tree green by dkegel · 2013-06-19 05:57 · Score: 2

The solution is easy: hosting providers should be required to continuously run vulnerability scanners, and instantly take down any sites which have known vulnerabilities. As a bonus, it would clear out a lot of crap sites.
1. Re:Let's keep the tree green by Spy+Handler · 2013-06-19 06:09 · Score: 2
  
  I don't know about "should be required", who's going to require them, Congress? DOJ?
  However the smarter ones do just what you described, out of their own self interest. My hosting company contacted me once about a vulnerable Mambo extension they found.
2. Re:Let's keep the tree green by amicusNYCL · 2013-06-19 06:10 · Score: 1, Insightful
  
  The solution is easy: hosting providers should be required
  The solution is authoritarian.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
3. Re:Let's keep the tree green by dkegel · 2013-06-19 06:24 · Score: 2
  
  Congress, say.
  And of course 'instantly' would be too gestapo for real life. We'd really want a grace period with escalating warnings, followed by fines, followed by pulling-the-plug.
  And it'd be much better if industry came up with this on its own first. What's the state of the art?
  Rackspace talks about security,
  http://www.rackspace.com/managed_hosting/services/security/
  but doesn't seem to offer proactive vulnerability scanning, and if they did, they would charge for it instead of just doing it.
  Godaddy seems to offer this as an extra cost
  service instead of just doing it:
  http://www.godaddy.com/security/website-security.aspx
  Here's one wordpress hosting provider that promises to install all security updates within one hour (wow):
  https://wpengine.com/security/
  So, industry guys, can we get our act together and offer security scans and upgrades as part of the basic service plan?
4. Re:Let's keep the tree green by Anonymous Coward · 2013-06-19 12:31 · Score: 0
  
  Given the recent bit with the NSA I'd really prefer Congress not have powers to take people's sites down for "security violations".
In case you were wondering... by slashmydots · 2013-06-19 05:59 · Score: 0, Flamebait

Like I need another reason to hate Wordpress. In case you're not familiar, it's basically a website design suite for morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey. It got so popular that it's the biggest hacking target on the entire internet and anyone who uses it is seen as a complete joke by actual web developers like me. If you see "wordpress experience" on a job listing, run! That company is beyond all hope.
br /. I think I can break down how this came about. People who aren't qualified to make a website hopped on, added a bunch of code that someone else wrote via a plugin, they have NO IDEA what it does or how it really works or that it should be updated, and then they send it out to the public internet on a cheapo host with little to no security. What could possibly go wrong there?
1. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:02 · Score: 1
  
  and anyone who uses it is seen as a complete joke by actual web developers like me.
  So just like how you web monkeys... err... "developers" appear to programmers.
2. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:09 · Score: 0
  
  No one cares what you think. If you don't have something insightful to add to the conversation that hasn't been addressed in the blurb then you're just wasting people's time trying to make yourself look like a hard nose professional. Real professionals are out there doing it, you're just talking about doing it.
  
  I guess if you need to do that to pad your ego enough to make yourself feel better then it is what it is. Sad that we can't have people who can stand on their merits instead of their oversized egos.
3. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:12 · Score: 0
  
  it's basically a website design suite for morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey.
  
  br /. I think I can break down how this came about.
  Your failure to properly use HTML in your comment is rather humorous. :)
4. Re:In case you were wondering... by amicusNYCL · 2013-06-19 06:14 · Score: 1, Funny
  
  ...morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey... ...actual web developers like me... ...beyond all hope.
  br / . I think...
  Yes, your mastery of HTML and websites is truly something to behold.
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
5. Re:In case you were wondering... by slashmydots · 2013-06-19 06:17 · Score: 3, Funny
  
  ohhhhh that's right, my second degree is in software programming with .NET and ASP
6. Re:In case you were wondering... by slashmydots · 2013-06-19 06:19 · Score: 2
  
  Read the reply right above you. Spoiler alert, I'm also an offline software programmer.
7. Re:In case you were wondering... by Zedrick · 2013-06-19 06:23 · Score: 5, Insightful
  
  I used to be of the same opinion, but... I've been working in the hosting business for 10 years now, and that kind of attitude doesn't really work in real life.
  
  It's 2013, most people (at least in developed countries with high IT penetration) have their own domain and website nowadays. Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron? Or the coin collector who don't care about computing but just want to write about English hammered coins? Or the fishing club whose members wants a nice looking site with a gallery and perhaps a public calendar? Or the girlfriend who wants to blog about cooking? Are they all morons?
  
  Websites are not just for companies or IT-people anymore.
  
  Also, Wordpress is way way better than it used to be a few years ago (unlike Joomla which is a total fail in every version). Since 3.5.1 was released, I've seen more customers hacked due to brute force logins than security exploits in outdated themes or plugins.
8. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:23 · Score: 0
  
  Are you an "offline software programmer" because your mom doesn't have the internets in her basement?
9. Re:In case you were wondering... by amicusNYCL · 2013-06-19 06:23 · Score: 2
  
  From where does one get a degree in .NET?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
10. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:24 · Score: 1
  
  ohhhhh that's right, my second degree is in software programming with .NET and ASP
  
  I believe the GP rests his/her case.
11. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:26 · Score: 0
  
  Digging your hole deeper, web monkey?
12. Re:In case you were wondering... by Lunix+Nutcase · 2013-06-19 06:28 · Score: 1
  
  ASP is "offline" programming? Since when?
13. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:42 · Score: 0
  
  Then those people should be using hosted sites managed by a service like: wordpress.com blogger, facebook, google plus, etc.
  The moment those technically retarded people choose to take on the responsibility of managing their own website, shit like this happens.
14. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 06:49 · Score: 0
  
  So you have an actual degree in "software programming with .NET and ASP"? Like, from a university, or a cereal box?
  I just assumed that was a joke...
15. Re:In case you were wondering... by Lunix+Nutcase · 2013-06-19 06:52 · Score: 1
  
  He won that degree from a claw game.
16. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 07:00 · Score: 0
  
  I think you mean scripting, web monkey.
17. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 07:05 · Score: 0
  
  For he's a wanker, he's a wanker, tra la la la la. Sod off you cunt.
18. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 08:17 · Score: 0
  
  Read the reply right above you.
  Hmm... mmm hmm, yes, yes, I see now! Someone else agrees that such a showcase of your evidently inept abilities to write HTML where you don't need to write it (Slashdot will add line breaks for you) is hilariously ironic when presented with the rest of your post! Good, glad we're all on the same page here.
  
  Spoiler alert, I'm also an offline software programmer.
  Oh, good. I mean, you can't be much worse at that than you are at HTML, which CAN, by someone's assertion, I forget whose, be taught to a moderately intelligent monkey, so there's some hope for you.
19. Re:In case you were wondering... by ducomputergeek · 2013-06-19 08:53 · Score: 1
  
  A few years ago I hated Wordpress. At that time the project I was on chose MovableType for the basis of its CMS/blogging platform. Well recently I was asked to put the backend into place for another company that was producing content. We looked at several options, but Wordpress was the one that as we checked off the list of required features had basically what we were looking for item for item. And frankly I've been rather impressed with Wordpress this go around. Many of the complaints I had from a few years ago have been addressed. After all, the content is what is driving sales and revenue for this project, not the technology platform.
  
  --
  "The problem with socialism is eventually you run out of other people's money" - Thatcher.
20. Re:In case you were wondering... by The+Cat · 2013-06-19 09:39 · Score: 2
  
  HTML is dogshit. CSS is catshit. Together they make two-tone shitty shit with a shit chaser.
21. Re:In case you were wondering... by slashmydots · 2013-06-19 10:35 · Score: 1
  
  I won the US national AITP programming competition in college. I also was the only person to get a 105% perfect score on the advanced VB programming 9-week project. Keep em coming you condescending asshole. You're only getting more wrong.
22. Re:In case you were wondering... by slashmydots · 2013-06-19 10:36 · Score: 1
  
  and C# and C++
23. Re:In case you were wondering... by slashmydots · 2013-06-19 11:07 · Score: 1
  
  I was actually a C# tutor on the college's payroll since I got a perfect grade in the class too by the way.
24. Re:In case you were wondering... by Anonymous Coward · 2013-06-19 12:04 · Score: 0
  
  And we totally believe. *chuckles* No, really. *bursts out laughing*
25. Re:In case you were wondering... by real-modo · 2013-06-19 16:01 · Score: 1
  
  ... of javashit ... er, I mean, javascript.
26. Re:In case you were wondering... by Anonymous Coward · 2013-06-20 03:55 · Score: 0
  
  Are they all morons?
  Yes! Absolutely! You have stated it as such that it is crystal clear that the people you described are complete morons.
27. Re:In case you were wondering... by Geeky · 2013-06-20 04:02 · Score: 1
  
  Do these unqualified people know how to use line break tag?
  
  --
  Sigs are so 1990s. No way would I be seen dead with one.
28. Re:In case you were wondering... by sound+vision · 2013-06-20 09:19 · Score: 1
  
  I haven't been working in web hosting quite as long as you, but I do have some thoughts on the matter, from dealing with these individuals on a daily basis.
  
  Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron?
  Yes, if she expects to take on the role of webmaster and developer, with zero technical experience. I absolutely call that a moron. It's the equivalent of that same lady trying to build a kit car, which then loses a wheel and explodes rolling out of the driveway.
  The right thing for her to do is find a qualified individual or company to create the site for her, if she wants that level of customization and control. Otherwise, she belongs on Blogger or Facebook, where she can post her cat pictures, but doesn't need technical skills beyond manipulating a GUI.
Developers don't care by Anonymous Coward · 2013-06-19 06:25 · Score: 0

Instead of focusing on languages or management, why don't we admit that for the overwhelming majority of programmers, especially those who give away their code, security isn't even an afterthought, it's a neverthought. They're so intent on making a plugin or Android app or Windows application that Does Something Cool that they don't even think about security. And I would bet that better than 80% of them don't have anywhere near the expertise to properly evaluate their own code to look for security flaws.
This isn't just a FOSS issue -- although the habit of saying, "the source code is available and it's free, so fix it if you want" certainly feeds the situation -- look at the security train wreck that Windows and other high-profile pieces of code have been for years.
Ooh, scary Open Source, look at the nasties by xenoc_1 · 2013-06-19 06:27 · Score: 5, Insightful

Great, Dice posts story from a corporate-software-industrial-complex advertorial mag, with a link to their so-called blog. Which ironically is running WordPress, along with a bunch of common plugins like "Yoast WordPress SEO plugin v1.4.7" and "All in One SEO Pack 1.6.14.6". Right there tells me how clueless they are about WordPress, because unless you have a damn good special reason, you do not want to be running two separate SEO plugins. LeadGen contact form plugin, a bunch of ad and analytics beyond the usual, and no apparent caching plugin. Oh, and no Google Authorship id done the correct way, despite both of those SEO plugins having "fill in the blank" prompting for it (they do have an XFN tag on their contact info but don't do the full Google social.)
For more laughs, their verison of All-In-One SEO is downlevel. Exactly what Checkmarx themselfes warn agansit. They are on 1.6.14.6, current version is 2.0.2.
Yeah, I'm gonna listen to them about WordPress security.
When you click through their blog to the actual PDF report, guess what? They redacted the names of all those "at-risk" plugins, noting only 6 by name. Four of which they claim took their advice and fixed the problem, and two (WP Super Cache and W3 Total Cache) which I recall getting fixes for months ago. Hot news. I guess that even though their supposed expertise is in scanning for vulnerabilities, they are not going to tell you which are at risk in the current environment, because you didn't pay them. Classic dipstick move. Total and utter unawareness of the karmic and $$ benefits of internet "gift culture", such as, the whole damn open source movement and the specific WordPress ecosystem in which they are supposedly expert.
But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as
Cool vendor in application security.
1. Re:Ooh, scary Open Source, look at the nasties by Anonymous Coward · 2013-06-19 07:04 · Score: 0
  
  Not to mention their recommendation: use static code analysis.
  By the way, we sell that.
2. Re:Ooh, scary Open Source, look at the nasties by St.Creed · 2013-06-19 07:43 · Score: 1
  
  But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as
  Cool vendor in application security.
  Visionary just means they paid Gartner. The Cool vendor means they took 'em to a brothel as well.
  Okay I'm joking. Still... the fact they were whoring out "pattern based stragegy" (you had to pay to use the term) not long ago leaves me wondering.
  
  --
  Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
Wordpress should die by TheSkepticalOptimist · 2013-06-19 06:30 · Score: 1

People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.
The moment a company decides to use Wordpress as their underlying site "technology", its game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.
So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.
If you want to blog online, use Facebook or Twitter or any other established social platform, nobody sets up their own blog anymore, that is so early 21st century.

--
I haven't thought of anything clever to put here, but then again most of you haven't either.
1. Re:Wordpress should die by amicusNYCL · 2013-06-19 06:53 · Score: 1
  
  nobody sets up their own blog anymore, that is so early 21st century.
  Shit, is it mid-century already? Where the hell does the time go?
  
  --
  "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
2. Re:Wordpress should die by Anonymous Coward · 2013-06-19 06:53 · Score: 0
  
  I literally know THOUSANDS of Web Developers (I been doing this since 1994) and I don't know a single one who ABHORS WordPress and at least a third of them have moved to exclusively providing solutions via WordPress. Maybe your high school could do a work shop on it and explain the benefits, then those "developers" you know will be able to embrace it by the end of their sophomore year.
3. Re:Wordpress should die by Anonymous Coward · 2013-06-19 07:02 · Score: 0
  
  Prove it.
4. Re:Wordpress should die by realityimpaired · 2013-06-19 07:21 · Score: 1
  
  If you want to blog online, use Facebook or Twitter or any other established social platform
  Maybe I don't want the advertising that goes with a platform like that, or the space limitations, or the way they assert copyright on the stuff I create, or maybe the WP blog is just a front-end for a domain name that's primarily there for e-mail, or...? There's a lot of reasons to run something like WordPress, and social media as you suggest is not a fix-all substitution.
  Besides, it's not like Facebook and Twitter have never been hacked... they're big juicy targets with the number of users they have and the amount of information they're collecting about their users.
5. Re:Wordpress should die by LordThyGod · 2013-06-19 07:25 · Score: 1
  
  The moment a company decides to use Wordpress as their underlying site "technology", its game over.
  Like CNN, NYTimes ... ?
  
  This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.
  Actually originally and for a long time, it was a blogging platform ... for people who write blogs. Not really for housewifes and the like.
  
  So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.
  "if" ? If your aunt had a dick she'd be your uncle.
6. Re:Wordpress should die by Jason+Levine · 2013-06-21 06:00 · Score: 1
  
  People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.
  Hi there. I'm a web developer. Nice to meet you. There, now you know a web developer who likes (and extensively uses) WordPress
  
  The moment a company decides to use Wordpress as their underlying site "technology", its game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.
  WordPress was originally designed as a blogging platform for people to set up blogs easily, but has grown over the years to be a major CMS tool.
  
  So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.
  To be fair, the article is saying that WordPress PLUGINS were to blame, not WordPress itself. Plugins can come from anyone and aren't audited by Wordpress at for things like SQL Injection attack risk. Whether they should be or not is another conversation. Of course, there are many security-related plugins for WordPress so I'd love to see a "SQL Injection Attack Detector" plugin that would scan other plugins and report to the admin/webmaster/whoever when it finds something. (Whoever wants to develop this, you can use my idea for just a lifetime license to your plugin.)
  
  If you want to blog online, use Facebook or Twitter or any other established social platform,
  Facebook and Twitter aren't really blogging platforms. Facebook comes close, but I stay off of it because I don't like many of their privacy (and other) actions. At best, Facebook is an add-on to a blog.
  Twitter is micro-blogging, not blogging. You can't post an in-depth article about your favorite subject on Twitter. Not, at least, without breaking it into a hundred consecutive tweets which would just be annoying.
  
  nobody sets up their own blog anymore, that is so early 21st century.
  I'm sorry, but I have to disagree. I use WordPress for my blogging activities because I can be guaranteed that my WordPress blog will be around 10 years from now (assuming I want to continue it). I can't guarantee that Facebook won't collapse in a few years or modify things to such a degree that my blog is unusable. Besides, if my blog was hosted by a third party service, they could disappear at any moment and I'd lose everything. My WordPress blog is backed up to my computer every night. If my hosting provider disappeared, I'd be momentarily inconvenienced (as I found a new provider and set everything back up), but I'd lose at most a day's worth of content.
  Whenever anyone comes to me looking to set up a site, I always recommend getting a hosting account and setting up their site, not sticking their site on some third party service. (A client of mine recently had one of their staff redesign their site without consulting me. It went from a WordPress site which did need some visual work done to a cookie cutter "webs.com" site with such brilliant ideas as having credit card information submitted on a HTTP form via e-mail. The guy who did it insisted he was a "web developer." Sadly, to him, this means "I can open this account and click where they tell me to click in the template.")
  
  --
  My sci-fi novel, Ghost Thief, is now available from Amazon.com.
7. Re:Wordpress should die by Jason+Levine · 2013-06-21 06:13 · Score: 1
  
  Of course, there are many security-related plugins for WordPress so I'd love to see a "SQL Injection Attack Detector" plugin that would scan other plugins and report to the admin/webmaster/whoever when it finds something. (Whoever wants to develop this, you can use my idea for just a lifetime license to your plugin.)
  Replying to my own comment, but after writing that, I did a quick search and found this plugin: BulletProof Security
  http://wordpress.org/plugins/bulletproof-security/
  It claims to protect against SQL Injection attacks. I can't vouch for it personally, but it did get 448 five star reviews out of 507 reviews. That's got to count for something. In any event, it goes to show that, while some plugins can cause trouble (via SQL injection openings and other bad coding), there are other plugins on the market designed to protect your WordPress website. No WordPress site should be set up without appropriate protections (the same as any non-WordPress site). In this case, "appropriate protections" might include some security plugins.
  
  --
  My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Anybody audit CPAN lately? by Medievalist · 2013-06-19 06:38 · Score: 1

Never use a module if you can possibly avoid it, and keep everything you use patched up to date.
That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.
Pulling in a dozen wordpress plugins (or a dozen CPAN modules, or the Ruby or Python equivalents) so you can avoid learning how to unpack a trivial format is the road to software maintenance hell...
1. Re:Anybody audit CPAN lately? by bill_mcgonigle · 2013-06-19 09:09 · Score: 1
  
  That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.
  Because one set of eyes always catches more bugs than thousands?
  Just use Foo:Bar qw(enBlob unBlob) to limit your surface.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Which Ones?!?! by Rob+Riggs · 2013-06-19 06:44 · Score: 5, Insightful

What an absolutely useless article and report. Scaremongering at its best, with no actionable content. Which plugins have vulnerabilities? Can they be mitigated through configuration changes or do they need to be disabled/uninstalled? What is the potential exposure? Those are the sort of things a computer professional needs. Where are the damned CVEs?

--
the growth in cynicism and rebellion has not been without cause
1. Re:Which Ones?!?! by kermidge · 2013-06-19 07:52 · Score: 1
  
  Giving useful infos would require having useful info, giving a shit, and having a mind to do it with. This way, the author gets web views, gets rep, gives a company name or two to establish bona fides, without really having to do anything. I might presume that asking the people who did the study might get you useful infos - perhaps even at a discount. Or maybe the relevant info is only for those in the know, not just casually anyone with a Word-Press powered site.
  Further if one is getting these plugins from "a reputable source" then why can't one have some assurance that said plugins have already been tested and vetted?
  Zedrick had some good points above about end-users. Expecting everyone on the bloddy web who puts up a site to be some elite webby pro is simply arrogant and unsupportable.
2. Re:Which Ones?!?! by Anonymous Coward · 2013-06-19 08:08 · Score: 0
  
  Finally someone said this. I'm not trying to troll and say Slashdot has lost this or that.. but look at the last of the post... one blanket statement and incomplete sentence that barely makes sense. I just get how they can post this crap, it was never this bad.
3. Re:Which Ones?!?! by Anonymous Coward · 2013-06-19 09:30 · Score: 0
  
  Unfortunately, the original report on which this story is based has all of the names redacted. However, it has descriptions, download count, and lines of code listed in a neat table. It's fairly easy to figure out which ones based on that info.
  http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
4. Re:Which Ones?!?! by dkre · 2013-06-19 21:32 · Score: 1
  
  The full report is here: http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf Posted above by xenoc_1
5. Re:Which Ones?!?! by Anonymous Coward · 2013-06-20 01:15 · Score: 0
  
  The report is incomplete, no names or versions are listed.
Re:The issue that I've noticed is with small busi. by Anonymous Coward · 2013-06-19 06:55 · Score: 0

Your first clue that they aren't serious about making money with the internet is that they wanted to use Wordpress. What a shame. No self respecting developer offers Wordpress as a solution unless they think the site is not going anywhere.
Re:The issue that I've noticed is with small busi. by lightknight · 2013-06-19 06:59 · Score: 2

Welcome to reality. Some people believe that the best way to 'get through life' is by being at the top of things...you may not know how to do anything, but you know how to pull the cord that does something. Some people believe that the best way to 'get through life' is by being the best you can be at something, even if you are terri-bad at everything else. Some people believe that the best way to 'get through life' is by being the best you can be at several somethings, even if you are not the absolute best. And so on.
The problem with small business owners is that they, in this instance, are running on the basis of some dime-store logic, and not the full diamond. "You need to look to cut costs everywhere" which has a corollary in the form of "You need to understand your art / business / science well enough to know when you are cutting costs, and when you are screwing yourself long-term." Unfortunately, this is typically lost on small-business owners, since they think that in order to get ahead of the game, they need to rush people / everything, because "time is money"; what is actually happening here is a programmer is trying to explain to them why what they are thinking about doing is going to cost them tens to hundreds of thousands of dollars, but their attention span won't allow them to spend five minutes to save themselves that money. Being the head of a small-business somehow leads one to believe that you need to act like every bad CEO / president / actor on TV you've ever seen, which means asking for bullet points and never seeming interested in the details.
WordPress is fine if you are running a blog. It's fine if you have a dedicated programmer on staff, and you are running a company that sells t-shirts with funny slogans over the internet. It can't be hacked into a better product...it doesn't work like that. If you aren't selling t-shirts, consider something else. Everyone will offer their favorite flavor of the month CMS (which, in common parlance, can be seen as a website that lets you add most new products / adjust prices without needing to hassle a programmer); many of them suck, and popular does not mean good. Do some research, see how much it would cost for a mid-range developer (look at the high-end of the reported salaries...those sites tend to lie) to know what it will look like if your website needs to be pulled out of the fire (manually); hopefully that will never happen...you'll open up a decent relationship with a good firm, choose the right CMS, and never have to worry about Plan B. Plan B, in case you are unawares, is when that firm disappears for whatever reason, and leaves you with a website that you need updated, but no one else is familiar with, but you absolutely, positively need someone to fix it, because otherwise your business is sunk.

--
I am John Hurt.
Oh no! by interval1066 · 2013-06-19 07:11 · Score: 1

My wordpress blog might get comprimised. Let me jump right on that little emergency...

--
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
THIS! by Chirs · 2013-06-19 07:16 · Score: 1

Otherwise, it might be possible to create something that is simultaneously a valid image file *and* valid PHP (or SQL, or whatever) code and bypass any checks that you add to validate the file.
+1 Insightful by mccrew · 2013-06-19 07:36 · Score: 1

Wish I had some mod points for you today.

--
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
Is this news, or just the general state of things? by water-and-sewer · 2013-06-19 07:56 · Score: 1

It seems like I read a version of this article about once a month. Seems like Wordpress is always not-too-far-away from some amazing catastrophe that will cause Western civilization to collapse.
I have been looking around for a new blog platform in order to redo my personal website, which is an aging Joomla 1.x system (and actually works fine, thank you very much, I just wish the URLs weren't so awkward). As far as I can tell, the entire rest of the world abandoned everything other than Wordpress, but actually I'd prefer something that didn't seem to be semi-permanently at risk of critical vulnerabilities due to crap plug-ins or whatever.
Right now, I'm looking favorably at serendipity, which seems simple and relatively safe. Joomla 2 isn't better in ways that interest me and worse in ways that do. I want no part of Drupal, and a lot of other stuff out there just isn't right for me. So, still looking actively at everything other than the blogging platform that is apparently in continous state of near catastophe.

--
If this were Usenet, I'd killfile the lot of you.
All except for Perl by Anonymous Coward · 2013-06-19 08:03 · Score: 0

Anything using that language will be coded with badly.
Wordpress is crap by pinkeen · 2013-06-19 09:42 · Score: 1

Wordpress is the most popular web publishing platform and, IMHO one of the worst implemented pieces software. Last time I looked their coding practices were ancient (even by PHP standards). I know that popular stuff attracts crappy coders, but it's so crappy that it either will force you to write crap or frustrate you so much that you don't even care.

The wordpress phenomenon never ceases to amaze me. I know it's nothing special, cause there's probably tons of crap in proprietary closed-source software that's even more popular - but then at least you can't see it.

The only fix is a rewrite and they won't do it because it would break compatibility. (Or something?)

DISCLAIMER: This post may be based on outdated knowledge. Maybe wordpress is state-of-the-art now with their shiny, perfect codebase.
Re:The issue that I've noticed is with small busi. by Geeky · 2013-06-20 03:46 · Score: 1

No, they're probably not serious about making money with the internet. They want to make money doing their core business and feel they need an internet presence to market it. I'd agree if selling online is a priority, Wordpress is not the way to go, but for a mostly brochure style site with a blog, it's fine.
I know someone who makes good money building Wordpress sites for small customers, and I've used it for a couple of personal sites and a small business site for a friend. It's not ideal, but it's relatively easy to hack (in the good sense of getting up to speed on customising it).

--
Sigs are so 1990s. No way would I be seen dead with one.
Re:Is this news, or just the general state of thin by Geeky · 2013-06-20 04:07 · Score: 1

I had a look at Concrete, but to be honest it's the ubiquity of Wordpress that appeals to me. I avoid plugins wherever possible, and the ones I do use are mainly on the admin and content creation side rather than presentation of content.
The popularity of it means that I can quickly find answers and code snippets when I want to do something, and I feel I have the experience to sort good suggestions from bad.

--
Sigs are so 1990s. No way would I be seen dead with one.