Millions At Risk From Critical Vulnerabilities From WordPress Plugins
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins."
It does seem that Wordpress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.
Just bad coding. Any language can be coded badly (some more easily or accidentally than others).
It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.
If I have been able to see further than others, it is because I bought a pair of binoculars.
According to the PDF, e-commerce plugins are in the list. I'm a bit surprised to see that, as I assumed developers would be thinking about security first with e-commerce.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
The solution is easy: hosting providers should be required to continuously run vulnerability scanners, and instantly take down any sites which have known vulnerabilities. As a bonus, it would clear out a lot of crap sites.
and anyone who uses it is seen as a complete joke by actual web developers like me.
So just like how you web monkeys... err... "developers" appear to programmers.
I'm sure they notified the plugin authors, just keep your plugins updated. Their PDF report has a description of the plugins (including lines of code and downloads), but blacks out the title.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
...morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey... ...actual web developers like me... ...beyond all hope. / . I think...
Yes, your mastery of HTML and websites is truly something to behold.
ohhhhh that's right, my second degree is in software programming with .NET and ASP
Read the reply right above you. Spoiler alert, I'm also an offline software programmer.
I used to be of the same opinion, but... I've been working in the hosting business for 10 years now, and that kind of attitude doesn't really work in real life.
It's 2013, most people (at least in developed countries with high IT penetration) have their own domain and website nowadays. Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron? Or the coin collector who doesn't care about computing but just wants to write about English hammered coins? Or the fishing club whose members want a nice looking site with a gallery and perhaps a public calendar? Or the girlfriend who wants to blog about cooking? Are they all morons?
Websites are not just for companies or IT-people anymore.
Also, Wordpress is way way better than it used to be a few years ago (unlike Joomla which is a total fail in every version). Since 3.5.1 was released, I've seen more customers hacked due to brute force logins than security exploits in outdated themes or plugins.
From where does one get a degree in .NET?
ohhhhh that's right, my second degree is in software programming with .NET and ASP
I believe the GP rests his/her case.
Great, Dice posts story from a corporate-software-industrial-complex advertorial mag, with a link to their so-called blog. Which ironically is running WordPress, along with a bunch of common plugins like "Yoast WordPress SEO plugin v1.4.7" and "All in One SEO Pack 1.6.14.6". Right there tells me how clueless they are about WordPress, because unless you have a damn good special reason, you do not want to be running two separate SEO plugins. LeadGen contact form plugin, a bunch of ad and analytics beyond the usual, and no apparent caching plugin. Oh, and no Google Authorship id done the correct way, despite both of those SEO plugins having "fill in the blank" prompting for it (they do have an XFN tag on their contact info but don't do the full Google social.)
For more laughs, their version of All-In-One SEO is downlevel. Exactly what Checkmarx themselves warn against. They are on 1.6.14.6, current version is 2.0.2.
Yeah, I'm gonna listen to them about WordPress security.
When you click through their blog to the actual PDF report, guess what? They redacted the names of all those "at-risk" plugins, noting only 6 by name. Four of which they claim took their advice and fixed the problem, and two (WP Super Cache and W3 Total Cache) which I recall getting fixes for months ago. Hot news. I guess that even though their supposed expertise is in scanning for vulnerabilities, they are not going to tell you which are at risk in the current environment, because you didn't pay them. Classic dipstick move. Total and utter unawareness of the karmic and $$ benefits of internet "gift culture", such as, the whole damn open source movement and the specific WordPress ecosystem in which they are supposedly expert.
But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as Cool vendor in application security.
ASP is "offline" programming? Since when?
Well, the problem is some of the more intelligent crackers out there have been upping their game recently...they have, if memory serves me correctly, found ways of getting websites to arbitrarily become a part of botnets. That's right, it's no longer just a matter of your website's database being compromised, with your liability ending with a broadcasted message to everyone telling them to change their passwords / check their credit cards...now your website, or rather the host machine that the website is running on, can be hijacked into DDOS'ing the DHS's main servers, or something equally tasteful. If repeated phone calls from the bank telling you to fix your website's code was enough motivation, then possibly a heart to heart talk with Agent Bob and Agent Rob will. And I'm sure the part where you tell them that you hired the lowest bidder to build the site (or just used the built-in), use a Mac because you're super-bad with computers (but still have a blog, because of that advertising money, amiright?), and that you have no idea how to fix it, and thus can't be held accountable for whatever has happened, will go over well with them. It'll be a real knee-slapper, you'll be laughing, they'll be laughing, and the whole thing will be cleaned right up inside of a week.
In other news, the DoJ may have found a use for all those crackers they plan on catching -> early-release program, clean-slate, provided they fix WordPress and help hunt down the old installs. Should keep them busy for the next several eons...
I am John Hurt.
People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.
The moment a company decides to use Wordpress as their underlying site "technology", its game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.
So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.
If you want to blog online, use Facebook or Twitter or any other established social platform, nobody sets up their own blog anymore, that is so early 21st century.
I haven't thought of anything clever to put here, but then again most of you haven't either.
Never use a module if you can possibly avoid it, and keep everything you use patched up to date.
That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.
Pulling in a dozen wordpress plugins (or a dozen CPAN modules, or the Ruby or Python equivalents) so you can avoid learning how to unpack a trivial format is the road to software maintenance hell...
What an absolutely useless article and report. Scaremongering at its best, with no actionable content. Which plugins have vulnerabilities? Can they be mitigated through configuration changes or do they need to be disabled/uninstalled? What is the potential exposure? Those are the sort of things a computer professional needs. Where are the damned CVEs?
the growth in cynicism and rebellion has not been without cause
He won that degree from a claw game.
Welcome to reality. Some people believe that the best way to 'get through life' is by being at the top of things...you may not know how to do anything, but you know how to pull the cord that does something. Some people believe that the best way to 'get through life' is by being the best you can be at something, even if you are terri-bad at everything else. Some people believe that the best way to 'get through life' is by being the best you can be at several somethings, even if you are not the absolute best. And so on.
The problem with small business owners is that they, in this instance, are running on the basis of some dime-store logic, and not the full diamond. "You need to look to cut costs everywhere" which has a corollary in the form of "You need to understand your art / business / science well enough to know when you are cutting costs, and when you are screwing yourself long-term." Unfortunately, this is typically lost on small-business owners, since they think that in order to get ahead of the game, they need to rush people / everything, because "time is money"; what is actually happening here is a programmer is trying to explain to them why what they are thinking about doing is going to cost them tens to hundreds of thousands of dollars, but their attention span won't allow them to spend five minutes to save themselves that money. Being the head of a small-business somehow leads one to believe that you need to act like every bad CEO / president / actor on TV you've ever seen, which means asking for bullet points and never seeming interested in the details.
WordPress is fine if you are running a blog. It's fine if you have a dedicated programmer on staff, and you are running a company that sells t-shirts with funny slogans over the internet. It can't be hacked into a better product...it doesn't work like that. If you aren't selling t-shirts, consider something else. Everyone will offer their favorite flavor of the month CMS (which, in common parlance, can be seen as a website that lets you add most new products / adjust prices without needing to hassle a programmer); many of them suck, and popular does not mean good. Do some research, see how much it would cost for a mid-range developer (look at the high-end of the reported salaries...those sites tend to lie) to know what it will look like if your website needs to be pulled out of the fire (manually); hopefully that will never happen...you'll open up a decent relationship with a good firm, choose the right CMS, and never have to worry about Plan B. Plan B, in case you are unawares, is when that firm disappears for whatever reason, and leaves you with a website that you need updated, but no one else is familiar with, but you absolutely, positively need someone to fix it, because otherwise your business is sunk.
My wordpress blog might get compromised. Let me jump right on that little emergency...
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
Otherwise, it might be possible to create something that is simultaneously a valid image file *and* valid PHP (or SQL, or whatever) code and bypass any checks that you add to validate the file.
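The upload handling both of these comments describe (trusting a .gif extension, and the polyglot that is simultaneously a valid image and valid PHP) is a good place for a concrete defensive pattern. The following is an added example, not code from the thread or from WordPress; it assumes PHP 8 with the fileinfo and GD extensions loaded, and a hypothetical `$storeDir` that the web server never hands to the PHP interpreter.

```php
<?php
// Added example: accept an uploaded image by inspecting its bytes rather than
// its filename, then re-encode it so that a polyglot (valid GIF *and* valid
// PHP) cannot survive the round trip. Assumes the fileinfo and GD extensions.

// Extension is chosen from the MIME type we detect ourselves, never from the
// name the client sent.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Returns the stored path on success, throws on any rejection.
 * $tmpPath  : the file PHP placed in its upload temp dir ($_FILES[...]['tmp_name']).
 * $storeDir : a directory that is outside the web root or has PHP execution
 *             disabled (hypothetical, supplied by the caller).
 */
function store_uploaded_image(string $tmpPath, string $storeDir): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Sniff the real MIME type from the content; ignore the client's filename.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("unsupported type: $mime");
    }

    // 2. A magic-number match is not proof: "GIF89a" followed by <?php ... ?>
    //    still sniffs as image/gif. Decode the pixels and write a fresh file
    //    from them; anything that is not pixel data is dropped on the way.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('file does not decode as an image');
    }

    // 3. Random server-chosen name, extension derived from the detected type.
    $ext  = ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    $ok = match ($ext) {
        'png' => imagepng($img, $dest),
        'jpg' => imagejpeg($img, $dest, 90),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $dest;
}
```

Re-encoding removes the payload from this particular trick, but the setting that makes any stray script harmless is the one in the comment on `$storeDir`: uploads must live somewhere the server will not execute them.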
Wish I had some mod points for you today.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
It seems like I read a version of this article about once a month. Seems like Wordpress is always not-too-far-away from some amazing catastrophe that will cause Western civilization to collapse.
I have been looking around for a new blog platform in order to redo my personal website, which is an aging Joomla 1.x system (and actually works fine, thank you very much, I just wish the URLs weren't so awkward). As far as I can tell, the entire rest of the world abandoned everything other than Wordpress, but actually I'd prefer something that didn't seem to be semi-permanently at risk of critical vulnerabilities due to crap plug-ins or whatever.
Right now, I'm looking favorably at serendipity, which seems simple and relatively safe. Joomla 2 isn't better in ways that interest me and worse in ways that do. I want no part of Drupal, and a lot of other stuff out there just isn't right for me. So, still looking actively at everything other than the blogging platform that is apparently in a continuous state of near catastrophe.
If this were Usenet, I'd killfile the lot of you.
A few years ago I hated Wordpress. At that time the project I was on chose MovableType for the basis of its CMS/blogging platform. Well recently I was asked to put the backend into place for another company that was producing content. We looked at several options, but Wordpress was the one that as we checked off the list of required features had basically what we were looking for item for item. And frankly I've been rather impressed with Wordpress this go around. Many of the complaints I had from a few years ago have been addressed. After all, the content is what is driving sales and revenue for this project, not the technology platform.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
HTML is dogshit. CSS is catshit. Together they make two-tone shitty shit with a shit chaser.
Wordpress is the most popular web publishing platform and, IMHO, one of the worst implemented pieces of software. Last time I looked their coding practices were ancient (even by PHP standards). I know that popular stuff attracts crappy coders, but it's so crappy that it either will force you to write crap or frustrate you so much that you don't even care.
The wordpress phenomenon never ceases to amaze me. I know it's nothing special, cause there's probably tons of crap in proprietary closed-source software that's even more popular - but then at least you can't see it.
The only fix is a rewrite and they won't do it because it would break compatibility. (Or something?)
DISCLAIMER: This post may be based on outdated knowledge. Maybe wordpress is state-of-the-art now with their shiny, perfect codebase.
I won the US national AITP programming competition in college. I also was the only person to get a 105% perfect score on the advanced VB programming 9-week project. Keep em coming you condescending asshole. You're only getting more wrong.
and C# and C++
I was actually a C# tutor on the college's payroll since I got a perfect grade in the class too by the way.
... of javashit ... er, I mean, javascript.
No, they're probably not serious about making money with the internet. They want to make money doing their core business and feel they need an internet presence to market it. I'd agree if selling online is a priority, Wordpress is not the way to go, but for a mostly brochure style site with a blog, it's fine.
I know someone who makes good money building Wordpress sites for small customers, and I've used it for a couple of personal sites and a small business site for a friend. It's not ideal, but it's relatively easy to hack (in the good sense of getting up to speed on customising it).
Sigs are so 1990s. No way would I be seen dead with one.
Do these unqualified people know how to use the line break tag?
I had a look at Concrete, but to be honest it's the ubiquity of Wordpress that appeals to me. I avoid plugins wherever possible, and the ones I do use are mainly on the admin and content creation side rather than presentation of content.
The popularity of it means that I can quickly find answers and code snippets when I want to do something, and I feel I have the experience to sort good suggestions from bad.
Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron?
Yes, if she expects to take on the role of webmaster and developer, with zero technical experience. I absolutely call that a moron. It's the equivalent of that same lady trying to build a kit car, which then loses a wheel and explodes rolling out of the driveway.
The right thing for her to do is find a qualified individual or company to create the site for her, if she wants that level of customization and control. Otherwise, she belongs on Blogger or Facebook, where she can post her cat pictures, but doesn't need technical skills beyond manipulating a GUI.