Millions At Risk From Critical Vulnerabilities From WordPress Plugins
First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins."
It does seem that Wordpress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.
Just bad coding. Any language can be coded badly (some more easily or accidentally than others).
It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.
If I have been able to see further than others, it is because I bought a pair of binoculars.
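The safe alternative the comment alludes to, as an added example (not code from the thread or from WordPress): validate the upload by its actual bytes, store it under a name you control, and serve it with readfile() rather than ever including it. The function names and the $uploadDir location are assumptions for illustration.

```php
<?php
// Added example, not code from the thread or from WordPress; names are illustrative.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'image/gif',
    IMAGETYPE_JPEG => 'image/jpeg',
    IMAGETYPE_PNG  => 'image/png',
];

// Returns the MIME type if $path really is an allowed image, else null.
// The filename extension is deliberately never consulted.
function detectImageType(string $path): ?string
{
    $info = @getimagesize($path);                 // parses real header bytes
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);        // second opinion from libmagic
    return $finfo->file($path) === ALLOWED_IMAGE_TYPES[$info[2]]
        ? ALLOWED_IMAGE_TYPES[$info[2]] : null;
}

// Moves a validated upload (one $_FILES entry) out of the web root under a
// random name whose extension comes from the detected type, not the client.
function storeImageUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = detectImageType($file['tmp_name']);
    if ($mime === null) {
        return null;                               // e.g. PHP source named cat.gif
    }
    $ext  = image_type_to_extension(array_search($mime, ALLOWED_IMAGE_TYPES, true));
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Streams a stored image as bytes: readfile() never interprets the file,
// which is the whole difference from include()/require()/eval().
function serveImage(string $path): void
{
    $mime = detectImageType($path);
    if ($mime === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Keeping $uploadDir outside the document root means that even a file which slips past both parsers is never reachable as a script URL, only as bytes streamed by serveImage().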
According to the PDF, e-commerce plugins are in the list. I'm a bit surprised to see that, as I assumed developers would be thinking about security first with e-commerce.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
The solution is easy: hosting providers should be required to continuously run vulnerability scanners, and instantly take down any sites which have known vulnerabilities. As a bonus, it would clear out a lot of crap sites.
ohhhhh that's right, my second degree is in software programming with .NET and ASP
Read the reply right above you. Spoiler alert, I'm also an offline software programmer.
I used to be of the same opinion, but... I've been working in the hosting business for 10 years now, and that kind of attitude doesn't really work in real life.
It's 2013, most people (at least in developed countries with high IT penetration) have their own domain and website nowadays. Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron? Or the coin collector who doesn't care about computing but just wants to write about English hammered coins? Or the fishing club whose members want a nice looking site with a gallery and perhaps a public calendar? Or the girlfriend who wants to blog about cooking? Are they all morons?
Websites are not just for companies or IT-people anymore.
Also, Wordpress is way way better than it used to be a few years ago (unlike Joomla which is a total fail in every version). Since 3.5.1 was released, I've seen more customers hacked due to brute force logins than security exploits in outdated themes or plugins.
From where does one get a degree in .NET?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Great, Dice posts story from a corporate-software-industrial-complex advertorial mag, with a link to their so-called blog. Which ironically is running WordPress, along with a bunch of common plugins like "Yoast WordPress SEO plugin v1.4.7" and "All in One SEO Pack 1.6.14.6". Right there tells me how clueless they are about WordPress, because unless you have a damn good special reason, you do not want to be running two separate SEO plugins. LeadGen contact form plugin, a bunch of ad and analytics beyond the usual, and no apparent caching plugin. Oh, and no Google Authorship id done the correct way, despite both of those SEO plugins having "fill in the blank" prompting for it (they do have an XFN tag on their contact info but don't do the full Google social.)
For more laughs, their version of All-In-One SEO is downlevel. Exactly what Checkmarx themselves warn against. They are on 1.6.14.6, current version is 2.0.2.
Yeah, I'm gonna listen to them about WordPress security.
When you click through their blog to the actual PDF report, guess what? They redacted the names of all those "at-risk" plugins, noting only 6 by name. Four of which they claim took their advice and fixed the problem, and two (WP Super Cache and W3 Total Cache) which I recall getting fixes for months ago. Hot news. I guess that even though their supposed expertise is in scanning for vulnerabilities, they are not going to tell you which are at risk in the current environment, because you didn't pay them. Classic dipstick move. Total and utter unawareness of the karmic and $$ benefits of internet "gift culture", such as, the whole damn open source movement and the specific WordPress ecosystem in which they are supposedly expert.
But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as Cool vendor in application security.
Well, the problem is some of the more intelligent crackers out there have been upping their game recently...they have, if memory serves me correctly, found ways of getting websites to arbitrarily become a part of botnets. That's right, it's no longer just a matter of your website's database being compromised, with your liability ending with a broadcasted message to everyone telling them to change their passwords / check their credit cards...now your website, or rather the host machine that the website is running on, can be hijacked into DDOS'ing the DHS's main servers, or something equally tasteful. If repeated phone calls from the bank telling you to fix your website's code were enough motivation, then possibly a heart to heart talk with Agent Bob and Agent Rob will. And I'm sure the part where you tell them that you hired the lowest bidder to build the site (or just used the built-in), use a Mac because you're super-bad with computers (but still have a blog, because of that advertising money, amiright?), and that you have no idea how to fix it, and thus can't be held accountable for whatever has happened, will go over well with them. It'll be a real knee-slapper, you'll be laughing, they'll be laughing, and the whole thing will be cleaned right up inside of a week.
In other news, the DoJ may have found a use for all those crackers they plan on catching -> early-release program, clean-slate, provided they fix WordPress and help hunt down the old installs. Should keep them busy for the next several eons...
I am John Hurt.
What an absolutely useless article and report. Scaremongering at its best, with no actionable content. Which plugins have vulnerabilities? Can they be mitigated through configuration changes or do they need to be disabled/uninstalled? What is the potential exposure? Those are the sort of things a computer professional needs. Where are the damned CVEs?
the growth in cynicism and rebellion has not been without cause
Welcome to reality. Some people believe that the best way to 'get through life' is by being at the top of things...you may not know how to do anything, but you know how to pull the cord that does something. Some people believe that the best way to 'get through life' is by being the best you can be at something, even if you are terri-bad at everything else. Some people believe that the best way to 'get through life' is by being the best you can be at several somethings, even if you are not the absolute best. And so on.
The problem with small business owners is that they, in this instance, are running on the basis of some dime-store logic, and not the full diamond. "You need to look to cut costs everywhere" which has a corollary in the form of "You need to understand your art / business / science well enough to know when you are cutting costs, and when you are screwing yourself long-term." Unfortunately, this is typically lost on small-business owners, since they think that in order to get ahead of the game, they need to rush people / everything, because "time is money"; what is actually happening here is a programmer is trying to explain to them why what they are thinking about doing is going to cost them tens to hundreds of thousands of dollars, but their attention span won't allow them to spend five minutes to save themselves that money. Being the head of a small-business somehow leads one to believe that you need to act like every bad CEO / president / actor on TV you've ever seen, which means asking for bullet points and never seeming interested in the details.
WordPress is fine if you are running a blog. It's fine if you have a dedicated programmer on staff, and you are running a company that sells t-shirts with funny slogans over the internet. It can't be hacked into a better product...it doesn't work like that. If you aren't selling t-shirts, consider something else. Everyone will offer their favorite flavor of the month CMS (which, in common parlance, can be seen as a website that lets you add most new products / adjust prices without needing to hassle a programmer); many of them suck, and popular does not mean good. Do some research, see how much it would cost for a mid-range developer (look at the high-end of the reported salaries...those sites tend to lie) to know what it will look like if your website needs to be pulled out of the fire (manually); hopefully that will never happen...you'll open up a decent relationship with a good firm, choose the right CMS, and never have to worry about Plan B. Plan B, in case you are unawares, is when that firm disappears for whatever reason, and leaves you with a website that you need updated, but no one else is familiar with, but you absolutely, positively need someone to fix it, because otherwise your business is sunk.
I am John Hurt.
HTML is dogshit. CSS is catshit. Together they make two-tone shitty shit with a shit chaser.