Joomla SQL-Injection Flaw Affects Millions of Websites

An anonymous reader writes: Joomla has just issued a patch that fixes a SQL-injection vulnerability discovered by a researcher at Trustwave SpiderLabs. The flaw allowed malicious users to extract a browser cookie assigned to a site's administrator, giving them access to restricted parts of the server. The flaw first appeared in Joomla 3.2, released in November, 2013. An estimated 2.8 million websites rely on Joomla. The Joomla team and the researcher who found the flaw recommend an immediate update to version 3.4.5.

php frameworks

If your still using php coupled with a framework or not, you should probably check out nodejs and nedb or mongo db. This would be impossible with a proper database, sql is decades old and should be retired at this point, php as well.

Re: php frameworks

Hey Apple fanboi. I'm hardly a fan of PHP but if you think node is the solution to all hacks you're in serious need of an education.

Re: php frameworks

Lol! Nothing leads to exploits like an untyped language.

Re:php frameworks

Preventing SQL injection attacks is trivially easy with very modest understanding of what you're doing.

Suggesting that they ditch one technology for another as a cure-all makes you part of the problem. Rather than try and understand what is going on, you'd rather have a language and/or framework handed to you that promises to solve everything. It is this mindset that results in pants-on-head stupid bugs to reach production.

Re: php frameworks

educate me as to how an object database is easier to compromise than an sql.

Because as far as I can see, you are speaking from your derriere sir

Re:php frameworks

What is going on is that when the language was created they didn't think of this scenario hard enough and it's architecture allows injection.

I think a proper cure all would be to drop the old vulnerable language and use one which is not vulnerable. I am apparently an alien for having such logic. strange.

Re: php frameworks

[behrooz0az]

It's not easier.
But objectively speaking, bad coders write bad code no matter what kind of database or programming language you give them. They mess up

Re: php frameworks

[behrooz0az]

nice, encoding fail. There is a trade-mark character at the end of that post.

Re: php frameworks

So even though I came up with the correct solution, you did not, and you have no idea how an object database would be compromised your still trying to stand by your point instead of just saying 'yes, you are correct i should be using better technology to do a better job'

and your implying I am a poor coder? I believe the opposite is true.

I can grow and change with new code, ideas, and methods, your stuck in what you know and don't want to ever leave even if it doesn't work very well.

Re: php frameworks

do you commit code to production as thoughtlessly as you skip over the 'preview' when answering comments on Schlitzpunkt?

Re:php frameworks

[JustAnotherOldGuy]

Lol, I just love sweeping statements like this, made under "Anonymous Coward", of course.

Re: php frameworks

Schlitzpunkt

I think you mean Solidusfullstop.

Re: php frameworks

The 'kill it with fire' approach my be appropriate for a personal website or a small corporate 'brochureware' site, but in the real world people need to support production code without rebuilding it based on whims of the latest 'architect'. However, those that would put in place new 'PHP solutions' should be hunted for sport.

Re: php frameworks

Lol! Is your first name "Tard"?

Re: php frameworks

[U2xhc2hkb3QgU3Vja3M]

Watch out, maybe his last name is "is".

Re:php frameworks

[Aethedor]

PHP has nothing to do with it. PHP is just as secure / insecure as any other language. It's the fact that PHP is easy to learn, easy to use and easy to deploy that attracts many people, including noobs. It's the noobs that cause the problems.

To prove that PHP can be used to create a rock solid and secure website, take a look at the Banshee PHP Content Management Framework. I dare you to try it. You will be suprised by its security, flexibility, easiness and speed.

Re: php frameworks

I struggle to believe this, because your grasp of grammar and punctuation is poor. I have met many competent people who write like you, and I am not suggesting you aren't highly intelligent, but what I will say is, I've never met a great developer who writes like you. (I'm going to guess that english is your first language, too, because most non-native-speaking developers I have encountered can write better than this.)

Re: php frameworks

Typing style has nothing to do with SQL injection, since it's how the query is passed to the parser. PHP also has ways of checking type, but you shouldn't use them to write queries--use the mechanism supplied by the database instead.

Re: php frameworks

Except in PHP even good coders are prone to bad practices. Because PHP is not a programming language, it's a disease. I am a professional senior software engineer with 25+ years of experience and I am not touching anything that has PHP on it, inside it, near it or is however related to it. In fact I am aggressively declining work offers that involve PHP (so as not to be contacted again). It is like being asked to work with cancer cells without proper protection gear. Any professional with a bit of pride will do the same. Eventually we will rid the planet of anything PHP, including Facebook.

Re: php frameworks

I applaude the thought and intention. Just a correction though, PHP is not a language. Even the thing's creator says so. Let's stop calling it what it is not and instead call it for what it is: the web's disease. In fact we should have it legally banned, and put people who use it in jail for good for they are a threat to humanity.

Re: php frameworks

Blah blah blah. I've been writing software for over 30 years. Yes PHP is garbage just as JavaScript is garbage. SQL is not the issue bad programmers like the poster who suggested node as a solution are the problem.

Re: php frameworks

Sorry but you are wrong. I bet you $10000 that this very content management system has a securty whole somewhere as large as anything which is due to some behavior of PHP. PHP is inherently unsecure and it should be legally banned from being used in anything software. As for languages & frameworks that are inherently secure and still easy to pick up, try RoR, Python/Flask or Django.

Re: php frameworks

I'm in a similar position to you in terms of my experience and while I fully (or at least mostly) understand the flaws in PHP I don't expect very much from a scripting language to begin with. I believe that when it's done properly it's an adequate solution for many situations. There are certainly better tools from a programming perspective but from a product production perspective PHP is just one tool available in the box. I know mission critical projects that rely exclusively on VBA for instance. It's not elegant or even good but it works as required. PHP is not my first choice for ground-up projects (far from it) but I find it to be a very rapid tool to use to create a front-end for a distributed database for example. If I'm creating something from the ground up then I'll avoid it but that's not always the position I'm in. I fundamentally don't understand hatred of a single language or approach, I feel like I've got better things to get my knickers in a knot over. If I'm asked to work on a project that I feel is fundamentally flawed (which is quite a few to date) then I'll state my concerns and see how they're interpreted. If I'm ignored then I'll pass up the project, if not then I can find better approaches if necessary, this seems to me to be the most pragmatic method of selection.

Also: cancer isn't contagious.

Re: php frameworks

Parameterized queries do since SQL problems and only idiots use strong concatenation for queries.

$A = "PHP";
$B = 5;
$C = " is garbage ";

$result = $B + $C;
$result = $A + $result;

Let's face it... It's just error prone junk! And yes, I've worked with PHP a very long time. Thank god those days are over.

Re: php frameworks

[Aethedor]

The bet is on! Bring it on. I double dare you!! And if you're as tough as you sound, in time you will admit you are wrong.

Re:php frameworks

Oh, you need to replace this with a real_escape, because some moron thought it was a good idea to keep this trash instead of actually designing a consistent language.

Re: php frameworks

It is not the SQL databases that are a security issue.

It is the use of substandard languages like PHP to create statements and a whole lot of stupidity.

NoSQL has its place and when I use it, I just use Postgres because it is much faster than mongodb. The only NoSQL type I probably wouldn't use it for are for graph databases, which are fairly esoteric.

PHP is shit, but server-side JS is not that much better.

Re:php frameworks

I've just had a quick look at this. I really don't think this is a silver bullet. It's probably better than Joomla (not exactly setting the bar high here though) and the code is fairly clean to look at from my quick poking through on their github. The documentation is very scarce, so this spiel is from me skimming through their source code. I may have gotten some of this wrong; please rebut me if so.

Apologies for anon, I've been lurking on slashdot for years and really can't be bothered to make an account. I've been writing PHP and Javascript for money for about 10 years now along with smidgens of C, C#, Erlang, Ruby/Rails and Actionscript here and there.

The only real security advantages over any other PHP framework I can see is that it has been audited by a "Dutch IT security company" and that it prevents cross site request forgery (and to be honest, I'm just going on the fact that it calls a prevent_csrf function in the index.php entry point on that one).

The front page also claims to also prevent XSS and SQL injection, but from glancing through the code, I really can't see anything that actually does that. The only things I've seen that are even vaguely to do with this are that the views are rendered with XML and XSLT instead of raw HTML littered with <?= $somevar; ?> and the fact that they use mysqli->bind and mysqli->execute throughout their code.

Saying this up front; I've never used XSLT. I've sure read a fair amount about it and had to use various XML libraries and technologies built on top of XML. I've never heard of XSLT somehow magically preventing XSS - although to be fair ANYTHING is better than using core PHP. I'm not even sure how the heck you WOULD 100% guarantee that there's can never be XSS short of parsing your own views and working out what (potentially nested) context you're in when doing your string replacements and using the appropriate escaping. One thing I do know though; anytime you involve XML in ANYTHING you're opening yourself up to a new pantheon of weird and wonderful security vulnerabilities (xpath injection, external DTDs etc., etc.) that you need to take into account. I'd imagine XSLT is no exception. Someone PLEASE correct me if I'm wrong here, like I said, XSLT noob and genuinely interested in how the hell you would completely eliminate XSS without dragging your performance into the gutter.

As for the SQL Injection prevention; the framework uses parametised queries. Good Job! It also doesn't do any of the SELECT ... WHERE IN binding shenanigans that most frameworks do either*. This is also good. What is this framework doing to stop developers from shooting themselves in the foot when they're writing THEIR queries? Most frameworks handle this by discouraging their users from having to write SQL queries in the first place with some kind of ORM or something similar. It still has the problem of making the developer have to remember to bind parameters from I can see. Anytime a programming environment makes the developer have to be vigilant of something, it's guaranteed that someone, somewhere is going to screw it up.

Aside from the security side of things, there's also some major problems with this framework in terms of actually using it in a large/constantly evolving project that would put me off using it.

Firstly, from what I can tell, you WILL have to fork this framework eventually if you use it. There is no separation going on between the various page/cms/whatever models/views/controllers and the core system. They're in the same repository and there's no kind of module system that allows you to override them. You want to change any of them? You now get to choose between maintaining your own fork of the files changed (which won't do any kind of automatic merging of updates from upstream) or maintaining your own fork of the whole framework (which will periodically require you to deal with merge conflicts). Surely these should be split up into different repositories that would let you mix and match which ones you

Re: php frameworks

I am a professional

Not based on the above post of yours, you aren't. While you make several good points, your method of doing so is not professional at all.

(Note that I do agree with several things you said, but not all, and certainly not with your way of saying it. And, after all, how you conduct yourself is an important part of being professional, so it is relevant.)

Re: php frameworks

[KGIII]

This folks is why, just the other day, I decided to create my magnum opus. I will write, and give away, a CMS - free for the taking, truly libre in every sense of the word. I'm going to do it in uncommented Perl with as few lines as possible.

I expect to be a few months brushing up my skills but, damn it, it's going to be flat text file databases - everywhere. Imma store plain text passwords in plain text files. And I'm going to give it away.

You may think I'm kidding. I'm not. I just really, really, don't like you that much.

Re: php frameworks

Oh I have been writing code for 30 years, on platforms embedded to large-scale mainframes, if a pissing contest is what you are after. See, SQL injections are not something any sane programmer wants to deal with on a daily basis. And no sane manager wants his coders to do that either because it is entirely unproductive work and above all risky to the point of risking your business at large. What you want is the ensuring trust in your tools that they handle all edge cases well as long as you stay in the standard. The trouble with PHP is that there is no standard: it all depends on a meriad of settings, compiler flags and circumstances. Hence a disease, not a tool. It's people like you who try to deflect the problem by claiming to be know-it-all-geniuses, giving management the false sense of grandess by employing the likes of you.

Re: php frameworks

What does nodeJs have to do with apple?

I run nodeJs on a proper linux system, though it runs on windows and apple. I've never actually used a Mac computer before.

I'm running ubuntu at the moment.

Re:php frameworks

All your fancy nosql databases are only useful once you pay another company hundreds of thousands of dollars to convert them in to SQL databases to run your queries against.

Re:php frameworks

[Aethedor]

Take a look at the security_audit script. Run it and it will tell you what needs your attention with respect to SQL injection and cross-site scripting.

XSLT prevents XSS, because every output will be escaped by default. Printing output as it is (printing HTML tags unescaped) requires adding the XML parameter 'disable-output-escaping="yes"'. By doing so, you are clearly warned. Fuck it up and it is clearly your own stupid mistake.

SQL injection is prevented the same way. The SQL library won't accept queries with quotes. The security_audit script sees when variables (possible user-input) is used to create a query string. Yes, SQL injection can be done by doing so, but if you chose to ignore the warnings, it's your own fault.

Banshee also has a good session library. Unlike the session handling in many other frameworks, this one works transparent with $_SESSION and stops session hijkacing.

No, there is no reason for me to fork it. The approach is simply different from many other frameworks. Others require to update/patch of a regular basis. In Banshee, the core libraries don't change much. They're safe and good. Just unzip the tarball, remove the default modules you don't need, add your own custom modules and the website is done. Many other frameworks allow you to run many websites with just one CMS installation. That's insane. With Banshee, every website has its own separate codebase. Who cares about a few MB's of harddisk space these days. It's harddisk space vs the certainty that my website remains stable. Updating the core CMS code because one website requires it might break others. Because of that, I happily waste a few MB's on my terrabyte harddisk to gain a lot of certainty and stability.

No, Banshee is not the ultimate solution or the silver bullet. But it is rock solid, fast and proven secure. I've built many websites with it, never needed to update / patch any of them and they all run or ran for many years without any trouble or any hack. And yes, many of them have seen a lot of hack attempts. And that's worth a lot to me. No Wordpress, Drupal or Joomla user can say the same thing.

Re: php frameworks

Which part of my above comment did you consider not to be of a professional nature? Calling PHP for what it is? Clearly stating reality as I see it? Distancing myself from technology that I consider not fit for purpose? The use of language that any non-techie understands, as opposed to those that claim "it's not the language it's the people", which does nothing but to cause further investment into non-viable technology? I fully stand by my statements. You may disagree with my arguments, or the use of language, or the overall position I take. However, this is certainly no basis for you to argue on moral grounds.

Re:php frameworks

Yeah because injection exploits are impossible with javascript and CRUD?

Re: php frameworks

[epyT-R]

any side JS is not much better.

Re: php frameworks

Maybe we should just stop trying to build 'web apps' and kill off all these 'languages'.

Re: php frameworks

Ruby? Python? gak. Slow as molasses.

Re:php frameworks

Take a look at the security_audit script. Run it and it will tell you what needs your attention with respect to SQL injection and cross-site scripting.

Why isn't the static analysis tools not mentioned in the documentation? I completely missed out on this because literally the only thing on the site that mentions it is the homepage which says "Since version 1.7, a security auditing script is included to verify that changes made to the framework have not introduced a security bug.". To me, that suggests that they run their own auditing script on their framework rather than it being a static analysis tool for the user.

Anyway, I've looked at it. It does three things:

• Warn on use of mysql_* functions and friends (does this correctly)
• Warn on use of the "don't escape me" clause in the xml+xslt (does this correctly)
• Warn on use of variables in mysql queries (fucks this up horribly)

There is so much wrong with how its doing the last part I'm amazed it works at all.

The core problem with it is that it's parsing PHP with regular expressions. This doesn't work. Regular expressions are for parsing regular grammars. PHP is not a regular grammar, it is a context sensitive grammar. You can do things like write recursive clauses in PHP which cannot be expressed in a regular expression (please don't mention perl extensions like lookarounds, you can handle a lot of non-regular cases with these but they're really ugly and really slow).

Here's some examples which will break this static analysis tool:

$ab2 = 'select * from ...'; //it assumes variable names cannot contain numbers when searching for variable declerations
$query .= " WHERE foo = $foo"; //it only looks for variable declerations, not modifications in the regex it uses... it looks for .s that the regex can never match for some reason
$this->db->query("Select all from table where name IN (\"foo\", \"bar\") AND foo = $bar"); //It can't handle nested ")s because regexes

It really needs to be using this for its parsing: https://github.com/nikic/PHP-Parser and working off the abstract syntax tree it spits out. Rather than regexes.

XSLT prevents XSS, because every output will be escaped by default. Printing output as it is (printing HTML tags unescaped) requires adding the XML parameter 'disable-output-escaping="yes"'. By doing so, you are clearly warned. Fuck it up and it is clearly your own stupid mistake.

Does this include if it is used to spit out tainted data inside of contexts besides html text nodes/element attributes? The problem with XSS is that different contexts have different escaping rules. How would it cope with this example (convert from html)?

<a onclick="alert("<?= $foo ?>");">Say $foo</a>

(Yes, I know its a horrible example, but its something that nests contexts)

Most non-PHP frameworks I've worked with (such as rails) do the correct thing of defaulting to the secure behaviour (escaping all values as they're passed into the view) instead of the insecure behaviour PHP does (spit out the value as is). The problem is that they all assume they're inside a html text node, as they only see a string, instead of some kind of abstract syntax tree that can be used to work out the current context and apply the correct escaping behaviour.

SQL injection is prevented the same way. The SQL library won't accept queries with quotes. The security_audit script sees when variables (possible user-input) is used to create a query string. Yes, SQL injection can be done by doing so, but if you chose to ignore the warnings, it's your own fault.

See above.

Banshee also has a good session library. Unlike the session handling in many other frameworks, this one works transparent with $_SESSION and stop

Re: php frameworks

PHP & PDO much? If you fail with that, it's not about the language.

Re: php frameworks

Not quite. Cancer is (very) rarely contagious. But there are contagious cancers in animals and records of cancers being transmitted in humans.

Everything else you said... yep.

Re: php frameworks

Rails is not inherently secure, and insecure Rails apps have definitely been written. Early on, though they professed their expertise, they had to be schooled on the difference between GET and POST and why one should never use GET if the action was not idempotent.

Security can be a function of a language but it doesn't end with the language. Rails has no inherent security, just libraries built with good practice.

Re: php frameworks

Your true colors are showing now. You must realize, as soon as you mention RoR, any real programmer will fall over laughing at you. Nice try kiddo, pretty good troll.

Re: php frameworks

PHP is inherently unsecure and it should be legally banned from being used in anything software. As for languages & frameworks that are inherently secure and still easy to pick up, try RoR, Python/Flask or Django.

It's obvious that you're being a troll here, but I've got five minutes to spare, so what the heck, I'll bite.

This whole "PHP is inherently unsecure" thing is a pile of steaming bulls**t.

PHP *used to be* inherently insecure. It used to have features like "register globals" and you used to have to use the addslashes() function for SQL escaping. and.. and.. and.. And it's all been removed. The genuinely insecure stuff that created this reputation is no longer a part of the language.

Yes people do still mock it for some of the remaining quirks, and I'm with them on that. But you gotta get off that wagon of mocking its security because it really is a non-issue now. The PHP language today is barely recognisable from the PHP of a decade ago.

If people are still writing poor quality code in PHP, it can no longer be labelled as PHP's fault. Those kind of people would (and do!) write crap code in every language. PHP gets more than its share of those people because of its low barriers to entry, but that in itself isn't a problem with the language.

Re: php frameworks

Except when you Google PHP and how to access databases, nothing about PDO comes up. All of the example code and tutorials are SQL injection friendly. The community around PHP is toxic.

Re: php frameworks

> no longer part of the language

Nice try (language? Mess!).
This top answer on quora explains it nicely,
https://www.quora.com/Why-is-PHP-hated-by-so-many-developers

Re: php frameworks

In fact, within a system cancer is highly contagious. The web is a system, clearly, and it is ill with the likes of Joomla or generally with PHP, in large parts.

Re: php frameworks

[behrooz0az]

You would get an object oriented database (not a particularly good one) if you googled my name with 'database'. but 'no', you had to assume I have no idea.

Re: php frameworks

The community on average is far less knowledgeable than e.g. that of C or derivatives. However, does that make the language *itself* bad? No. If you don't know how to use it properly, it's not the language to blame.

That being said, I do my best to move out of PHP, but I still find it the fastest choice in prototyping new things and creating fast internal tools for testing etc.

Re: php frameworks

Unlike PHP, there is a very powerful and sane subset of Javascript and the rest can be ignored.

People who say JS sucks, usually mean the DOM sucks, which is independent of JS. Those folks also struggle understanding JS's object model. It really isn't that hard.

I would never use JS server-side but used properly it is very powerful client-side.

Re: php frameworks

The official docs still recommend functions that are magnets for SQL injection and XSS.

The community is rotten from Lerdorf down to the dumbest little PHP dipshit.

Re:php frameworks

Too bad PHP docs still recommend unfair functions for accessing the database and other things.

PHP: by amateurs, for amateurs.

Re:php frameworks

Retard alert!

Both SQL and NoSQL DB have their time and place. There are many cases where the data hierarchy is unknown before runtime and this is where SQL databases fall down.

In fact, real databases like Postgres support several types of NoSQL.

I bet you didn't even know there are different types, key-value, document, graph, etc.

Re: php frameworks

The fact that bullshit even exists is proof enough that PHP is for retards.

To this day the PHP docs recommend a ton of insecure functions and practices.

It is still shit.

Re: php frameworks

Both are much faster than PHP.

Re: php frameworks

Bullshit.

Rails never, ever had an issue between GET and POST.

They supported both correctly.

There has been plenty of valid criticisms of Rails over the years, how about choosing one of those?

PHP frameworks like joomla

Hello, php and sql are both very old technologies, and generally unsatisfactory for security and function reasons. PHP is unable to broadcast data between clients or to specific clients from another client. Sql fusing operation and data into one string is madness in modern setups.

If you want a proper setup it should be nodejs with a websocket handling data flow and an object database like nedb or mongo db.

Object oriented databases are immune to string based attacks because their function and data are seperated.
ex SQL:
$qeury= 'SELECT user FROM table_name WHERE userID=1'; //This can be broken by injecting data that isn't supposed to be there into the string //for instance it could be changed to 'SELECT user FROM table_name WHERE userID=1 AND 1=1' //the 1=1 makes the statment true, and all users are returned
vs
ex NEDB:
database.find({},function(error,results){ //The parameters of the find are {}, but the operation find is outside of this area, making injection or altering the operation taking place impossible.
});

Re:PHP frameworks like joomla

[One+With+Whisp]

If you want a proper setup it should be nodejs with a websocket handling data flow

A websocket to whom, the client? The client surely is not a javascript-enabled browser, since everyone with a brain in their heads disables that shit on day one.

PHP is unable to broadcast data between clients or to specific clients from another client

??????????????

Do you actually have any idea what you're talking about? This sounds completely out of touch with the web.

Re: PHP frameworks like joomla

Oh wow! If only you could somehow filter out injection attacks!

Oh wait, you can.

Re:PHP frameworks like joomla

I'm guessing you don't understand websockets very well.

Bob hits 'send message' to his buddy Dale

In sql you write to the database, timestamp, loop read, and if new message, display, but it goes to everyone, bob cannot target dale effectively without pulling rabbits out of his colon.

In a websocket
client side:
$('sendButton').on('click',function(){ socket.emit('send message',msg,Dale) });
server side:
socket.on('send message',function(msg,targetUser){
  for(var i in sockets){
  if(socket.thisuser==targetUser){socket.emit('sent msg',msg);}
}
});

Re: PHP frameworks like joomla

[JustAnotherOldGuy]

Oh wow! If only you could somehow filter out injection attacks!

I know...if only there was a way. But we all know it's totally impossible to do, so we might as well get used to it.

Re:PHP frameworks like joomla

[RyuuzakiTetsuya]

You do know the reasons why PHP CMSes like Wordpress are ridiculously popular is that it is dead easy to find a host that already runs PHP and MySQL right? Most of those installs aren't owned by developers. They're owns by regular people.

Re:PHP frameworks like joomla

Coming from a tin foil hat crazy that disables JavaScript?? You have nothing to say here regardless of what you Googled. No matter how stupid the post you are responding to.

Re:PHP frameworks like joomla

$qeury= 'SELECT user FROM table_name WHERE userID=1'; //This can be broken by injecting data that isn't supposed to be there into the string //for instance it could be changed to 'SELECT user FROM table_name WHERE userID=1 AND 1=1' //the 1=1 makes the statment true, and all users are returned

A.) You apparently don't understand boolean logic. An OR is what would cause your scenario, not an AND.
B.) Most competent folks will be using stored procs/parameters to run queries, not a dynamically generated string.

Re: PHP frameworks like joomla

Now if we can only filter out the idiots who don't have a clue about security.

Re:PHP frameworks like joomla

Fine, but in the real world, more often than not you inherit large SQL databases, and programs that are written to use these databases.

Now, are you telling me that you'd want to undo an entire company's database structure over a problem that can be prevented with proper filtering? Note that you're not getting paid any extra to do this, hardly anyone is going to appreciate your effort, and if ANYTHING goes wrong it's YOUR fault.

If you get a chance to build something from scratch, I'm all for a current setup...but in the real world that I live in, you still have to work with SQL databases, and they're perfect;y capable, provided you access them correctly.

Re: PHP frameworks like joomla

We were all a newbie at one point

http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html

Re: PHP frameworks like joomla

Get educated

https://thecodebarbarian.wordpress.com/2014/09/04/defending-against-query-selector-injection-attacks/

Re:PHP frameworks like joomla

Not to mention that WordPress is by now probably the most widely-deployed self-updating system short of windows.

Serious security vulnerabilities in core like this (which with WP are now very rare indeed, because WP core developers are competent and serious) get fixed on most users' machines within hours of the fix being published.

There are many, many problems with plugins and themes still, but for the most part these issues would exist with any system architected and developed with community code; WP developers are bearing the brunt of the idea of community code, and doing quite a lot to improve.

Joomla, on the other hand, I have only ever had negative experiences with.

Re:PHP frameworks like joomla

[One+With+Whisp]

client side:
$('sendButton').on('click',function(){ socket.emit('send message',msg,Dale) });
server side:
socket.on('send message',function(msg,targetUser){
    for(var i in sockets){
    if(socket.thisuser==targetUser){socket.emit('sent msg',msg);}
}
});

This is all javascript, all of which will not execute because most users do not have such a thing enabled in their browsers. Did you even read my post before you started shooting raw liquid feces all over your screen?

Re:PHP frameworks like joomla

Joomla is written by some very poor developers or at least once was. I had to maintain over 100 Joomla installs and write plugins for it about 5 years ago. It was the single worst piece of crap I've seen. Let me give an example:

Joomla had a feature to sort entries. Their solution was to include an int value on every record with a number representing a position. The way it was designed, every time a new entry was done, it had to update every other record! This caused a lot of churn. To make matters worse, my employer had a plugin that was adding entries from RSS feeds for clients. Each rss entry generated hundreds of UPDATE statements.

Eventually MySQL crashed and we had a 31GB innodb file that was corrupted.

Then there's the fact that most of the people writing joomla code don't even know what MVC really is. They put everything in the view like idiots.

Re:PHP frameworks like joomla

Most users have javascript enabled. A small fraction do not. That includes corporate setups.

Re:PHP frameworks like joomla

[KGIII]

"...most users do not have such a thing enabled in their browsers."

[[Citation Needed]]

Seriously, back that shit up. You made the claim, show me some evidence. A quick Google (sorry, not my job to prove you right) says that you're full of shit and trying to weasel your way out of being incorrect by telling straight up lies. Pretty much every site that attempts to quantify this seems to indicate you're completely retarded. Try 2-4% of web users browse with JS disabled.

Re:PHP frameworks like joomla

Hi! I wrote the code out trying to explain my position.

Actually I made a few errors, the and/or being just one
I also forgot to do
for(var i in sockets){
  if(sockets[i].thisuser==targetuser){ //do something
  }
}

I know about stored procedures and I used to run them all the time when I was using PHP and MySql but it gets very exhausting writing them, if you go with a noSql object database you really do save yourself a significant amount of time. Another poster pointed out to me though that object databases can be vulnerable which I did not realize.

I switched over because I really wanted to get operations performed under a tighter schedule. The start ups lately have been trying to go with the LAMP stack and the time it takes bleeds them, it's been going on for years and in this area it is becoming increasingly hard to find good paying work because nobody wants to invest if their just going to exsanguinate all their cash and end up with product that may or may not work.

Re:PHP frameworks like joomla

I do academia research on NoSQL Databases and have quite a few papers published. You are full of shit and understand nothing about it. Most people don't, so don't feel that bad.

Re:PHP frameworks like joomla

[Cramer]

Using a datastore with ZERO recovery logic (innodb) wasn't your first mistake?

So just now...

Means three days ago. Neat

I don't get it...

.... big open source projects with lots of developers and they STILL have SQL injection attacks?

Call me lucky as hell, but I've yet to run into ONE SQL injection attack on anything I've written. Is ti really that difficult for people to write quality, secure code? =\

Re: I don't get it...

You most likely don't have the same user base as joints or Wordpress. I'm sure someone would find holes in your code givin enough attention.

Yeah, that metasploit plugin is neat.

If you can't upgrade at this moment, consider disabling the website immediately. You've got a nice shell to the hosting server, and depending on how ancient that is you're a privilege escalation exploit away from damnation.

Today I Learned

[JustAnotherOldGuy]

Today I learned that I write more secure code than all of the fucking coders at Joomla put together.

A decent sized company with loads of resources, lots of code reviews, using Agile, Scrum, Waterfall, SuckMyPecker, and (supposedly) staffed with experienced programmers, and they STILL fuck it up.

Re:Today I Learned

Oh well with all of that, they were only nearly 100% certain to make a mind blowing mistake.. Scrum my scrotal sack baby.

Re:Today I Learned

Joomla is not a company. The people developing it are volunteers.

Re:Today I Learned

[danhuby]

Well said. And it only takes one mistake by one person to introduce a vulnerability. In hundreds of thousands of lines of code.

Re:Today I Learned

Agile, scrum, waterfall? All in one?

Re:Today I Learned

Hell, Microsoft writes more secure code than these ass wipes.

Just switch to Plone

[HammerToe]

Just switch to Plone and sleep easier at night. A little out of date figures, but in the time Joomla had 441 exploits, Plone had 9.

https://plone.org/products/plo...

-Matt

Re:Just switch to Plone

[danhuby]

Has it improved much since 2006? When I used it back then it was awful. Slow, terrible UI, over engineered.

Re: Just switch to Plone

[HammerToe]

Has it changed in 9 years? Yes of course. Several major versions since then. There is a new content-type system, new theming system, and new UI.

Check out the recently released Plone 5 which has lots of great stuff in it.

https://plone.com/5

-Matt

Re:Just switch to Plone

That's a terrible measure of software quality. Maybe just nobody cared about plone?

Re: Just switch to Plone

Really? I think it DOES run some major NASA and/or ESA sites, probably the Hubble site.

Re: Just switch to Plone

I said maybe. And it's still a terrible measure for software quality.

Re:Just switch to Plone

[Tablizer]

Indeed. Hackers tend to target more popular tools over the less popular. It doesn't even seem to be linear such that a tool that's twice as popular gets hacked roughly 4 times as much. That's because they want the biggest bang (most "customers") for their buck.

This is why

I don't trust CMSes and frameworks over my own ability to code.

use open source

... because shallow bugs are always found so quickly.

Ugh, need a clue-bat for commenters

[Tool+Man]

What's with all the anonymous wankers beaking off about PHP vs Node, or JavaScript in general, when it's a server-side parsing of input that leads to the vulnerability? WebGoat was written as an on-purpose vulnerable web app for learning on, maybe some of you should download it and Burp or ZAP and do some self-education. OTOH, I'm sure someone would look at WebGoat, and respond with, "OMG, Java is teh suckz!"

Re:Ugh, need a clue-bat for commenters

It does suck though, at least a bit.

Re:Ugh, need a clue-bat for commenters

Haven't you heard? nodejs is serverside. Now we can have yet another shitty scripting language on the server too!

Let's Be Real

I'm sure someone would look at WebGoat, and respond with, "OMG, Java is teh suckz!"

Well, they wouldn't be wrong, even if they were clueless.

Re:Let's Be Real

I'm sure someone would look at WebGoat, and respond with, "OMG, Java is teh suckz!"

Well, they wouldn't be wrong, even if they were clueless.

It's not my fave language, but the run-time is fine for server use. Browser applets were too slow, and the sandbox too leaky, but that's not the language's fault.
I'd be more inclined to use Clojure though, and just take advantage of the ecosystem.

Re:Let's Be Real

[Tool+Man]

Whoops, that was me. One side effect of auto-clearing cookies. Anyway.

Re:Let's Be Real

[KGIII]

These appear to be the types of people who have just a hammer in their toolbox and insist they're able to fix anything with it. They could at least get some duct tape.

If it moves, and it shouldn't, duct tape. If it doesn't move, and it should, hammer. They'd at least broaden their horizons. Me? I can code poorly in a whole bunch of languages.

so, does this only work ...

[cascadingstylesheet]

So, does this only work if errors are output to the screen?

Trying to assess the impact to our client sites. We always write errors to file and not to screen.

No surprise...

[__aaclcg7560]

I switched away from Joomla to WordPress several years ago because hackers kept banging on my virtual doors. I'm looking into switching from WordPress to a static file generator. Can't hack what doesn't have any vulnerabilities.

Re:No surprise...

[Tablizer]

Wordpress has had plenty of vulnerabilities also. You just got to patch quickly when vulnerabilities are found.

Re:No surprise...

[__aaclcg7560]

My problem with WordPress is the constant need to login and update the plugins. Not a big problem for an active site, but a pain for non-active websites. That's why I'm looking into static files for the older websites.

Re:No surprise...

It becomes easier if you've got shell access to the hosting server, or the hoster has WP-CLI available. I wrote a bash script around that to automatically update all themes, plugins, wp installs on my server.

A major problem is still paid for themes and plugins, which require you to go to the reseller website, login and download the update and manually keep an eye out. Before long, you forget to check a plugin one day and it might be the end.

Re:No surprise...

[Tablizer]

Do you know any good static-based systems?

Re:No surprise...

InfiniteWP and MainWP offer solutions to this.

As does iThemes somethingorother... and for that matter I think Jetpack can do this.

Basically you get a control panel where you can remote-manage a whole bunch of wordpress sites in one go. InfiniteWP and MainWP are things you install on your own server (with client plugins in the sites you install).

Which is not to say that the InfiniteWP client hasn't had its vulnerabilities, but it does seem to be pretty good now (and is audited by Sucuri).

By and large I would bet on the Jetpack solution, too.

Re:No surprise...

Nanoc is reliable and easy to use.

Re:No surprise...

[Tablizer]

Ruby? Our shop would rather go with a Php-based one.

A PHP app is a security nightmare?

How is this news?

PHP: by amateurs, for amateurs.

Only self-trained monkeys use PHP.

It is great for one thing: If PHP shows up on a resume it gets deleted on the spot.

Re:A PHP app is a security nightmare?

[Aethedor]

Woaw, you clearly know what you are talking about. Good arguments too. You must be some Code Writing Guru.

Anyway, just wanted to let you know that all my PHP based websites are running fine for many, many years. Without patching that is. And yes, they've seen a lot of hack attempts. None was successful.

Bye,
A self-trained PHP monkey

Re:A PHP app is a security nightmare?

[epyT-R]

As opposed to all the other-trained monkeys that use whatever wunderscript language their professors adored?

Re:A PHP app is a security nightmare?

[JustAnotherOldGuy]

just wanted to let you know that all my PHP based websites are running fine for many, many years. Without patching that is. And yes, they've seen a lot of hack attempts. None was successful.

Same here...like you, I'm a "self-trained PHP monkey".

I run dozens of sites, some going back ~12 years or so. Hackers throw themselves against my sites constantly and none of them have managed to get in or run a successful exploit. Careful coding and rigorous sanitizing of incoming data is really all it takes.

Cheers!

Re:A PHP app is a security nightmare?

I think the oldest PHP site I have in production is nine years old... followed by another which is seven. But both of them are based ultimately on code I wrote about ten years ago.

No hacks. Because I'm not an idiot. OK so PHP in the past wasn't really a proper programming language and over time has had some insane ideas (register_globals, magic_quotes and safe_mode, I am looking at you). And there are still some pretty saddening bits of API inconsistency left over. Syntactically it's taken a long time to settle. But it's a radically different language now, with most of the features you'd want from a proper programming language (closures, anonymous functions, namespacing), and a serious future due to Hack/HHVM and PHP 7.

It's worth noting, for the node.js proponent who is spewing grammar-bending nonsense all over this thread, that JavaScript has similarly ignominious roots and some crazy behaviour (optional semicolons at the end of the line leading to inconsistent parsing and minification errors still hasn't gone away, leading to a huge factional split concerning JavaScript's automatic semicolon insertion that will one day flare up into a religious schism the like of the Sunni/Shia disagreement). He says PHP isn't a language -- well, JS wasn't really a single language until ECMAScript. And even now, there are disagreements.

Self-trained PHP monkey who self-trained in the web because he graduated with a CS degree before most people had even looked at it.

Re:A PHP app is a security nightmare?

just wanted to let you know that all my PHP based websites are running botnet code just fine for many, many years

FTFY

Anyone using PHP is a clueless dumbfuck, by definition.

Unlike Javascript, the is no powerful and sane subset.

It is pure shit from top to bottom.

Re:A PHP app is a security nightmare?

I love the smell of butthurt PHP dipshits in the morning.

Re:A PHP app is a security nightmare?

WTF?

Spoken like an uneducated dipshit.

Besides the intro freshman courses, the student is allowed to use whatever they want in class work.

In a single course, I have used C, Java, Ruby, Python and Ocaml for various assignments.

CS education is about learning concepts not programming language end-user training.

No wonder Javascript is too hard for you and love PHP.