Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
When will you logged-in fools learn that your constant ad hominem attacks on anonymous cowards do nothing to support your positions?
*super novice programmer here* Does anyone have any ideas on how WP, Drupal, etc.... can update or set a new standard of pushing our php changes? I feel like php often gets rewritten too much, when major releases come out, thus breaking existing or legacy code. Are we to continuously rewrite code to make it work with the current changes or is there a way we can push these changes without breaking old code?
I've been seeing this same headline or a paraphrasing of it for OVER A DECADE. Please stop with the duplicates!
Because your legal name is "Nogrial"?
but the issue isn't just that people use php. The default LAMP setup has PHP and Apache installed. I bet the default has PHPMailer and some example forms installed as well. So lots of people are running web servers and have this exposed but don't even realize.
The exploit is so obvious in hindsight too. The args aren't hidden in headers passed to environment variables or anything like that. It's just that you can give anything at all as a from email address, including optional arguments to the sendmail command that's run.
this is a case where the cloud and PAAS or serverless hosting is really helpful. The providers will be upgrading but the app writers don't have anything to change.
What do you have to hide? Prove to me that I my position isn't valid.
I never set a standard beyond, not being anonymous.
What do you have to hide? Post your real name and stop hiding behind a pseudonym.
I know, but I've used php mailer, it's a pain in the butt to setup, like almost all PHP based stuff. Its syntax is....wonky, like a shopping cart with that one wheel that's all screwed up and keeps smashing you into the aisle racks.
If they were on nodejs they'd be using nodemailer, which is a heck of a lot easier. You don't necessarily even need to setup an MX record for your webserver though it is recommended to do so.
Swiftmailer, another popular lib, is also vulnerable.
https://github.com/swiftmailer/swiftmailer/issues/844
Looks like the core issue is with php's mail() function:
> ... due to 'mail() in PHP already escapes this argument.' However that's not the
> case - PHP passes the parameters through escapeshellcmd() but that doesn't
> prevent the appending of additional arguments, which is the issue here.
i write a lot of my own shit and use external stuff as little as possible :-) ...even in PHP
IP Freely
Perhaps this is only the beginning of the start of the self-aware wordpress botnet; but would explain the regular hacking of wordpress sites; that will probably only continue so long as people rely on other peoples' PHP code. That's not to say that other languages aren't subject; but php is probably the worst because there is no precedence for code quality or coding standards that releases (or even most of the community) follow. Is php functional? Object oriented? Both? It's neither; I would describe it as pure 'bootstrap.' - i.e. patch on top of patch on top of patch to fix another patch, and most 'legacy' code bases are stark reminders of the strides node.js developers have taken in recent years to ensure best practices.
" I bet the default has PHPMailer and some example forms installed as well "
No, it doesn't.
They're too busy researching wordpress plugins.
It's also the core weakness since everyone thinks this but nobody does it.
I'm more of a VB6/ASP Classic/IIS/MSSQL kind of guy
I think you figured it out. Incentives matter.
Let the "PHP is crap" comments roll!
If you want news from today, you have to come back tomorrow.
That it is open source may be the reason the vulnerability was found?
These bugs are found and made public because the source is open and because people are actually reviewing the code.
I am baffled when people make this same obviously false assertion...every time a bug is found in open source code.
Yes, seriously, there are bugs and security issues in all code. Think that proprietary app you are using is bug free and safe? hahaha. At least in OSS someone can point to them and fix it.
Unless I'm mis-reading your post, you've brought up three different issues:
a) What is the best way to update a PHP script?
b) How do Wordpress and Drupal update by default?
c) How do you update the PHP interpreter without breaking scripts?
> a) What is the best way to update a PHP script?
Probably the best way is to use a revision control system such as "git", "cvs", "svn", or "hg". You can look at the Wordpress SVN here:
https://core.trac.wordpress.or...
The system tracks all changes:
https://core.trac.wordpress.or...
On an up-to-date server, you can run "svn update" to retrieve all of the updates that you're missing. On an older system, you can pull only the specific changes you want, such as security patches:
https://core.trac.wordpress.or...
b) How do Wordpress and Drupal update by default?
In a stupid way. The script itself downloads the new version from the Wordpress web site. For this to work, the script (and therefore all scripts on the server) needs to have permission to overwrite files on the server. That's bad because in most cases that means *any* script can change *any* file on the site. Any little security hole in any script allows the bad guy to write whatever he wants, including his own software, and run it on your server. That's a bad idea. It's *possible* to set this up to be reasonably secure, but nobody does. PHP makes the more secure configuration much more difficult than it needs to be.
> c) How do you update the PHP interpreter without breaking scripts?
Most of the time, a function will be deprecated several years before it's removed or disabled by default. Use http://php.net/manual/ to understand the PHP you're writing rather than copying and pasting shit from Stackoverflow that might have been halfway correct six years ago. The manual will let you know if a function is deprecated, and point to the newer approach you should use instead. Aside from using good documentation (not forums) as your primary learning tool and avoiding deprecated functions, you can make your software easier to update and fix later. That's mostly about modularity - keep unrelated things separate. Ideally each function you write would be no longer than about 4-12 lines. A simple, short function is easier to update later. Related functions can be grouped into classes ( http://php.net/manual/en/langu... ). It's much easier to fix your file uploader if it's all together in a file called "fileuploader.php" rather than being sprayed through "mega_forum_script.php" (8MB).
> *super novice programmer here* ... PHP
You have a much harder road ahead of you than us oldtimers who learned in the 1980s and 1990s. Your newbie code will be exposed in the internet, where it'll be attacked several times per hour. That's very high risk. Minimize your exposure by trying to avoid working with confidential data for now. Recognize your limitations and don't try to write a security system or shopping cart with credit card payments right now. When you *do* have to work on something that could cause damage when attacked, consider asking a programmer who is trained in security to do code review. (I've been programming professionally for 20 years, mostly doing security-related code, and I still ask my peers to review my work - there's no shame in that.)
PHP has so many better ways to handle sending mail than using PHPMailer. If someone is using PHPMailer in the first place, chances are there are more vulnerabilities on the web server than just this one.
Is it a class library script, or a script library class?
Open source's biggest weakness is that security patches take a long time to propagate throughout the user base. A lot of people never even bother with updates at all unless some new feature or major bug fix that affects them is included.
People rail on the auto MS Update but those people are usually techies or people who just like to complain about anything MS does. 99% of the actual users base don't want to have to download and install patches. Thus MS patches get propagated much faster across the user base. And if the patch breaks any existing functionality or causes problems people know exactly who to blame. And MS is very motivated to fix any issues as fast as possible to limit the bad publicity. If a Linux or other open source application update breaks anything there is really no one the average user can complain to about fixing things. And when a normal user tries to communicate their problem on one of support forums they are usually ridiculed and called idiots.
Users don't want to signup for mailing lists or find a good download site. And even when they find a site they struggle to determine exactly which patch they need to download and then perform the installation. Open source download sites are written in techie talk. There are usually about 30 different updates to choose from.
And Linux has branched into so many distributions that incompatibilities are becoming a concern. Pick the wrong distribution and you may find the developers who created the distribution have lost interest and moved on to something else, meaning you will be receiving no security or bug fixes in the future. But since it is open source they can always make their own changes right? Maybe the average user can go stay at a Holiday Inn Express and come out the next day as an OS programmer.
I'm pretty sure Slashdot still uses mod-perl. That was the original "MP" in "LAMP".
Why fix when you can be the first to exploit? Or...
Why fix when that will ruin your chance to sell an exploit?
Not everyone out there wants what you want. In fact most of them just want money.
Saw this the other day. Looks like a standard command line parameter sanitation error.
Version 5.2.17
    if (!empty($this->Sender)) {
        $params = sprintf('-f%s', $this->Sender);
    }
    if ($this->Sender != '' and !ini_get('safe_mode')) {
        $old_from = ini_get('sendmail_from');
        ini_set('sendmail_from', $this->Sender);
    }
Version 5.2.18 (patched)
    if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
        $params = sprintf('-f%s', escapeshellarg($this->Sender));
    }
    if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
        $old_from = ini_get('sendmail_from');
        ini_set('sendmail_from', $this->Sender);
    }
Spot the problem?
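An added illustration of the two points made in this thread (this is example code, not PHPMailer's own): the 5.2.17 code passed the Sender straight into the sendmail "-f" parameter, and mail()'s escapeshellcmd() pass does not stop a whitespace-separated second token from reaching sendmail as its own argument, whereas 5.2.18 validates the address and wraps it with escapeshellarg(). The function names and the sample addresses are constructed for this example.

```php
<?php
// Added example (not PHPMailer's code): builds the "-f" additional_params the
// way 5.2.17 and 5.2.18 do, and adds a stricter "plain address" check a
// wrapper around mail() can apply before handing anything to sendmail.

/** 5.2.17 style: no validation, no quoting. */
function buildParamsUnsafe(string $sender): string
{
    return sprintf('-f%s', $sender);
}

/** 5.2.18 style: validate first, then quote as a single shell argument. */
function buildParamsPatched(string $sender): ?string
{
    if ($sender === '' || filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return null; // refuse to pass a "-f" parameter at all
    }
    return sprintf('-f%s', escapeshellarg($sender));
}

/**
 * Belt-and-braces check for a mail wrapper: FILTER_VALIDATE_EMAIL accepts every
 * RFC-legal atext character (apostrophes, for instance); a typical application
 * never needs those in an envelope sender, so also require a conservative set.
 */
function isPlainSender(string $sender): bool
{
    return filter_var($sender, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $sender) === 1;
}

// Constructed sample senders.
$cases = [
    'alice@example.com',             // ordinary address
    'alice@example.com extra-token', // second whitespace-separated token
    "alice'@example.com",            // legal local part, but shell-unfriendly
];

foreach ($cases as $c) {
    $unsafe = buildParamsUnsafe($c);
    printf("sender:   %s\n", $c);
    printf("  5.2.17: %s\n", $unsafe);
    // mail() runs additional_params through escapeshellcmd(); note that the
    // space survives, so the second token is still a separate sendmail argument.
    printf("  after escapeshellcmd(): %s\n", escapeshellcmd($unsafe));
    printf("  5.2.18: %s\n", var_export(buildParamsPatched($c), true));
    printf("  plain:  %s\n\n", var_export(isPlainSender($c), true));
}
```

The second sample is rejected by both the 5.2.18-style check and the plain check; the third shows why escapeshellarg() is still wanted even after validation succeeds.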
If you are using Drupal, please read this PSA: https://www.drupal.org/psa-2016-004
Most sites needing extended mailing functionality probably use the SMTP contrib module, fortunately they too are not affected by this.
However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.
The default LAMP setup has PHP and Apache installed.
Uhh, that is what the "A" and "P" in LAMP stand for.
Remove either one and it isn't a LAMP setup anymore.
Isn't that like saying a functioning airplane by default has wings on it?
> Wait... the PHP interpreter doesn't tell you this?
Of course it does. It issues a warning at level E_DEPRECATED. The manual answers your question here:
http://php.net/manual/en/error...
And here:
http://php.net/manual/en/error...
As noted in the manual, you do not want a log entry every time someone runs a script which includes a deprecated function; that could be a million times per day, if you have a million visitors. Like most languages, you'll want to set the reporting level higher during development, to see all the notices, then lower on production so you're not spammed by warnings you've chosen to disregard.
Well, it's pretty generally accepted that the P does not always mean PHP anymore -- perl or python were rolled into that acronym a decade or so ago.
Someone had to do it.
Users don't want to signup for mailing lists or find a good download site.
Almost every single Linux distro comes preconfigured with a default repository which can be used to automatically locate patches, or download source code if you need to compile your own, if you can't wait for your distro to test and push a patch. Though usually, you choose your distro based on such criteria of how quickly they push essential patches balanced with how often they push patches that break stuff.
Someone had to do it.
Agreed, forums, including Stackoverflow, can certainly provide hints of where to start looking. Then as you said, refer to the documentation to understand exactly what the function does, and precisely what arguments it takes and how it interprets them.
ALSO after you know a language well, perhaps you've served as a subject matter expert reviewing the certification test for the language, such forums can be a source of creative new ideas, and people may have benchmarked different ways of doing things, etc. Forums can help me find ways to improve my code, if I take the time to thoroughly understand the suggestions I find there. For example "every third day" can be written succinctly as: /* Every third day. */
( int( time() / (24*60*60) ) % 3 == 0 )
That's an idea you might not think of off the top of your head, but might find on Stackoverflow.
However, if I get an idea from Stackoverflow and don't take time to understand it and verify it, you know what my code does? Neither do I. I didn't take time to find out. :)
* That "every third day" code is off the top of my head, untested and may contain a bug.
Linux is for queers.
A little follow-up on the topic of writing code that's exposed in the web:
The natural tendency for most programmers is to think of how to make the code work, and to test that it works, given proper inputs. You'll be way ahead of the game both for security and avoiding bugs if you instead think about how your code can be made to FAIL, and test what it does with IMPROPER inputs. That's a major change of how we think for veteran programmers; a newbie may have an advantage if they can establish that mindset early.
How can they do this without some sort of remote control and monitoring. Especially for taxis. It's known and 100% proven that people will shit, puke, jerk off, and fuck inside taxis (in exactly that order btw). How can autonomous freight and taxis exist without remote monitoring? I feel like when you start to shit there should be a voice that reminds you that you are not in a toilet.
if an airplane has enough thrust it doesn't need wings.
PHP doesn't need Apache anymore. It's had a standalone web server for years now.
http://php.net/manual/en/features.commandline.webserver.php
I run a single page web app this way. It's actually rock solid.
Node.js is overrated.
Use a third party service and call their API. Done.
The Joomla website has an advisory notice regarding this issue:
After analysis, the JSST has determined that through correct use of the JMail class, there are additional validations in place which make executing this vulnerability impractical within the Joomla environment
I see above that Drupal sites should generally be okay as well, so it seems like out of the "big three" CMS platforms, the only one that is really going to be hit by this is WordPress. No surprise there. WordPress users: Upgrade now. Joomla users: Chill out and wait for Joomla 3.7.
Might want to double-check your facts there. I remember when PHP was a CMS written in a mix of Perl and C. That was about 1994 or so. I had already written something similar myself. The first web sites were 1989.
When people like you figure out that posting anonymously is supposed to be something you do when tying what you wrote back to you could be dangerous in some way. It isn't supposed to be the norm.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
He/She is absolutely correct. While I abhor abuse of the AC mechanism, this isn't really the best post to make the point. It was concise, poignant, and accurate.
You don't need sudo to update your files, including your PHP files. They can be owned by your regular user, and updated via ftp/sftp or ssh. The scripts should *run* as user "nobody", so they don't have the same access that you do. Even better, the scripts can run as your own personal nobody, a user created for the purpose such as "execthis_scripts". Using the standard system "nobody" is far more common, though.
If your scripts are running as you, with the same permissions you have when logged in via ssh, that means any of your scripts can change any of your files. Any security hole in any script allows an attacker to put malware in all of your files. That happens when your web host is incredibly stupid and runs PHP using something called "suexec". Here's what the developers of suexec have to say in the Apache manual:
--
if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.
--
They aren't kidding. At least half of the badly hacked web sites I've been called in to recover were hacked due to suexec. Every file is potentially affected, so we charge $1000 and up for remediation.
> then looked for the file and it does not exist anywhere on the server.
If it's a shared server, you shouldn't be able to see most of the filesystem easily. Can you see /usr/lib and /var/log? If so, your web host might be an idiot. If not, you may well have used the exploit to create a file in a part of the filesystem that you can't easily see.
I think I misunderstood what you were trying to say. You're under the impression that learning software engineering is nothing more than learning the vocabulary of a particular language. A programmer couldn't learn anything that applies to programming in PHP until after learning the PHP vocabulary, you think.
Not really so, IMHO. Most of software engineering, and systems architecture in general, is quite independent of any particular programming language. Heck I've written software that's valid in three or four languages, and when someone releases a new language my old code might run as that language too. Do you remember in your high school textbooks for each chapter there would be four or five vocabulary words at the beginning or end of each 50 page chapter? Those four or five vocabulary words are the language of each chapter. The other 99% is the stuff you should know. Programming is the same - the language is about 1% of what a competent programmer should know.
As always, Slashdot.org is the best site to check while drinking my first morning cup of coffee at work. After reading this, I was able to go check our Intranet and external websites for my company to verify that this does not effect us. Thank you so much!
"Instant gratification takes too long." - Carrie Fisher
RUN chmod 777 -R /www
Seems a bit loose on the permissions I would say.
PHP never needed Apache.
That's absurd. If nobody does it then where did all those bugs in the bugzilla / issue tracker come from? How did this get found? Oh that's right. You are actually posting in an article about how this was done claiming nobody ever does it. ROTFLMAO
That is provably true actually; not conjecture.
> Plenty of veteran programmers understand basic concepts such as making sure code can handle invalid parameters properly.
And I *know* basic Spanish. I *think* in English. Most programmers have heard something about programming defensively, a few do so as a matter of course. Most of us, most of the time, think about how things are supposed to work (not how they can fail). For decades we've said things like "garbage in, garbage out." We may know, intellectually, that "garbage in, garbage out" is no longer valid since attackers will submit garbage daily, yet we continue to write functions that fail quite ungracefully when fed garbage input.
Some of this may be SQA 101, but I'd posit that 90% of programmers don't know what SQA stands for, much less have SQA as their native tongue. Evidence of this is the hundreds of CVEs issued every month. Half of the people who created the flaws behind those CVEs can probably look at the flawed code and tell you where they went wrong, how they should have written it. The safe way isn't what came naturally, though.
I have a registered account. Two, in fact. But I usually post anonymously because the mods are on crack.
The complete deterioration in the quality of those who post and mod here is frustrating. For example people seem to think there is a "-1. The Truth Hurt My Feelings" option. I don't see joining in the deterioration and becoming one of them as the answer though.
> maybe it's time to learn the current standard for web excellence
Will do. What exactly *is* the current standard for web excellence?
What you're describing is called a Missile.
user@host$ diff
I'm pretty sure Slashdot still uses mod-perl. That was the original "MP" in "LAMP".
I'm pretty sure the original LAMP was Linux, Apache, MySQL, Perl.
If anyone is wondering it stands for software quality assurance. I think ;)
What's in a name?
Slashdot used to be great.
Nope. PHP was the P in the original LAMP, though an equivalent stack with Perl existed at the same time.
You won't get an answer. These anti-PHP zealots never say what you should use instead. I've never once got an answer that was a suitable replacement that can do everything PHP can do. All back-end technologies have their warts, both in security and features.