Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com)

Posted by BeauHD on from the time-to-update dept.

An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.

2 of 104 comments (clear)

  1. Three answers to three questions by raymorris · · Score: 4, Informative

    Unless I'm mis-reading your post, you've brought up three different issues:

    a) What is the best way to update a PHP script?
    b) How do Wordpress and Drupal update by default?
    c) How do you update the PHP interpreter without breaking scripts?

    > a) What is the best way to update a PHP script?

    Probably the best way is to use a revision control system such as "git", "cvs", "svn", or "hg". You can look at the Wordpress SVN here:

    https://core.trac.wordpress.or...

    The system tracks all changes:
    https://core.trac.wordpress.or...

    On an up-to-date server, you can run "svn update" to retrieve all of the updates that you're missing. An an older system, you can pull only the specific changes you want, such as security patches:
    https://core.trac.wordpress.or...

    b) How do Wordpress and Drupal update by default?

    In a stupid way. The script itself downloads the new version from the Wordpress web site. For this to work, the script (and therefore all scripts on the server) needs to have permission to overwrite files on the server. That's bad because in most cases that means *any* script can change *any* file on the site. Any little security hole in any script allows the bad guy to write whatever he wants, including his own software, and run it on your server. That's a bad idea. It's *possible* to set this up to be reasonably secure, but nobody does. PHP makes the more secure configuration much more difficult than it needs to be.

    > c) How do you update the PHP interpreter without breaking scripts?

    Most of the time, a function will be deprecated several years before it's removed or disabled by default. Use http://php.net/manual/ to understand the PHP you're writing rather than copying and pasting shit from Stackoverflow that might have been halfway correct six years ago. The manual will let you know if a function is deprecated, and point to the newer approach you should use instead. Aside from using good documentation (not forums) as your primary learning tool and avoiding deprecated functions, you can make your software easier to update and fix later. That's mostly about modularity - keep unrelated things separate. Ideally each function you write would be no longer than about 4-12 lines. A simple, short function is easier to update later. Related functions can be group into classes ( http://php.net/manual/en/langu... ). It's much easier to fix your file uploader if it's all together in a file called "fileuploader.php" rather than being sprayed through "mega_forum_script.php" (8MB).

    > *super novice programmer here* ... PHP

    You have a much harder road ahead of you than us oldtimers who learned in the 1980s and 1990s. Your newbie code will be exposed in the internet, where it'll be attacked several times per hour. That's very high risk. Minimize your exposure by trying to avoid working with confidential data for now. Recognize your limitations and don't try to write a security system or shopping cart with credit card payments right now. When you *do* have to work on something that could cause damage when attacked, consider asking a programmer who is trained in security to do code review. (I've been programming professionally for 20 years, mostly doing security-related code, and I still ask my peers to review my work - there's no shame in that.)

  2. Drupal core is not affected by Falc0n · · Score: 3, Informative

    If you are using Drupal, please read this PSA: https://www.drupal.org/psa-2016-004

    Most sites needing extended mailing functionality probably use the SMTP contrib module, fortunately they too are not affected by this.

    However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.