Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
I've been seeing this same headline or a paraphrasing of it for OVER A DECADE. Please stop with the duplicates!
Because your legal name is "Nogrial"?
What do you have to hide? Post your real name and stop hiding behind a pseudonym.
This is a third-party library. Why would you need to update all of PHP?
Swiftmailer, another popular lib, is also vulnerable.
https://github.com/swiftmailer/swiftmailer/issues/844
Looks like the core issue is with php's mail() function:
> ... due to 'mail() in PHP already escapes this argument.' However that's not the
> case - PHP passes the parameters through escapeshellcmd() but that doesn't
> prevent the appending of additional arguments, which is the issue here.
I write a lot of my own shit and use external stuff as little as possible :-) ...even in PHP
windows 10 auto updates?!!
/troll
Perhaps this is only the beginning of the start of the self-aware wordpress botnet; but would explain the regular hacking of wordpress sites; that will probably only continue so long as people rely on other people's PHP code. That's not to say that other languages aren't subject; but php is probably the worst because there is no precedence for code quality or coding standards that releases (or even most of the community) follow. Is php functional? Object oriented? Both? It's neither; I would describe it as pure 'bootstrap.' - i.e. patch on top of patch on top of patch to fix another patch, and most 'legacy' code bases are stark reminders of the strides node.js developers have taken in recent years to ensure best practices.
" I bet the default has PHPMailer and some example forms installed as well "
No, it doesn't.
Let the "PHP is crap" comments roll!
If you want news from today, you have to come back tomorrow.
That it is open source may be the reason the vulnerability was found?
Unless I'm mis-reading your post, you've brought up three different issues:
a) What is the best way to update a PHP script?
b) How do Wordpress and Drupal update by default?
c) How do you update the PHP interpreter without breaking scripts?
> a) What is the best way to update a PHP script?
Probably the best way is to use a revision control system such as "git", "cvs", "svn", or "hg". You can look at the Wordpress SVN here:
https://core.trac.wordpress.or...
The system tracks all changes:
https://core.trac.wordpress.or...
On an up-to-date server, you can run "svn update" to retrieve all of the updates that you're missing. On an older system, you can pull only the specific changes you want, such as security patches:
https://core.trac.wordpress.or...
b) How do Wordpress and Drupal update by default?
In a stupid way. The script itself downloads the new version from the Wordpress web site. For this to work, the script (and therefore all scripts on the server) needs to have permission to overwrite files on the server. That's bad because in most cases that means *any* script can change *any* file on the site. Any little security hole in any script allows the bad guy to write whatever he wants, including his own software, and run it on your server. That's a bad idea. It's *possible* to set this up to be reasonably secure, but nobody does. PHP makes the more secure configuration much more difficult than it needs to be.
> c) How do you update the PHP interpreter without breaking scripts?
Most of the time, a function will be deprecated several years before it's removed or disabled by default. Use http://php.net/manual/ to understand the PHP you're writing rather than copying and pasting shit from Stackoverflow that might have been halfway correct six years ago. The manual will let you know if a function is deprecated, and point to the newer approach you should use instead. Aside from using good documentation (not forums) as your primary learning tool and avoiding deprecated functions, you can make your software easier to update and fix later. That's mostly about modularity - keep unrelated things separate. Ideally each function you write would be no longer than about 4-12 lines. A simple, short function is easier to update later. Related functions can be grouped into classes ( http://php.net/manual/en/langu... ). It's much easier to fix your file uploader if it's all together in a file called "fileuploader.php" rather than being sprayed through "mega_forum_script.php" (8MB).
> *super novice programmer here* ... PHP
You have a much harder road ahead of you than us oldtimers who learned in the 1980s and 1990s. Your newbie code will be exposed in the internet, where it'll be attacked several times per hour. That's very high risk. Minimize your exposure by trying to avoid working with confidential data for now. Recognize your limitations and don't try to write a security system or shopping cart with credit card payments right now. When you *do* have to work on something that could cause damage when attacked, consider asking a programmer who is trained in security to do code review. (I've been programming professionally for 20 years, mostly doing security-related code, and I still ask my peers to review my work - there's no shame in that.)
If you are using Drupal, please read this PSA: https://www.drupal.org/psa-2016-004
Most sites needing extended mailing functionality probably use the SMTP contrib module, fortunately they too are not affected by this.
However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.
> Wait... the PHP interpreter doesn't tell you this?
Of course it does. It issues a warning at level E_DEPRECATED. The manual answers your question here:
http://php.net/manual/en/error...
And here:
http://php.net/manual/en/error...
As noted in the manual, you do not want a log entry every time someone runs a script which includes a deprecated function; that could be a million times per day, if you have a million visitors. Like most languages, you'll want to set the reporting level higher during development, to see all the notices, then lower on production so you're not spammed by warnings you've chosen to disregard.
Well, it's pretty generally accepted that the P does not always mean PHP anymore -- perl or python were rolled into that acronym a decade or so ago.
Someone had to do it.
Users don't want to signup for mailing lists or find a good download site.
Almost every single Linux distro comes preconfigured with a default repository which can be used to automatically locate patches, or download source code if you need to compile your own, if you can't wait for your distro to test and push a patch. Though usually, you choose your distro based on such criteria of how quickly they push essential patches balanced with how often they push patches that break stuff.
Agreed, forums, including Stackoverflow, can certainly provide hints of where to start looking. Then as you said, refer to the documentation to understand exactly what the function does, and precisely what arguments it takes and how it interprets them.
ALSO after you know a language well, perhaps you've served as a subject matter expert reviewing the certification test for the language, such forums can be a source of creative new ideas, and people may have benchmarked different ways of doing things, etc. Forums can help me find ways to improve my code, if I take the time to thoroughly understand the suggestions I find there. For example "every third day" can be written succinctly as:
/* Every third day: whole days since the epoch, modulo 3. */
( (int)( time() / (24*60*60) ) % 3 == 0 )
That's an idea you might not think of off the top of your head, but might find on Stackoverflow.
However, if I get an idea from Stackoverflow and don't take time to understand it and verify it, you know what my code does? Neither do I. I didn't take time to find out. :)
* That "every third day" code is off the top of my head, untested and may contain a bug.
A little follow-up on the topic of writing code that's exposed in the web:
The natural tendency for most programmers is to think of how to make the code work, and to test that it works, given proper inputs. You'll be way ahead of the game both for security and avoiding bugs if you instead think about how your code can be made to FAIL, and test what it does with IMPROPER inputs. That's a major change of how we think for veteran programmers; a newbie may have an advantage if they can establish that mindset early.
Yea. First it looks like some of the code written by some contractors I work with. Smelly code happens in every language. Imagine the same shit happening in C#. You know you've seen it!
Second, it looks like a whole shitshow of patching needs to happen every damn place in the core. Three, that check had to be thrown in at two places: there is no optimization of the code for it already being inside the same boolean evaluation... And four, u call that a patch...
Use a third party service and call their API. Done.
Might want to double-check your facts there. I remember when PHP was a CMS written in a mix of Perl and C. That was about 1994 or so. I had already written something similar myself. The first web sites were 1989.
When people like you figure out that posting anonymously is supposed to be something you do when tying what you wrote back to you could be dangerous in some way. It isn't supposed to be the norm.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
He/She is absolutely correct. While I abhor abuse of the AC mechanism, this isn't really the best post to make the point. It was concise, poignant, and accurate.
You don't need sudo to update your files, including your PHP files. They can be owned by your regular user, and updated via ftp/sftp or ssh. The scripts should *run* as user "nobody", so they don't have the same access that you do. Even better, the scripts can run as your own personal nobody, a user created for the purpose such as "execthis_scripts". Using the standard system "nobody" is far more common, though.
If your scripts are running as you, with the same permissions you have when logged in via ssh, that means any of your scripts can change any of your files. Any security hole in any script allows an attacker to put malware in all of your files. That happens when your web host is incredibly stupid and runs PHP using something called "suexec". Here's what the developers of suexec have to say in the Apache manual:
--
if suEXEC is improperly configured, it can cause any number of problems and possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC.
--
They aren't kidding. At least half of the badly hacked web sites I've been called in to recover were hacked due to suexec. Every file is potentially affected, so we charge $1000 and up for remediation.
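Both this post and the earlier one about WordPress self-updates make the same point: whatever the PHP process can write, any compromised script can write. A quick way to see that surface is to run an audit as the web-server user. The script below is an added example for this thread, not code from any project mentioned here; the web-root path and the output format are assumptions:

```php
<?php
// Added example (not from the thread or any project it mentions): list every
// file or directory under a web root that the *current process* can modify.
// Run it as the user the web server executes PHP as ("nobody", "www-data" or a
// dedicated account) to see exactly what a hole in any script could overwrite.
// Assumption: the web root is given as the first command-line argument.

function find_writable_files(string $root): array {
    $writable = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $perms = $info->getPerms();
        $worldWritable = ($perms & 0002) !== 0;   // "other" write bit set
        // is_writable() answers for the identity this script runs under, which is
        // the question that matters: could a script running here change this file?
        if (is_writable($path) || $worldWritable) {
            $writable[] = [
                'path'  => $path,
                'mode'  => sprintf('%04o', $perms & 07777),
                'uid'   => $info->getOwner(),
                'world' => $worldWritable,
            ];
        }
    }
    return $writable;
}

$root = $argv[1] ?? __DIR__;
$hits = find_writable_files($root);
if ($hits === []) {
    echo "No files under $root are writable by uid " . getmyuid() . ".\n";
} else {
    foreach ($hits as $h) {
        printf("%s uid=%d %s%s\n", $h['mode'], $h['uid'], $h['path'],
               $h['world'] ? ' (world-writable)' : '');
    }
    echo count($hits) . " writable entries; on a well-configured site only upload and cache directories should appear.\n";
}
```

If the list includes your application code, index.php or configuration files, the scripts run with more access than they need, which is the situation both posts warn about; the fix is ownership by your deploy user with the web-server account granted write access only to the directories that genuinely need it.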
> then looked for the file and it does not exist anywhere on the server.
If it's a shared server, you shouldn't be able to see most of the filesystem easily. Can you see /usr/lib and /var/log? If so, your web host might be an idiot. If not, you may well have used the exploit to create a file in a part of the filesystem that you can't easily see.
I think I misunderstood what you were trying to say. You're under the impression that learning software engineering is nothing more than learning the vocabulary of a particular language. A programmer couldn't learn anything that applies to programming in PHP until after learning the PHP vocabulary, you think.
Not really so, IMHO. Most of software engineering, and systems architecture in general, is quite independent of any particular programming language. Heck I've written software that's valid in three or four languages, and when someone releases a new language my old code might run as that language too. Do you remember in your high school textbooks for each chapter there would be four or five vocabulary words at the beginning or end of each 50 page chapter? Those four or five vocabulary words are the language of each chapter. The other 99% is the stuff you should know. Programming is the same - the language is about 1% of what a competent programmer should know.
As always, Slashdot.org is the best site to check while drinking my first morning cup of coffee at work. After reading this, I was able to go check our Intranet and external websites for my company to verify that this does not effect us. Thank you so much!
"Instant gratification takes too long." - Carrie Fisher
PHP never needed Apache.
That's absurd. If nobody does it then where did all those bugs in the bugzilla / issue tracker come from? How did this get found? Oh that's right. You are actually posting in an article about how this was done claiming nobody ever does it. ROTFLMAO
That is provably true actually; not conjecture.
> Plenty of veteran programmers understand basic concepts such as making sure code can handle invalid parameters properly.
And I *know* basic Spanish. I *think* in English. Most programmers have heard something about programming defensively, a few do so as a matter of course. Most of us, most of the time, think about how things are supposed to work (not how they can fail). For decades we've said things like "garbage in, garbage out." We may know, intellectually, that "garbage in, garbage out" is no longer valid since attackers will submit garbage daily, yet we continue to write functions that fail quite ungracefully when fed garbage input.
Some of this may be SQA 101, but I'd posit that 90% of programmers don't know what SQA stands for, much less have SQA as their native tongue. Evidence of this is the hundreds of CVEs issued every month. Half of the people who created the flaws behind those CVEs can probably look at the flawed code and tell you where they went wrong, how they should have written it. The safe way isn't what came naturally, though.
The complete deterioration in the quality of those who post and mod here is frustrating. For example people seem to think there is a "-1. The Truth Hurt My Feelings" option. I don't see joining in the deterioration and becoming one of them as the answer though.
What you're describing is called a Missile.
user@host$ diff
I'm pretty sure Slashdot still uses mod-perl. That was the original "MP" in "LAMP".
I'm pretty sure the original LAMP was Linux, Apache, MySQL, Perl.