Slashdot Mirror


Severe SQL Injection Flaw Discovered In WordPress Plugin With Over 1 Million Installs (bleepingcomputer.com)

According to BleepingComputer, "A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database." The plugin's name is NextGEN Gallery, which has its own set of plugins due to how successful it is. From the report: According to web security firm Sucuri, who discovered the NextGEN Gallery security issues, the first attack scenario can happen if a WordPress site owner activates the NextGEN Basic TagCloud Gallery option on his site. This feature allows site owners to display image galleries that users can navigate via tags. Clicking one of these tags alters the site's URL as the user navigates through photos. Sucuri says that an attacker can modify link parameters and insert SQL queries that will be executed by the plugin when the attacker loads the malformed URL. This happens due to improper input sanitization in the URL parameters, a common problem with many WordPress and non-WordPress web applications. The second exploitation scenario can happen if website owners open their site for blog post submissions. Because attackers can create accounts on the site and submit a blog post/article for review, they can also insert malformed NextGEN Gallery shortcodes. Sucuri says the plugin's authors fixed this flaw in NextGEN Gallery 2.1.79.
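The bug class the summary describes, as an added example. This is not NextGEN Gallery's code, not Sucuri's proof of concept, and not a reproduction of the real flaw: the table names, columns, rows and the payload are all constructed for the demo, and it runs against an in-memory SQLite database through PDO so it works offline. It shows the same untrusted tag value taking the concatenated path and the prepared path, which is the whole difference between the vulnerable and the fixed plugin.

```php
<?php
// Added example, not NextGEN Gallery's code: the bug class the summary
// describes, run against an in-memory SQLite database through PDO so it
// works offline. Table names, columns and rows are constructed for the
// demo; the real plugin's schema is not reproduced here.
declare(strict_types=1);

function build_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE gallery_images (id INTEGER PRIMARY KEY, filename TEXT, tag TEXT)');
    $pdo->exec('CREATE TABLE users (user_login TEXT, user_pass TEXT)');
    $pdo->exec("INSERT INTO gallery_images (filename, tag) VALUES ('beach.jpg', 'summer'), ('snow.jpg', 'winter')");
    $pdo->exec("INSERT INTO users (user_login, user_pass) VALUES ('admin', 'not-a-real-hash')");
    return $pdo;
}

// Vulnerable pattern: the tag is spliced into the SQL text. It does not
// matter to the database whether $tag came from a URL parameter (the
// TagCloud scenario) or from a shortcode attribute in a submitted post
// (the second scenario): both are untrusted input.
function images_by_tag_vulnerable(PDO $pdo, string $tag): array
{
    $sql = "SELECT filename, tag FROM gallery_images WHERE tag = '" . $tag . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Fixed pattern: the SQL text is a constant; the tag is sent as a bound
// value, so it can only ever be compared against the tag column.
function images_by_tag_safe(PDO $pdo, string $tag): array
{
    $stmt = $pdo->prepare('SELECT filename, tag FROM gallery_images WHERE tag = :tag');
    $stmt->execute([':tag' => $tag]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$pdo = build_demo_db();

// Constructed inputs: what a normal tag click sends, and what an attacker
// sends in the same parameter. The payload closes the quoted string,
// appends a UNION that reads the users table, and comments out the
// trailing quote the template would add.
$benign  = 'summer';
$payload = "' UNION SELECT user_login, user_pass FROM users --";

foreach (['benign' => $benign, 'payload' => $payload] as $label => $input) {
    echo "== $label, vulnerable ==\n";
    print_r(images_by_tag_vulnerable($pdo, $input));
    echo "== $label, prepared ==\n";
    print_r(images_by_tag_safe($pdo, $input));
}
```

With the payload, the vulnerable function returns the row from the users table, because the string it built is `SELECT filename, tag FROM gallery_images WHERE tag = '' UNION SELECT user_login, user_pass FROM users --'`; the prepared function returns nothing, because the database compares the tag column against the literal string `' UNION SELECT ...` and no image has that tag. Inside WordPress the equivalent of the prepared path is `$wpdb->prepare()` with `%s`/`%d` placeholders; the point is the same: the query text never contains anything a user typed.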

61 comments

  1. Not Wordpress!! by Anonymous Coward · · Score: 1

    It's known for being so secure!! How could this happen??!?!?

    1. Re:Not Wordpress!! by Tablizer · · Score: 2

      Yah, toldja to use SharePoint. *head duck*

  2. Sanitizing Untrusted Input by NIGGERpenisbestPENIS · · Score: 0

    Sanitizing untrusted input: it just can't be that hard. It's not that hard when I do it. So why so many iterations of the same (relatively simple) theme from WordPress and similar platforms? Really it's pitiful. At least make the attackers come up with something new.

    --
    The best is simply the best.
    1. Re:Sanitizing Untrusted Input by Anonymous Coward · · Score: 0

      wordpress_really_sanitize

    2. Re:Sanitizing Untrusted Input by Dracos · · Score: 1, Insightful

      Because WP is the product of a lousy team with the lowest possible standard of practices, their tradition since 2004. Those attitudes permeate throughout the WP "development" landscape. If the core presented best practices and enforced using them, so many vulnerabilities would have been mitigated. Not only is WP shitty code, it begets shitty code.

    3. Re:Sanitizing Untrusted Input by Frosty+Piss · · Score: 3, Insightful

      I'm also glad I don't use PHP

      The is crap written in EVERY language, and variations of C are certainly not immune to this. I can write code that accepts unsanitized input in any language you choose.

      --
      If you want news from today, you have to come back tomorrow.
    4. Re:Sanitizing Untrusted Input by 2fuf · · Score: 1

      > It's not that hard when I do it.
      (...ehm, let's make sure we get the context right on that one.)

      Of course, with you Heartbleed wouldn't have happened either I bet. Still really old code, open source and used almost everywhere, but it took years to catch it.
      Never say never, it's so easy to judge with hindsight.

    5. Re: Sanitizing Untrusted Input by Aethedor · · Score: 1

      PHP is not the issue. Yes, it's an easy language which draws a lot of noobish programmers. But it's not hard to make a secure website with PHP. Take a look at this framework for example.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    6. Re:Sanitizing Untrusted Input by infolation · · Score: 1

      The WordPress Codex tells coders how to sanitize user input, but the NextGEN coders seemed to forget the parameterized URL is user input.

    7. Re:Sanitizing Untrusted Input by munch117 · · Score: 1

      Sure, but how large is the common subset between the people who choose to use PHP and the people who are capable of designing secure software? I imagine it's not a very large set.

    8. Re:Sanitizing Untrusted Input by amicusNYCL · · Score: 1

      The fact that application documentation is trying to teach security practices that any programmer of the language should already know is a great indication of the quality of programmers involved in the Wordpress ecosystem. If someone who is trying to create Wordpress plugins needs to rely on the Wordpress documentation for basic security practices, then it seems like the barrier to entry is too low. This is why Wordpress has the reputation that it does. On one hand it's great that anyone can make a plugin for Wordpress, but on the other hand it sucks that just anyone can create a plugin for Wordpress. SQL injection vulnerabilities have been the #1 attack vector for web servers for over a decade, and it's because of shit like Wordpress. It's frankly embarrassing that SQL injection is still an issue, the people behind the NextGEN plugin should be ashamed of themselves. There's absolutely no excuse at all, it looks like Wordpress requires PHP 5 and if that's the case then the mysqli extension is available, and if that's the case then they should have a database abstraction layer where the usual way of using it is prepared statements and parameterized queries, all of their own code should be using that and all of their own examples should show that. This argument could have been made in 2004 also. Wordpress is only a year older than PHP 5, they could have been doing this for a long time but since their codebase looks like something that a first-year programming student produced as their first project it's no major surprise that the people writing code for them are still making first-year errors.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    9. Re: Sanitizing Untrusted Input by dgatwood · · Score: 1

      Actually, to some degree, PHP is the issue. PHP has supported ways of performing MySQL queries that use placeholders for many years, but they also resisted breaking existing code by ripping out the old interfaces for way longer than made sense. Note that in PHP 7, they finally removed them, so we should start to see PHP app security improve dramatically as panicked admins realize that they have to replace all this crappy code.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re: Sanitizing Untrusted Input by Aethedor · · Score: 1

      In any programming language, people can do stupid things. Also in PHP 7. And even with the older MySQL library in PHP, it was very well possible to write a secure database driven application. All it required was knowledge, like with any language.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    11. Re: Sanitizing Untrusted Input by dgatwood · · Score: 1

      Yes, but when you have an API that is known to be fundamentally insecure, keeping it around for more than a decade solely to preserve code compatibility is generally a really bad idea that can only encourage the proliferation of dangerous code copied from other dangerous code. The assumption was that PHP 5 would be replaced by a new major version that broke backwards compatibility after just a couple of years, but instead it took eleven.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    12. Re: Sanitizing Untrusted Input by Aethedor · · Score: 1

      Even the PDO library can be used in an insecure way. A language is just a language. It's the programmer that makes the application secure or vulnerable.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    13. Re:Sanitizing Untrusted Input by cc1984_ · · Score: 1

      The is crap written in EVERY language

      Including English, it seems!

  3. No way! by Billly+Gates · · Score: 0

    It's so secure written in the professional engineered PHP and is known to auto update for folks without I.T. departments and does sanity checks for SQL statements. How could this possibly happen?!

    1. Re:No way! by Frosty+Piss · · Score: 1

      It's so secure written in the professional engineered PHP...

      If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:No way! by Anonymous Coward · · Score: 0

      But at some level PHP is written in C so clearly it's not "professionally engineered".

    3. Re:No way! by Billly+Gates · · Score: 1

      It's so secure written in the professional engineered PHP...

      If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...

      Absolutely. I use Erlang Outlaw Techno Psychobitch like all the cool kids

  4. Speaking of injecting by Anonymous Coward · · Score: 0

    Dont forget to inject a load in your momma's butt tonight

  5. TRUMP SHOOTS! HE SCORES! by Anonymous Coward · · Score: 0

    Russia 1
    USA    0

  6. Updates? by Anonymous Coward · · Score: 0

    Makes you wonder if they notified their customers about the problem that needed updating. Or was that not in the budget.

  7. Friends by XparXnoiaX · · Score: 1

    Friends don't let friends use wordpress. Give your friends cocaine, it's better for them.

    --
    Irresponsible disclosure is responsible
    1. Re:Friends by Anonymous Coward · · Score: 0

      black tar heroin and some needles you picked up on a san francisco beach is safer.

    2. Re: Friends by slazzy · · Score: 1

      What CMS do you recommend to keep things secure? Concrete5? Drupal?

      --
      Website Just Down For Me? Find out
    3. Re: Friends by Aethedor · · Score: 1

      Banshee for sure!

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  8. Little Bobby Tables by jfdavis668 · · Score: 1, Funny

    Did you really name your son Robert'); Drop Table Students;--?

    1. Re:Little Bobby Tables by Anonymous Coward · · Score: 0

      I see what you did there ;)

      SANITIZE!

  9. Jesus wept by JustAnotherOldGuy · · Score: 4, Insightful

    "...This happens due to improper input sanitization in the URL parameters"

    Not this shit again. Look kids, use parameterized queries (prepared statements) or a decent sanitizer library (there are several available that are actually very good).

    To get hacked because of poor sanitizing of inputs is downright embarrassing in this day and age.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Jesus wept by Tablizer · · Score: 1

      I find parameterized queries a pain to test and troubleshoot on some platforms because you cannot see the actual SQL the RDBMS is using. Maybe I'm doing it wrong, but I'm disappointed with them.

      Everyone wants sites ASAP and cheap, but debugging them is not ASAP and cheap. Grumble grumble.

    2. Re:Jesus wept by StormReaver · · Score: 2

      I find parameterized queries a pain to test and troubleshoot on some platforms....

      You need more training before you write anything that uses a database. Parameterized queries in PHP are easier to use and read than inline SQL, and are trivially easy to see the actual SQL the RDBMS is using.

      Maybe I'm doing it wrong, but I'm disappointed with them.

      If your statement is a true reflection of your opinion of parameterized queries, then: yes, you are doing it wrong.

    3. Re:Jesus wept by Anonymous Coward · · Score: 0

      Well, you know the stuff going in so you can interpolate it yourself. Otherwise, you could check the transaction log, which should be enabled anyway for other reasons.

    4. Re:Jesus wept by mark-t · · Score: 1

      I find parameterized queries a pain to test and troubleshoot on some platforms because you cannot see the actual SQL the RDBMS is using. Maybe I'm doing it wrong, but I'm disappointed with them.

      You're right....

      You're doing it wrong. Prepared statements are absurdly easy in any remotely modern rdbms, often even cheaper and easier than constructing the entire sql string yourself.

    5. Re:Jesus wept by drinkypoo · · Score: 1

      And this is why Drupal has a layer to handle this stuff for you. Now, granted, they did screw it up the first time and actually create a hole in it, but at least they fixed it rapidly :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Jesus wept by dave420 · · Score: 1

      You can usually get the raw SQL out of it somehow. It's no excuse. You also have access to the SQL server logs, including the queries run against it.

    7. Re:Jesus wept by JustAnotherOldGuy · · Score: 1

      Drupal does a decent job of sanitizing stuff. I use a sanitizer from a place called jetscripts that seems to work very well. I've thrown a ton of stuff at it and haven't been able to spoof it yet.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    8. Re:Jesus wept by Anonymous Coward · · Score: 0

      I find parameterized queries a pain to test and troubleshoot on some platforms because you cannot see the actual SQL the RDBMS is using.

      "No hire."

    9. Re:Jesus wept by Tablizer · · Score: 1

      You also have access to the SQL server logs

      I do? Don't let the DBA's know.

    10. Re:Jesus wept by Anonymous Coward · · Score: 0

      Pulling libraries into a WP is essentially copy/paste--which is stupid. That doesn't encourage reuse of SOLID code.
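Tablizer's complaint in this thread is that parameterized queries hide the SQL the database runs. The following is an added example, not code from any commenter: a small wrapper around PDO that executes the prepared statement as normal and, alongside the rows, records the template that was prepared, the values that were bound, and a quoted rendering for humans to read in a log or bug report. It assumes PDO with the pdo_sqlite driver (in-memory database, so it runs offline); the posts table, its rows and the input value are constructed for the demo.

```php
<?php
// Added example, not from any commenter: a thin wrapper that runs a
// prepared statement and records what the database actually received.
// Uses PDO with an in-memory SQLite database so it runs offline; the
// posts table and its rows are constructed for the demo.
declare(strict_types=1);

// Prepares $sql, binds $params, executes, and returns the rows together
// with a log record containing the template, the bound values and a
// human-readable rendering. The rendering quotes each value with the
// driver's own quoting and is for logs and bug reports only; the query
// that runs is always the parameterized one.
function run_logged(PDO $pdo, string $sql, array $params): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);

    $literals = [];
    foreach ($params as $name => $value) {
        $literals[$name] = is_int($value) ? (string) $value : $pdo->quote((string) $value);
    }
    $log = [
        'template' => $stmt->queryString,      // exactly what was prepared
        'params'   => $params,                 // exactly what was bound
        'rendered' => strtr($sql, $literals),  // for reading, never for running
    ];
    return [$stmt->fetchAll(PDO::FETCH_ASSOC), $log];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$pdo->exec("INSERT INTO posts (title, status) VALUES ('Hello world', 'publish'), ('Unfinished', 'draft')");

// Constructed input that would be an injection if it were concatenated.
[$rows, $log] = run_logged(
    $pdo,
    'SELECT id, title FROM posts WHERE status = :status ORDER BY id',
    [':status' => "publish' OR '1'='1"]
);
print_r($log);   // the rendered form shows the value stayed one quoted literal
print_r($rows);  // empty: no post has that literal status

// PDO can also dump a statement and its bound parameters directly.
$stmt = $pdo->prepare('SELECT id FROM posts WHERE status = :status');
$stmt->bindValue(':status', 'publish');
$stmt->execute();
$stmt->debugDumpParams();
```

Two things worth knowing on the MySQL side, which is what a WordPress install talks to: with the pdo_mysql driver `PDO::ATTR_EMULATE_PREPARES` is on by default, so the PHP driver itself escapes and interpolates the bound values and sends the server one complete SQL string, which is what the server's general log then shows; set it to false to get real server-side prepared statements, and the bound values are then sent separately from the statement text. Either way the rendered string above is only a convenience for reading; nothing in the wrapper ever executes it.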

  10. Obligatory xkcd by OhSoLaMeow · · Score: 3, Funny
    --
    They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  11. That's PHP skill for you by Anonymous Coward · · Score: 0

    Very representative of quality I see from PHP devs.

    1. Re:That's PHP skill for you by Tablizer · · Score: 1

      But why are your alternatives, the COBOL and Lisp CMS so unpopular?

  12. Surprised by kugeln · · Score: 1

    I bet there is somebody, somewhere, that is actually surprised about this. And they're probably using a Mac.

  13. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  14. Who the fuck uses anything PHP in production? by Anonymous Coward · · Score: 0

    And shit like wordpress? For anything?

    Having PHP on a server means it will get owned. Having wordpress means it will be owned tomorrow, but definitely by next week.

    This isn't news. Insecure software with poor track record and incompetent developers is insecure and has incompetent developers.

    1. Re:Who the fuck uses anything PHP in production? by NIGGERpenisbestPENIS · · Score: 0

      And shit like wordpress? For anything?

      Having PHP on a server means it will get owned. Having wordpress means it will be owned tomorrow, but definitely by next week.

      This isn't news. Insecure software with poor track record and incompetent developers is insecure and has incompetent developers.

      Shhhh! You're supposed to tell them what special snowflakes they are, and how the long history of others who tried the same thing, miraculously won't apply to them. Blame the evil hackers, but give Shining Angel Status to those who set up such tempting targets for them. Anything else would be Blaming The Victim, widely held to be heretical for it detracts from the Holy Status of Victimhood, even when the "victim" made choices with a predictable outcome and was able (and likely advised) to make better choices.

      --
      The best is simply the best.
    2. Re: Who the fuck uses anything PHP in production? by Aethedor · · Score: 1

      Having PHP on a server means it will get owned.

      I'm using PHP for many years, got a lot of hack attempts, but never got owned. So, give me your best shot.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    3. Re:Who the fuck uses anything PHP in production? by campuscodi · · Score: 1

      People on cheap shared hosting providers. Mom an' pop shops.

  15. Screw the script kiddies... by __aaclcg7560 · · Score: 1

    I've gotten tired of script kiddies banging down my virtual doors because of PHP and MySQL. These days I'm converting my websites to static websites by using Pelican (Python). There's no bragging rights in hacking HTML files.

    1. Re: Screw the script kiddies... by Anonymous Coward · · Score: 0

      If pages can be static, why weren't they already? I run small intranet sites just for the information I care about, and my pages are HTML, jsp, or servlet, depending on need.

      Maybe other environments don't give you the choice?

    2. Re: Screw the script kiddies... by Anonymous Coward · · Score: 0

      If pages can be static, why weren't they already?

      Perhaps GP (creimer) is converting each dynamic page to several static ones? Thus introducing the need to regenerate them when adding new content.

    3. Re: Screw the script kiddies... by __aaclcg7560 · · Score: 1

      If pages can be static, why weren't they already?

      The content was stored inside a MySQL database. I can export the database to a file and then run a script to convert the articles with metadata into Markdown files. Since I'm using Pelican as my static file generator, I can create scripts to convert Markdown files into Python data structures and create Jinja templates to manipulate the data structures. I also use JavaScript, JQuery and Bootstrap to create a responsive base template.

      Maybe other environments don't give you the choice?

      Other environments typically take six seconds to load the CMS first before showing your content. If your website can't grab the viewer's attention in three seconds, they move on to something else. There's no loading overhead with static web pages because all the work was done on the backend.

  16. On Wordpress? (gasp!) by Anonymous Coward · · Score: 0

    Really, Wordpress is one of the most porous, hole-filled, iffy, disadvantaged website templates out there. Its one boon & bane is its ease of use.
    I have worked with, fixed, de-virused, and browsed upon many Wordpress sites, and they are oh so vulnerable. I am surprised this even made the news.

  17. Well there's your problem by amicusNYCL · · Score: 1

    NextGEN Gallery is maintained by Imagely. We're the WordPress photography experts.

    Hey Imagely, maybe you should hire a programming expert to write your code while you take pictures.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  18. Tremendous! by Mats+Svensson · · Score: 1

    if ($wordpress = $secure) {   // assignment, not comparison
            $nukes_armed = true;
            echo "Welcome mr president!";
    }