Severe SQL Injection Flaw Discovered In WordPress Plugin With Over 1 Million Installs (bleepingcomputer.com)
According to BleepingComputer, "A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database." The plugin's name is NextGEN Gallery, which has its own set of plugins due to how successful it is. From the report: According to web security firm Sucuri, who discovered the NextGEN Gallery security issues, the first attack scenario can happen if a WordPress site owner activates the NextGEN Basic TagCloud Gallery option on his site. This feature allows site owners to display image galleries that users can navigate via tags. Clicking one of these tags alters the site's URL as the user navigates through photos. Sucuri says that an attack can modify link parameters and insert SQL queries that will be executed by the plugin when the attacker loads the malformed URL. This happens due to improper input sanitization in the URL parameters, a common problem with many WordPress and non-WordPress web applications. The second exploitation scenario can happen if website owners open their site for blog post submissions. Because attackers can create accounts on the site and submit a blog post/article for review, they can also insert malformed NextGEN Gallery shortcodes. Sucuri says the plugin's authors fixed this flaw in NextGEN Gallery 2.1.79.
It's known for being so secure!! How could this happen??!?!?
Friends don't let friends use wordpress. Give your friends cocaine, it's better for them.
Irresponsible disclosure is responsible
Did you really name your son Robert'); Drop Table Students;--?
"...This happens due to improper input sanitization in the URL parameters"
Not this shit again. Look kids, use parameterized queries (prepared statements) or a decent sanitizer library (there are several available that are actually very good).
To get hacked because of poor sanitizing of inputs is downright embarrassing in this day and age.
Just cruising through this digital world at 33 1/3 rpm...
Sanitize
They can take my LifeAlert pendant when they pry it from my cold dead fingers.
I bet there is somebody, somewhere, that is actually surprised about this. And they're probably using a Mac.
But why are your alternatives, the COBOL and Lisp CMS so unpopular?
Table-ized A.I.
It's so secure written in the professional engineered PHP...
If I could down-vote you I would. I suppose you write all your code in C (not that C++ shit) when you don't have the time to pound it out in machine (with vi, only nubes use anything else). Or are you one of those trendy Ruby On Rails guys - oh, wait, that's old news. But never mind, I assume all your code is revolutionary and bug free...
If you want news from today, you have to come back tomorrow.
Because WP is the product of a lousy team with the lowest possible standard of practices, their tradition since 2004. Those attitudes permeate throughout the WP "development" landscape. If the core presented best practices and enforced using them, so many vulnerabilities would have been mitigated. Not only is WP shitty code, it begets shitty code.
I'm also glad I don't use PHP
The is crap written in EVERY language, and variations of C are certainly not immune to this. I can write code that accepts unsanitized input in any language you choose.
Absolutely. I use Erlang Outlaw Techno Psychobitch like all the cool kids
http://saveie6.com/
I've gotten tired of script kiddies banging down my virtual doors because of PHP and MySQL. These days I'm converting my websites to static websites by using Pelican (Python). There's no bragging rights in hacking HTML files.
> It's not that hard when I do it.
(...ehm, let's make sure we get the context right on that one.)
Of course, with you HeartBleed wouldn't have happened either I bet. Still really old code, open source and used almost everywhere, but it took years to catch it.
Never say never, it's so easy to judge with hindsight.
PHP is not the issue. Yes, it's an easy language which draws a lot of noobish programmers. But it's not hard to make a secure website with PHP. Take a look at this framework for example.
It doesn't have to be like this. All we need to do is make sure we keep talking.
I've been using PHP for many years, got a lot of hack attempts, but never got owned. So, give me your best shot.
The WordPress Codex tells coders how to sanitize user input, but the NextGEN coders seemed to forget the parameterized URL is user input.
Sure, but how large is the common subset between the people who choose to use PHP and the people who are capable of designing secure software? I imagine it's not a very large set.
People on cheap shared hosting providers. Mom an' pop shops.
The fact that application documentation is trying to teach security practices that any programmer of the language should already know is a great indication of the quality of programmers involved in the Wordpress ecosystem. If someone who is trying to create Wordpress plugins needs to rely on the Wordpress documentation for basic security practices, then it seems like the barrier to entry is too low. This is why Wordpress has the reputation that it does. On one hand it's great that anyone can make a plugin for Wordpress, but on the other hand it sucks that just anyone can create a plugin for Wordpress. SQL injection vulnerabilities have been the #1 attack vector for web servers for over a decade, and it's because of shit like Wordpress. It's frankly embarrassing that SQL injection is still an issue, the people behind the NextGEN plugin should be ashamed of themselves. There's absolutely no excuse at all, it looks like Wordpress requires PHP 5 and if that's the case then the mysqli extension is available, and if that's the case then they should have a database abstraction layer where the usual way of using it is prepared statements and parameterized queries, all of their own code should be using that and all of their own examples should show that. This argument could have been made in 2004 also. Wordpress is only a year older than PHP 5, they could have been doing this for a long time but since their codebase looks like something that a first-year programming student produced as their first project it's no major surprise that the people writing code for them are still making first-year errors.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
NextGEN Gallery is maintained by Imagely. We're the WordPress photography experts.
Hey Imagely, maybe you should hire a programming expert to write your code while you take pictures.
if ($wordpress = $secure) {
    $nukes_armed = true;
    echo "Welcome mr president!";
}
Actually, to some degree, PHP is the issue. PHP has supported ways of performing MySQL queries that use placeholders for many years, but they also resisted breaking existing code by ripping out the old interfaces for way longer than made sense. Note that in PHP 7, they finally removed them, so we should start to see PHP app security improve dramatically as panicked admins realize that they have to replace all this crappy code.
Check out my sci-fi/humor trilogy at PatriotsBooks.
In any programming language, people can do stupid things. Also in PHP 7. And even with the older MySQL library in PHP, it was very well possible to write a secure database driven application. All it required was knowledge, like with any language.
Yes, but when you have an API that is known to be fundamentally insecure, keeping it around for more than a decade solely to preserve code compatibility is generally a really bad idea that can only encourage the proliferation of dangerous code copied from other dangerous code. The assumption was that PHP 5 would be replaced by a new major version that broke backwards compatibility after just a couple of years, but instead it took eleven.
Even the PDO library can be used in an insecure way. A language is just a language. It's the programmer that makes the application secure or vulnerable.
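Added example, not from the article or from the NextGEN Gallery code, illustrating both the "use parameterized queries" advice earlier in the thread and the point above that PDO itself does not protect you when the parameter is pasted into the SQL text. It assumes the pdo_sqlite extension is loaded; the gallery_tags table, its rows and the hostile input are constructed for the demonstration.

```php
<?php
// Same "look up images by tag" query written two ways against an in-memory
// SQLite table through PDO. Assumes pdo_sqlite is available (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gallery_tags (id INTEGER PRIMARY KEY, slug TEXT, image TEXT)');
$seed = $db->prepare('INSERT INTO gallery_tags (slug, image) VALUES (?, ?)');
foreach ([['sunset', 'img1.jpg'], ['sunset', 'img2.jpg'], ['portrait', 'img3.jpg']] as $row) {
    $seed->execute($row);   // constructed sample rows
}

// Vulnerable: the value taken from the URL is interpolated into the SQL
// string, so the database parses whatever the visitor typed as query syntax.
function imagesForTagVulnerable(PDO $db, string $tag): array
{
    $sql = "SELECT image FROM gallery_tags WHERE slug = '$tag'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed and the value travels separately as a bound
// parameter, so quotes in the input can never change the query's structure.
function imagesForTagSafe(PDO $db, string $tag): array
{
    $stmt = $db->prepare('SELECT image FROM gallery_tags WHERE slug = :slug');
    $stmt->execute([':slug' => $tag]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A well-formed tag behaves identically either way.
var_dump(imagesForTagVulnerable($db, 'portrait') === ['img3.jpg']);   // bool(true)
var_dump(imagesForTagSafe($db, 'portrait') === ['img3.jpg']);         // bool(true)

// Constructed hostile input: the interpolated version returns every image
// because the quote terminated the literal; the bound version treats the
// whole string as a tag name and returns nothing.
$hostile = "x' OR '1'='1";
var_dump(count(imagesForTagVulnerable($db, $hostile)) === 3);         // bool(true)
var_dump(imagesForTagSafe($db, $hostile) === []);                      // bool(true)
```

In a WordPress plugin the equivalent of the hardened form is `$wpdb->prepare()` with `%s`/`%d` placeholders; the failure mode is the same whenever a query string is built with interpolation instead.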
The is crap written in EVERY language
Including English, it seems!