
Millions At Risk From Critical Vulnerabilities From WordPress Plugins

Unknown Lamer posted about a year ago | from the just-use-ur-web dept.

Security 145

First time accepted submitter dougkfresh writes "Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research into e-commerce plugins revealed that 7 out of the 10 most popular e-commerce plugins contain vulnerabilities. This is the first time that such a comprehensive survey was prepared to test the state of security of the leading plugins." It does seem that Wordpress continues to be a particularly perilous piece of software to run. When popularity and unsafe languages collide.


145 comments


Not an unsafe language... (5, Insightful)

dclozier (1002772) | about a year ago | (#44051999)

Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)

Re:Not an unsafe language... (4, Funny)

Anonymous Coward | about a year ago | (#44052051)

It's not bad coding, those are just misunderstood features. SQL Injection? - That's just a back door we left in for convenience.

Re:Not an unsafe language... (1)

Anonymous Coward | about a year ago | (#44052079)

Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)

Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.

Re:Not an unsafe language... (5, Funny)

Anonymous Coward | about a year ago | (#44052141)

I personally only use HTML9 Responsive Boilerstrap JS. If you're using any other framework then you're just wasting your time.

Here's a link for you poor slobs that haven't jumped on the bandwagon.

http://html9responsiveboilerstrapjs.com/

Re:Not an unsafe language... (2)

Hognoxious (631665) | about a year ago | (#44052201)

Is it webscale, or does it use joins?

Re:Not an unsafe language... (2)

Larryish (1215510) | about a year ago | (#44053093)

My marketing department uses it because the rubygems facepalm API really lets us utilize turn-key e-tailers in order to better monetize one-to-one vortals.

Re:Not an unsafe language... (4, Funny)

ArcadeMan (2766669) | about a year ago | (#44053171)

Is that a dog?

Re:Not an unsafe language... (0)

Anonymous Coward | about a year ago | (#44053421)

Pfft. If it were really cool it would use the .io domain. It's all the rage these days.

Re:Not an unsafe language... (4, Insightful)

ackthpt (218170) | about a year ago | (#44052185)

Just bad coding. Any language can be coded with badly. (some more easily or accidentally than others)

Well, yeah, other than [INSERT FAVORITE LANGUAGE HERE]. Any programmer worth his or her salt knows that language has all sorts of obvious safeguards against this sort of thing if you have even the vaguest clue what you're doing, which makes it that much more betterer and you should all use it right now and hire me for lots of money.

Assuming management or the analyst who specs the code gives the coder sufficient time to do it right.

Something I continue to observe in outsourced code is an incredible sense of optimism regarding security. Not because the coder is a fool (well, he/she might be) but because security and good practices are not emphasised; time and cost of up front development are too often the deciding factors.

Re:Not an unsafe language... (1)

webnut77 (1326189) | about a year ago | (#44053005)

Wish I had mod points.

Re:Not an unsafe language... (4, Insightful)

Giant Electronic Bra (1229876) | about a year ago | (#44052227)

Some encourage it more than others, and some provide security-oriented features. For instance perl's taint mode is a great security feature. Truthfully strong typing and mature frameworks go a long ways, IF you know how to use them.

HOWEVER all this is secondary. The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED. Any webapp is almost sure to have some sort of hole in it. You can plug them but it's tricky and no team will find them all. The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)? I taught web-app security and was one of the earliest people in the business, I'd never in a million years deploy one of these plugins for a client and not beat it to death with a fuzzer and 10 other things. This is just basic crap I was teaching in my college courses 8 years ago (and it wasn't exactly revolutionary then). Hell, I don't consider myself any sort of security genius by a long shot, but all I can say is that there are a lot of scarily ignorant fools out there...

Re:Not an unsafe language... (5, Insightful)

chuckinator (2409512) | about a year ago | (#44053027)

Auditing isn't cool and takes time that could be better spent posting pictures of food with a sepia filter on Instagram.

Re:Not an unsafe language... (1)

Giant Electronic Bra (1229876) | about a year ago | (#44053579)

Indeed, deserves a +1 (for either obvious or funny, but you know, really obvious things can be pretty funny ;)

Re:Not an unsafe language... (2)

indeterminator (1829904) | about a year ago | (#44053189)

The question then is how on God's Green Earth have so many people deployed this stuff and not audited it thoroughly (or at all)?

Because your client will want new plugins every week, gets tired of asking you every time, and wants you to set up the permissions so that the GUI plugin installer works ("what do you mean not a good idea? the last site I had worked that way and I never had any problems with it"), then proceeds to install all the plugins he needs to make his blog on cats and other larger-than-life stuff buzzword compatible.

Re:Not an unsafe language... (1)

ArcadeMan (2766669) | about a year ago | (#44053281)

There's so many aspects to everything, you cannot assume everyone is an expert on all areas required. You focus a lot on the security but I can bet your plugins would probably be extremely hard to integrate and use, look like crap and be a usability nightmare.

Re:Not an unsafe language... (1)

Giant Electronic Bra (1229876) | about a year ago | (#44053657)

No, I wouldn't write them, I'd just security audit the ones I use. It's just insane to drop in an untested configuration of a webapp doing e-commerce. I don't care that someone else wrote it, I ASSUME they are security-incompetent and test.

Granted, other people's responses to my post definitely explain why this crap happens, but it doesn't make it any less scary or eye-rolling. The real problem is people just don't have any idea how bad the stuff they can install free on their servers really is, unless they've had some education on it. Most people never get that (and how would they know they want it). So you have this kind of yuck. What we need are some webapps written with the mindset of FreeBSD, totally audited and known good code supplied from a single auditor. In fact the webapp world needs this MUCH MORE than OSes do.

Re:Not an unsafe language... (2)

dgatwood (11270) | about a year ago | (#44053697)

The appalling thing is THAT NONE OF THESE PLUGINS WERE EVER AUDITED.

Does this surprise anyone? There's a good reason why WordPress systems are popular targets for hacking....

That said, to some degree, I blame the language designers for not being more aggressive at forcing people to upgrade their old-style SQL queries to use a more modern, parameterized syntax.

If you really want the web to be more secure, we should:

  • Eliminate the PHP/Perl/Python mysql extensions. Force everyone to rewrite their software with either mysqli or PDO. Period.
  • Add tainted data tracking into the language runtime for PHP, Perl, Python, etc. This means:
    • All data coming from outside the code itself (from all files, from GET/POST request fields, etc.) is marked as tainted.
    • String concatenation of tainted data with untainted data results in tainted data.
    • Variable substitution of tainted data inside a string results in a tainted string.
    • Taint is preserved across function calls, such as explode/implode.
    • Data can only become untainted by casting it to a numeric type. (No, mysql_real_escape_string should not untaint anything. That function is a hack. You shouldn't be using it in production code.)
  • All mysqli and PDO functions/methods should throw an exception if a tainted string is passed as a format argument.
  • When the language is running in a web server, all output to stdout (to a browser) should similarly throw an error unless the taint type matches the current Content-Type value. For example, if the headers say Content-Type: text/html, then input from an HTML file is not tainted. Input from a database or text file should have to be either quoted for output or sanitized through your choice of sanitizer functions, tailored for various purposes (e.g. an anti-XSS sanitizer).

And so on. These changes would go very, very far towards eliminating SQL injection attacks and XSS. The fact that such protection schemes are both incomplete and disabled by default in most programming languages suggests to me that security is not a high enough priority.

IMO taint protection should be part of the default configuration when running in a web server environment. If there are bugs that make that impossible, then those should be the absolute highest priority bugs on the plates of the language engineers.

In the meantime, everyone should add taint_error_level = E_ERROR to your php.ini file, etc.
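As an added example that is not part of the thread, here is a library-level sketch in Python of the taint scheme dgatwood lays out above (the post names PHP, Perl and Python; Python is used because str can be subclassed). `Tainted`, `TaintError`, `untaint_int`, `execute` and the in-memory SQLite table are assumptions of this example, not features of any runtime. Taint follows a value through concatenation, %-substitution, slicing and split/join; the SQL sink refuses tainted query text, accepts tainted values only as bound parameters (the driver sends those as data, which is also why the parameterized-query path discussed elsewhere in the thread is safe), and the only way to untaint is a numeric cast.

```python
import sqlite3


class TaintError(Exception):
    """Raised when tainted data reaches a sink that must only see trusted text."""


class Tainted(str):
    """A str subclass marking data that came from outside the program.

    Every operation implemented here returns Tainted, so taint survives
    concatenation, %-substitution, slicing and split/join, as the post asks.
    This is a library-level approximation (an assumption of this example):
    a plain str's own methods cannot be intercepted, see the note below.
    """

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):              # plain_str + tainted
        return Tainted(str.__add__(other, self))

    def __mod__(self, args):                # tainted_template % values
        return Tainted(str.__mod__(self, args))

    def __rmod__(self, template):           # plain_template % tainted_value
        return Tainted(str.__mod__(template, self))

    def __getitem__(self, key):             # slicing keeps the marker
        return Tainted(str.__getitem__(self, key))

    def format(self, *args, **kwargs):
        return Tainted(str.format(self, *args, **kwargs))

    def join(self, parts):                  # implode
        return Tainted(str.join(self, parts))

    def split(self, *args, **kwargs):       # explode: every piece stays tainted
        return [Tainted(p) for p in str.split(self, *args, **kwargs)]

    def strip(self, *args):
        return Tainted(str.strip(self, *args))

    def replace(self, *args):
        return Tainted(str.replace(self, *args))


def untaint_int(value):
    """The only sanctioned untaint in the post's scheme: a numeric cast.

    int() either yields a plain, taint-free integer or raises ValueError."""
    return int(value)


def execute(conn, sql, params=()):
    """SQL sink. Query text must be untainted; tainted values may only travel
    as bound parameters, which the driver passes as data, never as SQL."""
    if isinstance(sql, Tainted):
        raise TaintError("tainted data reached SQL text; bind it as a parameter instead")
    # str() drops only the Python-level marker; the value is still bound, not interpolated.
    bound = tuple(str(p) if isinstance(p, str) else p for p in params)
    return conn.execute(sql, bound).fetchall()


def demo():
    """Exercise the sink with constructed request input (not data from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts (title) VALUES (?)", [("first",), ("second",)])
    post_id = Tainted("1 OR 1=1")           # marked tainted at the trust boundary
    outcome = {}
    try:                                    # concatenation carries the taint into the SQL text
        execute(conn, "SELECT title FROM posts WHERE id = " + post_id)
    except TaintError as exc:
        outcome["concatenated"] = str(exc)
    # Bound parameters: the whole value is one literal, so nothing matches.
    outcome["bound"] = execute(conn, "SELECT title FROM posts WHERE id = ?", (post_id,))
    outcome["bound_ok"] = execute(conn, "SELECT title FROM posts WHERE id = ?", (Tainted("1"),))
    try:                                    # the cast refuses anything that is not a number
        untaint_int(post_id)
    except ValueError:
        outcome["cast"] = "rejected"
    # A successful cast yields a plain int, which may be interpolated.
    outcome["cast_ok"] = execute(
        conn, "SELECT title FROM posts WHERE id = %d" % untaint_int(Tainted("2")))
    return outcome
```

What the sketch cannot do is instructive: a plain string's own methods (`"".join(parts)`, `"{}".format(t)`, `"%s %s" % (t, u)`) build their result without consulting the tainted argument, so the marker is lost there. Catching those cases needs the tracking to live in the runtime rather than in a library, which is the post's point.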

Re:Not an unsafe language... (1)

Giant Electronic Bra (1229876) | about a year ago | (#44053847)

Agreed. At least with Perl there IS a taint mechanism and it generally works as you describe (i.e. you can only untaint data by explicitly calling 'untaint()' or running it through a regex). If you properly use layers like Class::DBA you should never need to compose SQL or have SQL generated in-app, you should be entirely in bind-parameter land (and even that is normally hidden from view). I wrote an entire CMS/e-commerce platform in Perl 15 years ago using those tools. AFAIK no security holes were ever uncovered once we had finished our developer audits, and it was considerably more capable than Wordpress (though there are some nice tools available today like wiki-syntax parsers and XSLT that we didn't have in 1999) with fully apartment hosting and role separation and a bunch of other features that were totally unknown back in those days. Ironic how our thoroughly tested platform is dust now and a giant PoS like Wordpress lingers on. I told them to go open source... ah well.

Re:Not an unsafe language... (1)

dgatwood (11270) | about a year ago | (#44053969)

IMO, running it through a regular expression shouldn't untaint it, either, unless that happens to be a regular expression specifically designed to quote strings properly for output. But yes.

The biggest problem is that young white hat hackers are few and far between. We don't spend nearly enough time in college courses learning about proper security, and as a result, folks come out of school not knowing it. By the time they actually "get" security, most of them are well on their way to retirement, and they aren't always keeping up with the latest programming languages. Unfortunately, most web technology development tends to be done by people straight out of school, because it is a cutting-edge field that is constantly evolving. The result is that the people who understand security often don't understand the web tech, and the people who understand the web tech often don't understand security.

IMO, any college that does not require at least a semester of computer security (ideally, two) for a BS degree is doing their students a disservice. It is a crucial subject for anyone who has any interest in writing software, and it is an area where competent engineers are seriously in demand.

Re:Not an unsafe language... (0)

Anonymous Coward | about a year ago | (#44053491)

WordPress was written in PHP. As a PHP coder I can testify that the language does nothing to prevent SQL injection or even to make it hard. Some languages or frameworks forcibly separate the query string from the parameters or use different types for the string parameters and the query object or have a unified way to perform queries that makes it easier to do it right than wrong. In PHP it's the opposite way around - it's much easier to do it wrong than to get it right. SQL injection still isn't on the radar of many junior coders and since PHP is - wrongly in this case - perceived as an easy starter language, you can see the problem. Of course PHP has an excuse, of a sort: when it was first designed SQL injection was on nobody's radar. But it's 2013 now and in my opinion the language should have long been fixed.

All except for Perl (0)

Anonymous Coward | about a year ago | (#44053495)

Anything using that language will be coded with badly.

Every language is unsafe. (4, Insightful)

Qzukk (229616) | about a year ago | (#44052003)

It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44052119)

http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/function.eval.php
extract($_REQUEST)

I don't even.

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44052121)

This goes for web languages in general.

Pointers are too hard :(

Re:Every language is unsafe. (1)

ackthpt (218170) | about a year ago | (#44052285)

This goes for web languages in general.

Pointers are too hard :(

Drop-through logic made easy:

if (x < 100) { do_stuff(); } elseif (x > 100) {do_other_stuff();}

mind the gap

Re:Every language is unsafe. (4, Insightful)

cold fjord (826450) | about a year ago | (#44052143)

More like every language can be used unsafely, and some have built-in weakness in addition. The C language and many of its derivatives have a number of issues that are well known and documented. In that regard both Unix and C are like chainsaws - in skilled hands they make short work of difficult problems that might be far harder or impossible with other tools, but let your attention wander for a moment and you are missing a leg.

Re:Every language is unsafe. (1)

ewanm89 (1052822) | about a year ago | (#44053061)

Strictly speaking, it can't be impossible in any Turing complete language if you can do it in another Turing complete language. But the main point stands, the language doesn't matter, one can do bad things in any language.

Re:Every language is unsafe. (1)

hairyfeet (841228) | about a year ago | (#44053411)

That is why I never understood the hatred for this or that language, I have seen some solid as hell programs in just about any language and I have seen absolute dogshit, again in just about every language.

You can hand a scalpel to a skilled surgeon and he can save your life, you hand that same tool to an enraged chimp you are gonna get nothing but a mess. At the end of the day a tool will only be as good as its user, and a bad coder will make bad code, I don't care what language they choose. While some here may argue that this or that language has more safeguards all that is doing is trying to idiot proof the language and as we have seen time and time again the world can always come up with a bigger idiot.

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44053587)

In that regard both Unix and C are like chainsaws - in skilled hands they make short work of difficult problems that might be far harder or impossible with other tools, but let your attention wander for a moment and you are missing a leg.

The problem with PHP is that the function to trim a tree is "cut_off_limb" while the function to amputate something is "cutofflimb".

Re:Every language is unsafe. (1)

tepples (727027) | about a year ago | (#44052295)

it WAS an image file you uploaded, right? It ended in .gif, right?

I want to become something other than one of these "absolute retards" you mentioned. If GD returns sane values for the image's width, height, and MIME type [php.net], what dangers should I still be aware of?

Re:Every language is unsafe. (3, Informative)

MtHuurne (602934) | about a year ago | (#44052535)

That's the wrong question: instead of performing a dangerous operation only if the input doesn't look suspicious, you should not perform the dangerous operation at all. So if the input data is supposed to be an image, pass it to a function that can only process images. That way, if an attacker does manage to sneak in PHP code disguised as an image, it will just trigger an error condition instead of being executed.

THIS! (1)

Chirs (87576) | about a year ago | (#44052981)

Otherwise, it might be possible to create something that is simultaneously a valid image file *and* valid PHP (or SQL, or whatever) code and bypass any checks that you add to validate the file.

Re:Every language is unsafe. (1)

tepples (727027) | about a year ago | (#44053819)

So if the input data is supposed to be an image, pass it to a function that can only process images.

I was under the impression that getimagesize() (the linked function) is "a function that can only process images."

Re:Every language is unsafe. (4, Funny)

Anonymous Coward | about a year ago | (#44052541)

They could exploit GD.

The only solution is to have the user base64 encode the binary GIF data, print it and then snail mail it to you.

You can then build a dedicated PC that's not on the network, type out the base64 data, decode it and confirm it's a valid GIF. Then connect that PC to the network and upload the GIF on behalf of the user.

If the GIF was malicious you simply set that dedicated PC on fire, inform the user (via snail mail) "INVALID GIF IMAGE, PLEASE TRY AGAIN" and then buy another dedicated PC for the next GIF you receive.

It's the only way to be safe. I do this with my site and so far so good: I launched one year ago and I've received 1 GIF so far 3 months ago and I'm about 75% done typing all the base64 data. I hope to confirm his avatar picture by July 1st!

Re:Every language is unsafe. (1)

SirGarlon (845873) | about a year ago | (#44052657)

I can't answer your specific question (I am mostly ignorant of PHP), but perhaps I can be of help with the broader issue of helping people learn about secure coding practices.

One of the basic principles of secure coding is to validate user input to ensure it is what you expect. If you are checking the image size and MIME type you are headed in the right direction. Whether you've gone sufficiently far, I'll leave to PHP experts.

To get started learning more, you can do worse than the OWASP Top 10 [googlecode.com] (PDF) -- skip to page 5 to bypass a thicket of jargon that may confuse you at first. Probably other readers can suggest other, gentler, starting points. I am suggesting the OWASP Top 10 because it's commonly cited and because it discusses how to prevent each of the major classes of application vulnerabilities. It's not perfect. It will take some time and thought for a newcomer to digest, but for me the effort was worth it.

You can also go to OWASP meetings if there is a chapter near you, or maybe find a local PHP user's group and ask about security.

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44053571)

This is generally good enough, but might still return true for images that have extra data contained within, which may include PHP code. Like how you can include .rar files at the end of JPG images.

Whenever you let users upload images, store them somewhere outside the web root and use readfile('../path/to/file.png') to display them such that no extra code or contents in them has any chance of being run by the webserver.

Re:Every language is unsafe. (1)

Qzukk (229616) | about a year ago | (#44053875)

For God's sake, don't include() it to send it to the browser, because it could be a valid image with in an EXIF tag.
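An added example, not code from the thread, showing the point MtHuurne and the follow-ups make: hand the upload to a parser that understands nothing but images, store it under a server-chosen name outside the web root, and serve it back as bytes with a fixed Content-Type (the readfile() pattern, never include()). The thread is about PHP; this is Python with a strict GIF walker written for the example, since the principle does not depend on the language. `gif_dimensions`, `store_upload`, `serve_upload`, `InvalidImage` and the 35-byte sample GIF are all constructed for this example. Unlike a header-only check (the getimagesize() question above), the walker accepts the bytes only if the trailer is the last byte, so data appended after the image, the case the Anonymous Coward describes, is rejected before it is ever stored.

```python
import hashlib
import os
import struct
import tempfile

# Constructed sample input (not from the thread): a valid 1x1 GIF, 35 bytes.
SAMPLE_GIF = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen: 1x1, 2-entry global colour table
    b"\x00\x00\x00\xff\xff\xff"                  # global colour table
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW min code size, one data sub-block, terminator
    b"\x3b"                                      # trailer
)


class InvalidImage(ValueError):
    """The bytes are not exactly one GIF, so they never reach storage."""


def _skip_subblocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a zero byte."""
    while True:
        if pos >= len(data):
            raise InvalidImage("truncated sub-blocks")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_dimensions(data):
    """Walk the complete GIF block structure and return (width, height).

    A lenient reader stops at the first trailer; this one accepts the input
    only if every byte is accounted for, so appended data is an error."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise InvalidImage("not a GIF header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                            # global colour table present
        pos += 3 * (2 << (packed & 7))
    while True:
        if pos >= len(data):
            raise InvalidImage("missing trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:                        # trailer: the image ends here
            break
        if block == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                      # image descriptor
            if pos + 9 > len(data):
                raise InvalidImage("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9
            if local_packed & 0x80:              # local colour table present
                pos += 3 * (2 << (local_packed & 7))
            pos = _skip_subblocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise InvalidImage("unexpected block 0x%02x" % block)
    if pos != len(data):
        raise InvalidImage("%d trailing bytes after the GIF trailer" % (len(data) - pos))
    return width, height


def store_upload(data, upload_dir):
    """Store only what the image-only parser consumed entirely; the server picks
    the name, and upload_dir is meant to sit outside the web root."""
    gif_dimensions(data)
    name = hashlib.sha256(data).hexdigest() + ".gif"
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name


def serve_upload(upload_dir, name):
    """Return (headers, body): raw bytes read from disk with a fixed Content-Type."""
    if os.path.basename(name) != name or name in (".", ".."):
        raise InvalidImage("bad upload name")   # no path components from the client
    with open(os.path.join(upload_dir, name), "rb") as fh:
        body = fh.read()
    return {"Content-Type": "image/gif", "X-Content-Type-Options": "nosniff"}, body


def demo(upload_dir=None):
    """Run the checks on the constructed sample and on a copy with bytes appended."""
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    results = {"clean": gif_dimensions(SAMPLE_GIF)}
    appended = SAMPLE_GIF + b"<appended junk>"    # constructed: data after the trailer
    try:
        gif_dimensions(appended)
        results["appended"] = "accepted"
    except InvalidImage as exc:
        results["appended"] = str(exc)
    name = store_upload(SAMPLE_GIF, upload_dir)
    headers, body = serve_upload(upload_dir, name)
    results["served"] = (headers["Content-Type"], body == SAMPLE_GIF)
    return results
```

The walker does not decode the LZW pixel data; it only proves the byte stream is one well-formed GIF and nothing more. The same shape of check (parse the whole container, reject leftovers, re-serve as data) applies to PNG or JPEG with their own block grammars.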

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44052451)

The problem you describe typically arises from a badly configured HTTP server together with dumping uploads in a publicly accessible directory. The user uploads a file and accesses it, the server sees that it's a PHP file, and executes it. The solution is to disable automatic running of PHP files, at the very least in directories with user content. You don't need to "verify the contents".

It's not like people are actively running eval() on GIF images. That doesn't even make sense.

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44052605)

In fact, it's the retards that "designed" the language in the first place.

Re:Every language is unsafe. (4, Insightful)

dkleinsc (563838) | about a year ago | (#44052645)

Every language is unsafe, but some almost try to be as unsafe as possible.

For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.

Re:Every language is unsafe. (3, Informative)

Dragonslicer (991472) | about a year ago | (#44053959)

For example, the oldest (and until fairly recently, only) way of handling database queries in PHP pretty much asks for you to be vulnerable to SQL injection attacks, because there's no parameterization so all you can do is awkwardly run a hodgepodge of escaping functions and hope they work. By contrast, Perl, Java, Python, and C# all provide support for parameterizing queries in their standard approaches to handling database queries about 10 years before PHP did. That's the kind of thing that gives PHP its bad reputation.

Depends on your definition of "fairly recently." PDO was available as an extension for PHP 5.0 (2004) and was included in the standard installation for PHP 5.1 (2005). There hasn't been any excuse not to be using it for at least 5 years.

Re:Every language is unsafe. (1)

cjjjer (530715) | about a year ago | (#44052669)

I hate to say it but it sounds like PHP is the new classic ASP with regards to exploits...

Not that I am saying classic ASP devs got any smarter they just moved from ASP to other forms of server scripting/languages.

Re:Every language is unsafe. (0)

Anonymous Coward | about a year ago | (#44052805)

Even though I agree that user input validation is paramount, calling someone an `absolute retard' for not doing so is not done.

Do not panic (0)

Anonymous Coward | about a year ago | (#44052017)

It is only millions of bloggors that are at risk, not millions of dollors.

Re:Do not panic (2)

lightknight (213164) | about a year ago | (#44052407)

Well, the problem is some of the more intelligent crackers out there have been upping their game recently...they have, if memory serves me correctly, found ways of getting websites to arbitrarily become a part of botnets. That's right, it's no longer just a matter of your website's database being compromised, with your liability ending with a broadcasted message to everyone telling them to change their passwords / check their credit cards...now your website, or rather the host machine that the website is running on, can be hijacked into DDOS'ing the DHS's main servers, or something equally tasteful. If repeated phone calls from the bank telling you to fix your website's code was enough motivation, then possibly a heart to heart talk with Agent Bob and Agent Rob will. And I'm sure the part where you tell them that you hired the lowest bidder to build the site (or just used the built-in), use a Mac because you're super-bad with computers (but still have a blog, because of that advertising money, amiright?), and that you have no idea how to fix it, and thus can't be held accountable for whatever has happened, will go over well with them. It'll be a real knee-slapper, you'll be laughing, they'll be laughing, and the whole thing will be cleaned right up inside of a week.

In other news, the DoJ may have found a use for all those crackers they plan on catching -> early-release program, clean-slate, provided they fix WordPress and help hunt down the old installs. Should keep them busy for the next several eons...

which plugins? (0)

Anonymous Coward | about a year ago | (#44052029)

It would be helpful to know which plugins are vulnerable.

Re:which plugins? (-1)

Anonymous Coward | about a year ago | (#44052067)

The one that posts the videos of your cuckolded dad lapping cum from your mom's asshole after 10 black dudes have had their way with her is definitely not vulnerable.

Re:which plugins? (1)

amicusNYCL (1538833) | about a year ago | (#44052191)

I'm sure they notified the plugin authors, just keep your plugins updated. Their PDF report has a description of the plugins (including lines of code and downloads), but blacks out the title.

The issue that I've noticed is with small busi... (0)

Anonymous Coward | about a year ago | (#44052043)

I really like Wordpress, but the issue that I've noticed is with some small business owners. They want a web site, but they are not willing to spend the money to keep it updated. They are often not savvy enough to run the update themselves. They want to be on the Internet, but they have absolutely no understanding of what this involves. It's the equivalent of the home user that is not willing to do his homework about computer security, and ends up contributing their PC to a botnet. They have someone install Wordpress, pay scraps to have a template they like, and then they never maintain it.

Re:The issue that I've noticed is with small busi. (0)

Anonymous Coward | about a year ago | (#44052721)

Your first clue that they aren't serious about making money with the internet is that they wanted to use Wordpress. What a shame. No self respecting developer offers Wordpress as a solution unless they think the site is not going anywhere.

Re:The issue that I've noticed is with small busi. (2)

lightknight (213164) | about a year ago | (#44052745)

Welcome to reality. Some people believe that the best way to 'get through life' is by being at the top of things...you may not know how to do anything, but you know how to pull the cord that does something. Some people believe that the best way to 'get through life' is by being the best you can be at something, even if you are terri-bad at everything else. Some people believe that the best way to 'get through life' is by being the best you can be at several somethings, even if you are not the absolute best. And so on.

The problem with small business owners is that they, in this instance, are running on the basis of some dime-store logic, and not the full diamond. "You need to look to cut costs everywhere" which has a corollary in the form of "You need to understand your art / business / science well enough to know when you are cutting costs, and when you are screwing yourself long-term." Unfortunately, this is typically lost on small-business owners, since they think that in order to get ahead of the game, they need to rush people / everything, because "time is money"; what is actually happening here is a programmer is trying to explain to them why what they are thinking about doing is going to cost them tens to hundreds of thousands of dollars, but their attention span won't allow them to spend five minutes to save themselves that money. Being the head of a small-business somehow leads one to believe that you need to act like every bad CEO / president / actor on TV you've ever seen, which means asking for bullet points and never seeming interested in the details.

WordPress is fine if you are running a blog. It's fine if you have a dedicated programmer on staff, and you are running a company that sells t-shirts with funny slogans over the internet. It can't be hacked into a better product...it doesn't work like that. If you aren't selling t-shirts, consider something else. Everyone will offer their favorite flavor of the month CMS (which, in common parlance, can be seen as a website that lets you add most new products / adjust prices without needing to hassle a programmer); many of them suck, and popular does not mean good. Do some research, see how much it would cost for a mid-range developer (look at the high-end of the reported salaries...those sites tend to lie) to know what it will look like if your website needs to be pulled out of the fire (manually); hopefully that will never happen...you'll open up a decent relationship with a good firm, choose the right CMS, and never have to worry about Plan B. Plan B, in case you are unawares, is when that firm disappears for whatever reason, and leaves you with a website that you need updated, but no one else is familiar with, but you absolutely, positively need someone to fix it, because otherwise your business is sunk.

Wordpress! (0)

Anonymous Coward | about a year ago | (#44052063)

The industry leading backdoor with blog functionality.

e-commerce plugins vulnerable (3, Interesting)

schneidafunk (795759) | about a year ago | (#44052065)

According to the PDF [checkmarx.com], e-commerce plugins are in the list. I'm a bit surprised to see that, as I assumed developers would be thinking about security first with e-commerce.

Re:e-commerce plugins vulnerable (3, Interesting)

Vanderhoth (1582661) | about a year ago | (#44052123)

I agree it should be the first consideration, but the people who want the implementation are MBAs that care more about getting people's money, return on investments and how something looks rather than how secure it is.

<sarcasm>Why pay money up front for security you might never need? It's better to wait until something does happen, like millions of credit card numbers are stolen, and give the money to the PR people to clean up the mess. It's way cheaper if the gamble pays off.</sarcasm>

Re:e-commerce plugins vulnerable (0)

Anonymous Coward | about a year ago | (#44052139)

"" everyone knows, when you make an assumption, you make an ass out of "u" and "umption" ""

Re:e-commerce plugins vulnerable (0)

Anonymous Coward | about a year ago | (#44052157)

Does anyone else find it kind of funny that they are serving their download from a WordPress site?

Re:e-commerce plugins vulnerable (2)

Algae_94 (2017070) | about a year ago | (#44052239)

They only did a study on plugins. They must be assuming that WordPress itself is super secure. Bad assumption.

Re:e-commerce plugins vulnerable (0)

Anonymous Coward | about a year ago | (#44052281)

They didn't want to pay for hosting a Slashdotted article, but they had a large list of WordPress vulnerabilities that can take root. How would you have solved that situation?

Re:e-commerce plugins vulnerable (0)

Anonymous Coward | about a year ago | (#44052449)

HA HA HA! Security is the last thing that people developing WordPress plugins would be thinking about. Of course there's still people doing e-commerce that don't hash passwords, too (costcentral.com, I'm pointing at you).

Let's keep the tree green (2)

dkegel (904729) | about a year ago | (#44052089)

The solution is easy: hosting providers should be required to continuously run vulnerability scanners, and instantly take down any sites which have known vulnerabilities. As a bonus, it would clear out a lot of crap sites.

Re:Let's keep the tree green (2)

Spy Handler (822350) | about a year ago | (#44052209)

I don't know about "should be required"; who's going to require them, Congress? DOJ?

However, the smarter ones do just what you described, out of their own self-interest. My hosting company contacted me once about a vulnerable Mambo extension they found.

Re:Let's keep the tree green (2)

dkegel (904729) | about a year ago | (#44052353)

Congress, say.

And of course 'instantly' would be too gestapo for real life. We'd really want a grace period with escalating warnings, followed by fines, followed by pulling-the-plug.

And it'd be much better if industry came up with this on its own first. What's the state of the art?

Rackspace talks about security, http://www.rackspace.com/managed_hosting/services/security/ [rackspace.com] but doesn't seem to offer proactive vulnerability scanning, and if they did, they would charge for it instead of just doing it.

GoDaddy seems to offer this as an extra-cost service instead of just doing it: http://www.godaddy.com/security/website-security.aspx [godaddy.com]

Here's one WordPress hosting provider that promises to install all security updates within one hour (wow): https://wpengine.com/security/ [wpengine.com]

So, industry guys, can we get our act together and offer security scans and upgrades as part of the basic service plan?

Re:Let's keep the tree green (1, Insightful)

amicusNYCL (1538833) | about a year ago | (#44052217)

The solution is easy: hosting providers should be required

The solution is authoritarian.

In case you were wondering... (0, Flamebait)

slashmydots (2189826) | about a year ago | (#44052105)

Like I need another reason to hate Wordpress. In case you're not familiar, it's basically a website design suite for morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey. It got so popular that it's the biggest hacking target on the entire internet and anyone who uses it is seen as a complete joke by actual web developers like me. If you see "wordpress experience" on a job listing, run! That company is beyond all hope.
br /. I think I can break down how this came about. People who aren't qualified to make a website hopped on, added a bunch of code that someone else wrote via a plugin, they have NO IDEA what it does or how it really works or that it should be updated, and then they send it out to the public internet on a cheapo host with little to no security. What could possibly go wrong there?

Re:In case you were wondering... (1)

Anonymous Coward | about a year ago | (#44052127)

and anyone who uses it is seen as a complete joke by actual web developers like me.

So just like how you web monkeys... err... "developers" appear to programmers.

Re:In case you were wondering... (3, Funny)

slashmydots (2189826) | about a year ago | (#44052273)

ohhhhh that's right, my second degree is in software programming with .NET and ASP

Re:In case you were wondering... (2)

amicusNYCL (1538833) | about a year ago | (#44052347)

From where does one get a degree in .NET?

Re:In case you were wondering... (1)

Anonymous Coward | about a year ago | (#44052349)

ohhhhh that's right, my second degree is in software programming with .NET and ASP

I believe the GP rests his/her case.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052383)

Digging your hole deeper, web monkey?

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052779)

I think you mean scripting, web monkey.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052205)

No one cares what you think. If you don't have something insightful to add to the conversation that hasn't been addressed in the blurb then you're just wasting people's time trying to make yourself look like a hard nose professional. Real professionals are out there doing it, you're just talking about doing it.

I guess if you need to do that to pad your ego enough to make yourself feel better then it is what it is. Sad that we can't have people who can stand on their merits instead of their oversized egos.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052235)

it's basically a website design suite for morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey.

br /. I think I can break down how this came about.

Your failure to properly use HTML in your comment is rather humorous. :)

Re:In case you were wondering... (1, Funny)

amicusNYCL (1538833) | about a year ago | (#44052257)

...morons who don't know HTML or CSS even though I could teach both to a moderately intelligent monkey... ...actual web developers like me... ...beyond all hope.
br / . I think...

Yes, your mastery of HTML and websites is truly something to behold.

Re:In case you were wondering... (2)

slashmydots (2189826) | about a year ago | (#44052299)

Read the reply right above you. Spoiler alert, I'm also an offline software programmer.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052337)

Are you an "offline software programmer" because your mom doesn't have the internets in her basement?

Re:In case you were wondering... (1)

Lunix Nutcase (1092239) | about a year ago | (#44052403)

ASP is "offline" programming? Since when?

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052633)

So you have an actual degree in "software programming with .NET and ASP"? Like, from a university, or a cereal box?

I just assumed that was a joke...

Re:In case you were wondering... (1)

Lunix Nutcase (1092239) | about a year ago | (#44052679)

He won that degree from a claw game.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44053647)

Read the reply right above you.

Hmm... mmm hmm, yes, yes, I see now! Someone else agrees that such a showcase of your evidently inept abilities to write HTML where you don't need to write it (Slashdot will add line breaks for you) is hilariously ironic when presented with the rest of your post! Good, glad we're all on the same page here.

Spoiler alert, I'm also an offline software programmer.

Oh, good. I mean, you can't be much worse at that than you are at HTML, which CAN, by someone's assertion, I forget whose, be taught to a moderately intelligent monkey, so there's some hope for you.

Re:In case you were wondering... (5, Insightful)

Zedrick (764028) | about a year ago | (#44052335)

I used to be of the same opinion, but... I've been working in the hosting business for 10 years now, and that kind of attitude doesn't really work in real life.

It's 2013, most people (at least in developed countries with high IT penetration) have their own domain and website nowadays. Do you really think it's fair to call a 50 year old woman who wants a nice website for her cat-blog a moron? Or the coin collector who doesn't care about computing but just wants to write about English hammered coins? Or the fishing club whose members want a nice looking site with a gallery and perhaps a public calendar? Or the girlfriend who wants to blog about cooking? Are they all morons?

Websites are not just for companies or IT-people anymore.

Also, Wordpress is way way better than it used to be a few years ago (unlike Joomla which is a total fail in every version). Since 3.5.1 was released, I've seen more customers hacked due to brute force logins than security exploits in outdated themes or plugins.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052557)

Then those people should be using hosted sites managed by a service like wordpress.com, Blogger, Facebook, Google Plus, etc.

The moment those technically retarded people choose to take on the responsibility of managing their own website, shit like this happens.

Re:In case you were wondering... (0)

Anonymous Coward | about a year ago | (#44052827)

For he's a wanker, he's a wanker, tra la la la la. Sod off you cunt.

Developers don't care (0)

Anonymous Coward | about a year ago | (#44052357)

Instead of focusing on languages or management, why don't we admit that for the overwhelming majority of programmers, especially those who give away their code, security isn't even an afterthought, it's a neverthought. They're so intent on making a plugin or Android app or Windows application that Does Something Cool that they don't even think about security. And I would bet that better than 80% of them don't have anywhere near the expertise to properly evaluate their own code to look for security flaws.

This isn't just a FOSS issue -- although the habit of saying, "the source code is available and it's free, so fix it if you want" certainly feeds the situation -- look at the security train wreck that Windows and other high-profile pieces of code have been for years.

Ooh, scary Open Source, look at the nasties (5, Insightful)

xenoc_1 (140817) | about a year ago | (#44052393)

Great, Dice posts story from a corporate-software-industrial-complex advertorial mag, with a link to their so-called blog. Which ironically is running WordPress, along with a bunch of common plugins like "Yoast WordPress SEO plugin v1.4.7" and "All in One SEO Pack 1.6.14.6". Right there tells me how clueless they are about WordPress, because unless you have a damn good special reason, you do not want to be running two separate SEO plugins. LeadGen contact form plugin, a bunch of ad and analytics beyond the usual, and no apparent caching plugin. Oh, and no Google Authorship id done the correct way, despite both of those SEO plugins having "fill in the blank" prompting for it (they do have an XFN tag on their contact info but don't do the full Google social.)

For more laughs, their version of All-In-One SEO is downlevel. Exactly what Checkmarx themselves warn against. They are on 1.6.14.6, current version is 2.0.2. [wordpress.org]

Yeah, I'm gonna listen to them about WordPress security.

When you click through their blog to the actual PDF report [checkmarx.com], guess what? They redacted the names of all those "at-risk" plugins, noting only 6 by name. Four of which they claim took their advice and fixed the problem, and two (WP Super Cache and W3 Total Cache) which I recall getting fixes for months ago. Hot news. I guess that even though their supposed expertise is in scanning for vulnerabilities, they are not going to tell you which are at risk in the current environment, because you didn't pay them. Classic dipstick move. Total and utter unawareness of the karmic and $$ benefits of internet "gift culture", such as, the whole damn open source movement and the specific WordPress ecosystem in which they are supposedly expert.

But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as Cool vendor in application security.

Re:Ooh, scary Open Source, look at the nasties (0)

Anonymous Coward | about a year ago | (#44052815)

Not to mention their recommendation: use static code analysis.

By the way, we sell that.

Re:Ooh, scary Open Source, look at the nasties (1)

St.Creed (853824) | about a year ago | (#44053289)

But we should listen to them, because: Checkmarx was recognized by Gartner as sole visionary in their latest SAST magic quadrant and as Cool vendor in application security.

Visionary just means they paid Gartner. The Cool vendor means they took 'em to a brothel as well.

Okay, I'm joking. Still... the fact they were whoring out "pattern based strategy" (you had to pay to use the term) not long ago leaves me wondering.

Wordpress should die (1)

TheSkepticalOptimist (898384) | about a year ago | (#44052435)

People complain about IE6 or Flash or Java, but every web developer I know ABHORS WordPress.

The moment a company decides to use Wordpress as their underlying site "technology", it's game over. This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.

So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.

If you want to blog online, use Facebook or Twitter or any other established social platform, nobody sets up their own blog anymore, that is so early 21st century.

Re:Wordpress should die (1)

amicusNYCL (1538833) | about a year ago | (#44052683)

nobody sets up their own blog anymore, that is so early 21st century.

Shit, is it mid-century already? Where the hell does the time go?

Re:Wordpress should die (0)

Anonymous Coward | about a year ago | (#44052691)

I literally know THOUSANDS of Web Developers (I've been doing this since 1994) and I don't know a single one who ABHORS WordPress, and at least a third of them have moved to exclusively providing solutions via WordPress. Maybe your high school could do a workshop on it and explain the benefits, then those "developers" you know will be able to embrace it by the end of their sophomore year.

Re:Wordpress should die (0)

Anonymous Coward | about a year ago | (#44052801)

Prove it.

Re:Wordpress should die (1)

realityimpaired (1668397) | about a year ago | (#44053039)

If you want to blog online, use Facebook or Twitter or any other established social platform

Maybe I don't want the advertising that goes with a platform like that, or the space limitations, or the way they assert copyright on the stuff I create, or maybe the WP blog is just a front-end for a domain name that's primarily there for e-mail, or...? There's a lot of reasons to run something like WordPress, and social media as you suggest is not a fix-all substitution.

Besides, it's not like Facebook and Twitter have never been hacked... they're big juicy targets with the number of users they have and the amount of information they're collecting about their users.

Re:Wordpress should die (1)

LordThyGod (1465887) | about a year ago | (#44053091)

The moment a company decides to use Wordpress as their underlying site "technology", it's game over.

Like CNN, NYTimes ... ?

This was supposed to be a product that allowed people at home to set up a content site quickly, not an enterprise level technology.

Actually, originally and for a long time, it was a blogging platform ... for people who write blogs. Not really for housewives and the like.

So if this thing is causing significant security issues, it should be placed at the top of the Internet's most hated and avoided like the plague.

"if" ? If your aunt had a dick she'd be your uncle.

Anybody audit CPAN lately? (1)

Medievalist (16032) | about a year ago | (#44052511)

Never use a module if you can possibly avoid it, and keep everything you use patched up to date.

That way you'll be as safe as you can be - because you'll only be using modules you aren't actually capable of writing yourself.

Pulling in a dozen wordpress plugins (or a dozen CPAN modules, or the Ruby or Python equivalents) so you can avoid learning how to unpack a trivial format is the road to software maintenance hell...

Which Ones?!?! (5, Insightful)

Rob Riggs (6418) | about a year ago | (#44052581)

What an absolutely useless article and report. Scaremongering at its best, with no actionable content. Which plugins have vulnerabilities? Can they be mitigated through configuration changes or do they need to be disabled/uninstalled? What is the potential exposure? Those are the sort of things a computer professional needs. Where are the damned CVEs?

+1 Insightful (1)

mccrew (62494) | about a year ago | (#44053215)

Wish I had some mod points for you today.

Re:Which Ones?!?! (1)

kermidge (2221646) | about a year ago | (#44053381)

Giving useful info would require having useful info, giving a shit, and having a mind to do it with. This way, the author gets web views, gets rep, gives a company name or two to establish bona fides, without really having to do anything. I might presume that asking the people who did the study might get you useful info - perhaps even at a discount. Or maybe the relevant info is only for those in the know, not just casually anyone with a WordPress powered site.

Further if one is getting these plugins from "a reputable source" then why can't one have some assurance that said plugins have already been tested and vetted?

Zedrick had some good points above about end-users. Expecting everyone on the bloody web who puts up a site to be some elite webby pro is simply arrogant and unsupportable.

Re:Which Ones?!?! (0)

Anonymous Coward | about a year ago | (#44053549)

Finally someone said this. I'm not trying to troll and say Slashdot has lost this or that.. but look at the last of the post... one blanket statement and incomplete sentence that barely makes sense. I just get how they can post this crap, it was never this bad.

Oh no! (1)

interval1066 (668936) | about a year ago | (#44052919)

My WordPress blog might get compromised. Let me jump right on that little emergency...

Is this news, or just the general state of things? (1)

water-and-sewer (612923) | about a year ago | (#44053409)

It seems like I read a version of this article about once a month. Seems like Wordpress is always not-too-far-away from some amazing catastrophe that will cause Western civilization to collapse.

I have been looking around for a new blog platform in order to redo my personal website, which is an aging Joomla 1.x system (and actually works fine, thank you very much, I just wish the URLs weren't so awkward). As far as I can tell, the entire rest of the world abandoned everything other than Wordpress, but actually I'd prefer something that didn't seem to be semi-permanently at risk of critical vulnerabilities due to crap plug-ins or whatever.

Right now, I'm looking favorably at Serendipity, which seems simple and relatively safe. Joomla 2 isn't better in ways that interest me and worse in ways that do. I want no part of Drupal, and a lot of other stuff out there just isn't right for me. So, still looking actively at everything other than the blogging platform that is apparently in a continuous state of near catastrophe.
