Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com) 104
An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, and which is also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
Re: (Score:1)
" I bet the default has PHPMailer and some example forms installed as well "
No, it doesn't.
Re: (Score:2)
Well, it's pretty generally accepted that the P does not always mean PHP anymore -- perl or python were rolled into that acronym a decade or so ago.
Re: (Score:2)
I'm pretty sure Slashdot still uses mod-perl. That was the original "MP" in "LAMP".
I'm pretty sure the original LAMP was Linux, Apache, MySQL, Perl.
Re: (Score:1)
What do you have to hide? Post your real name and stop hiding behind a pseudonym.
Re: (Score:1)
Because your legal name is "Nogrial"?
Re: (Score:1)
This is a third-party library. Why would you need to update all of PHP?
Re: (Score:2)
windows 10 auto updates?!!
Re: (Score:2)
/troll
Three answers to three questions (Score:5, Informative)
Unless I'm mis-reading your post, you've brought up three different issues:
a) What is the best way to update a PHP script?
b) How do Wordpress and Drupal update by default?
c) How do you update the PHP interpreter without breaking scripts?
> a) What is the best way to update a PHP script?
Probably the best way is to use a revision control system such as "git", "cvs", "svn", or "hg". You can look at the Wordpress SVN here:
https://core.trac.wordpress.or... [wordpress.org]
The system tracks all changes:
https://core.trac.wordpress.or... [wordpress.org]
On an up-to-date server, you can run "svn update" to retrieve all of the updates that you're missing. On an older system, you can pull only the specific changes you want, such as security patches:
https://core.trac.wordpress.or... [wordpress.org]
b) How do Wordpress and Drupal update by default?
In a stupid way. The script itself downloads the new version from the Wordpress web site. For this to work, the script (and therefore all scripts on the server) needs to have permission to overwrite files on the server. That's bad because in most cases that means *any* script can change *any* file on the site. Any little security hole in any script allows the bad guy to write whatever he wants, including his own software, and run it on your server. That's a bad idea. It's *possible* to set this up to be reasonably secure, but nobody does. PHP makes the more secure configuration much more difficult than it needs to be.
> c) How do you update the PHP interpreter without breaking scripts?
Most of the time, a function will be deprecated several years before it's removed or disabled by default. Use http://php.net/manual/ [php.net] to understand the PHP you're writing rather than copying and pasting shit from Stackoverflow that might have been halfway correct six years ago. The manual will let you know if a function is deprecated, and point to the newer approach you should use instead. Aside from using good documentation (not forums) as your primary learning tool and avoiding deprecated functions, you can make your software easier to update and fix later. That's mostly about modularity - keep unrelated things separate. Ideally each function you write would be no longer than about 4-12 lines. A simple, short function is easier to update later. Related functions can be grouped into classes ( http://php.net/manual/en/langu... [php.net] ). It's much easier to fix your file uploader if it's all together in a file called "fileuploader.php" rather than being sprayed through "mega_forum_script.php" (8MB).
> *super novice programmer here* ... PHP
You have a much harder road ahead of you than us old-timers who learned in the 1980s and 1990s. Your newbie code will be exposed on the internet, where it'll be attacked several times per hour. That's very high risk. Minimize your exposure by trying to avoid working with confidential data for now. Recognize your limitations and don't try to write a security system or shopping cart with credit card payments right now. When you *do* have to work on something that could cause damage when attacked, consider asking a programmer who is trained in security to do code review. (I've been programming professionally for 20 years, mostly doing security-related code, and I still ask my peers to review my work - there's no shame in that.)
Of course it does. E_DEPRECATED warning (Score:3)
> Wait... the PHP interpreter doesn't tell you this?
Of course it does. It issues a warning at level E_DEPRECATED. The manual answers your question here:
http://php.net/manual/en/error... [php.net]
And here:
http://php.net/manual/en/error... [php.net]
As noted in the manual, you do not want a log entry every time someone runs a script which includes a deprecated function; that could be a million times per day, if you have a million visitors. Like most languages, you'll want to set the reporting level higher during development
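The configuration the comment above describes, as an added example that is not part of the thread: E_DEPRECATED is reported while developing, kept out of the production log, and a small collector lets a test suite fail when a deprecated call slips in. The function names are this example's own, and the deprecated function is constructed with trigger_error() so the script behaves the same on any PHP version.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread: make E_DEPRECATED visible while
// developing, keep it out of production logs, and let a test fail when a
// deprecated call slips in. Function names are this example's own.

function configureErrorReporting(bool $development): void
{
    if ($development) {
        // E_ALL includes E_DEPRECATED, so deprecated calls are reported.
        error_reporting(E_ALL);
        ini_set('display_errors', '1');
    } else {
        // Production: report everything except deprecations, never show
        // errors to visitors, and send the rest to the error log.
        error_reporting(E_ALL & ~E_DEPRECATED);
        ini_set('display_errors', '0');
        ini_set('log_errors', '1');
    }
}

/**
 * Run $fn and return the deprecation messages it raised.
 * A handler installed with set_error_handler() is invoked regardless of
 * the error_reporting() level, so this works under either configuration.
 */
function collectDeprecations(callable $fn): array
{
    $seen = [];
    set_error_handler(
        function (int $errno, string $errstr) use (&$seen): bool {
            if ($errno === E_DEPRECATED || $errno === E_USER_DEPRECATED) {
                $seen[] = $errstr;
                return true;   // recorded; do not log it a second time
            }
            return false;      // anything else goes to the default handler
        }
    );
    try {
        $fn();
    } finally {
        restore_error_handler();
    }
    return $seen;
}

// Constructed stand-in for a library function that has been deprecated.
function legacyHelper(): string
{
    trigger_error('legacyHelper() is deprecated; use newHelper()', E_USER_DEPRECATED);
    return 'result';
}

configureErrorReporting(true);
$deprecations = collectDeprecations(function (): void {
    legacyHelper();
});
if ($deprecations !== []) {
    fwrite(STDERR, "Deprecated calls found:\n  " . implode("\n  ", $deprecations) . "\n");
    exit(1);
}
echo "No deprecated calls\n";
```

Run as written, the script exits with status 1 and lists the deprecated call, which is the behaviour you want from a pre-deployment check; replace the closure body with the code under test to use it on real code.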
Agreed. Also different viewpoints and creative ide (Score:2)
Agreed, forums, including Stackoverflow, can certainly provide hints of where to start looking. Then as you said, refer to the documentation to understand exactly what the function does, and precisely what arguments it takes and how it interprets them.
ALSO after you know a language well, perhaps you've served as a subject matter expert reviewing the certification test for the language, such forums can be a source of creative new ideas, and people may have benchmarked different ways of doing things, etc. For
Ps about security for web code (Score:3)
A little follow-up on the topic of writing code that's exposed on the web:
The natural tendency for most programmers is to think of how to make the code work, and to test that it works, given proper inputs. You'll be way ahead of the game both for security and avoiding bugs if you instead think about how your code can be made to FAIL, and test what it does with IMPROPER inputs. That's a major change of how we think for veteran programmers; a newbie may have an advantage if they can establish that mindset e
I'm not saying they don't know, it's a frame of mi (Score:2)
> Plenty of veteran programmers understand basic concepts such as making sure code can handle invalid parameters properly.
And I *know* basic Spanish. I *think* in English. Most programmers have heard something about programming defensively, a few do so as a matter of course. Most of us, most of the time, think about how things are supposed to work (not how they can fail). For decades we've said things like "garbage in, garbage out." We may know, intellectually, that "garbage in, garbage out" is no l
Re: (Score:2)
b) How do Wordpress and Drupal update by default?
In a stupid way. The script itself downloads the new version from the Wordpress web site. For this to work, the script (and therefore all scripts on the server) needs to have permission to overwrite files on the server. That's bad because in most cases that means *any* script can change *any* file on the site. Any little security hole in any script allows the bad guy to write whatever he wants, including his own software, and run it on your server. That's a bad idea. It's *possible* to set this up to be reasonably secure, but nobody does. PHP makes the more secure configuration much more difficult than it needs to be.
What about an installation on a shared-hosting environment where you only have user permissions? In such an environment you can never just run a sudo command to make a secure update.
As a side note, I just ran the exploit against one of my sites and tried to create a file using the exploit shell, but I then looked for the file and it does not exist anywhere on the server.
Don't run suexec. The creators say suexec is stupi (Score:2)
You don't need sudo to update your files, including your PHP files. They can be owned by your regular user, and updated via ftp/sftp or ssh. The scripts should *run* as user "nobody", so they don't have the same access that you do. Even better, the scripts can run as your own personal nobody, a user created for the purpose such as "execthis_scripts". Using the standard system "nobody" is far more common, though.
If your scripts are running as you, with the same permissions you have when logged in via ssh
Uhm no. It started as a CMS written in Perl & (Score:2)
Might want to double-check your facts there. I remember when PHP was a CMS written in a mix of Perl and C. That was about 1994 or so. I had already written something similar myself. The first web sites were 1989.
Oh you think the vocabulary is the science (Score:2)
I think I misunderstood what you were trying to say. You're under the impression that learning software engineering is nothing more than learning the vocabulary of a particular language. A programmer couldn't learn anything that applies to programming in PHP until after learning the PHP vocabulary, you think.
Not really so, IMHO. Most of software engineering, and systems architecture in general, is quite independent of any particular programming language. Heck I've written software that's valid in three
DUUUUUUPE (Score:4, Funny)
I've been seeing this same headline or a paraphrasing of it for OVER A DECADE. Please stop with the duplicates!
Swiftmailer (Score:1)
Swiftmailer, another popular lib, is also vulnerable.
https://github.com/swiftmailer/swiftmailer/issues/844
Looks like the core issue is with php's mail() function:
> ... due to 'mail() in PHP already escapes this argument.' However that's not the
> case - PHP passes the parameters through escapeshellcmd() but that doesn't
> prevent the appending of additional arguments, which is the issue here.
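An added example, not code from the thread, PHPMailer or Swiftmailer, that serves two posts above: the "test what it does with IMPROPER inputs" advice, and the quoted point that escapeshellcmd() does not stop extra arguments being appended. A sender address is only placed after "-f" in mail()'s fifth argument when it passes a strict allow-list, and the validator is exercised with constructed improper inputs as well as a proper one. The function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread, PHPMailer or Swiftmailer: a sender
// address reaches mail()'s additional_parameters only if it passes a
// strict allow-list. Names below are this example's own.

/**
 * Return the address if it is safe to hand to mail()'s fifth argument,
 * otherwise null. Rejecting is deliberate: mail() runs escapeshellcmd()
 * on that argument, and escapeshellcmd() leaves spaces alone, so a value
 * containing whitespace still becomes several sendmail arguments.
 */
function safeSenderAddress(string $candidate): ?string
{
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Allow-list of characters with no meaning to the shell or to
    // sendmail's option parser. FILTER_VALIDATE_EMAIL alone accepts quoted
    // local parts and other RFC syntax we do not want to reason about.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D', $candidate)) {
        return null;
    }
    return $candidate;
}

/** Build additional_parameters for mail(), or null to send without -f. */
function envelopeSenderParams(string $candidate): ?string
{
    $safe = safeSenderAddress($candidate);
    return $safe === null ? null : '-f' . $safe;
}

/**
 * Exercise the validator with improper inputs as well as a proper one.
 * The inputs are constructed for this example. Returns name => accepted.
 */
function runImproperInputChecks(): array
{
    $cases = [
        'plain'          => 'alice@example.com',
        'trailing space' => 'alice@example.com extra-argument',
        'newline'        => "alice@example.com\n",
        'single quotes'  => "'alice'@example.com",   // RFC-valid, shell-hostile
        'semicolon'      => 'alice;@example.com',
        'empty'          => '',
    ];
    $results = [];
    foreach ($cases as $name => $input) {
        $results[$name] = envelopeSenderParams($input) !== null;
    }
    return $results;
}

// escapeshellcmd() on its own does nothing for the second case above:
// the string comes back unchanged, space included.
$escaped = escapeshellcmd('alice@example.com extra-argument');
printf("escapeshellcmd() result: %s\n\n", $escaped);

foreach (runImproperInputChecks() as $name => $accepted) {
    printf("%-15s %s\n", $name, $accepted ? 'accepted' : 'rejected');
}
// Only "plain" is accepted; every other case is rejected.
```

The design choice is to reject rather than escape: layered escaping functions (the library's own, then the one mail() applies) interact in ways that are hard to reason about, whereas an address made only of allow-listed characters is safe no matter how many layers touch it.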
and this is why (Score:1)
i write a lot of my own shit and use external stuff as little as possible :-) ...even in PHP
Re: (Score:1)
Right on, me too.
- The PHPmailer developer.
Patch ontop of patch to fix another patch (Score:1)
Perhaps this is only the beginning of the start of the self-aware wordpress botnet; but would explain the regular hacking of wordpress sites; that will probably only continue so long as people rely on other peoples' PHP code. That's not to say that other languages aren't subject; but php is probably the worst because there is no precedence for code quality or coding standards that releases (or even most of the community) follow. Is php functional? Object oriented? Both? It's neither; I would describe it as pu
Re: (Score:2)
but would explain the regular hacking of wordpress sites
It's got nothing to do with stuff like this and unless a popular WP plugin is found to be vulnerable to PHPMailer + param injection (unlikely in my opinion) there won't be much damage. Wordpress is vulnerable in general because it's easy to scan huge lists of websites for exploitable unpatched plugins, and because admins don't keep up to date. If a node.js platform ever becomes as popular as WP you can bet it will have the same issues.
Here we go! (Score:2)
Let the "PHP is crap" comments roll!
Re: (Score:2)
Let the "PHP is crap" comments roll!
Yeah, I'm sick of the losers who are busy chasing the new shiny and don't say a word when someone finds a vulnerability in their super special language.
The party line is something like this: Naturally it's totally impossible to write insecure code in any other language, and no other language (or library for any other language) has ever had an exploitable bug, ever. It's all PHP's fault, of course!
All I can say is that PHP (the LAMP stack, really) has made me a boatload of money over the years. Yes, it has b
Re: (Score:1)
Prove Mail.dot.net or mail.java or mail.python is any safer over all.
Re: diff (Score:1)
Yea. First it looks like some of the code written by some contractors I work with. Smelly code happens in every language. Imagine the same shit happening in C#. You know you've seen it!
Second, it looks like a whole shitshow of patching needs to happen every damn place in the core. Third, that check had to be thrown in at two places: there is no optimization of the code for it already being inside the same boolean evaluation... And fourth, you call that a patch...
Drupal core is not affected (Score:4, Informative)
Most sites needing extended mailing functionality probably use the SMTP contrib module [drupal.org]; fortunately, it is not affected by this either.
However, if you are one of the 11,000 (or so) sites reported to be using phpmailer module (and the associated library), you should make sure the library is updated. You can see if you're vulnerable by looking in the sites/all/libraries or sites/default/libraries folders to see if you're using the phpmailer 3rd party library.
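The check the comment above describes, widened into an inventory, as an added example that is not part of the thread or of Drupal, WordPress or PHPMailer: it walks a web root, finds bundled copies of the PHPMailer library, compares each version with 5.2.18 (the fixed release named in the summary), and, picking up the shared-hosting discussion earlier in the thread, flags copies that the user running the script could overwrite. The file names it searches for and the version patterns it reads are assumptions about the library's layout; the function names are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from Drupal, WordPress or PHPMailer: inventory bundled
// PHPMailer copies under a web root, report version against the fixed
// release, and flag copies writable by the current user.

const FIXED_VERSION = '5.2.18';

// File names the 5.x and 6.x releases ship the class in (assumed from the
// library layout; adjust if your copy differs).
const PHPMAILER_FILES = ['class.phpmailer.php', 'PHPMailer.php'];

/** Extract the library version from a PHPMailer class file, or null. */
function phpmailerVersion(string $path): ?string
{
    $source = file_get_contents($path);
    if ($source === false) {
        return null;
    }
    // 5.x: public $Version = '5.2.18';    6.x: const VERSION = '6.x.y';
    if (preg_match('/\$Version\s*=\s*[\'"]([\d.]+)[\'"]/', $source, $m)
        || preg_match('/const\s+VERSION\s*=\s*[\'"]([\d.]+)[\'"]/', $source, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * One row per PHPMailer copy under $root: path, version, whether it is
 * older than the fixed release (unknown versions count as vulnerable),
 * and whether the user running this script can write to it. Run through
 * the web server, that user is the one your scripts execute as.
 */
function inventoryPhpmailer(string $root): array
{
    $rows = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!in_array($file->getFilename(), PHPMAILER_FILES, true)) {
            continue;
        }
        $path = $file->getPathname();
        $version = phpmailerVersion($path);
        $rows[] = [
            'path'       => $path,
            'version'    => $version,
            'vulnerable' => $version === null || version_compare($version, FIXED_VERSION, '<'),
            'writable'   => is_writable($path),
        ];
    }
    return $rows;
}

$root = $argv[1] ?? '.';
foreach (inventoryPhpmailer($root) as $row) {
    printf("%s  version=%s  %s  %s\n",
        $row['path'],
        $row['version'] ?? 'unknown',
        $row['vulnerable'] ? 'UPDATE NEEDED' : 'ok',
        $row['writable'] ? 'writable by current user' : 'not writable by current user'
    );
}
```

Run it once from the shell as your own user to find every copy (for a Drupal site, point it at sites/all/libraries and sites/default/libraries), and once through the web server: a copy reported as writable in the second run is one that any script on the site could replace, which is the situation the shared-hosting replies above warn about.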
Re: (Score:2)
Any word on Wordpress? I ran the exploit and it worked on one of my sites so I took the unprecedented step of literally disabling all my WP sites.
Re: (Score:2)
WP itself is not affected, they say. Plugins and themes of course are the wild card, if they email without using the WP wrappers. https://core.trac.wordpress.or... [wordpress.org]
Mail script have always been a headache. (Score:3)
Re: (Score:1)
Use a third party service and call their API. Done.
Like Mandrill?
Thank you (Score:2)
Re: (Score:1)
That it is open source may be the reason the vulnerability was found?
Re: (Score:2)
Users don't want to signup for mailing lists or find a good download site.
Almost every single Linux distro comes preconfigured with a default repository which can be used to automatically locate patches, or download source code if you need to compile your own, if you can't wait for your distro to test and push a patch. Though usually, you choose your distro based on such criteria of how quickly they push essential patches balanced with how often they push patches that break stuff.