Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com)
An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
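An inventory check a site operator can run against the situation the summary describes, added here as an example and not code from the article or from PHPMailer itself: it walks a web root, finds PHPMailer 5.2.x class files and flags any whose version is below the 5.2.18 fix. It assumes the library ships as class.phpmailer.php declaring its version as the string property `$Version` (the 5.2.x layout as I know it; the article does not state this).

```python
import os
import re
import sys
from typing import Iterator, Optional, Tuple

# Assumption (not from the article): PHPMailer 5.2.x declares its version in
# class.phpmailer.php as `public $Version = '5.2.x';`.  The article states the
# fix shipped in 5.2.18, so anything older is treated as unpatched.
FIXED_VERSION = (5, 2, 18)
VERSION_RE = re.compile(r"""\$Version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]""")


def parse_version(php_source: str) -> Optional[str]:
    """Return the $Version string found in a PHPMailer class file, or None."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Turn '5.2.17' into (5, 2, 17); missing parts become 0, suffixes like '-rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_vulnerable(version: str) -> bool:
    """True when the version predates the 5.2.18 release the article names as the fix."""
    return version_tuple(version) < FIXED_VERSION


def scan_tree(root: str) -> Iterator[Tuple[str, str, bool]]:
    """Yield (path, version, vulnerable) for every class.phpmailer.php under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "class.phpmailer.php":
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_version(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if version is not None:
                yield path, version, is_vulnerable(version)


if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for found_path, found_version, vulnerable in scan_tree(web_root):
        status = "UNPATCHED (< 5.2.18)" if vulnerable else "ok"
        print(f"{found_path}: PHPMailer {found_version} {status}")
```

Run it with the web root as the only argument; each hit is printed once with its version and whether it predates the fixed release.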
What do you have to hide? Post your real name and stop hiding behind a pseudonym.
Because your legal name is "Nogrial"?
"I bet the default has PHPMailer and some example forms installed as well"
No, it doesn't.
This is a third-party library. Why would you need to update all of PHP?
windows 10 auto updates?!!
/troll
Perhaps this is only the beginning of the start of the self-aware wordpress botnet; but would explain the regular hacking of wordpress sites; that will probably only continue so long as people rely on other peoples' PHP code. That's not to say that other languages aren't subject; but php is probably the worst because there is no precedence for code quality or coding standards that releases (or even most of the community) follow. Is php functional? Object oriented? Both? It's neither; I would describe it as pu
but would explain the regular hacking of wordpress sites
It's got nothing to do with stuff like this and unless a popular WP plugin is found to be vulnerable to PHPMailer + param injection (unlikely in my opinion) there won't be much damage. Wordpress is vulnerable in general because it's easy to scan huge lists of websites for exploitable unpatched plugins, and because admins don't keep up to date. If a node.js platform ever becomes as popular as WP you can bet it will have the same issues.
Let the "PHP is crap" comments roll!