Do we even need SSL?

“Do we even need SSL?” — In almost every project where hosting of some kind is involved this question comes up.

While SSL clearly can be improved, it is the easiest way to secure transfers between web servers and web surfers.

In which cases is SSL expendable?

IMHO, encrypted data transfer via SSL is expendable only when no private data and no login credentials travel between the web server and you or your visitors. That applies merely to static web sites consisting of nothing but HTML, CSS, JavaScript and images. Keep in mind that even such a site, served over plain HTTP, can be altered on its way to the visitor by anyone sitting in between; SSL protects integrity as well as confidentiality.

In all other cases at least certain parts of a web site or web application should be transmitted via SSL only. The most common example is WordPress: administrative access to WordPress should always be encrypted. The reason is quite obvious. Imagine yourself in a Starbucks or any other place where you can freely access the Internet. You are most probably happy to have access at all; this is not the moment you worry about other people eavesdropping on Wi-Fi connections.

The New York Post (via Bruce Schneier) has a nice piece on this topic (the author meets a security consultant in a Wi-Fi coffee shop for a live “hacking” demo):

He turned his laptop around to reveal all of this:

* Every copy of every e-mail message I sent *and* received.

* A list of the Web sites I visited.

* Even, incredibly, the graphics that had appeared on the Web sites I had visited.

None of this took any particular effort, hacker skill or fancy software. Anyone could do it. You could do it.

All Jon needed was a “packet sniffing” program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot.

I do not even consider this “hacking”, as all you have to do is start a program that dumps Wi-Fi traffic. There are somewhat more complicated ways to eavesdrop even on encrypted Wi-Fi traffic, but that is another story.

Security evangelist Bruce Schneier encrypts all of his web server’s traffic; so do I. A basic level of security can be obtained just by buying an SSL certificate and installing it, or letting someone install it for you. Most web hosting services provide some way of protecting your web site’s traffic. If you only want to secure the administrative sections of your website and do not mind the extra bit of hassle that comes with self-signed certificates (the browser warns about them, and you have to verify the certificate yourself the first time), you can get that security for free.

I do not say everyone should, but you should at least let your web server encrypt sensitive data transfers such as administrative logins.
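For WordPress specifically, forcing the login page and the admin area onto HTTPS is a wp-config.php matter. The following is an added example and not part of the original post: FORCE_SSL_ADMIN is a real WordPress constant; the X-Forwarded-Proto handling is the usual pattern for a TLS-terminating reverse proxy and assumes that such a proxy exists and overwrites that header on every request.

```php
<?php
// wp-config.php excerpt (added example, not from the original post).
// Place it above the "That's all, stop editing!" line.

// Weak setting: no FORCE_SSL_ADMIN at all (the default). wp-login.php and
// /wp-admin/ answer over plain HTTP, so the password and the auth cookie
// cross the coffee-shop Wi-Fi in the clear.
// define('FORCE_SSL_ADMIN', false);

// Corrected: WordPress redirects wp-login.php and every /wp-admin/ request
// that arrives over HTTP to https:// before accepting a login or showing
// an admin page. A self-signed certificate is enough for this; the browser
// warns, but the traffic is encrypted.
define('FORCE_SSL_ADMIN', true);

// Caveat (assumes TLS is terminated by a reverse proxy in front of PHP):
// PHP then sees a plain HTTP request, is_ssl() returns false, and the
// redirect above loops forever. Trust the proxy's X-Forwarded-Proto header
// only if the proxy is guaranteed to overwrite it; otherwise a client can
// send the header itself and skip the redirect.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

Without a proxy, leave the last block out entirely; a header that nobody overwrites is a header the visitor controls.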

The keys to running a successful WordPress blog — technically speaking

Heise online reports that WordPress is going to clean up the plugins directory because plugins “suck”, and that, despite this, WordPress has become a constant on the web because large blogs such as Smashing Magazine use it.

How do large WordPress blogs like Smashing Magazine accomplish this when plugins suck so much?

In the past years I have been responsible for many WordPress installations, including Smashing Magazine‘s. I think I can tell you the keys that make a blog running WordPress successful or unsuccessful, technically speaking.

It’s the plugins:

  • How many of them are installed: the fewer, the better!
  • Which ones are installed: always look at how experienced the plugin’s developer is!
  • How they got chosen: do a security audit, either yourself if you are competent, or hire someone who is!

In fact there are many, many WordPress plugins out there that have been developed by, let’s say, inexperienced developers. There are *tons* of security issues out there. The more plugins you install, the more security issues you install.

When I take over as a WordPress sysadmin, the first thing I do is throw out all unneeded plugins. Then I update the remaining ones. Then I try to reduce the number of plugins further, either by implementing features myself or by replacing plugins with more capable and more secure ones.
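Deciding which of the remaining plugins to review first is easier with a crude map of where request data ends up. The script below is an added example, not the author’s tooling: a heuristic first pass that, within each PHP file, follows raw request data ($_GET, $_POST, $_REQUEST, $_COOKIE, and variables assigned straight from them) to a line where it meets an output, SQL or file-system sink without a recognised escaping call. It is grep with a little memory, not an audit; its only job is to rank plugins for a real review. The plugins path is an assumption, and the sample it runs on when given no directory is constructed from the code patterns discussed elsewhere on this page.

```php
<?php
// plugin-triage.php (added example, not the author's tooling).
// Heuristic first pass over a plugins directory: follow raw request data to
// an output, SQL or file-system sink on a line with no escaping call.
// Usage: php plugin-triage.php /path/to/wp-content/plugins   (path assumed)
//        php plugin-triage.php                                (constructed sample)

function findings_for_lines(array $lines, string $label = 'sample'): array
{
    // Pass 1: names that receive raw request data. The superglobals are
    // always tainted; add every $var assigned straight from one of them,
    // e.g.  $post_id = $_REQUEST['prid'];
    $tainted = ['\$_GET', '\$_POST', '\$_REQUEST', '\$_COOKIE'];
    foreach ($lines as $line) {
        if (preg_match('/(\$[A-Za-z_]\w*)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[/', $line, $m)) {
            $tainted[] = preg_quote($m[1], '/');
        }
    }
    $taintRe = '/(' . implode('|', array_unique($tainted)) . ')\b/';

    // Pass 2: sinks. A line is reported when a tainted name meets a sink and
    // no recognised sanitiser/escaper appears on that same line.
    $sinks = [
        'xss'  => '/\b(echo|print)\b|<\?=/i',
        'sqli' => '/\b(SELECT|INSERT|UPDATE|DELETE|TRUNCATE)\b/i',
        'file' => '/\b(unlink|fopen|file_put_contents|copy|rename|include|require)(_once)?\s*\(/i',
    ];
    $sanitised = '/\b(esc_html|esc_attr|esc_url|esc_js|esc_sql|htmlspecialchars'
               . '|intval|absint|sanitize_\w+|prepare)\s*\(|\(\s*int\s*\)/i';

    $out = [];
    foreach ($lines as $i => $line) {
        if (!preg_match($taintRe, $line) || preg_match($sanitised, $line)) {
            continue;
        }
        foreach ($sinks as $kind => $re) {
            if (preg_match($re, $line)) {
                $out[] = ['file' => $label, 'line' => $i + 1, 'kind' => $kind, 'code' => trim($line)];
            }
        }
    }
    return $out;
}

function findings_for_file(string $path): array
{
    $lines = @file($path, FILE_IGNORE_NEW_LINES);
    return $lines === false ? [] : findings_for_lines($lines, $path);
}

function scan_plugins_dir(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $findings = array_merge($findings, findings_for_file($file->getPathname()));
        }
    }
    return $findings;
}

// Constructed sample: the two patterns from the WP-PhotoContest write-up on
// this page, plus one escaped line that must not be reported.
$sample = explode("\n", <<<'SRC'
$post_id = $_REQUEST['prid'];
$q1 = "SELECT contest_id FROM ".$wpdb->prefix."photocontest_admin where post_id=$post_id";
$frompost_id = $_REQUEST['prid'];
<a href="login.php?post_id=<?php echo $frompost_id; ?>">Log In</a>
<a href="login.php?post_id=<?php echo esc_attr($frompost_id); ?>">Log In</a>
SRC
);

if (PHP_SAPI === 'cli') {
    $findings = isset($argv[1]) ? scan_plugins_dir($argv[1]) : findings_for_lines($sample);
    foreach ($findings as $f) {
        printf("%s:%d [%s] %s\n", $f['file'], $f['line'], $f['kind'], $f['code']);
    }
}
```

On the constructed sample it reports the SELECT line as sqli and the unescaped echo as xss, and stays quiet on the esc_attr() line. Expect false positives (a sanitiser two lines earlier is invisible to it) and false negatives (data passed through a function call or an array); that is the price of a script you can run across a hundred plugins in seconds before reading the ones it points at.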

Here’s my last tip: If you cannot find a decent, capable, and secure WordPress plugin that suits your needs, hire a good developer with a security background to create it for you. Obviously you have to make sure not to hire one of the inexperienced developers. Please don’t go collecting plugins like “Oh I take this, and this one as well, this one sounds nice too” — this is not going to work in the long run. A successful WordPress blog is *always* run by competent admins and developers, not by “WordPress plugin collectors”.

Of course there are other factors as well, like always having the most recent versions installed, or having interesting content, but those are the keys IMHO.

Serious security issue in OneFileCMS 1.1.0

There is a serious bug in OneFileCMS 1.1.0 that enables remote users to create, write and delete files in the web server’s context.

If you have a running OneFileCMS installation — pull the plug now. Until this issue has been resolved make sure only trusted users can access your OneFileCMS-powered website.

The author has been informed. Please come back later for updates :)

This is the encrypted exploit (I will post the key once the security holes have been fixed)

Happy new year BTW :)

Update 17.01.2010: The issue seems to be resolved! Update now!

WP Plugin Security: Multiple Leaks in WP-PhotoContest

What IS WP PhotoContest? The readme states:

This plugin permits you to create a ‘voting for photos-contest’ from the WordPress admin panel Subscribed users can uploads photos and everyone else can vote for the uploaded photos (sic).

The author could rephrase that as follows:

This plugin permits everyone to inject SQL commands into the database and to do a cross site scripting attack.

You most certainly do not want to install this plugin even if you are in the mood for a photo contest.

I did not review the whole plugin, just login.php, where I found the XSS leak, and view.php as well as viewimg.php, where the SQL injection leaks are located. Most probably there are even more leaks, as this plugin seems to come from an inexperienced PHP programmer.

The author has been notified at 10:22 UTC. This information applies to versions 1.0 and 1.0.1.

Details

The XSS leak is all too common:

$frompost_id = $_REQUEST['prid'];
...
<a href="<?php echo bloginfo('wpurl'); ?>/wp-content/plugins/wp-photocontest/login.php?post_id=<?php echo $frompost_id; ?>"><?php _e('Log In', 'wp-photocontest') ?></a>

There it is. A classic.

SQL injection in view.php and viewimg.php:

$post_id = $_REQUEST['prid'];
...
$q1 = "SELECT contest_id, start_date, end_date, contest_path, contest_name, intro_text, num_photo FROM ".$wpdb->prefix."photocontest_admin where post_id=$post_id";
$out = $wpdb->get_row($q1);

This is also a classic, and a beginner’s mistake as well: the request parameter goes straight into the query string, so there is no input validation whatsoever. Do not consider this plugin safe even once the mentioned leaks have been fixed!
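For the two snippets quoted above, here is each leak beside a hardened version. This is an added example, not code from WP-PhotoContest or its author; it uses the WordPress helpers the plugin already has at hand ($wpdb->prepare(), absint(), esc_url(), esc_html__(), get_bloginfo()), and the function names are invented for illustration.

```php
<?php
// Added example, not code from WP-PhotoContest or its author: each leak
// quoted above beside a hardened version. Uses WordPress helpers the plugin
// already has at hand; the function names are invented.

// --- XSS in login.php ----------------------------------------------------
// Vulnerable (as quoted): $frompost_id = $_REQUEST['prid']; is echoed into
// an href attribute untouched, so a prid value containing "><script>...
// breaks out of the attribute and runs in the browser of whoever follows
// the link.
function photocontest_login_link_fixed()
{
    // 1. Validate to the type the value is supposed to have. absint() is
    //    WordPress' "non-negative integer" cast; garbage becomes 0.
    $frompost_id = isset($_REQUEST['prid']) ? absint($_REQUEST['prid']) : 0;

    $url = get_bloginfo('wpurl')
         . '/wp-content/plugins/wp-photocontest/login.php?post_id=' . $frompost_id;

    // 2. Escape for the context the value lands in: esc_url() for the href,
    //    esc_html__() for the translated link text.
    return '<a href="' . esc_url($url) . '">' . esc_html__('Log In', 'wp-photocontest') . '</a>';
}

// --- SQL injection in view.php / viewimg.php ------------------------------
// Vulnerable (as quoted): "... where post_id=$post_id" with $post_id taken
// straight from $_REQUEST['prid']; a prid of  0 OR 1=1  rewrites the WHERE
// clause instead of selecting one contest.
function photocontest_contest_row_fixed()
{
    global $wpdb;
    $post_id = isset($_REQUEST['prid']) ? absint($_REQUEST['prid']) : 0;
    if ($post_id === 0) {
        return null; // refuse rather than query with a junk id
    }
    // $wpdb->prepare() takes sprintf-style placeholders; %d forces an integer
    // into the statement, so the value cannot change the query's structure
    // even if the absint() above were missing.
    $sql = $wpdb->prepare(
        "SELECT contest_id, start_date, end_date, contest_path, contest_name, intro_text, num_photo
           FROM {$wpdb->prefix}photocontest_admin
          WHERE post_id = %d",
        $post_id
    );
    return $wpdb->get_row($sql);
}
```

The two fixes follow the same rule: validate on the way in (an id is an integer, so make it one) and escape on the way out for the exact context, attribute, URL or SQL, the value is written into. Neither step replaces the other.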

What to do for plugin users

Deactivate and remove WP-PhotoContest immediately and wait for a revised plugin.

This issue has been resolved

WP Plugin Security: When the genius is out for lunch

I am in the mood for some more ranting… Why am I doing this? The low security level in the WordPress community aggravates me. And I care about the security of WordPress users out there. So here goes the next issue.

It’s a rather insignificant XSS vulnerability, but since the theme’s author runs the website GeniusHackers.com and his Swift theme for WordPress gets more than 2000 downloads per week, you might be interested in this.

There is a simple XSS hole in search.php of the Swift theme: the GET parameter ‘s’ is echoed without being sanitized or even touched. Go to GeniusHackers.com, paste this into the search box and press enter for a live demo.

<style>*{visibility:hidden}html,body{visibility:visible}</style><div style=visibility:visible;line-height:150px;font-size:200px;color:green;position:absolute;top:0;left:0;padding:0;margin:0;background-color:red;width:10000px;height:10000px;margin-left:-200px;margin-top:-300px;padding-top:100px>XSS XSS XSS XSS XSS<script>alert(String.fromCharCode(88)+String.fromCharCode(83)+ String.fromCharCode(83))</script></div>

If a red page appears containing ‘XSS’ and a JS alert box containing ‘XSS’, the genius hacker has not yet fixed it.

You may want to check your own blog the same way. If it is vulnerable, search for something like this in your theme’s PHP files:

Search results for "<?php echo $_GET['s']; ?>"

and replace with

Search results for "<?php the_search_query(); ?>"

The search result page might still look ugly after an XSS attempt, but at least nothing gets injected, rendered or executed: the_search_query() escapes the value for output, whereas echoing $_GET['s'] writes it into the page untouched.

Update: The theme has been updated. Download the updated version from WordPress.org. See SwiftThemes.com for more information.

WP Plugin Security: WP Shopping Cart/WP eCommerce Security Holes

Another week, another security hole. This time I have found several holes in ajax-and-init.php of WP-eCommerce v3.7.4, aka WP Shopping Cart, which is the latest stable version. Let’s go.

The first issue is an unrestricted file deletion. Remote attackers can trick a logged-in WP user into clicking prepared links that make the above-mentioned script delete files in the web server’s context. The WP user must be logged in; a simple subscriber account is sufficient. Those two conditions say what is missing: nothing ties the request to the user’s own intent (a nonce), and nothing restricts the action to users who are allowed to manage the shop (a capability check).

The second issue is a SQL injection. It is possible for remote attackers to trick a logged-in WP user into clicking prepared links and have “Products List” items deleted and the “Products Files” table truncated. As above, the WP user must be logged in; a simple subscriber account is sufficient.

There is at least one more hole that enables remote attackers to change the plugin’s configuration under similar conditions.
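The three issues share one shape: an action that runs because a session exists, not because the logged-in user asked for it or is allowed to do it. The following is an added example, not WP-eCommerce code, showing that shape in its vulnerable form and with the checks that close it, using the WordPress nonce and capability API (current_user_can(), check_admin_referer(), wp_nonce_url()). The hook names, the nonce action strings, the query parameter, the upload sub-directory and the table name are assumptions for illustration.

```php
<?php
// Added example, not WP-eCommerce code: the bug class described above in
// its vulnerable shape and with the checks that close it. Hook names, nonce
// action strings, query parameter, directory and table name are assumptions.

// Vulnerable shape. The only "check" is that a session exists, so any
// logged-in user (a subscriber will do) who opens a prepared link deletes
// the file, and nothing ties the request to something the user meant to do.
function example_delete_file_vulnerable()
{
    if (isset($_GET['delete_file'])) {
        unlink(WP_CONTENT_DIR . '/uploads/wpsc/' . $_GET['delete_file']);
    }
}

// Hardened: capability, intent (nonce) and path containment, in that order.
function example_delete_file_fixed()
{
    if (!isset($_GET['delete_file'])) {
        return;
    }
    // 1. Capability: a subscriber has no business deleting product files.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    // 2. Intent: the link must carry a nonce minted for this action and this
    //    user (wp_nonce_url() adds _wpnonce; check_admin_referer() dies when
    //    it is missing or wrong). A link forged on a third-party site cannot
    //    include a valid one, which is what defeats the "prepared link".
    check_admin_referer('example_delete_file');

    // 3. Containment: keep the operation inside the directory we manage, so
    //    "../" cannot point it at wp-config.php or another plugin's files.
    $base   = realpath(WP_CONTENT_DIR . '/uploads/wpsc');
    $name   = basename(stripslashes($_GET['delete_file']));
    $target = $base === false ? false : realpath($base . '/' . $name);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Invalid file.', '', array('response' => 400));
    }
    unlink($target);
}

// The link the admin UI emits for the action. The nonce is bound to the
// action name and the current user and expires (default lifetime 24 hours).
function example_delete_file_link($file)
{
    $url = add_query_arg('delete_file', rawurlencode($file), admin_url('admin.php?page=example'));
    return wp_nonce_url($url, 'example_delete_file');
}

// The same two checks belong in front of the "delete product" and "truncate
// product files" actions; there the third step is a parameterised query
// instead of path containment.
function example_delete_product_fixed($product_id)
{
    global $wpdb;
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    check_admin_referer('example_delete_product_' . (int) $product_id);
    $wpdb->query($wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}example_product_list WHERE id = %d",
        (int) $product_id
    ));
}
```

The order matters for what an attacker learns: the capability check fails closed for every subscriber before a nonce is even looked at, and the nonce check means that an administrator who is lured to a prepared link still does nothing, because the link cannot carry a token minted for that administrator by this site.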

What to do

Upgrade immediately to version 3.7.5 RC1.

Conclusion

The author of the plugin has been notified. I wonder, though, why these security leaks have not been mentioned in the 3.7.5 RC1 announcement… Judge for yourself.

UPDATE Oct 19, 2009: Leaks are still unfixed in the current stable version.