SoylentNews is people

posted by martyb on Monday February 18 2019, @05:21PM
from the anti-social-buttons dept.

Arthur T Knackerbracket has found the following story:

A critical vulnerability in popular WordPress plugin Simple Social Buttons enables non-admin users to modify WordPress installation options – and ultimately take over websites.

Simple Social Buttons enables users to add social-media sharing buttons to various locations of their websites. The plugin has more than 40,000 active installations, according to the WordPress Plugin repository.

[...] “Exploitation is fairly easy if the website allows public registrations, since the only requirement for an attacker to exploit this vulnerability is to have a registered user account,” Oliver Sild, founder and CEO of WebARX, told Threatpost. “It can be a low-privileged user whose only permission is to post a comment.”

[...] “Improper application design flow, chained with lack of permission check resulted in privilege-escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table,” Luka Sikic, developer and researcher with WebARX, said in a Monday post.

At a technical level, the flaw allows a function to iterate through a JSON object provided in the request and update all options – without checking whether the current user has permission to manage options for the plugin.

[...] From there, “there are multiple ways for an attacker to take over a whole website, or administrator account at least, just by modifying those configuration options,” Sild told Threatpost.

The vulnerability, which is rated 9.1 on the CVSS v3 severity scale, was discovered on Feb. 7, and a patch was released on Feb. 8. Users of the plugin are urged to update to version 2.0.22.

-- submitted from IRC
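
The flaw class described in the story (a handler that writes every key of a request-supplied JSON object into wp_options with no permission check), shown beside a hardened form. This is an added example, not the Simple Social Buttons code or its patch; the hook name, function names and option names are hypothetical.

```php
<?php
// Hypothetical plugin code for illustration only. The 'example_*' hook,
// function and option names are assumptions, not taken from the real plugin.

// Vulnerable pattern (shown for contrast, deliberately not registered).
// wp_ajax_* hooks fire for ANY logged-in user, including subscribers, so
// reaching the handler proves nothing about the caller's privileges.
function example_import_settings_vulnerable() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    foreach ( (array) $settings as $name => $value ) {
        // Any option name is accepted: no capability check, no allow-list.
        update_option( $name, $value );
    }
    wp_send_json_success();
}

// Hardened pattern: capability check, nonce check, allow-list of option names.
add_action( 'wp_ajax_example_import_settings', 'example_import_settings_hardened' );

function example_import_settings_hardened() {
    // Only users who may manage site options get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    // Reject requests that do not carry the nonce issued with the settings form.
    check_ajax_referer( 'example_import_settings', 'nonce' );

    // The plugin may only touch its own options, never arbitrary wp_options rows.
    $allowed  = array( 'example_button_style', 'example_button_position' );
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( 'Invalid payload', 400 );
    }

    $updated = array();
    foreach ( $settings as $name => $value ) {
        if ( in_array( $name, $allowed, true ) && is_scalar( $value ) ) {
            update_option( $name, sanitize_text_field( (string) $value ) );
            $updated[] = $name;
        }
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
```

When auditing other plugins for the same pattern, look for `update_option()` calls whose option name comes from request data and check that a `current_user_can()` test precedes them.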


  • (Score: 5, Funny) by The Mighty Buzzard on Monday February 18 2019, @06:07PM (15 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday February 18 2019, @06:07PM (#803073) Homepage Journal

    A massive glob of PHP written by people who actually believe writing things in PHP is a good idea has yet another horrible vulnerability? Say it ain't so!

    --
    My rights don't end where your fear begins.
    • (Score: 2) by RS3 on Monday February 18 2019, @07:24PM (7 children)

      by RS3 (6367) on Monday February 18 2019, @07:24PM (#803113)

      Very good point, but some of us like a little excitement in our lives. :)

      You know, beautiful day, you're half asleep, and suddenly the biggest fish that nobody will believe grabs the line. It's what you showed up for, but were enjoying the calm just the same.

      Didn't say I'm a php fan; in fact have barely coded much php; just fell into WP admin and 10 years and no problems yet.

      Besides perl, any language you'd recommend to replace php? (not saying I don't like perl, I just know you do a ton of perl)

      • (Score: 1, Insightful) by Anonymous Coward on Monday February 18 2019, @09:21PM (1 child)

        by Anonymous Coward on Monday February 18 2019, @09:21PM (#803190)

        Python. You can run it as a web server directly, a CGI script, FastCGI, SCGI, WSGI, and more. There are also a ton of frameworks and other prebuilt pieces that you can use to run your website and make it safe.

        • (Score: 2) by fyngyrz on Monday February 18 2019, @09:35PM

          by fyngyrz (6567) on Monday February 18 2019, @09:35PM (#803193) Journal

          Bah. Meant to moderate "Informative." Sorry.

          --
          Research shows that 6 out of 7 dwarves aren't happy.

      • (Score: 2) by Thexalon on Monday February 18 2019, @10:34PM

        by Thexalon (636) on Monday February 18 2019, @10:34PM (#803220)

        There are good options in both Python and Ruby. I've also had to wrangle both JSP and C#.Net, and neither of those were half as atrocious as PHP.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by The Mighty Buzzard on Tuesday February 19 2019, @12:36AM (1 child)

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday February 19 2019, @12:36AM (#803272) Homepage Journal

        Anything you know well and can write quickly in. Preferably a scripting language but even compiled ones would be preferable to PHP. The language itself isn't actually quite as bad as people give it credit for but most of the code written in it, including libraries and frameworks like WP, is because of the culture of noobs that adopted it as their language of choice.

        --
        My rights don't end where your fear begins.
        • (Score: 1, Informative) by Anonymous Coward on Tuesday February 19 2019, @03:37AM

          by Anonymous Coward on Tuesday February 19 2019, @03:37AM (#803328)

          There is a difference too in that PHP made the decision along the lines of "never break user space"; in that once a particular method is finalized, the behavior of that should not change. This results in programmers using wrong method calls all the time which lead to security holes. For example, the advice for using MySQL with PHP was to use escape_string(), but that didn't work right when used so it became, mysql_escape_string(), which had security flaws, so then it became mysql_real_escape_string(), but then that was wrong too, so they added other methods. So then, you have a bunch of people coding stuff using outdated advice. Noob or not, if everyone is telling you the "right way" to do something is wrong because the documentation and tutorials haven't caught up, then you are going to do it the wrong way too.

      • (Score: 0) by Anonymous Coward on Tuesday February 19 2019, @02:30PM (1 child)

        by Anonymous Coward on Tuesday February 19 2019, @02:30PM (#803464)

        Let perl die already.

    • (Score: 2) by Thexalon on Monday February 18 2019, @07:25PM (3 children)

      by Thexalon (636) on Monday February 18 2019, @07:25PM (#803114)

      That, and it's aimed at an audience that picks their tools mostly by brand recognition and market penetration rather than by technical merits. Who are adding lots of chunks of code without evaluating them in any meaningful way because of "Ooh! Shiney!". This leads to a dynamic not all that different from the security nightmares of pre-NT Windows.

      The good news is that 40,000 plugin installs out of something like 170 million Wordpress installs means only about 0.02% are vulnerable to this particular attack.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 2) by RandomFactor on Monday February 18 2019, @07:38PM (2 children)

        by RandomFactor (3682) Subscriber Badge on Monday February 18 2019, @07:38PM (#803123) Journal

        So am I reading this correctly - the big thing keeping 40k WP sites from being pwned is basically that the bad guys must overcome the hurdle of having to register on them?

        I've recently had a WP site dumped on me to maintain. I had avoided it for so many years.......

        --
        В «Правде» нет известий, в «Известиях» нет правды
        • (Score: 3, Informative) by Thexalon on Monday February 18 2019, @07:42PM (1 child)

          by Thexalon (636) on Monday February 18 2019, @07:42PM (#803127)

          A lot of Wordpress sites don't allow just any random person to register to the site. This is a privilege escalation vulnerability, so no account = no privileges = nothing to escalate.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by fyngyrz on Monday February 18 2019, @09:42PM

            by fyngyrz (6567) on Monday February 18 2019, @09:42PM (#803199) Journal

            A lot of Wordpress sites don't allow just any random person to register to the site.

            I don't let anyone register to my site. I don't use that plugin, either.

            Letting random unknown people mess with wordpress is like handing someone a hammer and asking them to hit you on the head.

            I'm about ready to move to a static site anyway. Tired of constantly updating both WP and PHP and having to maintain a completely isolated site out on the net so that if it is compromised, it can't screw up anything else.

            --
            What if there were no hypothetical questions?

    • (Score: 2) by All Your Lawn Are Belong To Us on Monday February 18 2019, @07:53PM

      by All Your Lawn Are Belong To Us (6553) on Monday February 18 2019, @07:53PM (#803137) Journal

      Joined the stampede on +1.... shame we don't have a +1 Tragically True mod.

      --
      This sig for rent.
    • (Score: 1) by barrahome on Monday February 18 2019, @10:48PM (1 child)

      by barrahome (3580) on Monday February 18 2019, @10:48PM (#803224) Journal

      Language is not the problem, you can write vulnerable code in any language. PHP made it easier to code when they started, people didn't do that much security at all. Blame lazy coders and their code.

      • (Score: 2) by The Mighty Buzzard on Tuesday February 19 2019, @12:40AM

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday February 19 2019, @12:40AM (#803274) Homepage Journal

        The language itself is a bit of a problem but, yes, most of the problem is the coders who use it. They're also the coders who create the frameworks and libraries and such though, so they make it to where the language itself actually is the problem as well.

        --
        My rights don't end where your fear begins.
  • (Score: -1, Redundant) by Anonymous Coward on Monday February 18 2019, @07:38PM

    by Anonymous Coward on Monday February 18 2019, @07:38PM (#803121)

    s/t

  • (Score: 5, Funny) by Anonymous Coward on Monday February 18 2019, @08:25PM (1 child)

    by Anonymous Coward on Monday February 18 2019, @08:25PM (#803149)

    So this is a bug that only affects those sites that infect the web with social media buttons?

    Bwahahahahahahahaha!

    Beautiful retribution!

    • (Score: 2) by Azuma Hazuki on Tuesday February 19 2019, @12:09AM

      by Azuma Hazuki (5086) on Tuesday February 19 2019, @12:09AM (#803253) Journal

      Isn't it great? :D I got a huge laugh out of reading that bit.

      --
      I am "that girl" your mother warned you about...
  • (Score: 3, Funny) by Anonymous Coward on Monday February 18 2019, @08:41PM

    by Anonymous Coward on Monday February 18 2019, @08:41PM (#803163)

    I thought those were synonyms. https://www.dictionary.com/browse/synonym [dictionary.com]

    Sorry dude, but your code is severely wordpressed. Sorry dude, but your code has severe vulnerabilities.
    See? These are synonyms!

  • (Score: 4, Funny) by stretch611 on Monday February 18 2019, @08:44PM

    by stretch611 (6199) on Monday February 18 2019, @08:44PM (#803165)

    At least Wordpress will be able to claim the title of "Worst Security Nightmare" after flash reaches End of Life in 2020.

    25 years ago, when browsers and the WWW started coming around, who knew that there would be software so bad, that even Microsoft products would look good by comparison.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 0) by Anonymous Coward on Monday February 18 2019, @10:18PM (4 children)

    by Anonymous Coward on Monday February 18 2019, @10:18PM (#803214)

    AI that scans WordPress plugins for vulnerabilities surely doesn't require that much effort to get results.

    • (Score: 1, Informative) by Anonymous Coward on Monday February 18 2019, @11:13PM

      by Anonymous Coward on Monday February 18 2019, @11:13PM (#803229)

      But it's too simple to attract any AI researchers. I mean `curl | grep -i wordpress` isn't exactly rocket science.

    • (Score: 3, Funny) by The Mighty Buzzard on Tuesday February 19 2019, @12:44AM (2 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday February 19 2019, @12:44AM (#803277) Homepage Journal

      You don't need AI for that. This should cover detecting if you have a WP vulnerability for the foreseeable future:

      while(1){ echo "Your WP install is vulnerable!"; }

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Tuesday February 19 2019, @04:12PM (1 child)

        by Anonymous Coward on Tuesday February 19 2019, @04:12PM (#803517)

        Bug report: This script claims my WP install being vulnerable despite me not having WP installed.

        • (Score: 0) by Anonymous Coward on Wednesday February 20 2019, @03:56AM

          by Anonymous Coward on Wednesday February 20 2019, @03:56AM (#803851)

          No, that is correct. Better reformat to wipe the rootkit that left that backdoor.

  • (Score: 2, Touché) by Anonymous Coward on Tuesday February 19 2019, @03:32AM

    by Anonymous Coward on Tuesday February 19 2019, @03:32AM (#803325)

    To save editor time, can we just put this story back in the queue, to be rereleased every six months or so?

    Sure the details change, but alter TFS a little and all y'all have to do is copy the new CVE in.

    It's not as if you'll run out of just the stuff from their bug tracker.
