Compromised WordPress Blogs Poison Google Image Searches

Orome1 writes "Google Image Search has for some time been littered with images that lure users to compromised sites that serve as doorway pages to other malicious sites. Part of the problem is that these compromised sites often use the WordPress publishing platform, which is infamous for the great number of security bugs that make it such a preferred target. This fact has been proven once again by security researcher Denis Sinegubko, who has pinpointed 4,358 WordPress blogs hijacked by unknown attackers and pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution."
  • by amicusNYCL ( 1538833 ) on Tuesday August 09, 2011 @07:56PM (#37038786)

    PHP does everything in its power to make safe and secure software development damn near impossible.

    There's a saying about whether good craftsmen blame their tools...

    It's not PHP's fault that the designers of WordPress are about as competent as I was a year out of college. Everything is global, global functions, global variables, all over the place. If it was possible to use a global variable or a global function instead of something sane like a class, then by god they're going global. WordPress altogether just reeks of amateurish practices. Hell, in order to embed the thing on an existing page you include a file called "wp_blog_header" or something. But, it's not a header, and may not even result in a "header" being printed, it's basically all of WordPress. There's another include file called "wp_settings", which is great except it doesn't contain a single setting, it contains only function definitions. There are exit and die statements all over the include files, so if you pull up the page and it's blank, good luck finding out which condition in which include file got triggered to make the thing bail.

    The global nature of everything makes it nearly impossible to embed in various template engines, and I hope your own applications aren't defining global functions with the same generic names that WordPress uses. One of PHP's more insecure options, register_globals, is also implemented in WordPress. No idea why they think they need that option, but if it's disabled in PHP then they go through and define all of those global variables anyway. The entire application looks like it was conceived by a fresh college graduate who recruited his younger brothers to actually build it. It's like the MySpace of CMS applications, the only reason it got big was because it filled a need when the need was there. Not because it's good, but because it was available. If there was ever an application in need of a ground-up, compatibility-smashing re-write, this is it.

  • IMO a good language makes the safe tools painless and the unsafe ones painful. A poor language makes the safe tools painful and the unsafe ones painless.

    A web-orientated language designed for security, for example, could have multiple string types and make it easier to apply appropriate conversion processing than to convert between them without doing the processing.
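A sketch of the "multiple string types" idea from the comment above, written for this page as an added example (it is not code from the thread, from WordPress or from PHP). Request input gets its own `Untrusted` type; the only way to get it into an `Html` or `Sql` value is through that context's escaping constructor, and every shortcut (`str()`, `+`, f-strings) raises `TypeError`. The class names, the two contexts chosen and the escaping rules are this example's own assumptions; the SQL quoting in particular is there to show a second context, not as a substitute for bound parameters.

```python
# Added example, not from the thread, WordPress or PHP. Class names and
# escaping rules are assumptions made for illustration.
import html


class Untrusted:
    """Text that arrived in the request (query string, form field, header)."""

    def __init__(self, raw: str) -> None:
        self.raw = raw

    # Painful path: no implicit stringification, no concatenation. f-strings
    # end up calling __str__ too, so they fail the same way.
    def __str__(self) -> str:
        raise TypeError("Untrusted text must be escaped for a context first")

    def __add__(self, other):
        raise TypeError("cannot concatenate Untrusted text; escape it first")

    __radd__ = __add__


class Html:
    """Markup that is safe to send to a browser as-is."""

    def __init__(self, markup: str) -> None:
        self.markup = markup

    @classmethod
    def text(cls, value) -> "Html":
        """Painless path: escape untrusted text for an HTML text node or a
        quoted attribute value. URL and inline-script contexts would need
        their own constructors."""
        if isinstance(value, Html):
            return value
        if isinstance(value, Untrusted):
            return cls(html.escape(value.raw, quote=True))
        raise TypeError(f"cannot render {type(value).__name__} as Html")

    def __add__(self, other) -> "Html":
        if not isinstance(other, Html):  # Html + Untrusted is a type error
            raise TypeError(f"cannot concatenate {type(other).__name__} into Html")
        return Html(self.markup + other.markup)

    def __str__(self) -> str:
        return self.markup


class Sql:
    """A SQL fragment in which every interpolated value is already a literal."""

    def __init__(self, text: str) -> None:
        self.text = text

    @classmethod
    def literal(cls, value) -> "Sql":
        """Quote untrusted text as a standard SQL string literal by doubling
        single quotes. Illustrative only: with a real driver, bound
        parameters are the better route and the driver's rules apply."""
        if isinstance(value, Sql):
            return value
        if isinstance(value, Untrusted):
            return cls("'" + value.raw.replace("'", "''") + "'")
        raise TypeError(f"cannot render {type(value).__name__} as Sql")

    def __add__(self, other) -> "Sql":
        if not isinstance(other, Sql):
            raise TypeError(f"cannot concatenate {type(other).__name__} into Sql")
        return Sql(self.text + other.text)

    def __str__(self) -> str:
        return self.text


def search_page(query: Untrusted) -> Html:
    """Render the search term into a page; the escaping is the obvious path."""
    return Html("<h1>Results for ") + Html.text(query) + Html("</h1>")


def search_sql(query: Untrusted) -> Sql:
    """Build the query text; the same term is quoted differently for SQL."""
    return Sql("SELECT id FROM posts WHERE title = ") + Sql.literal(query)


def shortcut_is_rejected(left, right) -> bool:
    """True if concatenating the two values raises TypeError."""
    try:
        left + right
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: markup plus a single quote, one payload per context.
    term = Untrusted("<b>x</b> O'Brien")
    print(search_page(term))  # <h1>Results for &lt;b&gt;x&lt;/b&gt; O&#x27;Brien</h1>
    print(search_sql(term))   # SELECT id FROM posts WHERE title = '<b>x</b> O''Brien'
    print(shortcut_is_rejected("<h1>", term), shortcut_is_rejected(Html("<h1>"), term))
```

The point is the asymmetry: `Html.text(term)` is one call, while every way of skipping it is an error at the point of concatenation rather than a bug discovered later in a browser or a database log. A language that made this the default for its web-facing string values would remove the class of mistakes the thread is complaining about from the hands of the application author.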
