Compromised WordPress Blogs Poison Google Image Searches
Orome1 writes "Google Image Search has for some time been littered with images that lure users to compromised sites that serve as doorway pages to other malicious sites. Part of the problem is that these compromised sites often use the WordPress publishing platform, which is infamous for the great number of security bugs that make it such a preferred target. This fact has been proven once again by security researcher Denis Sinegubko, who has pinpointed 4,358 WordPress blogs hijacked by unknown attackers and pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution."
Re: (Score:3)
Or, you know... don't use Wordpress...
Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious.
Re: (Score:2)
Let's assume we're programmers, not graphic designers.
Re: (Score:3)
In that case, you have to write your own http server, too.
And text editor.
And compiler.
Re: (Score:3)
Fail to see how that helps, although it would be more fun. :)
Wordpress lets you slap together a site that looks nice and is functional, and do it very quickly and without (or with little) graphic design skill, and is open source. If you write the site from scratch, it is substantially harder to have a site that looks nice and is functional.
Re: (Score:2)
Yes, that obviously would be one solution. It would not be appropriate if you want something to look nice, however.
The question which the poster asked, and which people have just bashed rather than answering, is what good alternative solutions are out there? Specifically, "Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious."
Re: (Score:1)
That's easy to say from your basement .. to your imaginary clients in the "tissue bucket".
Wordpress is fine if you don't install every single fucking shitty plugin that crosses your screen. Or the plugin that's too cool to be in the official repository.
By your logic all webdevs should be doing sites a la Geocities; its record in security is what took them to this century as the leading provider of personal web publishing... Oh wait.
IANAWD but I know WP can be a pretty good platform beyond its circlejerking
Re: (Score:2)
In that case, you have to write your own http server, too.
And text editor.
And compiler.
Those first two usually come right after hello world in programming books... ok.. maybe not RIGHT after, but I've definitely gone through both scenarios in several languages while running through a programming manual.
Re: (Score:2)
Yeah, it's called "write the website your goddamn self", and the only dependencies are an httpd and a text editor.
That obviously becomes untenable once you accumulate more than a page or two worth of content. Or do you fancy updating all your index pages manually every time content rolls off the homepage? Also, how does your 1995-model Web page support visitor comments?
Re: (Score:1)
Also, how does your 1995-model Web page support visitor comments?
Thanks, but I'll post the link on Usenet and we can comment it there...
Re: (Score:2)
Or, you know... don't use Wordpress...
Is there a free CMS which offers the same balance of simplicity, usability and extensibility, and that can run on most shared hosts? I'm genuinely curious.
Let's say, just for the sake of argument that the answer is "no". The solution is still the same -- use a different CMS. If you have to use something that isn't free or that doesn't offer the same features, that's the price you pay for not having a website full of security holes that is used to pollute the Internet with shit.
Re: (Score:2)
Or maybe having the internet full of websites full of security holes that is used to pollute the Internet is the price of not having such a CMS.
Re: (Score:1)
The hosting company I use supports Joomla, Drupal, Concrete5 and GetSimple as one click installs..
If you want to start with a framework and add your own CMS on top of that I am liking CodeIgniter.
Re: (Score:2)
The hosting company I use supports Joomla, Drupal, Concrete5 and GetSimple as one click installs..
Thanks for the pointers! Concrete5 looks nice, gonna try taking it for a spin.
Re: (Score:1)
But WP isn't the issue here. Basically every web app implemented using PHP and JS will be full of security holes. The GP is right; the problems are PHP and JS. Sure, you can use some other blog system written in PHP, but it'll have all sorts of security holes, too! You'll be just as likely to be exploited!
At least languages like Perl, Python, Java, and C#, along with the web app frameworks built around them, promote good programming practices that make it a lot more difficult for developers to write insecur
Re: (Score:3)
Not always. This guy is talking specifically about self-hosted WordPress sites, as opposed to the ones on WordPress.com. The vulnerabilities exist mainly in sites that don't keep up with the latest bugfixes, or potentially, sites that are hosted by shared hosting providers who leave stupid PHP options enabled, leading to the vulnerability. There are various reasons why any site might be compromised. There are plenty of sites running technologies other than PHP that have been compromised. The bottom line is
What did you mean by basically? (Score:4, Interesting)
Basically every web app implemented using PHP and JS will be full of security holes.
Wikipedia is implemented in PHP and JavaScript. If it's been compromised, I haven't heard about it. So I must have misunderstood what you meant by "basically".
Re: (Score:2)
Wikipedia is compromised by DESIGN. It is a spectacularly noble effort and it is a miracle that it hasn't been rendered a shambles just by punk minded users doing what users are SUPPOSED to do - write content.
Re: (Score:2)
Wikipedia is compromised by DESIGN.
Then why hasn't it also been compromised to redirect people to sites selling fake AV?
Re: (Score:3)
While sanitising inputs is laudable, PHP programmers should be using bind variables.
PHP, MySQL and PostgreSQL all support them, now.
Prevents most SQL injection, improves performance, results in cleaner and more readable queries.
Re: (Score:2)
The widely-lauded readability of bound-variable SQL queries prompted me to write a Perl script that moves every other noun in my e-books to the footnotes. Much more readable now :)
Re: (Score:1)
More readable than the string concatenation (especially if escapes and other functions are embedded). And much less painful if you need to copy the query out and run it elsewhere.
Less to clean up.
And if the query is so long (like more than a half dozen bind variables) that you are seriously going to have trouble remembering that user_name = ? is matched to the variable user, then maybe you should add a few comments inside the query near those binds.
Hopefully you are doing that long query on multiple lines
Re: (Score:2)
And if the query is so long (like more than a half dozen bind variables)
Like any big INSERT or UPDATE.
that you are seriously going to have trouble remembering that user_name = ? is matched to the variable user, then maybe you should add a few comments inside the query near those binds.
So how do I ensure that the "few comments" next to the ? placeholders don't get out of sync with the actual variables in the bind?
Re: (Score:2)
PHP programmers should be using bind variables.
I use bind variables in my PHP code in all but two cases [pineight.com] that MySQLi's $stmt->bind_param() makes overly cumbersome. To handle these, should I be switching from MySQLi to PDO already?
Re: (Score:2)
Personally, when it comes to long lists, I tend to push them in a temp table.
But then, the two times I've needed to do that, I needed to run a series of queries on them anyway, so a temp table was an easy choice.
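Added example for the bind-variable discussion above (the "use bind variables" comment, the worry about comments beside `?` placeholders drifting out of sync, and the MySQLi-versus-PDO question about awkward cases). This is not code from the thread, from WordPress, or from the linked page; it assumes PDO with the SQLite driver and an in-memory database so it runs offline, and the `users` table and its two rows are constructed for the demo.

```php
<?php
// Added example, not code from the thread or from WordPress: SQL injection
// through string concatenation versus PDO prepared statements with named and
// positional placeholders. Uses an in-memory SQLite database so it runs
// offline; the users table and its two rows are constructed for the demo.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (user_name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $db;
}

// Vulnerable: the caller-supplied value becomes part of the SQL text, so a
// quote in it ends the literal and the rest is parsed as SQL.
function lookupConcat(PDO $db, string $name): array
{
    $sql = "SELECT user_name, role FROM users WHERE user_name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the query text is fixed and the value travels separately. A named
// placeholder also answers the "comments drift out of sync" worry: the name
// is the binding, there is nothing beside it to drift.
function lookupBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT user_name, role FROM users WHERE user_name = :user_name');
    $stmt->execute([':user_name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The case bind_param() makes awkward: an IN list of unknown length. Build
// one "?" per value and bind the values; never concatenate the values.
function lookupMany(PDO $db, array $names): array
{
    if ($names === []) {
        return [];
    }
    $marks = implode(', ', array_fill(0, count($names), '?'));
    $stmt = $db->prepare("SELECT user_name, role FROM users WHERE user_name IN ($marks) ORDER BY id");
    $stmt->execute(array_values($names));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = "x' OR '1'='1";

// Concatenated: the OR clause is live SQL and every user comes back.
echo 'concat rows: ', count(lookupConcat($db, $payload)), PHP_EOL;
// Bound: the whole payload is compared as a user name and nothing matches.
echo 'bound rows:  ', count(lookupBound($db, $payload)), PHP_EOL;
// IN list: only the genuine name matches; the payload is just another value.
foreach (lookupMany($db, ['bob', $payload]) as $row) {
    echo 'in-list row: ', $row['user_name'], ' (', $row['role'], ')', PHP_EOL;
}
```

Running it, the concatenated query returns both users because `' OR '1'='1` is parsed as SQL, the bound query returns none because the entire payload is compared as a name, and the IN-list query returns only bob. The IN-list helper is the PDO answer to the "long list" case: the number of placeholders varies, but the values still never touch the SQL text, so a temp table is only needed when you genuinely want to run several queries against the list.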
Re: (Score:2)
Should *also* be using bind variables. Bind variables alone don't protect you or your visitors from XSS attacks from user content, for example.
Re: (Score:2)
Absolutely, or other exploits of your framework. All inputs are evil.
I wasn't saying to ignore those, was just that many PHP developers seem to think that sanitising inputs is the way to write safe queries.
Escaping isn't that easy, especially with unicode.
Heck. Escaping is non-trivial with javascript too. Many common escape routines will be helpless if you're writing directly into JSON for use by JSON.parse (much less eval).
And then there's silly code that tries to strip out tags, and forgets about
Re: (Score:1)
That should have read:
forgets about <s0x00cript>
json_encode() (Score:2)
Many common escape routines will be helpless if you're writing directly into JSON for use by JSON.parse (much less eval).
Who would generate JSON in PHP without using json_encode() [php.net]?
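Added example for the escaping thread above (bind variables do not stop XSS, tag-stripping filters that forget the NUL byte, and json_encode() for data that lands inside a script block). It is not code from the thread or from WordPress; the naive filter, the payloads and the two output contexts are constructed for the demo.

```php
<?php
// Added example, not code from the thread or from WordPress: a name-based
// tag blacklist misses a NUL byte inside the tag name, while encoding for
// the specific output context (HTML text vs. JavaScript literal) does not
// need to recognise tags at all. Payloads below are constructed.
declare(strict_types=1);

// Naive blacklist of the kind the thread describes: strip <script> by name.
function stripScriptNaive(string $s): string
{
    return preg_replace('#</?script[^>]*>#i', '', $s);
}

// Context: text inside an HTML element or a double-quoted attribute value.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Context: a JavaScript literal inside a <script> block. The JSON_HEX_*
// flags encode < > & ' " as \uXXXX, so the literal cannot close the tag.
function toJsLiteral(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Payload with a NUL byte in the tag name (the "<s0x00cript>" the thread means).
$nulTag = "<s\x00cript>alert(1)</s\x00cript>";
// Payload aimed at a script block: closes the current tag, opens a new one.
$closer = '</script><script>alert(1)</script>';

// The regex never matches "s\0cript", so the blacklist changes nothing.
$stripped = stripScriptNaive($nulTag);
echo 'blacklist removed anything: ', var_export($stripped !== $nulTag, true), PHP_EOL;

// htmlspecialchars encodes every < and >, whatever sits between them.
$safeHtml = toHtml($nulTag);
echo 'raw < left in HTML output: ', var_export(str_contains($safeHtml, '<'), true), PHP_EOL;

// addslashes() is a quote escaper, not a context encoder: the closing tag survives.
$unsafeJs = 'var q = "' . addslashes($closer) . '";';
echo '</script> left by addslashes: ', var_export(str_contains($unsafeJs, '</script>'), true), PHP_EOL;

// json_encode with the hex flags produces a literal that cannot break out.
$safeJs = 'var q = ' . toJsLiteral($closer) . ';';
echo '</script> left by json_encode: ', var_export(str_contains($safeJs, '</script>'), true), PHP_EOL;
echo $safeJs, PHP_EOL;
```

The point is the one the thread is circling: choose the encoder by where the data is going (HTML text, attribute, JavaScript literal, SQL), not by what characters you think an attacker will send. `mixed` and `str_contains()` assume PHP 8.0 or later; `JSON_THROW_ON_ERROR` needs 7.3.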
Re: (Score:1)
*shrug* I don't do much in PHP so wasn't aware of the function, was just agreeing with him and noting general stuff people forget to do. Initial comment about bind params was more based on PHP I'd read/seen exploits for anyway. Is something PHP is notorious for, but is fortunately avoidable now.
Re: (Score:2)
The weakness of the languages is also touted as a strength. Both PHP and Javascript are very easy to pick up by newbies and start dishing out code.
The problem with this is that you have newbies with minimal computer knowledge slapping together lousy code. Years ago, people had the exact same gripes about Visual Basic and the laughably crappy applications put out by people who called themselves 'programmers'. This is the exact same thing, with the difference being the crappy results are exposed to the wor
Re: (Score:1)
So like... a web license? Totally not retarded at all.
Re: (Score:2)
So like... a web license? Totally not retarded at all.
Though I agree with GP that IT employment would be a lot more rewarding for "the few" that would qualify in a world where medicine and IT were equally licensed, web licenses pose a huge problem for the hobbyist.
I spent a couple hours designing and posting 30 lines of shell code online for an unknown guy on a public forum the other day. It's probably someone incompetent at his job who will never learn about shell scripting, loops and anything as long as they're a websearch or forum question away from the answer t
Re: (Score:3)
PHP does everything in its power to make safe and secure software development damn near impossible. Add in some JavaScript, and an already bad situation gets much worse. It, too, is a horrible language for writing safe, secure software.
It seems to me you've just made the case for not writing your own Web software at all, but instead choosing a well-established, well-maintained open source project -- such as WordPress. TFA is surprisingly short on what versions of WordPress are vulnerable to the exploit (and there are many versions). I'm willing to bet, however, that people running the most up-to-date version are not vulnerable.
I don't think JavaScript is as shitty as you claim, but I'm no fan of PHP. Still, A.) It is very easy to find che
Re: (Score:1)
The syntax is a shitty imitation of C. The semantics, even for basic things like boolean values and comparisons, are extremely fucked up.
And yet you are posting on a website coded in Perl which, no one will argue with, is a pretty f**ked up language but a powerful one. And Slashdot even use Javascript. Is this site insecure?
A language, in itself, is just an abstraction for machine code. Assembler code is just a literal version of machine code. C is the closest language to machine code and the primary one used everywhere, from core OS components to video games. A language is never secure or insecure, it's its interpretation in machine code tha
Re:Blame PHP. Blame JavaScript. (Score:4, Insightful)
PHP does everything in its power to make safe and secure software development damn near impossible.
There's a saying about whether good craftsmen blame their tools...
It's not PHP's fault that the designers of WordPress are about as competent as I was a year out of college. Everything is global, global functions, global variables, all over the place. If it was possible to use a global variable or a global function instead of something sane like a class, then by god they're going global. WordPress altogether just reeks of amateurish practices. Hell, in order to embed the thing on an existing page you include a file called "wp_blog_header" or something. But, it's not a header, and may not even result in a "header" being printed, it's basically all of WordPress. There's another include file called "wp_settings", which is great except it doesn't contain a single setting, it contains only function definitions. There are exit and die statements all over the include files, so if you pull up the page and it's blank, good luck finding out which condition in which include file got triggered to make the thing bail.
The global nature of everything makes it nearly impossible to embed in various template engines, and I hope your own applications aren't defining global functions with the same generic names that WordPress uses. One of PHP's more insecure options, register_globals, is also implemented in WordPress. No idea why they think they need that option, but if it's disabled in PHP then they go through and define all of those global variables anyway. The entire application looks like it was conceived by a fresh college graduate who recruited his younger brothers to actually build it. It's like the MySpace of CMS applications, the only reason it got big was because it filled a need when the need was there. Not because it's good, but because it was available. If there was ever an application in need of a ground-up, compatibility-smashing re-write, this is it.
+1 on /. (Score:4, Informative)
Global (Score:2)
Everything is global, global functions, global variables, all over the place.
What is the difference among a global function, a static method of a class, and a method of a singleton object? What is the difference among a global variable, a static field of a class, and a field of a singleton object?
Re: (Score:2)
I misspoke about register_globals, I didn't have a copy of the source in front of me (I avoid it as much as possible). It is magic_quotes that they force on, not register_globals, in the wp_magic_quotes function in load.php. The register_globals option gets "reverted" by unsetting any global variable that has a key in one of the superglobals. I also misspoke about the wp-settings file, which executes functions instead of defining them (but still doesn't define any settings). The load.php is what contains o
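Added example for the register_globals and magic_quotes exchange above. It is not WordPress code and does not reproduce load.php; it emulates what register_globals=On did to a request, shows the classic authorisation bypass it enabled, undoes it in the style the comment describes (unset any global whose name is a request key), and then shows what an addslashes()-style magic_quotes layer does to data that is later bound into a prepared statement. The request array, the credentials and the SQLite table are constructed for the demo.

```php
<?php
// Added example, not WordPress code: register_globals emulated and reverted,
// then the double-escaping that magic_quotes causes once queries use bound
// parameters. Uses an in-memory SQLite database; all inputs are constructed.
declare(strict_types=1);

// What register_globals=On did: every request key becomes a global variable.
function emulateRegisterGlobals(array $request): void
{
    foreach ($request as $k => $v) {
        $GLOBALS[$k] = $v;
    }
}

// Code written before register_globals was understood: $authorized is only
// assigned on success and assumed to be unset otherwise.
function isAuthorized(string $user, string $pass): bool
{
    if ($user === 'admin' && $pass === 'correct horse') {
        $GLOBALS['authorized'] = true;
    }
    return !empty($GLOBALS['authorized']);
}

// Reversal in the style the comment describes: drop every global whose name
// is a key of the request, so request data can no longer shadow app state.
function revertRegisterGlobals(array $request): void
{
    foreach (array_keys($request) as $k) {
        if ($k !== 'GLOBALS' && array_key_exists($k, $GLOBALS)) {
            unset($GLOBALS[$k]);
        }
    }
}

// Constructed request: wrong credentials plus a smuggled ?authorized=1.
$request = ['user' => 'nobody', 'pass' => 'wrong', 'authorized' => '1'];

emulateRegisterGlobals($request);
echo 'with register_globals: ', var_export(isAuthorized($request['user'], $request['pass']), true), PHP_EOL;

revertRegisterGlobals($request);
echo 'after revert:          ', var_export(isAuthorized($request['user'], $request['pass']), true), PHP_EOL;

// magic_quotes_gpc: input arrives already run through addslashes(). Binding
// such a value stores the backslash as data, because the driver escapes for you.
function storeAndRead(PDO $db, string $name): string
{
    $db->prepare('INSERT INTO t (name) VALUES (:n)')->execute([':n' => $name]);
    return (string) $db->query('SELECT name FROM t ORDER BY rowid DESC LIMIT 1')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (name TEXT)');

$asReceived = addslashes("O'Brien");   // what the app sees with magic quotes on
echo 'stored as received:  ', storeAndRead($db, $asReceived), PHP_EOL;
echo 'stored after strip:  ', storeAndRead($db, stripslashes($asReceived)), PHP_EOL;
```

The first check succeeds with nothing but `?authorized=1` in the request, which is the whole reason register_globals was removed from PHP; after the revert it fails as intended. The second half shows the opposite failure: with a magic_quotes layer active, `O'Brien` is persisted with a literal backslash unless the application strips the slashes before binding, which is why code that mixes the two has to know exactly which layer it is running under.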
Re: (Score:3)
A Singleton is Global State in Sheep’s Clothing. [hevery.com] Static methods are also as problematic as globals. It's just that some people don't see the problems with them when they're not labeled "globals".
Re: (Score:2)
The problem with their use of global functions is the namespace issue. The problem is because they use generic names for a lot of functions, and then expect their software to work well with other software. The problem with their use of global variables is that sometimes they're not global. They don't explicitly declare them in the global space (through $GLOBALS), they just declare them in the local scope (which they assume to be the global scope). When that code is being run in another scope then all of
Re: (Score:2)
WordPress does use "wp_" as a prefix for a lot of things, but not all of them. It also uses classes for some things, but not everything. Just from looking at the code, it looks like people have been trying to improve it without breaking compatibility. It really just needs a rewrite.
Another thing: I've been using the global statement instead of the $GLOBALS superglobal array; is that bad?
It's not necessarily "bad", but it doesn't lend itself well to playing nice with other applications. Just to be clear, the problem is how the variable is originally defined, not how it's used in the function. This is the rea
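Added example for the scope discussion just above (assigning at the top level of an included file versus writing to $GLOBALS, and why the first only works when the include runs from global scope). It is not WordPress code; the configuration file is generated into a temp directory and its two variable names are made up for the demo.

```php
<?php
// Added example, not WordPress code: a file that assigns $setting = ... at
// top level creates a global only when included from global scope. Included
// from inside a function (how a template engine typically embeds a library),
// the assignment lands in that function's local scope and a later
// `global $setting` sees NULL. Writes to $GLOBALS are scope-independent.
declare(strict_types=1);

// Constructed stand-in for a library's settings file.
$cfgFile = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents(
    $cfgFile,
    '<?php $setting = "assigned"; $GLOBALS["setting_explicit"] = "assigned";'
);

// How a template engine or wrapper might pull the file in: from a function.
function embed(string $file): void
{
    include $file;   // $setting lives and dies in this function's scope
}

// Library code that reads its configuration the way the thread describes.
function readSettings(): array
{
    global $setting, $setting_explicit;
    return ['setting' => $setting, 'setting_explicit' => $setting_explicit];
}

embed($cfgFile);
echo 'included from a function: ', json_encode(readSettings()), PHP_EOL;

include $cfgFile;   // same file, now from global scope
echo 'included from global scope: ', json_encode(readSettings()), PHP_EOL;

unlink($cfgFile);
```

After the function-scoped include only `setting_explicit` is populated; after the global-scope include both are. That is the difference the comment is pointing at: `global $x` inside a function is harmless in itself, but it can only find a variable that was actually created in the global symbol table, and a plain assignment in an included file does that only if the include site happens to be global.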
Re: (Score:1)
A good craftsman knows to use good tools, and to avoid bad ones. PHP is not a good tool. PHP is a bad tool. It's a very, very terrible tool. That's why all good software developers refuse to use PHP. That's why all PHP code is written by people who are not good software developers. That's why all PHP code is shitty. All of it.
Re:Blame PHP. Blame JavaScript. (Score:4, Insightful)
IMO a good language makes the safe tools painless and the unsafe ones painful. A poor language makes the safe tools painful and the unsafe ones painless.
A web orientated language designed for security for example could have multiple string types and make it easier to apply appropriate conversion processing than to convert between them without doing the processing.
Fake AVs? (Score:4, Funny)
pumped full of popular search keywords and images, which redirect users to sites that try to scare them into buying a fake AV solution
It takes them to McAfee's website?
Re: (Score:2)
Yeah, fake AV is a bit like fake alternative medicine. How can you tell?
Fake alternative meds? Easy: they heal you for real. Fake AV? Trickier...
The Right Wing has Taken Control (Score:1)
I prefer the good old days when poisoned image searches would lure old people (that is, people over 29 years of age) to goatse sites. This would really freak out the older generation and their conservative ways.
Those were the good old days. Now it's all about money :-(
FUD (Score:2)
No data released on the actual WP installations but it does provide GREAT FODDER for haters who gotta hate here on /. whining on about designers, html coders, etc... trying to swing big wood when in fact they too are just a bag of water.
Anyway.
I'd like to see data on the WP installations. What versions, what plugins, were any of the very basic security measures taken (strong password, file level permissions, proper .htaccess).
And then I'd like to learn if they are installations which are manually installed
Re: (Score:2)
More haters gotta hate with the belittling speech codes. "precious designers"
Who the frack said they were precious?
Why do you suppose they are precious?
Why do you presume they will automatically screw up?
I've known people from all stripes of ambition and career to screw up, none inherently more than another.
I'd go into stories of monumental screw ups specifically regarding networking crew, application programmers, or systems admins I've worked with but to what end?
Take your baloney elsewhere.
What is a Recommended Alternative? (Score:2)
The FAIL is strong in this thread (Score:2)
Hey dipshits - the "timthumb.php" thing TFA is talking about isn't part of the wordpress core. All the wordpress bashing is pretty much irrelevant because we're talking about vulnerabilities in third-party software.
Re: (Score:2)
For example, many of the hacked sites (not all though) use themes that include a timthumb.php file that is known to have a security hole that allows attackers to upload .php files to a server.
Emphasis added to make it clear: timthumb is NOT the source of the fail if it's not present on all the infected sites, or at least it's not the ONLY source.
Nastiest one I saw... (Score:2)
True story: my wife found an image when searching for "purple bedroom set" that, when you clicked on it, took you to a Bing search for same. Now that was scary!
maybe... (Score:1)
Google add a search filter for bad sites (Score:2)
google could add search filters that excludes any site that is known to be poisoned, or maybe even a manual list edit that allows a more knowing person to filter out such sites.
Crrrrazy hacking rate (Score:1)