Are Your Websites Up to Date?You can keep track of what versions of concrete5, Drupal, Joomla, Magento, MediaWiki, Moodle, PrestaShop, Revive Adserver, TYPO3, SPIP, WordPress, and Zen Cart are running on all of the websites you manage with our Up to Date? Chrome app.
Search This Blog
- McAfee and PathDefender Shouldn’t be Making It Easier For Hackers To Disguise Malicious Code
- It Appears That FTP Login Credentials Provided To Cart2Cart Were Compromised
- “Very Important Security Fix” Coming For Joomla On Thursday
- Hacking Team Failed To Take Basic Security Measure With Their Website
- Security Company with WordPress Security Plugin Doesn’t Keep Their Own WordPress Installation Up to Date
Web Software Updates
WordPress VersionWe are running WordPress 4.4.2 and despite what many supposed "security experts" claim letting you know what version we are running does not make us less secure.
Did We Make a Mistake?While it seems to be acceptable for blogs discussing web security to contain numerous factual mistakes, we hold ourselves to a higher standard. We only write about things that we actually understand and only after we have double checked the information. So if you see a mistake in one of our posts please leave a comment on the post or contact us so that we can add a correction.
Category Archives: Bad Security
When it comes to keeping websites secure, keeping the software on them up to date is one of the basic measures that needs to be taken. We know that web hosts are aware of this because they will often tell people when their websites have been hacked that it was due to outdated software (since this usually isn’t based on any actually evidence, it often is wrong). Unfortunately we continue to find that web hosts don’t bother to make sure that they are not distributing outdated software to their customers.
Recently while doing some work on a web site hosted with InMotion Hosting, we noticed that in the website’s cPanel control panel that the option to install Joomla 2.5 was being prominently displayed:
That should not be happening since support for Joomla 2.5 ended back on December 31. Not only does that put websites at risk if a security issues is found in Joomla 2.5, but it can cause unnecessary trouble down the road because upgrading from Joomla 2.5 to 3.x is not always the one-click upgrade it is a promoted as.
On the installation page they do provide the option to install the currently supported version of Joomla, 3.4.1, as well. But you would have to select that version from a drop down box:
The problems don’t stop there. On the main page for their software installing service the ninth slot is Moodle 2.0:
Support for Moodle 2.0 ended nearly three years ago, in June 2012.
As with Joomla, they do also offer supported versions, but you would have to select those from a dropdown where 2.0 is the default:
Installing this version now will lead to otherwise unnecessary work down the road because Moodle will have to be upgraded to version 2.2 before it can be upgraded to a version 2.3 of higher.
The WPScan tool is “black box WordPress Security Scanner written in Ruby which attempts to find known security weaknesses within WordPress installations”, which is described as being intended “for security professionals or WordPress administrators to asses the security posture of their WordPress installations.” We find that claim somewhat odd since it scans a WordPress website from the outside of the website, which not only isn’t necessary if you have admin access to the website (which anyone involved with the security of website should have), but is also an inefficient way of doing a security scan when you have that access. While doing some research for another post we identified another problem that makes the tool bad for use by a security professional: their data indicates that plugin vulnerabilities have been fixed as of versions of the plugin that still in fact contain the vulnerabilities. Since this gets to a larger problem we have been seeing, we though it would make sense to take a look at this.
In WPScan’s vulnerability data for a a vulnerability in a plugin named Ajax Search Lite it says that the vulnerability impacted versions at or below 3.1 and that the vulnerability was “fixed in version 3.11”. The first claim is wrong and the second claim was wrong as of the date their data was last updated, March 21. We know this because we help to get the plugin fixed after that.
As part of the process of adding WordPress plugin vulnerabilities to our Plugin Vulnerabilities plugin, we check to make sure the claimed vulnerabilities actually exist (which they sometimes don’t) and we try to determine all of the version that are vulnerable. Knowing what versions are vulnerable is important when trying to determine how a WordPress website was hacked (as we do when cleaning up Hacked WordPress websites), as you can rule out a plugin’s vulnerability if the installed versions is not vulnerable. In adding data for over 225 vulnerabilities to our plugin so far, we have found that while some vulnerabilities have existed in every version of a plugin, many impact less versions, in some cases only one version has been impacted. What has been more surprising in working on the plugin is how often we find that even though a vulnerability has been listed as fixed, it hasn’t been. That was the case with Ajax Search Lite.
When we starting looking into the security advisory for Ajax Search Lite we figured that the vulnerability had probably been fixed in version 3.11 of the plugin based on the changelog entry for that version, “A possible security issue fix”, and the release date. After confirming that vulnerability existed in the prior version, 3.1, we checked to make sure it was fixed in 3.11, but it wasn’t. Looking at the changes between 3.1 and 3.11 we didn’t see anything that looked like the security fix. We then took a look at another plugin from the same developer Related Posts Lite that was reported to have the same issue. In that case the vulnerability had been fixed, so it looked to as if the developer simply forgot to include the fix in Ajax Search Lite. We notified the developer on March 26 of the issue; they then promptly responded and fixed the vulnerability. They still haven’t increased the version number so that anyone who got version 3.11 before that happened is still vulnerable. Because WPScan doesn’t do what we do, with their tool you wouldn’t know that you could still be running an insecure version.
What has made the issue of unfixed vulnerabilities even more surprising to us is that organizations that would think would be careful about this sort of thing, haven’t been. Take for instance another vulnerability we looked at recently. High-Tech Bridge, a security services provider, put out a security advisory for a vulnerability in the Easing Slider plugin. In it they stated that the vulnerability was “Fixed by Vendor” and indicated that the fix occurred in version 188.8.131.52. When we went to check on the vulnerability we found that it still existed in that version. In the changelog for that version it was listed that “Fixed some $_GET input validation security issues.”, which would appear to relate to the security issue identified, but they had not in fact done that to inputs that were the root of this vulnerability. It appears that High Tech Bridge didn’t actually test out their sample exploit in the new version, since it was obvious that it wasn’t fixed if you did that. We alerted the developer to the issue and the locations of the vulnerable code, which lead to the vulnerability actually being fixed in version 2.2.1. Once again if you are relying on WPScan you would be in trouble since they indicate the vulnerability impacted versions at or below 184.108.40.206 and that the vulnerability was “fixed in version 220.127.116.11”.
While this highlights the problem of relying on WPScan for security purposes, it also points to any area where the security of WordPress plugin could be improved. If WordPress provided a process where a plugin is reviewed after a security vulnerability is supposed to have been fixed then these types of issues could be quickly caught and fixed. As to who would provide the funding for this, we already have a good idea.
For years we have discussed the fact that in many cases with publicly disclosed security vulnerabilities in WordPress plugins, no one bothers to notify the developer or WordPress.org about them (that includes organizations selling WordPress security services like WordFence and WPScan). In many cases if this was done that would be enough to get them fixed. In other cases, when the vulnerability does not get fixed, the plugin will be pulled from the WordPress.org Plugin Directory and that will prevent more websites from adding the vulnerable plugins (alerting people that they are using plugins that have been removed from the directory is something we have been pushing for for years).
We have more than enough time taken up looking into to security issues in plugins, so we rarely look into security issues with themes, but we happened upon one last week that shows the lack of reporting extends to theme issues. Back on February 13 an authenticated arbitrary file upload vulnerability was disclosed in the current version of the Fusion theme, which was available on the WordPress.org Theme Directory. After confirming that the vulnerability existed we reported it to WordPress.org and then within an hour it was pulled from the directory.
What was troubling is that we don’t appear to have been the only people that had taken a look. Here is a screenshot of the graph of downloads from right before the theme was taken down from the Theme Directory:
We are pretty sure that spike in downloads shortly after the disclosure is related to people looking into the vulnerability and yet no one else looking at the issue bothered to report it. That includes the people at WPScan, who again included a vulnerability in their vulnerability database, but didn’t report it.
On March 8 an arbitrary file upload vulnerability, which would allow anyone to upload any kind of files to a website, was disclosed in the Reflex Gallery plugin. This type of vulnerability is probably the most serious vulnerability for a website since, unlike many types of vulnerabilities that rarely get exploited, it is question of when, not if, it will be exploited on websites. This is due to the fact that a hacker can use the vulnerability to upload a .php backdoor script, which will give them remote access to the website without having to interact with the software already running on the website. The only good news in this case it that the plugin is not very popular, the WordPress Plugin Directory lists as having 2,000+ active installs.
When we started to take a look at the vulnerability report to include it in our plugin that notifies of known security vulnerabilities in WordPress plugins we noticed that this plugin had previously had another arbitrary file upload vulnerability that existed in versions 1.0-3.0. The proof of concept for the previous vulnerability looked similar to the new one, both of them targeted the file /admin/scripts/FileUploader/php.php in the plugin. The main difference between them was that second included a couple of URLS parameters in the request, ?Year=2015&Month=03. Our first thought was that new vulnerability might somehow be related those URL parameters, though as we dug in we found what was really going on.
In version 3.0.1 the first vulnerability was fixed by changing the line
$allowedExtensions = array();
$allowedExtensions = array(“jpeg”, “gif”, “png”);
in the file /admin/scripts/FileUploader/php.php.
That restricted what file extensions could be uploaded, so that .php files could not be uploaded. While this provided basic protection, it was less than should have been done. Since the front-end of the plugin’s upload functionality is only accessible admin users the underlying upload function should have also been restricted to admin users. That way if there were some other vulnerability in it only admins would be able to exploit it, which really isn’t much of a problem. There are a couple of other potential issues that come from allowing anyone to upload files. First, you have the chance for denial of service (DOS) attack from someone filling up all of the websites disk space with uploaded files. Second, since only the file extension is limited, it is still possible to upload files with PHP code, which could be combined with a local file inclusion (LFI) vulnerability to exploit a website.
We then looked at what changes were made in the most recent version, 3.1.3, and that showed what happened with the second vulnerability. In the file /admin/scripts/FileUploader/php.php the line
$allowedExtensions = array(“jpeg”, “gif”, “png”);
was changed to
$allowedExtensions = array();
So for some reason the fix that was put in place before was removed, which re-opened the vulnerability. What makes this seems odder is that the changelog for 3.1.3 list only two changes made:
- Fixed issue of gallery info not updating on Edit Gallery page
- Additional security fixes
Last Monday, after looking into the vulnerability we attempted to notify the developer of the plugin about the disclosure of the vulnerability and the underlying cause. Were not sure if they got because when we submitted a message on their website’s contact form it didn’t provide any indication that message had been successfully sent. If we can’t reach a developer or they don’t respond our next step with a vulnerability that exist in a plugin that is available in the WordPress Plugin Directory is to report to the people running it. We originally planned to do that on Friday as that would have give the developer four days to deal with it first, but then on Thursday while reviewing our log files to see what WordPress plugin vulnerabilities there had been recent exploit attempts for we saw that there was attempt to exploit this vulnerability. It was done during a series of requests (shown below) that included trying to exploit some rather old vulnerabilities so it is likely that was not an attempt based on the recent disclosure, but the previous one.
18.104.22.168 – – [12/Mar/2015:02:07:37 -0400] “GET /blog/2010/11/19/oscommerce-2-3-includes-fixes-for-security-vulnerabilities-and-security-enhancements//xmlrpc.php HTTP/1.1” 301 567 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
22.214.171.124 – – [12/Mar/2015:02:07:38 -0400] “GET /blog/2010/11/19/oscommerce-2-3-includes-fixes-for-security-vulnerabilities-and-security-enhancements/xmlrpc.php HTTP/1.1” 404 6349 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
126.96.36.199 – – [12/Mar/2015:02:07:41 -0400] “GET //xmlrpc.php HTTP/1.1” 200 439 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
188.8.131.52 – – [12/Mar/2015:02:07:42 -0400] “GET / HTTP/1.1” 200 11041 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
184.108.40.206 – – [12/Mar/2015:02:07:52 -0400] “GET //wp-content/themes/vip/includes/uploadify/upload_settings_image.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
220.127.116.11 – – [12/Mar/2015:02:07:58 -0400] “GET / HTTP/1.1” 200 11041 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
18.104.22.168 – – [12/Mar/2015:02:08:07 -0400] “GET /wp-content/themes//timthumb.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
22.214.171.124 – – [12/Mar/2015:02:08:10 -0400] “GET / HTTP/1.1” 200 11041 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
126.96.36.199 – – [12/Mar/2015:02:08:19 -0400] “GET /wp-content/themes//thumb.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
188.8.131.52 – – [12/Mar/2015:02:08:23 -0400] “GET /wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name=joss.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
184.108.40.206 – – [12/Mar/2015:02:08:25 -0400] “GET /wp-content/plugins/wp-seo-spy-google/ofc/php-ofc-library/ofc_upload_image.php?name=joss.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
220.127.116.11 – – [12/Mar/2015:02:08:27 -0400] “GET /wp-content/plugins/invit0r/lib/php-ofc-library/ofc_upload_image.php?name=joss.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
18.104.22.168 – – [12/Mar/2015:02:08:29 -0400] “GET /wp-content/plugins/chart/php-ofc-library/ofc_upload_image.php?name=joss.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
22.214.171.124 – – [12/Mar/2015:02:08:31 -0400] “GET /wp-content/plugins/wp-slimstat-ex/lib/ofc/php-ofc-library/ofc_upload_image.php?name=joss.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
126.96.36.199 – – [12/Mar/2015:02:08:33 -0400] “GET /wp-content/themes/cameleon/includes/fileuploader/upload_handler.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
188.8.131.52 – – [12/Mar/2015:02:08:36 -0400] “GET /wp-content/themes/switchblade/framework/_scripts/valums_uploader/php.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
184.108.40.206 – – [12/Mar/2015:02:08:41 -0400] “GET /wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
220.127.116.11 – – [12/Mar/2015:02:08:45 -0400] “GET /wp-content/themes/elemin/themify/themify-ajax.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
18.104.22.168 – – [12/Mar/2015:02:08:49 -0400] “GET /wp-content/plugins/front-file-manager/upload.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
22.214.171.124 – – [12/Mar/2015:02:08:52 -0400] “GET /wp-content/plugins/complete-gallery-manager/frames/upload-images.php HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
126.96.36.199 – – [12/Mar/2015:02:08:56 -0400] “GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBhc3N0aHJ1KGlkKTsK));error HTTP/1.1” 404 5838 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
188.8.131.52 – – [12/Mar/2015:02:09:00 -0400] “POST /wp-content/plugins/radykal-fancy-gallery/admin/image-upload.php HTTP/1.1” 404 5864 “-” “libwww-perl/6.08”
184.108.40.206 – – [12/Mar/2015:02:09:02 -0400] “POST /wp-content/plugins/mm-forms-community/includes/doajaxfileupload.php HTTP/1.1” 404 5864 “-” “libwww-perl/6.08”
220.127.116.11 – – [12/Mar/2015:02:09:05 -0400] “POST /wp-content/plugins/html5avmanager/lib/uploadify/custom.php HTTP/1.1” 404 5864 “-” “libwww-perl/6.08”
At that point we immediately sent an email to the people running the Plugin Directory alerting to the vulnerability and the fact that it was currently being exploited (along with details on three other vulnerabilities). In most cases in the past when we having reported vulnerabilities to them in this way they have quickly responding by taken the plugin down until a fix was released, so that no additional websites would made vulnerable. Unfortunately, as of posting this on Monday morning the plugin has not been updated or pulled from the plugin directory.
Improving The Handling of Plugin Vulnerabilities
This situation highlights a couple of serious problem that come with the current handling vulnerabilities in WordPress plugins, but also points to where improvements can be made.
Making it Easier to Report Vulnerabilities
The current methods for reporting security vulnerabilities are lacking. You can try to contact the developer through their website, but isn’t also easy to find an email address or contact to do that. Some plugins have email addresses they specifically suggest you use to contact them about security issues, but they also can be hard to locate on their websites. You can try contacting the developer through the plugin’s support forum in the Plugin Directory, but not every developer monitors that closely and it is public so that can limit ability to safely disclose information. From what we have seen it appears that many people that are discovering vulnerabilities don’t know that the can also contact the Plugin Directory about the issue, which isn’t too surprising since it isn’t prominent displayed.
One possible solution for this would be to provide a mechanism on the plugin’s page on the Plugin Directory for security vulnerabilities to be reported, which would then send it along to the developer and the people running the Plugin Directory.
Checking on Fixes
What we see fairly often is that when developers attempt to fix publicly disclosed vulnerabilities they either only partially fix it or don’t fix it at all. In other cases the disclosed vulnerability is only part of a wider security issue. Putting a place a process where a review by someone with a better understanding of security is done after the developer thinks they have fixed the vulnerability could go a long way to improving the security of plugins. We already have a good idea of who could provide the financial supports this (in the meantime our checks during the process of adding the vulnerability to our Plugin Vulnerabilities plugin have lead to a number of these situation getting resolved).
In this case if the file uploading had been restricted to admins, then even with the undoing of the file extension restriction the security vulnerability would not have opened back up.
Auttomattic Sponsored WordPress Plugin Pods Still Hasn’t Fixed Publicly Known Security Vulnerability After Two Months
In discussing how the security of WordPress plugins could be improved we have put forward that Automattic, the company closely connected with WordPress, should have some responsibility for that. With a valuation of over billion dollars they certainly have the financial wherewithal to bear the burden of some responsibility. Shortly after putting forward that idea that we came across a security advisory for multiple vulnerabilities in Pods, a plugin that Automattic sponsors.
When we checked on the vulnerabilities to add them to Plugin Vulnerabilities plugin we found that despite the advisory saying that they were fixed in version 2.5, that in fact two reflective cross-site scripting (XSS) vulnerabilities listed still existed. Three days after the advisory was put out, January 15, we notified the Pods developers that vulnerabilities still existed. We promptly received a reply from them, but it didn’t seem like they really understood the situation.
A week later versions 2.5.1 and 18.104.22.168 were released, neither of which addressed the security vulnerabilities.
On February 5 and 9 we received emails from the developers that the vulnerabilities would be fixed in version 2.5.2. That version has yet to be released and it has now been two months that they have knowingly left the vulnerabilities in the plugin. Maybe this will be a wake-up call to Automattic that plugin security needs to be taken more seriously and that they can start playing a constructive role by improving the security of plugins they sponsor.
Back in September we looked at the fact that a website we were doing an upgrade of Magento on had a security seal from SiteLock claiming that the website was secure, despite the fact that it wasn’t since the website was running outdated software with known security issues. Fast forward six months and SiteLock is still labeling websites as secure when they are running outdated and insecure software.
Today’s case involves a website that we are doing an upgrade from Zen Cart 1.3.8a. That version is nearly five years out of date and there have been numerous releases with security improvements since then (due to its age, it isn’t clear exactly how many of those fix issues that existed in 1.3.8a). Despite that the website is labeled as being secure by SiteLock:
Not only does falsely claiming the website is secure mislead those visiting the website, but it also gives webmaster a false sense of security, which a security service shouldn’t do.
If SiteLock was actually interested in security it would quite easy for them to make sure the software on websites is up to date. Our Zen Cart Version Check extension for chrome is able to correctly detect the version in use from outside the website in this case:
With access to the website’s file, as Sitelock does, it is even easier to do and more accurate. For Zen Cart the version number is listed in the file /includes/version.php, so all you would need to do is to check files matching that for the following lines and you would know whether an outdated version of Zen Cart is in use:
define(‘PROJECT_VERSION_NAME’, ‘Zen Cart’);
In a previous post we looked at the fact that MOJO Marketplace distributes outdated software with known security vulnerabilities. Their lack of concern for security doesn’t end there; they have not kept their WordPress installation up to date:
If they actually used their own service they could be up to date, because unlike other software they offer they actually provide the latest version of WordPress:
Not only have they not updated to the latest major release of WordPress, 4.1, they haven’t applied the “critical security release” for 4.0 that was released on November 20. That would have normally have happened automatically, so either they disabled automatic updates, which is bad idea if you are not going to be on top of updating WordPress, or they have some problem blocking that from happening. If there was a problem and they actually cared about WordPress security getting to the bottom problem would have been the right thing to do as it could possible help others as well. Their lack of concern for the security of WordPress on their own website hasn’t stopped them from feeling it is appropriate for them to sell a WordPress security service to others though.
If you are looking to improve the security of your WordPress website you should check out our free Plugin Vulnerabilities plugin, which warns if you are using WordPress plugins with known security vulnerabilities.
Last week we noted that web hosts should stop providing the SimpleScripts software installation service to their users since it hasn’t been supported for some time, leaving people with outdated and insecure software on their websites. As part of that we noted that it looks like their service was replaced with the MOJO Marketplace. We decided to take a quick look at that service to see if they were keeping the software provided though it up to date and the results show that they have some problems, though nowhere near as bad as we found with GoDaddy last November.
To start with, they are still offering Joomla 2.5, despite support for that version having ended in December:
Somewhat oddly they provide the latest version of Drupal 7, but they don’t provide the latest version Drupal 6, despite those being released together in November. That version of Drupal 6, 6.34, fixed a session hijacking vulnerability.
For Zen Cart they have missed version 1.5.3, which includes security improvements and was released last July, and 1.5.4, which was released at the end of last year.
Last Wednesday we discussed an ongoing issues where security journalist conflate WordPress plugin’s download count at WordPress.org with how many websites are using the plugin, making a vulnerability seem like it has much larger impact than it actual it does. In the case last week the headlines proclaimed things like “More than 1 million WordPress websites imperiled by critical plugin bug” about a security vulnerability that existed in older versions of WP Slimstat, beyond explaining the fact that the security vulnerability in question was unlikely to be widely exploited, we pointed out that the website count used was way off base. The journalist were taking the 1.3 million downloads the plugin had and using that to back up their claim on over 1 million websites impacted, which they shouldn’t have since it isn’t close to being appropriate substitute for an actual count of use.
Over the weekend WordPress.org made a change that should stop this, as they started displaying a count of Active Installs in addition to download counts for WordPress plugins. In the case of the WP Slimstat plugin the actual number of websites using it is much less than a million, with the Active Installs listed at 100,000+:
Hopefully this will be a wake-up call to some of those journalist that they need to stop taking so many liberties when reporting on WordPress plugin security issues, since this isn’t the only problem that there has been with their coverage of the issue (which could use more quality coverage).
When it comes to what needs to be done to improve the security of websites there are so many things that could and should be done, but certain of them stand out for various reasons. One of the issues that stands out for us is web hosts who are distributing outdated web software. Web hosts are quick to blame many hacks on outdated web software – usually without evidence to support the claim – so you would think they would be careful about making sure that when they distribute web software through one-click installers and other similar mechanism that they are keeping the version available up to date. Too often that isn’t the case, back in November we looked at GoDaddy’s distribution of quite old versions of various software. The other day we ran across another example worth highlighting involving the one-click installer SimpleScripts.
While doing a cleanup of a hacked WordPress website we logged into the web host’s control panel for the website and got a pop up that the WordPress installation needed to be updated. Following the link in that brought up the SimpleScripts upgrade page and on that there was obvious problem, it listed the current version of WordPress as 3.9:
Version 3.9 hasn’t been the current version since 3.9.1 was released on May 8, 2014. A quick look at the list of the software versions provided by SimpleScripts showed that WordPress wasn’t alone in having a very out of date version provided. As best we can tell SimpleScripts is not being supported anymore. The SimpleScripts website makes no mention of it, but it appears that the service might have been replaced with another one-click installer MOJO Marketplace.
If you use a web host that is still using SimpleScripts please let know that it is no longer being updated and should be replaced.