
WordPress Vulnerability: Hear from a Developer

5 September 2018 by Jenn Granger

Recently we brought you the breaking news story of the new WordPress vulnerability. The flaw was discovered by Sam Thomas, Director of Research, at UKFast’s sister company Secarma and was announced at Black Hat in Las Vegas, as well as the BSides MCR event last month.

The vulnerability, which lies within the PHP framework used by current versions of WordPress, can affect almost 30% of all sites on the web and has not yet been addressed. Watch the full Secarma talk here.

But what steps could you take to minimise the risk of a breach to your site?

We spoke to UKFast CTO Neil Lathwood, who gives you his thoughts on the glitch and adds some advice for those wishing to protect themselves against the dangerous flaw.


Neil, can you explain exactly what the vulnerability is?

The PHP vulnerability allows attackers to exploit flaws within WordPress’ PHP framework, which could result in a complete system compromise. The vulnerability is not limited to WordPress sites and can affect others that use this same PHP framework. However, WordPress accounts for 26% of the entire web’s eCommerce sites, with 30% of the world’s top 1000 websites vulnerable to hacking and data breaches as a result.

The exploit offers a previously undiscovered way to expose “unserialization” in the platform’s code using XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF).

An attacker uploads a specially crafted file onto the target application, posing as a normal picture or document file, for example. The hacker then triggers a file operation through a crafted file name – which accesses the file through the “phar://” stream wrapper – causing the target application to “unserialize” metadata contained in the file. Unserialization of attacker-controlled data is a known critical vulnerability, potentially resulting in the execution of malicious code.

WordPress was informed of the issue in February 2017 but has yet to take action.

Who could be affected by this PHP flaw?

Basically, anyone who runs a WordPress site. While this vulnerability requires a login to WordPress, weak passwords and phishing mean that your user accounts could be compromised. However, the flaw is not limited to WordPress and affects other websites that use this structure.


How can techies and eCommerce websites avoid the hackers looking to exploit this vulnerability?

The usual security advice is paramount here and needs to be applied rigorously to avoid any problems to your site when it comes to this vulnerability:

  • Don’t give out user accounts to people who don’t need them – keep access limited to those who need to access the site daily for their work.
  • Ensure that people use strong passwords, and consider a 2FA plugin for WordPress so you can ensure stolen passwords are useless to hackers or malignant users.
  • Only allow file uploads to users who really need it; this vulnerability relies on a user having file upload permissions.
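The attack chain above hinges on a user-influenced file name reaching a PHP filesystem call through the “phar://” stream wrapper. The following is an added example, not code from the article, from Neil Lathwood or from WordPress: a defensive path check that refuses any stream-wrapper URL or path traversal before the name is used, plus unregistering the phar wrapper when the application has no need for it. The function name and the upload directory are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical upload root; a real application would take this from its own configuration.
const UPLOAD_ROOT = '/var/www/uploads';

/**
 * Returns a safe absolute path inside UPLOAD_ROOT for a user-supplied file name,
 * or null if the name must be rejected. Calls such as file_exists(), is_file()
 * and filesize() dispatch on the scheme prefix, so refusing "phar://" (and every
 * other "scheme://") keeps them away from the phar handler that unserializes
 * archive metadata.
 */
function safe_upload_path(string $userName): ?string
{
    // Reject anything that looks like a stream-wrapper URL: phar://, php://, data://, ...
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userName)) {
        return null;
    }
    // Null bytes and directory components are never legitimate in an upload name.
    if (strpos($userName, "\0") !== false || basename($userName) !== $userName) {
        return null;
    }
    // Conservative character set and a short allow-list of extensions.
    if (!preg_match('/^[A-Za-z0-9_\-]{1,64}\.(png|jpe?g|gif|pdf)$/', $userName)) {
        return null;
    }
    $candidate = UPLOAD_ROOT . DIRECTORY_SEPARATOR . $userName;
    // realpath() resolves symlinks; an existing file must still sit inside the upload root.
    $real = realpath($candidate);
    if ($real === false) {
        return $candidate; // not on disk yet: acceptable for a new upload, no wrapper involved
    }
    $prefix = UPLOAD_ROOT . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// If the application never opens phar archives at request time, remove the wrapper
// entirely so that an overlooked code path cannot reach it either.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed inputs: a plain file name, a stream-wrapper URL and a traversal attempt.
foreach (['report.pdf', 'phar://report.jpg/x', '../wp-config.php'] as $name) {
    $path = safe_upload_path($name);
    printf("%-24s => %s\n", $name, $path === null ? 'rejected' : $path);
}
```

The check belongs wherever a name supplied by an upload, a form field or a URL parameter is handed to a filesystem function, not only at upload time.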


Is anything being done by the industry to stop future vulnerabilities like this?

This is a constantly changing landscape and known vulnerabilities are being addressed by vendors and the open source community daily. Things like WAFs (Web Application Firewalls) can help mitigate against vulnerabilities yet to be discovered, and if you are not running a WAF in front of your web application then you should consider doing so.

WordPress is actually a lot more secure today than it used to be and the core code is audited to identify issues like this. WordPress plugins on the other hand are where users need to be concerned.


How can techies and developers use PHP to put a stop to this?

  • Stay up to date with security best practice around the programming language you use. PHP has had some bad press in the past but, again, this is constantly being addressed. Secure coding standards are publicised in a variety of places and these will help you ensure you aren’t introducing potential vulnerabilities into your applications.
  • Sanitise user input everywhere; this should be covered in the coding standards for your language but it can’t be stressed enough that you should never trust the input from a user.
  • Get your web application penetration tested and have a code audit done. Others will most likely think of more ways to use your application than you expected, so it’s good to get an outsider’s perspective on things, especially from a company that specialises in code auditing.
  • Don’t forget the stack around your application. Make sure your OS and packages are up to date. It might not be your PHP app someone exploits; it could be Apache first, but then they can use your app to hop to your database server.

