Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 21 Nov 2016 17:32:32 +0000
From: Ben Tasker <ben@...tasker.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: WordPress (all versions): SPOF, RCE, and Negligence

> Up the minimum PHP version to at least 5.6.0.

I assume you're talking about the PHP versions that Wordpress supports (as
opposed to on their update server?).

Such sweeping version checks do not work well with Stable distributions.
Given that most web hosts use stable distros, implementing such a
requirement would lock Wordpress out of a substantial proportion of their
target market:


CentOS 6 will continue to be supported until Q2 2017, with maintenance
releases until 2020. The version in the repos is 5.3.3 with security
backports

Debian Wheezy 5.4.45 (again with security backports) and will be supported
until 2018.


An important question, of course, is whether the issues fixed in PHP 5.6.0
were correctly marked as security fixes (and as a result backported by the
distro maintainers)

There was a similar issue a while back where Joomla! decided to run a
version check to ensure PHP version was >= 5.3.10. It broke a number of
sites, and the most common fix seems to have been a core-hack to disable
that check. The logic for inserting that check was reasonable, but lacked
consideration of who the market actually is.

The alternative is that hosters move onto more bleeding edge distro's, and
I'm not convinced that's good in the long term.

On Mon, Nov 21, 2016 at 4:54 PM, Scott Arciszewski <scott@...agonie.com>
wrote:

> This is the function that fetches downloads from the WordPress update
> servers: https://github.com/WordPress/WordPress/blob/
> f5b6731777bbd1dfe290867d2240a2a68e2f0cf1/wp-admin/includes/
> class-wp-upgrader.php#L252-L283
>
> The only verification it offers is an MD5 checksum, which is sent by
> the server that also serves the file:
> https://github.com/WordPress/WordPress/blob/eeefec932f3d4f3b50369f6523c2cd
> 8fad3d467f/wp-admin/includes/file.php#L482-L525
>
> At no point lower in the automatic update process is a cryptographic
> signature verified. The update server is trusted explicitly and
> implicitly by every WordPress website online.
>
> WordPress powers an estimated 26% of websites on the Internet.
>
> Consequently, the WordPress update server is one of the largest single
> points of failure (SPOF) on the Internet. If you manage to hack their
> infrastructure, you can push a false update to millions of WordPress
> blogs and get reliable remote code execution everywhere.
>
> They are aware of this issue, and have been for years:
> https://core.trac.wordpress.org/ticket/25052
>
> Additionally, PHP before 5.6.0 had terrible SSL/TLS support. It may
> also be possible to get targeted RCE out of a MitM condition due to
> their stubborn insistence on supporting PHP 5.2.4. I need to do more
> research here.
>
> The WordPress culture, for those who are not aware, prioritizes higher
> adoption rates over better security. They see backwards compatibility
> as a usability problem more than a liability.
>
> The WordPress team also promotes the use of the misnomer "responsible
> disclosure" over the more accurate "coordinated disclosure", and
> refuse to entertain suggestions to improve their vernacular.
>
> In short, WordPress is semi-toxic towards improving their own
> security-- mostly out of negligence and stubbornness rather than
> outright hostility (see: OpenCart).
>
> I don't believe there's much chance of fixing this, due to political
> problems rather than technological problems. The first step towards a
> reliable solution would look like this:
>
> 1. Up the minimum PHP version to at least 5.6.0.
> 2. Use openssl_sign() and openssl_verify() with an RSA keypair
> maintained by their team.
>
> A total solution would incorporate all of the elements listed here for
> both core updates and theme/plugin updates:
> https://paragonie.com/blog/2016/10/guide-automatic-
> security-updates-for-php-developers#elements-automatic-updates
>
> Should anyone wish to endure the steep uphill battle to try to get
> WordPress to fix this problem _before_ we see headlines titled
> "WormPress: How your blog was hacked" in the news, godspeed.
>
> Scott Arciszewski
> Chief Development Officer
> Paragon Initiative Enterprises <https://paragonie.com>
>



-- 
Ben Tasker
https://www.bentasker.co.uk

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.