The Insecurity of WordPress and Apache Struts

Interesting data:

A study that analyzed all the vulnerability disclosures between 2010 and 2019 found that around 55% of all the security bugs that have been weaponized and exploited in the wild were for two major application frameworks, namely WordPress and Apache Struts.

The Drupal content management system ranked third, followed by Ruby on Rails and Laravel, according to a report published this week by risk analysis firm RiskSense.

The full report is here.

Posted on March 18, 2020 at 7:45 AM

Comments

Hugo March 18, 2020 8:21 AM

WordPress, the remote access tool with blog functionality.

That people keep on using it amazes me. And it isn’t that hard to write a secure website framework or CMS.

Alejendro March 18, 2020 10:17 AM

My small and pretty crummy personal website is constantly attacked for WordPress logins and other wp files even though I don’t use it. I can’t imagine what it’s like for those who do.

I use Cloudflare CDN/DNS, which has a marvelous firewall system as well as other very effective security apps that keep almost all the bad stuff away.

Everyone says WordPress is “free”. But, not really. The better extensions cost $ and to have a really nice site you can get snookered into paying a lot of fees which eventually can add up to very serious $$$.

ivanhoe March 18, 2020 11:06 AM

These are also like 95% of all web, so it makes sense that hackers will invest most of their time in searching for exploits for them. There’s zero exploits for some random dude’s custom framework, not because it’s perfect but simply because no one ever heard of it.

dj March 18, 2020 12:05 PM

Some local governments use WP as their public website and do not keep it up to date. As a result they host porn, including apparent child porn, and scam ads that are visible on their RSS feeds. Seems WP can also be leveraged to access the Windows local network and cause problems. They keep those things a secret. When they go after anyone who even barely hints they have a problem, how do you let them know without being accused and raided?

David Leppik March 18, 2020 2:30 PM

With WordPress, it’s designed to be easy to administer, which just about necessitates some pretty awful compromises in terms of security updates. Having a WordPress site is a real pain if you add content about as often as they churn out updates.

As for Struts, that had its heyday in the early 2000s, and is still used by companies that don’t think too hard about which framework to use. They added an ill-conceived language for adding script parameters into URL parameters. Ill-conceived in that it was too complex to keep all the bugs at bay and made it too easy for hackers to construct queries. That’s what the Equifax exploit used.

I’m actually not at all surprised about WordPress; in terms of exploits-per-deployment, it’s not out of line—particularly since it’s made to be administered by rank novices. Struts, on the other hand, is something I hadn’t heard about for years (except for the tiny part of one of my websites that used it safely) until the Equifax thing blew up. It’s clearly very buggy.

Paul Mikol March 18, 2020 2:41 PM

I love Hugo’s comment: “WordPress, the remote access tool with blog functionality.” Now that is funny stuff.

Yes WP is a mess, Hugo is also right about how it’s really not that hard to write a CMS type app without templates and frameworks and all of that nonsense that is just ripe for evil manipulation.

As a developer of 25+ years, back from when SQL Server was actually a Sybase product, the first time I saw the generic WP database structure with all of the columns named “cryptically” so that they could be used in a generic “OO” type manner (entities basically given surrogate names), I was like WTF, are you kidding me with this here now…?!!

All that aside, I wanted to use this as my first blatant hats-off and personal thank you to Bruce Schneier. Bruce, as a professional developer of over 25 years I was to the point a couple of years ago where I was so disgusted and disappointed and dismayed at the state of computer security that I was so very close to just kissing the whole $60/hr. industry goodbye and going like veterinary medicine or something. Totally disgusted at all of ’em: Microsoft, Spectrum, T-Mobile, Apple, Qualcomm, Google, Mozilla, Amazon, Charter, Comcast, Samsung, Huawei, Sprint, AT&T, oh yeah and the NSA, because I blame all of ’em for their shady underhanded profit-mongering freedom-choking poor-ass greedy and evil decisions they’ve collectively made, shoving unwanted and unwarranted “features” down our throats…. DON’T GET ME STARTED.

Long story short at my lowest point, right in the middle of the whole Windows 10 Build 1803 fiasco, thank God I discovered you and Krebs and got bolstered up by you guys and am back full-force learning what I need to do to migrate my specialty from software analyst/engineer to security analyst/engineer to help fight the good fight because if you can’t already tell I’m f’n sick of the Internet being ruined for good people with good thoughts and good words and good deeds by Legions of thugs and punks and hoods.

So thanks schneier.com and krebsonsecurity.com, you guys are both bona fide cyberheroes; the good people of the Internet owe y’all more than most of them know….

David Leppik March 18, 2020 2:43 PM

RiskSense doesn’t know what it’s talking about:

“Node.js had a notably higher number of vulnerabilities than other JavaScript frameworks with 56 vulnerabilities, although only one has been weaponized to date,” RiskSense said.

ALL server-side JavaScript frameworks are built on top of Node.js. It’s the runtime environment. By definition, it has the most surface area.

Actually, JavaScript is an interesting case. Because of its ubiquity in the browser, everything is security-first, with the assumption that other parts of the runtime have been compromised. The JavaScript runtime is branching out into WebAssembly, which intends to provide all the features and nearly all the speed of a desktop application, but with a security model designed for running in browsers.

It gets really interesting when you look at libraries and modules, which need to be at least as fast as system calls, but completely sandboxed.

La Abeja March 18, 2020 2:54 PM

Interesting.

Bruce uses Movable Type, a proprietary platform, for this blog.

It’s on GitHub,

https://github.com/movabletype/movabletype/blob/master/README.md

which would lead one to believe it is open source, but no.

Make sure that each .cgi file (e.g. mt.cgi, mt-search.cgi, etc.) found in the Movable Type directory has the execute permission enabled.

Freeware, shareware, payware? I don’t know.

Bruce’s competitor, Brian Krebs, runs a security blog on WordPress. I have been blogging “extreme-right” conspiracy theories and similar topics on WordPress. It can’t be that bad, given that it’s still up, even though certain very powerful and very resourceful people want it down. (I was able after much time and effort to recover my domain name from them and also register a new one.)

WordPress runs on PHP. Stefan Esser has blogged about PHP bugs and vulnerabilities in the past, much to the annoyance and perturbation of the German government.

I am not really crazy about MySQL or MariaDB for security, either. I tend toward PostgreSQL, which I’m more used to and find easier to work with.

I am not using Apache. There is something called “Tomcat.”

http://tomcat.apache.org/

It’s Java, which is supposed to be secure with the JVM, memory management etc., but I simply cannot stand that name “Tomcat.” There’s a stereotypical teenage boy surfing the web, and that is enough of that.

NGINX gets an A+ from SSL Labs.

https://www.ssllabs.com/ssltest/

La Abeja March 18, 2020 4:22 PM

@Hugo

WordPress, the remote access tool with blog functionality.

remote access tool = Rat.

People aren’t that technical here.

A “rat” is somebody blogging about something he’s supposed to shut up about. Let’s not be sexist. It’s almost always men who are told to shut up by that particular “ladies-first” crowd.

That people keep on using it, amazes me.

Yeah. I know. People blog about stuff and they’re still alive for all the cops want them dead.

And it isn’t that hard to write a secure website framework or CMS.

Yeah. It isn’t that hard, is it? Just maintain Omertà and don’t talk about stuff you’re supposed to keep quiet about.

So long, Month of PHP Bugs.

any arbitrary chap March 18, 2020 6:52 PM

@ivanhoe

There’s zero exploits for some random dude’s custom framework, not because it’s perfect but simply because no one ever heard of it.

Hist! Ixnay on the oxday, pal.

Paul Mikol March 18, 2020 9:36 PM

Back in the client/server days the term “framework” was a joke at best, and frankly I haven’t seen much lately to convince me anything has changed.

gggeek March 19, 2020 4:18 AM

“And it isn’t that hard to write a secure website framework or CMS.”

Lol. Nothing is hard for those who don’t have to do it.

Most CMS/web frameworks start out lean and mean.
Then they discover editors want multilingual content, content versioning with diff and rollback, mass URL aliasing, the ability to upload images and attachments, to insert crazy HTML/JS snippets into content to be able to monetize, to do image retouching and cropping within the CMS, to have Google-like magical (but fully customizable) search and, of course, a noob-friendly WYSIWYG editor.

I agree that WP started out as a pretty dumb piece of code (the very first time I looked into the codebase, I found comments revealing the fact that the devs had no idea how to escape single quotes to insert them in a database…). Its ubiquity and surface exposure have made it evolve a lot.

1&1~=Umm March 19, 2020 5:05 AM

@gggeek:

“I found comments revealing the fact that the devs had no idea how to escape single quotes to insert them in a database… Its ubiquity and surface exposure has made it evolve a lot.”

You forgot to add ‘but the core is still rotten’.

Tom J Nowell March 19, 2020 12:40 PM

WordPress itself is pretty safe; unfortunately, the first thing most people do is grab themes from ThemeForest or various plugins, which are generally of highly questionable quality and security.

Well-maintained and well-built WordPress sites power some of the most trafficked sites on the web just fine without issues.

La Abeja March 19, 2020 1:11 PM

@ Tom J Nowell

themes from ThemeForest or various plugins, which are generally of highly questionable quality and security.

It seems very good to me to keep themes and plugins down to size and limited to what you actually need and use for your website.

Plugins offer arbitrary code, and of course they should be scrutinized for quality and security.

“Themes” or “skins” as they are called in some software packages, to me, seem like something very basic that should contain little if any executable code.

  1. Graphic layout
  2. Color scheme

Essentially, what CSS is for, but there’s a “feature creep” and themes have gotten more complicated than they need to be.

erik May 9, 2020 11:36 AM

What could mitigate all this is a move towards a headless CMS. There are other ones out there, but they lose the plot: no writer/marketer wants to type in markup and do CLI things to get the website on the server. BUT:

If you could easily get a WP plugin, turn the site to a static one, and upload that.
I have tried with my WP site but the theme breaks and I don’t have enough traffic to justify the switch.

But if you had a site with a theme that can be ported over to static:

You have all (most, depending) the functionality of a WP site, it’s fast because it’s just static, and the attack vector is limited to the underlying server software.

I am surprised Bruce doesn’t do this; he is much more technical than myself.
