Does anybody use phar://?
It should be disabled by default.
A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking. A security shortcoming within WordPress's PHP framework can be leveraged by logged-in non-admin users to run arbitrary malicious code and commands on the host servers, infosec consultancy Secarma …
Since phar:// is a PHP construct, not a WordPress one, whether or not you touch the GOLIATH that is WordPress is immaterial. Like it or hate it, WordPress is the most commonly used CMS on the web and we all have to deal with it on occasion even if we don't want to do so -- even if just as a website visitor.
The framework itself is actually audited and pretty stable, but I shudder whenever one of my clients wants to add a plugin.
Haven't looked at this announced vulnerability yet, but since it requires users to be authenticated AND have the ability to upload a file (presumably an image since thumbnail generation is mentioned), the vast majority of sites aren't going to be affected.
Quite so. WordPress is (almost) ok to use and pretty amazing in its more developer-friendly decoupled state. The problems start when you add any one of the thousands of plugins, many of which seem to completely bypass such simple PHP things as private or public protection.
And then you take a look at Drupal security and gently start to weep ...
This smacks of a security flaw caused by a lazy programmer. In fact, either it's someone who is lazy, doesn't care, or they do not know how to fix the problem, since it was first reported to WordPress in Feb 2017.
The simple fix is do not allow regular users to upload. Leave that for an administrator. Problem solved.
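One way to do what this post suggests in WordPress terms, as an added example that is not from the post or from WordPress core: a must-use plugin (the file name below is my own choice) that denies the `upload_files` capability to anyone who is not an administrator, so every `current_user_can('upload_files')` check in the media uploader and related code paths fails for them.

```php
<?php
/**
 * Plugin Name: Restrict uploads to administrators
 *
 * Added example, not WordPress core code. Drop it into
 * wp-content/mu-plugins/ (any file name works; mu-plugins load unconditionally).
 *
 * The user_has_cap filter runs on every capability check, so stripping
 * upload_files here blocks the media uploader, the REST media endpoint and
 * anything else that gates on current_user_can('upload_files'). Nothing is
 * written to the database: deleting this file restores the stock roles.
 */
add_filter(
    'user_has_cap',
    function (array $allcaps, array $caps, array $args, WP_User $user): array {
        // Only the administrator role keeps upload_files; editors, authors
        // and any custom role lose it at check time.
        if (!in_array('administrator', (array) $user->roles, true)) {
            unset($allcaps['upload_files']);
        }
        return $allcaps;
    },
    10,
    4
);
```

This is deliberately blunt: editors lose the media library along with authors, which is the trade-off the post is proposing. If a site needs a finer split, the same filter can key on a custom capability or on a short allow-list of user IDs instead of the role name.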
Part of the problem with WordPress is that it is so well-known that it is pretty much the default option for many people wanting to fling together a simple (or, worse, not quite so simple) website without very much effort. If it didn't have a long history of security problems, this might not be such a bad thing, but...
The next most well-known alternative is perhaps Drupal, which is rather more complicated (and so perhaps less suitable for people who just want an "easy to run" website/CMS) and has its own share of careful hand-holding required.
Does anyone have any good suggestions for other alternatives (that don't require a full-time sysadmin to run them)?
"If it didn't have a long history of security problems, this might not be such a bad thing, but..."
Don't conflate reported issues found because of good auditing, with weak security. For the majority of cases, using a lesser audited or DIY platform attempting the same level of functionality as WP will run the risk of having *more* bugs & holes. The problem is when you start running all sorts of poorly audited third-party plugins.
As a SysAdmin, I've had far more issues with developers' in-house DIY CMS than I have with a properly configured WP.
Well, here's what I do: I have local copies of everything and web servers handy to test stuff if I need to. Then you use scp or sftp or some other means to copy files onto the actual web server. In one case, for a customer site, it used a private GitHub repo [which is extremely convenient that way - test on another server, then do a pull request to the main repo, then 'git pull' on the server plus whatever other post-pull stuff you gotta do, and it's automatically backed up in the cloud].
Some of these solutions require shell access. In the case of my company web site, which I've had since the mid-90s, I use sftp to transfer files from my local repo to the server. [Then I only have to use their 'control panel' stuff to manage things like e-mail addresses and DNS entries.]
*REAL* html coders can do it with pluma. Or vi. (and without ANY scripting!)
So another case for disabling "allow_url_fopen"?
And on a related note, it is **utterly ridiculous** that the PHP developers add features that extend the functionality of existing functions without requiring them to be explicitly enabled. Even the default Debian PHP production options are far too liberal for my liking.
/me adjusts my evil sysadmin hat for comfort.
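Two caveats for the "disable it" suggestions in this thread, followed by an added PHP example that is not from any of the posts above nor from WordPress. First, `allow_url_fopen` only governs the remote URL wrappers (http://, ftp://); phar:// is registered as a local wrapper, so setting `allow_url_fopen=0` leaves it reachable from every filesystem function. Second, the bug class here is that accessing a phar archive through the wrapper unserializes its metadata; PHP 8.0 stopped doing that automatically, but the general point stands that any user-influenced string reaching `file_exists()`, `is_file()`, `getimagesize()` and friends is also a wrapper URL. The code shows both ways to close the door: unregistering the wrapper for the process, and refusing wrapper syntax plus enforcing directory containment before any filesystem call. Directory and file names in it are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example. Not code from the thread or from WordPress.

// --- Option A: drop the phar wrapper for this process at bootstrap. --------
// ext/phar registers "phar" whenever it is loaded, independent of
// allow_url_fopen. Unregistering it breaks code that legitimately reads
// .phar archives (e.g. running a tool shipped as one), so do this in web
// SAPIs only, not on the CLI.
function disable_phar_wrapper(): bool
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        return stream_wrapper_unregister('phar');
    }
    return true; // already absent
}

// --- Option B: validate before the path reaches any filesystem function. --
// $path is the full string the application was about to pass to
// file_exists()/getimagesize(); $uploadDir is the only directory it may name.
function resolve_upload_path(string $uploadDir, string $path): string
{
    // Any "scheme://" prefix (phar://, glob://, data://, ...) selects a
    // stream wrapper. Reject the whole class rather than blocklisting phar.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException("stream wrapper not allowed: $path");
    }
    // A NUL byte truncates the path inside the C runtime; refuse it too.
    if (strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }

    $base = realpath($uploadDir);
    $real = realpath($path);
    // realpath() returns false for missing files and for wrapper URLs, and
    // collapses "../" so the prefix comparison below cannot be side-stepped.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("path escapes upload dir: $path");
    }
    return $real;
}

// Demo: a constructed upload directory with one legitimate file in it.
$uploadDir = sys_get_temp_dir() . '/uploads-demo';
@mkdir($uploadDir);
file_put_contents($uploadDir . '/avatar.jpg', 'not really a jpeg');

$candidates = [
    $uploadDir . '/avatar.jpg',                   // legitimate
    $uploadDir . '/../../etc/passwd',             // traversal out of the dir
    'phar://' . $uploadDir . '/avatar.jpg/x.txt', // wrapper URL
];
foreach ($candidates as $candidate) {
    try {
        echo 'OK   ', resolve_upload_path($uploadDir, $candidate), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', $e->getMessage(), PHP_EOL;
    }
}

echo 'phar wrapper removed: ', disable_phar_wrapper() ? 'yes' : 'no', PHP_EOL;
```

Option B is the one to reach for in application code, because it does not depend on knowing which wrappers the runtime has; Option A is the sysadmin-level switch this thread is asking for, and it can live in a file loaded via `auto_prepend_file` so individual applications never see the wrapper at all.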