So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking. A security shortcoming within WordPress's PHP framework can be leveraged by logged-in non-admin users to run arbitrary malicious code and commands on the host servers, infosec consultancy Secarma …

  1. Anonymous Coward

    Does anybody use phar://?

    It should be disabled by default.

    1. DJV Silver badge

      Does anybody use phar://?

      Not me. I program in PHP but prefer never to touch the creaking behemoth that is WordPress.

      1. Donn Bly

        Re: Does anybody use phar://?

        Since phar:// is a PHP construct, not a WordPress one, whether or not you touch the GOLIATH that is WordPress is immaterial. Like it or hate it, WordPress is the most commonly used CMS on the web and we all have to deal with it on occasion even if we don't want to do so -- even if just as a website visitor.

        The framework itself is actually audited and pretty stable, but I shudder whenever one of my clients wants to add a plugin.

        Haven't looked at this announced vulnerability yet, but since it requires users to be authenticated AND have the ability to upload a file (presumably an image since thumbnail generation is mentioned), the vast majority of sites aren't going to be affected.

        1. macjules Silver badge

          Re: Does anybody use phar://?

          Quite so. WordPress is (almost) ok to use and pretty amazing in its more developer-friendly decoupled state. The problems start when you add any one of the thousands of plugins, many of which seem to completely bypass such simple PHP things as private or public protection.

          And then you take a look at Drupal security and gently start to weep ..

          1. Pascal Monett Silver badge

            Re: And then you take a look at Drupal security . . .

            Um, nope. Won't do that.

            I intend to die with my sanity intact, thank you.

  2. wolfetone Silver badge

    Water continues to be wet then I guess.

  3. Maelstorm Bronze badge

    This smacks of a security flaw caused by a lazy programmer. In fact, either it's someone who is lazy, doesn't care, or they do not know how to fix the problem since it was first reported to WordPress Feb 2017.

    The simple fix is do not allow regular users to upload. Leave that for an administrator. Problem solved.
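The restriction Maelstorm proposes above (only administrators may upload) can be expressed in WordPress as a capability change. The snippet below is an added example written for this page, not code from the article or from the WordPress project. `get_role()`, `WP_Role::has_cap()` and `WP_Role::remove_cap()` are real WordPress API calls; the choice of roles to strip, the `init` hook and the placement as a must-use plugin are my assumptions.

```php
<?php
/**
 * Plugin Name: Restrict uploads to administrators (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It removes the upload_files capability from the lower-privileged built-in
 * roles. By default only Author and above carry upload_files; the Subscriber
 * and Contributor entries are included so the policy also holds on sites
 * where a plugin has granted the capability more widely.
 *
 * Assumption: the site uses the default role names and wants only
 * administrators (and editors, if you keep that role below) to upload.
 */

add_action('init', function () {
    // Roles that must not be able to upload files. Add 'editor' here if
    // editors should lose the capability too.
    $restricted = ['subscriber', 'contributor', 'author'];

    foreach ($restricted as $roleName) {
        $role = get_role($roleName);
        if ($role === null) {
            continue; // role does not exist on this site
        }
        // remove_cap() persists the change to the options table, so only
        // call it when the capability is actually present. This keeps the
        // hook cheap on subsequent requests.
        if ($role->has_cap('upload_files')) {
            $role->remove_cap('upload_files');
        }
    }
});
```

Because the role change is persisted, it survives even after the mu-plugin is removed; restore `upload_files` with `add_cap()` if the policy is ever reversed. Note that this only closes the media upload path; plugins that accept files through their own handlers need to be checked separately.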

  4. Anonymous Coward

    Good alternatives to WordPress?

    Part of the problem with WordPress is that it is so well-known that it is pretty much the default option for many people wanting to fling together a simple (or, worse, not quite so simple) website without very much effort. If it didn't have a long history of security problems, this might not be such a bad thing, but...

    The next most well-known alternative is perhaps Drupal, which is rather more complicated (and so perhaps less suitable for people who just want an "easy to run" website/CMS) and has its own share of careful hand-holding required.

    Does anyone have any good suggestions for other alternatives (that don't require a full-time sysadmin to run them)?

    1. disk iops

      Re: Good alternatives to WordPress?

    2. Anonymice

      Re: Good alternatives to WordPress?

      "If it didn't have a long history of security problems, this might not be such a bad thing, but..."

      Don't conflate reported issues found because of good auditing, with weak security. For the majority of cases, using a lesser audited or DIY platform attempting the same level of functionality as WP will run the risk of having *more* bugs & holes. The problem is when you start running all sorts of poorly audited third-party plugins.

      As a SysAdmin, I've had far more issues with developers' in-house DIY CMS than I have with a properly configured WP.

    3. bombastic bob Silver badge

      Re: Good alternatives to WordPress?

      well here's what I do: I have local copies of everything and web servers handy to test stuff if I need to. Then you use scp or sftp or some other means to copy files onto the actual web server. In one case, for a customer site, it used a private GitHub repo [which is extremely convenient that way - test on another server, then do pull request to main repo, then 'git pull' on the server plus whatever other post-pull stuff you gotta do and it's automatically backed up in the cloud].

      Some of these solutions require shell access. In the case of my company web site, which I've had since the mid-'90s, I use sftp to transfer files from my local repo to the server. [then I only have to use their 'control panel' stuff to manage things like e-mail addresses and DNS entries].

      *REAL* html coders can do it with pluma. Or vi. (and without ANY scripting!)

    4. Pomgolian

      Re: Good alternatives to WordPress?

  5. heyrick Silver badge

    "are a load of tribble's testicles"

    Thanks. That made my Monday.

    (summer break is over, back to work, wah)

  6. Peter X

    Disable "allow_url_fopen"?

    So another case for disabling "allow_url_fopen"?

    And on a related note, it is **utterly ridiculous** that the PHP developers add features that extend the functionality of existing functions without requiring them to be explicitly enabled. Even the default Debian PHP production options are far too liberal for my liking.

    /me adjusts my evil sysadmin hat for comfort.

  7. holmegm

    The WordPress hatin' is a bit out of date.

    It's actually been pretty secure the last few years.

    Meanwhile, we've had to contact Drupal clients and tell them "er, you know that Drupalgeddon thing a couple weeks ago? Well, there's been another one ..."

    1. Anonymous Coward

      Generally it's the plugins that are written by morons and assume that letting the user specify the source to read from and the destination to write to isn't going to result in people writing arbitrary code into imagethumbnailcache/gimme-remote-access.php
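Three comments in this thread point at the same defensive measures: the first Anonymous Coward asks for phar:// to be disabled, Peter X suggests disabling `allow_url_fopen`, and the last Anonymous Coward blames plugins that pass user-chosen source and destination paths straight to filesystem calls. The script below is an added example written for this page, not code from the article, from Secarma or from WordPress. It shows two things a plugin or site author can do: unregister the phar stream wrapper at bootstrap, and validate a user-supplied filename before it reaches functions such as `file_exists()` or `filesize()`. `stream_wrapper_unregister()`, `stream_get_wrappers()` and `realpath()` are standard PHP functions; the helper names, the regular expression and the sample inputs are my assumptions.

```php
<?php
declare(strict_types=1);

// Added example: defensive handling of user-supplied paths in PHP.
// Helper names, the temporary directory and the sample inputs are
// constructed for this illustration.

/**
 * Remove the phar:// stream wrapper if the application never needs it.
 * After this, a phar:// path simply fails to open instead of being parsed.
 * Call once during bootstrap. Returns true when the wrapper is gone.
 */
function disable_phar_wrapper(): bool
{
    if (!in_array('phar', stream_get_wrappers(), true)) {
        return true; // already absent
    }
    return stream_wrapper_unregister('phar');
}

/**
 * Validate a user-supplied filename relative to a known upload directory.
 * Returns the resolved absolute path, or null when the input is rejected:
 *   - embedded NUL bytes
 *   - any scheme prefix (phar://, file://, http://, data:, ...)
 *   - ".." traversal components
 *   - a resolved path that does not sit under the upload directory
 * Note: the scheme check also rejects names such as "note:1.txt"; that is
 * the conservative side to err on for upload handling.
 */
function safe_upload_path(string $baseDir, string $userSupplied): ?string
{
    if (strpos($userSupplied, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userSupplied)) {
        return null;
    }
    foreach (explode('/', str_replace('\\', '/', $userSupplied)) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Build the candidate path as a plain string first, then resolve it and
    // confirm the result is still inside $base (covers symlinks as well).
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userSupplied, '/\\');
    $resolved = realpath($candidate);
    if ($resolved === false) {
        return null; // missing, or resolves somewhere we cannot see
    }
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demonstration: a temporary upload directory holding one file.
$uploadDir = sys_get_temp_dir() . '/demo_uploads_' . getmypid();
mkdir($uploadDir, 0700, true);
file_put_contents($uploadDir . '/avatar.jpg', 'placeholder bytes');

disable_phar_wrapper();

$inputs = [
    'avatar.jpg',            // accepted: resolves under the upload directory
    'phar://avatar.jpg/x',   // rejected: scheme prefix
    '../../etc/hostname',    // rejected: traversal
    "avatar.jpg\0.png",      // rejected: NUL byte
];
foreach ($inputs as $input) {
    $result = safe_upload_path($uploadDir, $input);
    printf("%-24s => %s\n", json_encode($input), $result ?? 'REJECTED');
}

unlink($uploadDir . '/avatar.jpg');
rmdir($uploadDir);
```

The two measures are independent. Unregistering the wrapper is a blunt site-wide control that only works if nothing legitimate relies on phar:// (Composer-installed tooling sometimes does, so check before enabling it in production). The path validator is the per-call control that a plugin author owns regardless of server configuration; `allow_url_fopen` governs remote wrappers such as http://, and turning it off does not on its own stop phar://, which is why the validator rejects every scheme rather than a fixed list.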


Biting the hand that feeds IT © 1998–2021