Posts Tagged ‘wordpress’

Large Wordpress Hack Hits Major Hosting Companies, twice.

Wednesday, May 5th, 2010

Users with Network Solutions and Go Daddy running WordPress have been having a rough time recently. Some security analysts are saying the two incidents are related. The exploit is now being seen on other open source applications.

On April 11th Network Solutions posted an entry saying the issue had been resolved and laid the blame on a hole in WordPress. A dev over at WordPress quickly blasted back at Network Solutions, which made me chuckle.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

A few days later Go Daddy was hit, and less than a week later it was hit again. The issue is still unresolved at this time. What's more interesting is that it's affecting other applications such as Joomla. There was even some speculation that US Treasury websites have been hit with the same attack.

What it does

In all cases so far the database is left untouched. Malicious JavaScript is injected into .php files and infects the visitor's machine. A fresh install of WordPress will clean up the mess, but the site gets reinfected. Users have reported that even changing FTP passwords doesn't stop the attackers from gaining access.

Who it affects

So far it's been Linux servers running PHP on virtualized accounts. Not sure if the Treasury websites are virtualized or not.

How I deal with this

First, if you're paying $5/month for a hosting service, don't expect a lot of support. For starters, all of my clients use Liquid Web, either on their own account or through me. Having a good data center is key, and the guys at Liquid Web are awesome.

The biggest complaint you read about is the tediousness of going through all of your PHP files looking for some sort of injection. Most of these account holders are actually looking at every single file. Digging through a few hundred files does not sound like fun. Since I run Subversion on everything I touch, it's pretty simple. Just SSH in and enter:

svn status

That's it. If anything has changed I'll see it: modified files show up with an M and files the attacker dropped in show up with a ?. There are other security issues with running SVN on a production site, but if you don't store your passwords in the open and use .htaccess to block any requests for .svn directories you'll be fine.
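For sites that are not under Subversion the same idea still works: record a hash of every file once, then compare. The script below is an added example (not from the original post) of a baseline-and-compare check written in PHP so it runs on any shared host with CLI access. The paths, the manifest location and the list of file types are assumptions; keep the manifest outside the web root, and ideally keep a second copy off the server, because an attacker with write access to the account can edit it too.

```php
<?php
// integrity-check.php (added example, not the post's own code)
// Usage: php integrity-check.php baseline /home/user/public_html /home/user/manifest.json
//        php integrity-check.php check    /home/user/public_html /home/user/manifest.json
// Exit code 0 = nothing changed, 1 = changes found, 2 = no usable baseline.

// Hash every file of the types that typically receive injected code.
function collect_hashes(string $root): array {
    $watched = ['php', 'js', 'html', 'htaccess'];   // assumption: extend to taste
    $hashes  = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || !in_array(strtolower($file->getExtension()), $watched, true)) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);   // path relative to $root
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare a saved baseline against the current tree; mirrors what svn status shows.
function compare_manifest(array $baseline, array $current): array {
    $report = ['modified' => [], 'added' => [], 'missing' => []];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;            // like svn's "?"
        } elseif ($baseline[$path] !== $hash) {
            $report['modified'][] = $path;         // like svn's "M"
        }
    }
    foreach ($baseline as $path => $hash) {
        if (!isset($current[$path])) {
            $report['missing'][] = $path;          // like svn's "!"
        }
    }
    return $report;
}

$mode     = $argv[1] ?? 'check';
$root     = rtrim($argv[2] ?? getcwd(), '/');
$manifest = $argv[3] ?? dirname($root) . '/manifest.json';   // default: one level above the web root

if ($mode === 'baseline') {
    file_put_contents($manifest, json_encode(collect_hashes($root), JSON_PRETTY_PRINT));
    echo "Baseline written to $manifest\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents($manifest), true);
if (!is_array($baseline)) {
    fwrite(STDERR, "No usable baseline at $manifest, run with 'baseline' first\n");
    exit(2);
}

$report = compare_manifest($baseline, collect_hashes($root));
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind) . "\t$path\n";
    }
}
exit(array_sum(array_map('count', $report)) > 0 ? 1 : 0);
```

Run the baseline right after a clean install or a fresh deploy, then run the check from cron and mail yourself the output; a non-zero exit with a list of modified .php files is exactly the signal the account holders above were hunting for by hand.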

The cause

Sounds like they still don’t have a good grasp on what is going on here. My guess is it has to do with the server or even the OS setup on these accounts. For now the entrance vector remains in question.

The Solution

It's too early to lay blame on the hosting providers for a bad configuration. Right now it seems like they are just the biggest targets. However, don't expect quality support from discount providers. They just don't have the resources to respond to all of their customers. For now their customers are left frustrated with little help or recourse. It's even worse for the development companies that host their clients' websites with Go Daddy and Network Solutions.

Given the amount of time this has gone on, I would grab my data, clean it and move to another hosting provider.

Logging Emails Sent Through WordPress

Saturday, February 13th, 2010

Ever have the need to log emails from a contact form inside of WordPress? Here's my solution.

The Problem

The client uses the Contact Form 7 WordPress plugin for events, registrations and subscriptions. Up until this point all the emails needed to be cut and pasted manually into a master list for marketing or other action items.

Specific actions are taken with each contact form. Some submissions are simply added to a master email list while others are used to send content through snail mail. The need for more forms will be increasing over the next few months. These forms are very time sensitive, so the solution must be flexible enough that adding a new form takes no more than a few hours of turnaround.

The Solution

If resources were unlimited (time and budget) this would be a great place to implement a pre-built CRM (customer relationship management) system. There are plenty of open source and commercial applications that would work well.

The biggest limiting resource here is time. The client knows how to use WordPress and the current site is already well established with content. So we'll hack it.

Logging Emails

Logging outgoing emails from any type of contact form is essential. This could be as simple as storing them in a database or even writing to a flat file. Logging emails will help you pick up security issues as well as with troubleshooting.

The solution is pretty simple. Every email sent out through WordPress goes through the wp_mail() function, including forms submitted through Contact Form 7. All we need to do is capture the $_POST variables when a call is made to wp_mail().

We can use the add_action() hook from WordPress to accomplish this. One caveat: wp_mail is actually a filter (add_action() is just an alias for add_filter()), so the hooked function receives the mail arguments and must return them, otherwise the email never goes out.

A simple example

We'll insert our hook in the functions.php file for the theme. For this example I'll use a theme called custom.

wp-content/themes/custom/functions.php

We'll create a function to capture the posts. This function won't really do anything, but you'll get the point. Then we'll hook the function into wp_mail().

function saveContact( $args ) {
    // all of our post variables are in the $contact array
    $contact = $_POST;

    // now would be a good time to clean and filter
    foreach( $contact as $key => $value ) {
        // trim it, escape ... it you know the drill
        $contact[ $key ] = is_array( $value )
            ? array_map( 'sanitize_text_field', $value )
            : sanitize_text_field( $value );
    }

    // insert into the database or save a flat file

    // wp_mail is a filter: hand the mail arguments back unchanged
    // or WordPress has nothing left to send
    return $args;
}

// hook it (add_action() would work too, it is an alias of add_filter())
add_filter( 'wp_mail', 'saveContact' );

Now any time WordPress sends an email it will call our saveContact() function. This is fine for just capturing the data, but we want to do something with it. Keep in mind Contact 7 adds some of its own post variables, so you may want to pop those off before processing the data.

If you want to echo anything back to test this, turn off your JavaScript; otherwise Contact 7 will send an AJAX call behind the scenes and you won't see the output.
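Here is the simple example carried through to something usable: a wp_mail filter that drops Contact Form 7's bookkeeping fields, sanitizes the rest and appends one JSON line per submission to a log file. This is an added example, not the post's own code. The log location (one directory above the web root, so it is never served) and the assumption that the plugin's internal fields all start with an underscore (for example _wpcf7) are mine; check the field names your plugin version posts before relying on that.

```php
<?php
// Added example (not the post's own code): log every contact-form submission that
// goes through wp_mail() to a flat file. Lives in wp-content/themes/custom/functions.php.

// Assumption: one level above ABSPATH is outside the document root on this host.
define( 'CONTACT_LOG_FILE', dirname( ABSPATH ) . '/contact-log.jsonl' );

// Strip the plugin's own fields and sanitize what the visitor typed.
function contact_log_clean_post( array $post ) {
    $clean = array();
    foreach ( $post as $key => $value ) {
        // Assumption: Contact Form 7 internals (_wpcf7, _wpcf7_version, ...) start with "_".
        if ( substr( $key, 0, 1 ) === '_' ) {
            continue;
        }
        $key = sanitize_key( $key );                  // lowercase a-z, 0-9, "_" and "-" only
        $clean[ $key ] = is_array( $value )           // checkbox groups arrive as arrays
            ? implode( ', ', array_map( 'sanitize_text_field', $value ) )
            : sanitize_text_field( $value );          // strips tags, control chars, trims
    }
    return $clean;
}

// Build the log entry for one wp_mail() call.
function contact_log_entry( array $args, array $post ) {
    return array(
        'time'     => gmdate( 'c' ),
        'to'       => $args['to'],
        'subject'  => $args['subject'],
        'form_uri' => wp_get_referer() ? esc_url_raw( wp_get_referer() ) : '',
        'fields'   => contact_log_clean_post( $post ),
    );
}

function saveContact( $args ) {
    // Password resets and comment notifications also use wp_mail(); only log when a
    // form was actually posted.
    if ( ! empty( $_POST ) ) {
        $entry = contact_log_entry( $args, wp_unslash( $_POST ) );
        // One JSON object per line; LOCK_EX keeps concurrent submissions from interleaving.
        file_put_contents( CONTACT_LOG_FILE, json_encode( $entry ) . "\n", FILE_APPEND | LOCK_EX );
    }
    // wp_mail is a filter: return the arguments or nothing gets sent.
    return $args;
}
add_filter( 'wp_mail', 'saveContact' );
```

Because each line is self-contained JSON, the log is easy to grep for an address or a date, and the same sanitized array can be handed to $wpdb->insert() later if the flat file outgrows its usefulness. The referer is recorded so that, with permalinks enabled, you can tell which form the entry came from.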

An advanced example (go cURL yourself)

WordPress is great, but I want to use an MVC framework to handle all of the different actions. I want to know what form was sent and use the information to populate various tables. I use Kohana, but any of the popular frameworks can handle this in the same way. The benefit here is that I can use the framework's built-in cleaning and database helpers. We'll use cURL to send the post variables to our controller.

I'll send the data to a controller in public_html/example. So the domain www.mydomain.com has a standard WordPress install, but we have a Kohana controller living at www.mydomain.com/example. I'll also send along the URI where the form originated. We'll take care of all the data inside the framework. Clear as mud?

WordPress, by the way, does not like this source code being put inside the post. You can check it out here.

For security, make sure the controller only accepts cURL posts that were sent from your own domain.

With permalinks enabled you can differentiate between forms posted from something like www.mydomain.com/contact and www.mydomain.com/contact/subscribe.
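The exchange described above, written out as an added example (not the post's own code and not Kohana's): the WordPress side forwards the raw form fields plus the originating URI with cURL, and the receiving side decides which table the data belongs in from that URI. Instead of checking the source address, which is the same machine here anyway, the sender signs the body with an HMAC over a shared secret and the receiver verifies it, so only posts from your own WordPress install are accepted. The endpoint URL, the secret's name, the timestamp window and the path-to-table mapping are assumptions; the receiver is shown as plain PHP standing in for the controller action, and the secret should be defined in wp-config.php, not in the theme.

```php
<?php
// Added example (not the post's own code): forward contact-form posts to a controller
// with cURL and an HMAC signature, then verify and route them on the other side.

define( 'CONTACT_FORWARD_URL', 'https://www.mydomain.com/example/contact/receive' ); // assumed endpoint
// define( 'CONTACT_FORWARD_SECRET', '...long random string...' );  // assumed, lives in wp-config.php

// ---------- sender: wp-content/themes/custom/functions.php ----------
function contact_forward_body( array $post ) {
    // Drop Contact Form 7's internals (assumption: they start with "_"); the framework
    // does the real cleaning, so the visitor's fields are forwarded as-is.
    $fields = array();
    foreach ( $post as $key => $value ) {
        if ( substr( $key, 0, 1 ) !== '_' ) {
            $fields[ $key ] = $value;
        }
    }
    return json_encode( array(
        'form_uri' => wp_get_referer() ? esc_url_raw( wp_get_referer() ) : '', // e.g. .../contact/subscribe
        'sent_at'  => time(),      // lets the receiver reject replays of an old capture
        'fields'   => $fields,
    ) );
}

function forwardContact( $args ) {
    if ( empty( $_POST ) || ! defined( 'CONTACT_FORWARD_SECRET' ) ) {
        return $args;
    }
    $body = contact_forward_body( wp_unslash( $_POST ) );
    $sig  = hash_hmac( 'sha256', $body, CONTACT_FORWARD_SECRET );

    $ch = curl_init( CONTACT_FORWARD_URL );
    curl_setopt_array( $ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => array( 'Content-Type: application/json', 'X-Signature: ' . $sig ),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,    // a slow backend must not hang the visitor's form
        CURLOPT_SSL_VERIFYPEER => true,
    ) );
    if ( curl_exec( $ch ) === false ) {
        error_log( 'contact forward failed: ' . curl_error( $ch ) );   // the email still goes out
    }
    curl_close( $ch );
    return $args;   // wp_mail is a filter: hand the mail arguments back
}
add_filter( 'wp_mail', 'forwardContact' );

// ---------- receiver: stands in for the controller action behind /example/contact/receive ----------
function contact_receive( $raw_body, $signature, $secret, $max_age = 300 ) {
    // Constant-time comparison so the check does not leak how much of the MAC matched.
    $expected = hash_hmac( 'sha256', $raw_body, $secret );
    if ( ! hash_equals( $expected, (string) $signature ) ) {
        return array( 'ok' => false, 'error' => 'bad signature' );     // not from our WordPress
    }
    $payload = json_decode( $raw_body, true );
    if ( ! is_array( $payload ) || ! isset( $payload['sent_at'], $payload['form_uri'], $payload['fields'] )
         || abs( time() - (int) $payload['sent_at'] ) > $max_age ) {
        return array( 'ok' => false, 'error' => 'stale or malformed' );
    }
    // With permalinks on, the posting page's path says which form this was.
    $path = rtrim( (string) parse_url( $payload['form_uri'], PHP_URL_PATH ), '/' );
    $routes = array( '/contact' => 'contacts', '/contact/subscribe' => 'subscribers' ); // assumed mapping
    $table  = isset( $routes[ $path ] ) ? $routes[ $path ] : 'unrouted';
    return array( 'ok' => true, 'table' => $table, 'fields' => $payload['fields'] );
}

// Minimal dispatcher for the receiving script; a Kohana action would call contact_receive()
// with the request body, the header and the app's copy of the secret, then insert into $table.
if ( isset( $_SERVER['HTTP_X_SIGNATURE'] ) && defined( 'CONTACT_FORWARD_SECRET' ) ) {
    header( 'Content-Type: application/json' );
    echo json_encode( contact_receive( file_get_contents( 'php://input' ), $_SERVER['HTTP_X_SIGNATURE'], CONTACT_FORWARD_SECRET ) );
}
```

The receiver never trusts the form fields until the signature and the timestamp check out, and it chooses the table from the path rather than from a field the visitor could set, which is what makes the /contact versus /contact/subscribe distinction safe to act on.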