
Database Passwords Everywhere!

Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.

Feross Aboukhadijeh

January 22, 2012

Transcript

  1. CMSploit
     Definition: Security scanner that tests websites built with content management systems for temporary files that contain sensitive information.
  2. [Chart: number of sites per CMS, axis 0 to 5,000,000; bar values shown: 18,819; 334,408; 1,656,021; 4,485,142.]
     Data from BuiltWith (http://trends.builtwith.com/cms/)
  3. Typical config file

     <?php
     /** Name of WordPress database */
     define('DB_NAME', 'my_secret_database');
     /** MySQL database username */
     define('DB_USER', 'secret_agent_1');
     /** MySQL database password */
     define('DB_PASSWORD', 'you_will_never_guess_this');
     /** MySQL hostname */
     define('DB_HOST', 'mysql.mysite.com');
  4. Typical config filenames
     • wp-config.php // WordPress
     • config.php // phpBB, ExpressionEngine
     • configuration.php // Joomla
     • LocalSettings.php // MediaWiki
     • mt-config.cgi // Movable Type
     • settings.php // Drupal
  5. Big mistake
     • Config files sit in a publicly accessible folder
     • Easier to set up this way, but less secure
     • All sensitive info is between <?php ?> tags
     • Demo: http://feross.net/wordpress/wp-config.php
  6. Temporary Files
     • For a file wp-config.php, text editors will create:
     • Backup files
       • wp-config.php~ // Vim, Gedit
       • #wp-config.php# // Emacs
       • wp-config.php.save // Nano
     • Swap files
       • wp-config.php.swp // Vim
       • wp-config.php.swo // Vim
  7. What’s wrong here?
     • There may be temporary files which contain sensitive info floating around in publicly-accessible folders.
     • If a temp file gets requested, most servers will return the plaintext, skipping the PHP pre-processor.
       • .php → Content-Type: text/html; charset=UTF-8
       • .php~ → Content-Type: text/plain
       • etc... → Content-Type: text/plain
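As an added example (not code from the deck or from CMSploit), a small Python audit a site owner can run against their own document root: it builds the leftover filenames from the config names on slide 4 and the editor patterns on slide 6, and walks subfolders such as /blog/ as well. The dot-prefixed `.name.swp` entry goes beyond the slide and is my addition, since that is the default name Vim actually gives its swap file; `demo()` runs the audit over a constructed sample tree.

```python
import os
import tempfile

# Config filenames the deck lists per CMS (slide 4).
CMS_CONFIG_FILES = [
    "wp-config.php",        # WordPress
    "config.php",           # phpBB, ExpressionEngine
    "configuration.php",    # Joomla
    "LocalSettings.php",    # MediaWiki
    "mt-config.cgi",        # Movable Type
    "settings.php",         # Drupal
]

def editor_leftovers(name):
    """Backup/swap names an editor may leave beside `name` -> editor (slide 6).
    '.name.swp' is an addition here: it is the default swap-file name Vim uses."""
    return {
        f"{name}~": "Vim/Gedit backup",
        f"#{name}#": "Emacs backup",
        f"{name}.save": "Nano backup",
        f"{name}.swp": "Vim swap",
        f"{name}.swo": "Vim swap",
        f".{name}.swp": "Vim swap",
    }

def audit_webroot(root):
    """Walk root (subfolders like /blog/ included); return sorted (path, reason)."""
    patterns = {}
    for cfg in CMS_CONFIG_FILES:
        patterns.update(editor_leftovers(cfg))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname in patterns:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append((rel.replace(os.sep, "/"), patterns[fname]))
    return sorted(findings)

def demo():
    """Constructed sample web root: one live config, two editor leftovers."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "blog"))
        for rel in ("wp-config.php", "wp-config.php~", "index.php",
                    "blog/#configuration.php#"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php /* constructed sample */ ?>\n")
        return audit_webroot(root)
```

Point `audit_webroot()` at your real document root (for example `/var/www/html`) and delete or move anything it reports outside the web-served tree.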
  9. What I did
     • Wrote a program to test the top 1 million websites
     • It issues GET requests to a site to test for the presence of temporary backup files with common CMS config filenames
  10. Results
     • Tested the 216,391 most popular websites (according to Quantcast).
     • Found 230 config files visible in the root of the site.
     • Thus, 230 / 216391 = 0.11% of all websites are vulnerable.
     • Latest stats say that about 13.8% of the top 10,000 websites run CMSs. If we just focus on CMS-powered websites (and extrapolate), then the percentage of vulnerable sites is:
     • 230 / (216391 * 0.138) = 0.77% of websites running a CMS are vulnerable.
  11. 230 config files total
     • E-commerce (credit card numbers)
     • Churches
     • Fire department in a really large U.S. city
     • Porn sites
     • Lots of WordPress blogs...
  12. What I did
     • Didn’t try logging in with any of the passwords.
     • Responsible disclosure to top sites.
     • Submitted a vulnerability report with US-CERT. (They ignored it.)
  13. Email to top sites

     To whom it may concern:

     I believe that I have discovered a security issue with the ________.com website. If you'd like to know more, I can disclose the full details of the issue to an engineer or software developer on your website team so the issue can be fixed.

     Respectfully,
     Feross Aboukhadijeh
     Stanford University, Computer Security Lab
  14. Complaints

     From: ****@us.pgds.com
     To: [email protected]

     To whom it may concern,

     Our organization has detected suspicious traffic originating from boxxy.stanford.edu (128.12.188.246) against the web site of one of our affiliated companies. The request URL for some of that traffic was to /wp-config.php~
     The traffic occurred at 5 Oct 2011 11:48:26 GMT and 5 Oct 2011 12:22:50 GMT. We would appreciate it if you would investigate and resolve this matter.

     Thank you,
     ******** *******
     Senior IT Security Administrator
     Prudential Global Data Services (PGDS-US)
  15. From: Information Security <[email protected]>
     To: [email protected]

     We're forwarding a complaint about a machine registered to or administered by you. Unless you're aware of this, it indicates the machine has been broken into or otherwise compromised. When a system has been compromised at the system privilege level, rebuilding the system, applying current patches, and setting good passwords on all accounts, is the recommended way to repair the machine.
  16. From: [email protected]
     To: [email protected], [email protected], [email protected]
     Cc: [email protected]

     Hi there,

     I first alerted you to miscreant behavior coming out of boxxy on 10/6. Please let me know that you have either remedied the problem or disconnected the machine today. If we continue to get abuse complaints, I will have the machine disabled. I've copied your RCC in case you need help cleaning the machine.

     Thanks,
  17. From: [email protected]
     To: [email protected], [email protected], [email protected]
     Cc: [email protected]

     Dear res-net folk,

     We are continuing to receive complaints against boxxy. Please disable the machine until it can be cleaned.

     Thanks,
  18. Lesson learned
     • When scanning / attacking 200,000 websites, don’t do it from your own IP address
     • Use Tor (https://www.torproject.org/)
     • Or a VPN / server in another country
  19. Passwords
     • Tons of people used “wordpress” or the name of their site as DB name, username, AND password.
     • Lots of 1337speak p@ssw0rds
  20. Worst offenders
     • “dbdbdb” for an online magazine
     • “patrick” for an online newspaper
     • “Summ3r” for a summer camp program
     • “FuckYou4231” for a horror movie site
     • “c0d3b3tt3r” for a site about coding better
     • “usernamehere”
     • “yourpasswordhere”
     • “abc123456”
     • “root”
     • “root” <-- probably disallow remote DB connections
  21. Final thought
     • Lots of sites put their CMS in a subfolder / subdomain
       • /blog/, /wiki/, /forums/
       • blog.mydomain.com
  22. Other resources
     • Original blog post (feross.org/cmsploit)
     • Reddit discussion (goo.gl/3kAI2)
     • DEFCON: Pillaging distributed version control system repos for fun and profit (goo.gl/IevyF)
     • Attack against wp-config.php~ (goo.gl/i381Q)
     • WordPress security thoughts (goo.gl/0K8Bg)