Database Passwords Everywhere!

Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.

Feross Aboukhadijeh

January 22, 2012

Transcript

  1. Database Passwords Everywhere! Feross Aboukhadijeh feross.org

  2. CMSploit
     Definition: Security scanner that tests websites built with content management systems for temporary files that contain sensitive information.
  3. None
  4. [Bar chart. Axis: number of sites, 0 to 5,000,000. Bar values: 18,819; 334,408; 1,656,021; 4,485,142.] Data from BuiltWith (http://trends.builtwith.com/cms/)
  5. Vulnerable sites

  6. perezhilton.com

  7. indianapublicmedia.org

  8. lsc.org

  9. su.pr

  10. marginalrevolution.com

  11. futuremark.com

  12. openculture.com

  13. scobleizer.com

  14. rovio.com

  15. How CMSploit works

  16. 1. Config files 2. Text editors

  17. 1. Config files 2. Text editors

  18. Typical config file

        <?php
        /** Name of WordPress database */
        define('DB_NAME', 'my_secret_database');
        /** MySQL database username */
        define('DB_USER', 'secret_agent_1');
        /** MySQL database password */
        define('DB_PASSWORD', 'you_will_never_guess_this');
        /** MySQL hostname */
        define('DB_HOST', 'mysql.mysite.com');

  19. Typical config filenames
      • wp-config.php // WordPress
      • config.php // phpBB, ExpressionEngine
      • configuration.php // Joomla
      • LocalSettings.php // MediaWiki
      • mt-config.cgi // Movable Type
      • settings.php // Drupal
  20. Big mistake
      • Config files sit in a publicly accessible folder
      • Easier to set up this way, but less secure
      • All sensitive info is between <?php ?> tags
      • Demo: http://feross.net/wordpress/wp-config.php
  21. 1. Config files 2. Text editors

  22. 1. Config files 2. Text editors

  23. Recipe for disaster: Config files + Text Editor

  24. Temporary Files
      • For a file wp-config.php, text editors will create:
      • Backup files
          • wp-config.php~ // Vim, Gedit
          • #wp-config.php# // Emacs
          • wp-config.php.save // Nano
      • Swap files
          • wp-config.php.swp // Vim
          • wp-config.php.swo // Vim
  25. 1. Config files 2. Text editors

  26. What’s wrong here?
      • There may be temporary files which contain sensitive info floating around in publicly accessible folders.
      • If a temp file gets requested, most servers will return the plaintext, skipping the PHP pre-processor.
          • .php: Content-Type: text/html; charset=UTF-8
          • .php~: Content-Type: text/plain
          • etc...: Content-Type: text/plain
  27. Temporary Files
      • For a file wp-config.php, text editors will create:
      • Backup files
          • wp-config.php~ // Vim, Gedit
          • #wp-config.php# // Emacs
          • wp-config.php.save // Nano
      • Swap files
          • wp-config.php.swp // Vim
          • wp-config.php.swo // Vim
  28. How prevalent is this problem?

  29. What I did
      • Wrote program to test top 1 million websites
      • It issues GET requests to a site to test for the presence of temporary backup files with common CMS config filenames
  30. Results:
      • Tested the 216,391 most popular websites (according to Quantcast).
      • Found 230 config files visible in root of site.
      • Thus, 230 / 216391 = 0.11% of all websites are vulnerable.
      • Latest stats say that about 13.8% of the top 10,000 websites run CMSs. If we just focus on CMS-powered websites (and extrapolate), then the percentage of vulnerable sites is:
      • Thus, 230 / (216391 * 0.138) = 0.77% of websites running a CMS are vulnerable.
  31. 230 config files total
      • E-commerce (cc #s)
      • Churches
      • Fire department in a really large U.S. city
      • Porn sites
      • Lots of WordPress blogs...
  32. What would you do?

  33. None
  34. What I did
      • Didn’t try logging in with any of the passwords.
      • Responsible disclosure to top sites.
      • Submitted a vulnerability report with US-CERT. (They ignored it)
  35. Email to top sites

      To whom it may concern:

      I believe that I have discovered a security issue with the ________.com website. If you'd like to know more, I can disclose the full details of the issue to an engineer or software developer on your website team so the issue can be fixed.

      Respectfully,
      Feross Aboukhadijeh
      Stanford University, Computer Security Lab
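  36. .htaccess rule

        # Deny requests for editor backup and swap files (#name#, name~, .swp, .swo).
        # Apache 2.2 access-control syntax; Apache 2.4 expresses the deny as "Require all denied".
        <Files ~ "(^#.*#|~|\.sw[op])$">
        Order allow,deny
        Deny from all
        </Files>
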
  37. Complaints

      From: ****@us.pgds.com
      To: abuse@stanford.edu

      To whom it may concern,

      Our organization has detected suspicious traffic originating from boxxy.stanford.edu (128.12.188.246) against the web site of one of our affiliated companies. The request URL for some of that traffic was to /wp-config.php~ The traffic occurred at 5 Oct 2011 11:48:26 GMT and 5 Oct 2011 12:22:50 GMT. We would appreciate it if you would investigate and resolve this matter.

      Thank you,
      ******** *******
      Senior IT Security Administrator
      Prudential Global Data Services (PGDS-US)
  38. From: Information Security <security@stanford.edu>
      To: feross@stanford.edu

      We're forwarding a complaint about a machine registered to or administered by you. Unless you're aware of this, it indicates the machine has been broken into or otherwise compromised. When a system has been compromised at the system privilege level, rebuilding the system, applying current patches, and setting good passwords on all accounts, is the recommended way to repair the machine.
  39. from: security@stanford.edu
      to: nettrouble@rescomp.stanford.edu, security-nr@stanford.edu, feross@stanford.edu
      cc: mirrielees-rcc@rescomp.stanford.edu

      Hi there,

      I first alerted you to miscreant behavior coming out of boxxy on 10/6. Please let me know that you have either remedied the problem or disconnected the machine today. If we continue to get abuse complaints, I will have the machine disabled. I've copied your RCC in case you need help cleaning the machine.

      Thanks,
  40. from: security@stanford.edu
      to: nettrouble@rescomp.stanford.edu, security-nr@stanford.edu, feross@stanford.edu
      cc: mirrielees-rcc@rescomp.stanford.edu

      Dear res-net folk,

      We are continuing to receive complaints against boxxy. Please disable the machine until it can be cleaned.

      Thanks,
  41. from: ***@stanford.edu
      to: security@stanford.edu
      cc: nettrouble@rescomp.stanford.edu, security-nr@stanford.edu, feross@stanford.edu, mirrielees-rcc@rescomp.stanford.edu

      All:

      Changed Netdb record to 'vile' state for host 128.12.188.246.
  42. Lesson learned
      • When scanning / attacking 200,000 websites, don’t do it from your own IP address
      • Use Tor (https://www.torproject.org/)
      • Or a VPN / server in another country
  43. Passwords
      • Tons of people used “wordpress” or the name of their site as DB name, username, AND password.
      • Lots of 1337speak p@ssw0rds
  44. Worst offenders
      • “dbdbdb” for an online magazine
      • “patrick” for an online newspaper
      • “Summ3r” for a summer camp program
      • “FuckYou4231” for a horror movie site
      • “c0d3b3tt3r” for a site about coding better
      • “usernamehere” “yourpasswordhere”
      • “abc123456”
      • “root” “root” <-- probably disallow remote DB connections
  45. Final thought
      • Lots of sites put their CMS in a subfolder/subdomain
      • /blog/, /wiki/, /forums/
      • blog.mydomain.com
  46. Other resources
      • Original blog post (feross.org/cmsploit)
      • Reddit discussion (goo.gl/3kAI2)
      • DEFCON: Pillaging distributed version control system repos for fun and profit (goo.gl/IevyF)
      • Attack against wp-config.php~ (goo.gl/i381Q)
      • WordPress security thoughts (goo.gl/0K8Bg)
  47. Thanks! Feross Aboukhadijeh feross.org
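
An added example (not from the slides or from CMSploit): a local audit an administrator can run over their own document root, using the config filenames from slide 19 and the editor leftovers from slide 24, that also reports whether the slide 36 rule would block each file it finds. `EXTENDED_RULE`, the function names and the sample tree are assumptions; the dot-prefixed `.name.swp` form, which is Vim's default swap-file name, is handled in addition to the names on the slide.

```python
import os
import re
import tempfile

# Config filenames from slide 19.
CONFIG_NAMES = {"wp-config.php", "config.php", "configuration.php",
                "LocalSettings.php", "mt-config.cgi", "settings.php"}
# Regex from the slide 36 .htaccess rule, unchanged.
SLIDE_RULE = re.compile(r"(^#.*#|~|\.sw[op])$")
# Assumed extension (not from the slides) that also covers Nano's .save files.
EXTENDED_RULE = re.compile(r"(^#.*#|~|\.sw[op]|\.save)$")

def original_name(filename):
    """Return the file an editor leftover belongs to, or None."""
    if len(filename) > 2 and filename.startswith("#") and filename.endswith("#"):
        return filename[1:-1]                  # Emacs: #name#
    if filename.startswith(".") and filename[-4:] in (".swp", ".swo"):
        return filename[1:-4]                  # Vim default: .name.swp
    for suffix in ("~", ".save", ".swp", ".swo"):
        if filename.endswith(suffix):
            return filename[:-len(suffix)]
    return None

def audit(docroot):
    """Return sorted (relative path, slide rule blocks, extended rule blocks)."""
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            if original_name(name) in CONFIG_NAMES:
                rel = os.path.relpath(os.path.join(folder, name), docroot)
                findings.append((rel, bool(SLIDE_RULE.search(name)),
                                 bool(EXTENDED_RULE.search(name))))
    return sorted(findings)

def demo():
    """Audit a constructed web root; the subfolder reflects slide 45."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        for rel in ("wp-config.php", "wp-config.php~", "#wp-config.php#",
                    "blog/wp-config.php.save", "blog/.wp-config.php.swp",
                    "index.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php // constructed sample\n")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

In the constructed tree the slide 36 pattern leaves `blog/wp-config.php.save` reachable, which is why the extended pattern adds `\.save`.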
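
The complaint on slide 37 came from a site that noticed requests for `/wp-config.php~` in its traffic. As an added example (not part of the talk), the same detection over access-log lines, separating requests the server answered with the file from probes it refused; the log lines are constructed and the function and variable names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Config filenames from slide 19, wrapped in the editor leftovers from slide 24.
CONFIG = (r"(?:wp-config\.php|config\.php|configuration\.php|"
          r"LocalSettings\.php|mt-config\.cgi|settings\.php)")
TEMP_PATH = re.compile(rf"/(?:#{CONFIG}#|\.?{CONFIG}(?:~|\.save|\.sw[op]))$")
# Common/combined access log format: client, request target, status.
LOG_LINE = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-config.php~ HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/wp-config.php.save HTTP/1.1" 200 3012 "-" "-"',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /%23wp-config.php%23 HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:05:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

def classify(lines):
    """Map client -> {"served": [...], "probed": [...]} for temp-file requests."""
    report = defaultdict(lambda: {"served": [], "probed": []})
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        # Drop the query string and decode %23 so Emacs-style names match.
        path = unquote(urlsplit(target).path)
        if TEMP_PATH.search(path):
            # A 2xx status means the plaintext file left the server.
            key = "served" if status.startswith("2") else "probed"
            report[client][key].append(path)
    return dict(report)

if __name__ == "__main__":
    for client, hits in classify(SAMPLE_LOG).items():
        print(client, hits)
```

Any entry under `served` means the credentials in that file should be treated as disclosed and rotated, not just the file deleted.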