Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.
Big mistake • Config files sit in a publicly accessible folder • Easier to set up this way, but less secure • All sensitive info is between tags • Demo: http://feross.net/wordpress/wp-config.php
What’s wrong here? • There may be temporary files which contain sensitive info floating around in publicly-accessible folders. • If temp file gets requested, most servers will return the plaintext, skipping the PHP pre-processor. • .php
What I did • Wrote program to test top 1 million websites • It issues GET requests to a site to test for the presence of temporary backup files with common CMS config filenames
Results: • Tested the 216,391 most popular websites (according to Quantcast). • Found 230 config files visible in root of site. • Thus, 230 / 216391 = 0.11% of all websites are vulnerable. • Latest stats say that about 13.8% of the top 10,000 websites run CMSs. If we just focus on CMS-powered websites (and extrapolate), then the percentage of vulnerable sites is: • Thus, 230 / (216391 * 0.138) = 0.77% of websites running a CMS are vulnerable.
What I did • Didn’t try logging in with any of the passwords. • Responsible disclosure to top sites. • Submitted a vulnerability report with US- CERT. (They ignored it)
Email to top sites To whom it may concern: I believe that I have discovered a security issue with the ________.com website. If you'd like to know more, I can disclose the full details of the issue to an engineer or software developer on your website team so the issue can be fixed. Respectfully, Feross Aboukhadijeh Stanford University, Computer Security Lab
Complaints From: ****@us.pgds.com To: [email protected] To whom it may concern, Our organization has detected suspicious traffic originating from boxxy.stanford.edu (128.12.188.246) against the web site of one of our affiliated companies. The request URL for some of that traffic was to /wp-config.php~ The traffic occurred at 5 Oct 2011 11:48:26 GMT and 5 Oct 2011 12:22:50 GMT. We would appreciate it if you would investigate and resolve this matter. Thank you, ******** ******* Senior IT Security Administrator Prudential Global Data Services (PGDS-US)
From: Information Security To: [email protected] We're forwarding a complaint about a machine registered to or administered by you. Unless you're aware of this, it indicates the machine has been broken into or otherwise compromised. When a system has been compromised at the system privilege level, rebuilding the system, applying current patches, and setting good passwords on all accounts, is the recommended way to repair the machine.
from: [email protected] to: [email protected], [email protected], [email protected] cc: [email protected] Hi there, I first alerted you to miscreant behavior coming out of boxxy on 10/6. Please let me know that you have either remedied the problem or disconnected the machine today. If we continue to get abuse complaints, I will have the machine disabled. I've copied your RCC in case you need help cleaning the machine. Thanks,
Lesson learned • When scanning / attacking 200,000 websites, don’t do it from your own IP address • Use Tor (https://www.torproject.org/) • Or a VPN / server in another country
Worst offenders “dbdbdb” for an online magazine “patrick” for an online newspaper “Summ3r” for a summer camp program “FuckYou4231” for a horror movie site “c0d3b3tt3r” for a site about coding better “usernamehere” “yourpasswordhere” “abc123456” “root” “root” <-- probably disallow remote DB connections
Other resources • Original blog post (feross.org/cmsploit) • Reddit discussion (goo.gl/3kAI2) • DEFCON: Pillaging distributed version control system repos for fun and profit (goo.gl/IevyF) • Attack against wp-config.php~ (goo.gl/i381Q) • WordPress security thoughts (goo.gl/0K8Bg)
feross
yusukebe
codemountains
texmeijin
akkyie
mugi_uno
uhooi
irof
doggy
hiroisojp
antyadev
afilina
pylapp
aki_iinuma
davidbonilla
philnash
chrislema
sachag
caitiem20
eitanlees
frogandcode
mraible
pauljervisheath
aleyda
marcduiker