20170407 Vulnerable Plugins/Themes Report and PSA

just beautiful mountains in new zealand

This week’s report.

Wanted to do a couple of quick PSAs. First, SiteLock disclosed earlier this week that they are starting to see backdoor scripts masquerading as a legitimate SEO plugin. This isn’t a particularly new attack method, as we’ve seen it quite a few times in the past. However, it’s a good reminder that you should be intimately familiar with the plugins you have installed. If there’s one there you don’t remember installing or know nothing about, that’s a red flag. In addition, you should be monitoring your site and have alerts enabled for plugin installations and activations.

Second, start preparing for the WordPress v4.7.4 update. The core team has been hard at work fixing bugs that will be bundled up into the 4.7.4 update. 4.7.4 is currently scheduled for release the first week of May.

Third, the results of the WordPress Editor Experience survey have been published. Highlights, IMO, are:

  • Half of the respondents use the Text editor at least sometimes
  • But almost half never use the markup buttons
  • 76% never use the distraction free option (I never use it)
  • Just under a third have added a shortcodes plugin (ugh) to extend the editor
  • 90% of respondents who use a screen reader felt the editor experience is sufficient or better

Fourth, Wordfence released their Attack Report for March yesterday. Interestingly, WP Mobile Detector has jumped back up to the #3 spot among the most-attempted plugin exploits. Also, Really Simple Guest Post jumped into the top 10. Otherwise, the other 8 are pretty much the same as the top 10 in February.

Fifth, WordCamp Kansas City is in just a couple of weeks (28th and 29th). If you haven’t purchased your tickets yet, you need to get on that before they sell out! $40 for two days of professional development. Forty sessions in total. Lunch (and coffee+snacks for breakfast) provided for both days. That’s an incredible value. If you are in Columbia, MO and want to carpool, let me know.

Last, if you live in Columbia, MO, Steve Struemph and I are in the beginning stages of starting a WordPress meetup for Columbia. If you are interested in joining, or helping us, please get in touch with one of us!

WordPress table_prefix Variable Isn’t Just for Prefixing Your Tables

Had a fellow developer contact me today who was running into an issue. He was in the process of migrating his sites from one server to another, and upon finishing the move and attempting to log in, discovered his administrator account no longer had permissions to do anything, and appeared to have a subscriber role. My first thought was possibly a cookie issue, so he tried deleting cookies, and using a different browser. No progress.

My second thought was that perhaps his user IDs got messed up when he migrated the database and that the IDs from *_users no longer matched up to the user_id field in *_usermeta. He sent me a screenshot of his record from *_users and matching records from *_usermeta to show me that they all matched. That’s when I noticed that the meta_key foo_capabilities wasn’t wp_capabilities. “Is your $table_prefix variable still set to ‘foo’?” I asked. “Oh, no. I changed it to ‘bar’, but I changed all of the table names when I migrated the database.”

I had him change the meta_keys from ‘foo_capabilities’ to ‘bar_capabilities’ and ‘foo_user_level’ to ‘bar_user_level’ and BOOM! Everything started working again.

So it turns out $table_prefix, despite the variable’s name, is used for more than just prefixing the database tables.  It’s used for several meta_keys in the *_usermeta table:

  • *_capabilities
  • *_user_level
  • *_dashboard_quick_press_last_post_id
  • *_user-settings
  • *_user-settings-time

And it’s also used in option_name *_user_roles in the *_options table.
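The migration fix described above, as an added example that is not code from the original post. It takes the list of prefix-derived meta_keys and the option_name from this section and rewrites them from the old prefix to the new one, assuming (as in the story) that the tables themselves have already been renamed. SQLite is used here as a stand-in for MySQL so the script runs offline; the sample rows are constructed. The prefix is validated to letters, digits and underscores before it is interpolated into a table name, which is the same rule wp-config.php enforces on $table_prefix, and keys are matched exactly rather than with LIKE, since the underscore in the prefix would otherwise act as a wildcard.

```python
import re
import sqlite3

# Prefix-derived rows named in the post above.
PREFIXED_META_KEYS = [
    "capabilities",
    "user_level",
    "dashboard_quick_press_last_post_id",
    "user-settings",
    "user-settings-time",
]
PREFIXED_OPTION_NAMES = ["user_roles"]

# Same character set wp-config.php accepts for $table_prefix; anything else
# must not be interpolated into a table name.
_PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def prefix_rename_statements(old_prefix, new_prefix):
    """Return (sql, params) pairs renaming prefix-derived rows.

    Tables are assumed to carry new_prefix already; only the row values
    still carry old_prefix. Exact-match WHERE clauses are used on purpose:
    LIKE 'foo_%' would treat the underscore as a wildcard.
    """
    for p in (old_prefix, new_prefix):
        if not _PREFIX_RE.match(p):
            raise ValueError(f"invalid table prefix: {p!r}")
    stmts = []
    for suffix in PREFIXED_META_KEYS:
        stmts.append((
            f"UPDATE {new_prefix}usermeta SET meta_key = ? WHERE meta_key = ?",
            (new_prefix + suffix, old_prefix + suffix),
        ))
    for suffix in PREFIXED_OPTION_NAMES:
        stmts.append((
            f"UPDATE {new_prefix}options SET option_name = ? WHERE option_name = ?",
            (new_prefix + suffix, old_prefix + suffix),
        ))
    return stmts


def migrate_prefix(conn, old_prefix, new_prefix):
    """Apply the renames in one transaction; return rows changed."""
    changed = 0
    with conn:
        for sql, params in prefix_rename_statements(old_prefix, new_prefix):
            changed += conn.execute(sql, params).rowcount
    return changed


def remaining_old_keys(conn, old_prefix, new_prefix):
    """Rows still carrying old_prefix; 0 means the migration is complete."""
    keys = [r[0] for r in conn.execute(f"SELECT meta_key FROM {new_prefix}usermeta")]
    keys += [r[0] for r in conn.execute(f"SELECT option_name FROM {new_prefix}options")]
    return sum(1 for k in keys if k.startswith(old_prefix))


def build_sample_db(old_prefix, new_prefix):
    """Constructed sample reproducing the broken state from the post:
    tables renamed to the new prefix, row values still on the old one."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {new_prefix}usermeta "
                 "(umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.execute(f"CREATE TABLE {new_prefix}options "
                 "(option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT)")
    conn.executemany(
        f"INSERT INTO {new_prefix}usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [
            (1, old_prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (1, old_prefix + "user_level", "10"),
            (1, "nickname", "admin"),  # not prefix-derived; must be left alone
        ],
    )
    conn.execute(
        f"INSERT INTO {new_prefix}options (option_name, option_value) VALUES (?, ?)",
        (old_prefix + "user_roles", "a:0:{}"),
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db("foo_", "bar_")
    print("rows changed:", migrate_prefix(db, "foo_", "bar_"))
    print("old-prefix rows left:", remaining_old_keys(db, "foo_", "bar_"))
```

Run it against a copy of the database first; `remaining_old_keys` returning a non-zero count afterwards means a prefix-derived key not in the list above still exists and needs a look.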

My WordCamp Miami 2017 Experience, Part 2

The moment Paul fell in love with cuban espresso

Part 2 of 2.

Paul at the Sucuri booth

I will mention briefly that I sat in a couple of sessions over the course of the weekend where presenters gave bad advice, security-wise. I didn’t say anything at the time because I didn’t want to be “that guy” who interrupts and contradicts a speaker. I don’t particularly like it when I’m presenting and not every speaker is confident enough to handle an interruption. Just remember that nothing from the client is safe, nothing from the client-side can be relied upon. If you didn’t generate it in your code, the data is tainted and you need to treat it as untrusted. If you have to use the data, verify the data is what you expect it to be and escape it before you send it back to the user. PLEASE.
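The validate-then-escape rule above, as an added example that is not from the original post. It treats every request parameter as tainted, accepts each one only if it matches the rule for that field (a positive integer id, an allowlisted sort value, a tightly constrained display name), and then HTML-escapes every value again at the point of output. The field names, rules and sample requests are constructed for this demo. The display name rule deliberately permits an apostrophe so the test shows why output escaping is still needed after validation: validated data can still break out of a quoted attribute.

```python
import html
import re

# Per-field allowlists. Constructed for this demo; a real application would
# derive these from what the field actually means.
FIELD_RULES = {
    "post_id": re.compile(r"[1-9][0-9]{0,9}"),              # positive integer id
    "sort": re.compile(r"date|title"),                       # fixed set of values
    "display_name": re.compile(r"[A-Za-z0-9 _.'-]{1,60}"),   # constrained text
}


def validate(params):
    """Return (clean, rejected). Only fields that fully match their rule
    make it into clean; anything else is dropped and its name recorded."""
    clean, rejected = {}, []
    for field, rule in FIELD_RULES.items():
        value = params.get(field)
        if isinstance(value, str) and rule.fullmatch(value):
            clean[field] = value
        else:
            rejected.append(field)
    return clean, rejected


def render(clean):
    """Build the response from validated data, escaping at output time.
    quote=True turns ' into &#x27; so a name like O'Brien cannot terminate
    a quoted attribute or string."""
    name = html.escape(clean.get("display_name", "anonymous"), quote=True)
    post_id = html.escape(clean.get("post_id", "0"), quote=True)
    sort = html.escape(clean.get("sort", "date"), quote=True)
    return f'<p data-post="{post_id}" data-sort="{sort}">Hello, {name}</p>'


def handle(params):
    """Request handler: validate, then render; returns (html, rejected)."""
    clean, rejected = validate(params)
    return render(clean), rejected


if __name__ == "__main__":
    # Constructed requests: one clean, one carrying hostile values.
    print(handle({"post_id": "42", "sort": "title", "display_name": "Paul"}))
    print(handle({"post_id": "42 OR 1=1", "sort": "date",
                  "display_name": "<script>alert(1)</script>"}))
```

Rejected fields fall back to safe defaults rather than being echoed; logging the `rejected` list is a cheap way to spot probing against a form.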

Welcome to WordCamp Miami

As I mentioned in part 1, Fernando was kind enough to swing by and pick up Shilpa and myself for day 2 of WordCamp. While Shilpa headed into the conference area to get set up and prepped for her presentation, I volunteered to help Fernando get that morning’s breakfast all set up. Of course, this also meant I had an early jump on the coffee. 😀 After grabbing a couple of cups, I went into the vendor area to make sure Victor and Sal had survived the various events from the night before. After visiting for a few minutes, I went back over to the main venue to make sure I had a good spot for Shilpa’s presentation, Lessons From Marketing Disasters.

Email Marketing Rookie Mistakes

Marketing isn’t what I do on a daily basis, so normally I wouldn’t have attended this track at all, but I wanted to be there as moral support for Shilpa, and as I suspected, it was a fantastic presentation. She did a great job of going through the trials and tribulations they faced at her company: the assumptions they made and how they were incorrect, the actions they took on those incorrect assumptions and the outcomes that came from it. She then explained how they adjusted course using data and smart decisions based on industry best practices. I sincerely wish that some key people on my campus would have seen this presentation. She covered using surveys, exit pop-ups, A/B testing, funneling and iterative changes to both the process and the site. I would definitely suggest checking out the slide deck as well as the recorded session (starts at roughly 00:27:00).

Nizar Khalife Iglesias

From there I jumped back over to the Learning JavaScript Deeply track, which was what I had been looking forward to diving into. The first session I attended was Nizar Khalife Iglesias’ Callbacks, I Promise to Explain. While I can’t say I learned anything new, Nizar did a splendid job explaining callbacks in a way complete novices should be able to understand. It is most definitely obvious that he teaches these concepts. In fact, I might have to steal some of his slides if I ever find myself needing to teach JavaScript. Of course, I’d have to swap out his pizza examples with coffee. If you are new to JavaScript, or have ever wondered what callbacks are, how they work, WHY JavaScript uses callbacks, or need clarification on why JavaScript is asynchronous and what that means, definitely check out his slides and the recorded session (starts at 1:31:00).

Michael Dyer presenting

Interestingly, the next speaker never arrived. I have no idea what happened. I was bummed too because I really was interested in learning more about the Angular Ecosystem. However, the next speaker, Michael Dyer, was available and agreed to start early. For me, this turned out to be a blessing in disguise as Intro to GraphQL for REST developers ended up being one of my, if not THE, favorite session. In a nutshell, GraphQL is a query language for APIs. Instead of having to perform multiple API calls to gather all the data on the page, you can query GraphQL (running on the server) for exactly what you need even if it spans multiple endpoints in the API.

Mind blown
Mind. BLOWN!
Val's Son, a little Sucuri Ninja
Val’s son Matthew who I had the pleasure of meeting. Has nothing to do with this post, but look at how cute he is!

But wait! It gets even better! By adding resolvers you can query across APIs! Have a faculty member who writes posts (one API), but you want to include the classes they teach (second API) and some biographical information from their faculty180 profile (third API)? You could get it all, and only what you need, with one call! My mind was racing with all of the possibilities and use cases. Interestingly, everyone else in the audience seemed to be struggling with why you would use GraphQL at all. I was stunned that they weren’t able to see the potential. Instead of wasting processing time and expensive calls to the API, and receiving data pieces you don’t need, you can make one call to the API and let the server handle gathering everything for you and receive only what you need.

I grabbed Michael after the presentation and discussed it with him some more.  Turns out, Michael is an incredibly smart guy as well as really nice.  He was more than happy to dig into it more with me and show me some of the other stuff it can do. He even showed me how easy it is to set up a resolver.  We ended up having lunch together to discuss it further, as well as reminisce about the good old days of the internet back in the nineties.

Before the afternoon session, I headed back over to the Sucuri booth, and that is when I fell head over heels in love. Victor and Sal introduced me to Cuban espresso.

Seriously, this is the best coffee I have ever tasted. I was hooked. And I was wired. I was all set for the afternoon sessions.

I really wanted to see the afternoon sessions in the Learning JavaScript Deeply track, but I had volunteered to be the room MC in the Users Track. The Users Track definitely isn’t normally a track that I would be drawn to, but it ended up having some really interesting sessions. First up was Dr. Nancy Richmond (she teaches classes on Social Media at FIU) on Does Social Media Make You Happy? The answer? Yes and No. You’ll have to watch her session to find out why, but one thing she mentioned is that people are happy when taking selfies. And she made us take some.

Turns out we’re even happier when we take selfies with other people so she instructed us to take a selfie with some other people.  I didn’t know anyone else in the room, so I had to grab some random people for my group selfie.

Sorry random people for not getting your names so I could tag you, and for the horrible picture. I blame the Cuban coffee! 😉

She briefly covered disclosing too much information about yourself online.  I wish I had had the opportunity to discuss OSINT with her and how social media is a huge tool in gathering intelligence on a target.

I’m not sure why I have my arms raised

After that was Rachel Lucas (from WPBICO) to discuss Zero to Zen and Naomi Bush (from gravity+ Pro) on How We Built a Custom WordPress Site and No Custom Code. I’ll mention quickly that after seeing Naomi’s presentation I get why people like Gravity Forms, but I just can’t get over their less-than-ideal history with security issues and that they make it too easy for people to collect data they really shouldn’t be collecting. When you collect data, you take on the responsibility of protecting that data. You become the steward of that data. And people far too often collect everything just in case, when they don’t really need to. Rule of thumb: you can’t leak it if you don’t have it. 😉

Last up was Adam Soucie to discuss Getting Back Up Again – Developing with Mental Illness (starts at 00:03).  Just go watch it.  Seriously.  Incredibly moving. As someone who has also struggled with mental illness since my teenage years, I applaud his courage to get up and discuss his struggles in front of an audience and for bringing attention to those who suffer.

Last, everyone headed back over to the main convention area where we did 80’s and WordCamp trivia and giveaways.

And just like that, WordCamp Miami 2017 was over.  People said their goodbyes, hugs were given, and Fernando gave me a ride to the airport.  I had an amazing time. I didn’t meet a single person I didn’t like, and I hope I made some connections that last much longer than the short time we were together.

Thanks again to Victor and Sal from Sucuri for letting me hang out with them. And the Cuban espresso! I sincerely hope we get a chance to hang out again in the future.

Victor, Sal and myself hanging at the Sucuri booth

My WordCamp Miami 2017 Experience, Part 1

Speaker tag and card for WordCamp Miami 2017

Part 1 of 2.

TL;DR – WordCamp Miami is an AMAZING conference, but we still have lots to do educating people on security.

Preparing to board the plane

I’d be remiss if I didn’t start this post with acknowledging the incredible work and effort put in by David Bisset, Ptah Dunbar and all of the other organizers for this year’s WordCamp Miami. With the exception of a couple of very minor hiccups, the event went off without a hitch. I can’t thank the organizers enough for everything they did to make WordCamp Miami 2017 a success.

Started Friday morning by meeting and sharing a ride with the wonderful, talented Shilpa Shah, cofounder of Hummingbird Web Solutions. Shilpa flew for 27 hours to come to WordCamp Miami! She reminded me immediately of why I love attending WordCamps: incredibly intelligent, kind, helpful people coming together to share their knowledge.  I was honored to be able to get to know her, and will most definitely be taking her up on her offer to come visit India.

Tara Claeys channeling her inner Jane Fonda

I decided to attend the BuddyPress/REST API pre-conference workshop.  We don’t use BuddyPress but I was interested in learning more about it, and definitely wanted to dig more into the REST API.  David Laietta did a great job introducing us to what BuddyPress is, and what it isn’t, and when it can be a good fit in his BuddyPress 101 talk.  Next up, I have to give Tara Claeys major props for embracing the 80’s theme and her inner Jane Fonda to share how her firm used BuddyPress to power a wellness challenge.  I really wish I had taken a photo of Tara’s outfit! UPDATE: Erica Lynn saves the day! Erica had the photo I was wishing I had taken and was kind enough to let me post it here!

Me receiving my speaker name tag

After lunch was Andrew Taylor from Pantheon to discuss the REST API. The most exciting piece from this talk was that I learned of some undocumented “features” of the REST API that I believe are exploitable. For now that’s all I’ll say until I can dig into them further, and report to the appropriate parties. Besides that, I learned that WordPress has added quite a few capabilities in the REST API for custom post types simply by setting show_in_rest to true when registering a new post type.

Brian Messenlehner made a great Axl Rose, and did a good job of introducing people to his service AppPresser. John James Jacoby’s presentation was equally intriguing as he discussed the current state of BuddyPress and his plans for its future.

Speaker card and name tag

Friday night was the speaker dinner. I had a wonderful time hanging out with Jonathan Brinley and Mike Herchel, and then playing Cards Against Humanity with Mike, Kimberly Lipari, David Laietta, Scott Mann and several other people. I got to experience my first plantain and had a thoroughly engaging conversation with Mike and his buddy Kyle on Drupal, how Drupal is changing the update process, the current controversy and the future of Drupal.

First up in the morning schedule

I was the first session in the morning on Saturday. I left the hotel early with plans to get some coffee and a bagel on campus before heading over to the auditorium. Much to my disappointment, I discovered that there aren’t any coffee shops on the FIU campus open on Saturday mornings. WHAT?! What kind of campus doesn’t have coffee regularly available on the weekend? Luckily, my man Patrick Alexander hooked me up with some Cuban coffee (though not the Cuban espresso that I would fall in love with later). With my caffeine firmly taken care of, I headed back over to the vendor area to meet up with Victor Santoyo from Sucuri. Absolutely incredible guy. Wicked smart. From there I headed back over to get set up for my talk.

Be Paranoid

Not sure how many people were in my session, but all in all, I think it went pretty well. The presentation is normally an hour in length so I had to trim quite a bit out and talk a bit faster than I would have liked in order to squeeze it into the 30 minutes I had available. People seemed to appreciate the information I shared with them, and I ended up having numerous conversations with people later on the subject of securing their site. From there I headed back over to the Sucuri booth to hang out with Victor and discuss things further with people that had attended my talk.

Victor Santoyo
Victor Santoyo, Sucuri

By this point Sal Aguilar had arrived, so he and I manned the booth while Victor went over to do his AMA talk.  Sal is also an incredibly talented security analyst for Sucuri.  Not only does he work for Sucuri but he’s also the organizer of WordCamp Nicaragua 2017!  Sal and I discussed the state of security on the web, the acquisition of Sucuri by GoDaddy and what that means for the future of Sucuri, and the history of WordCamp Nicaragua and challenges he has faced in trying to make sure WordCamp Nicaragua 2017 happens.  Sal is a hard worker, and I have no doubt #WCNI2017 is going to be a huge success.

Victor and Sal

Next up was Mike Herchel’s presentation on WordCamp & Drupal: Community and Contribution Differences and Lessons. As I had suspected, there are many more similarities between the two camps than I think most people are willing to admit. Ended up eating lunch with Mike and Kyle, where we discussed some of the challenges organizations face in trying to keep their tech stacks up to date.

Chris Wiegman

After lunch was Chris Wiegman’s extremely fast session on Securing Your Webserver. I really think the track chairs did a disservice relegating Chris’ presentation to an 8-minute lightning talk. TONS of good information, but only enough to leave you wanting more. As I had suspected, he discussed php-fpm (something I strongly encourage you to implement if you run your own webserver) and firewalls, but he also covered fail2ban and chroot jails, two topics that I really wanted more information on. Specifically, I’d like to implement fail2ban in our own environment combined with the network restrictions we’ve added. Chroot jails I was unfamiliar with and now am digging into. Luckily, I know Chris so I’ll just bug him directly.

You still need to be paranoid

I spent the remainder of the day hanging out in the Sucuri booth and in the happiness bar. I helped several people with issues on their sites ranging from simple CSS issues to a site that had been compromised. It was my experience that afternoon (and a few sessions on Sunday) that made me realize that those of us in the infosec space still have a long way to go in terms of educating everyone on proper site security. I’m not throwing shade at any person, and especially not anyone that I assisted in the happiness bar. On the contrary. Everyone has to be new at some point, and we can’t expect everyone to be knowledgeable on security right from the beginning. What we need to do is make sure securing their site is intuitive and easy. We need to make sure that we make products that are secure to begin with and stay secure with little to no effort on the part of the end user. And we need to make sure there are plenty of talks, sessions, articles, etc. for anyone who has questions or wants to dig in deeper.

At this point, I need to give major props to Fernando Polania. Not only did he offer to give me a ride back to the hotel Saturday afternoon, he also came back Sunday morning to pick me up AND took me to the airport Sunday evening.  Oh, and he also organized all the food at WCMIA.  All of it.  Seriously, this dude is amazing.  Super nice guy.  Fernando, if you’re reading this post, I’m buying you dinner next time I see you.

My daughter loving on her PHP Elephant

The after party was fun. David orchestrated a game of trivia via kahoot.it. I ended up winning a PHP Elephant (donated by PHP Women), which my daughter absolutely loves. The mall where the event was held had a live Latino band that was incredible. It was at this point that I realized 1. I really wish I had taken more Spanish in college, and 2. I really enjoy Latin culture. The music, the atmosphere, the food, the language. If I hadn’t been so exhausted I would have stayed later and soaked up more of it.

Continue to Part 2.


20170331 Vulnerable Plugins/Theme Report and WordPress.tv

Sorry I didn’t do a report for last week. I had the honor of speaking at WordCamp Miami last week so was a bit busy. Speaking of which, if you weren’t there, or were there but were at one of the other excellent presentations, they’ve now posted the recorded version (I start at roughly 0:33:00). In addition, my talk from WordCamp St. Louis is now posted over at WordPress.tv. And if you prefer to see it live, I’ll be presenting it again at WordCamp Kansas City on April 29th.

This week’s vulnerable plugins report.

You Can’t Run Hyper-V and VirtualBox at the Same Time

I recently purchased a new computer to replace my 10+ year old machine at home. I’ve been using Hyper-V for virtualization because it was built into Windows 10 and allowed me to immediately use the virtual machines I had previously set up with VirtualPC under Windows 7. However, Hyper-V’s features for Linux guest systems are extremely limited, and since I use VirtualBox regularly on my Mac at work, I figured I’d install it and move my Linux guests over to it.

I started off attempting to set up a Kali Linux VM in VirtualBox. I immediately noticed VirtualBox wasn’t recognizing my system as 64-bit, and wouldn’t let me select more than one CPU. I have 12 cores, so I would think I’d be able to assign more than one. Upon the first attempt at booting the VM I ran into a BSOD in Windows 10 (side note: at least the BSOD in Windows 10 is friendlier than in the past). Subsequent attempts at booting the VM all ended with me staring at a BSOD in my host OS.

After a lot of experimentation and googling: you can’t have Hyper-V installed if you want to use VirtualBox on Windows 10. You’ll need to remove Hyper-V completely before you can run a guest OS in VirtualBox. I assumed you could have them both installed, but not run them simultaneously. Nope. Hyper-V will need to be completely removed before you can use VirtualBox. Once I removed Hyper-V, VirtualBox recognized my system as 64-bit, and I was able to assign more than one CPU to the guest OS. The VM booted right up. And since I’m not planning on running any Windows VMs, I won’t miss any of the features that Hyper-V offers over VirtualBox.

Now, it’s possible that VMware Workstation Player can run alongside Hyper-V, or at least not cause a BSOD, but it’s also $150.

How to Change a Super Admin Account Name in a WordPress Multisite/Network

Occasionally I’ll find myself in a situation where I’ll need to manually change the login name on a user. Normally, this is as simple as changing the user_login and user_nicename in the *_users table. Recently I needed to change the login on an account that was also the Super Admin of a WordPress network (multisite). I assumed that the flag for Super Admin was contained in the *_usermeta table. After logging in to verify the account was working, I discovered the account no longer had access to the Network area, and no longer had access to any plugins.

Turns out the flag to denote a Super Admin is actually stored in the *_sitemeta table with a meta_key value of site_admins as a serialized array. Change the value to the revised login name, making sure to adjust the string length to match the new name.  Apply the changes (or run the update query) and log back in with the new login name.  Everything should be working as expected again!
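The site_admins edit described above, as an added example that is not code from the original post. Hand-editing a PHP-serialized value is where the "adjust the string length" step goes wrong, so this does it in code: a small parser for the exact shape WordPress stores in site_admins (an array of strings, e.g. `a:1:{i:0;s:5:"admin";}`) that refuses a value whose declared lengths do not match the data, and a re-serializer that computes lengths in bytes, since PHP counts bytes rather than characters. The sample values are constructed; feeding the result back into the *_sitemeta row is the UPDATE query from the post and is not repeated here.

```python
import re

_ARRAY_HEAD = re.compile(rb"a:(\d+):\{")
_STRING_ELEMENT = re.compile(rb'i:(\d+);s:(\d+):"')


def php_unserialize_string_array(blob):
    """Parse a PHP-serialized array of strings into a Python list.

    Only the shape site_admins uses (integer keys, string values) is
    accepted. The declared s:N length must match the data exactly, which
    is precisely the check a hand edit tends to break.
    """
    raw = blob.encode("utf-8")
    m = _ARRAY_HEAD.match(raw)
    if not m:
        raise ValueError("not a serialized PHP array")
    count, pos, values = int(m.group(1)), m.end(), []
    for _ in range(count):
        m = _STRING_ELEMENT.match(raw, pos)
        if not m:
            raise ValueError(f"unexpected element at byte {pos}")
        length = int(m.group(2))
        start = m.end()
        if raw[start + length:start + length + 2] != b'";':
            raise ValueError("declared string length does not match the data")
        values.append(raw[start:start + length].decode("utf-8"))
        pos = start + length + 2
    if raw[pos:] != b"}":
        raise ValueError("trailing data after array")
    return values


def php_serialize_string_array(values):
    """Serialize a list of strings the way PHP's serialize() does,
    using byte lengths so non-ASCII logins get the right s:N."""
    parts = [f"a:{len(values)}:{{"]
    for i, v in enumerate(values):
        parts.append(f'i:{i};s:{len(v.encode("utf-8"))}:"{v}";')
    parts.append("}")
    return "".join(parts)


def rename_site_admin(blob, old_login, new_login):
    """Return the site_admins value with old_login replaced by new_login."""
    admins = php_unserialize_string_array(blob)
    if old_login not in admins:
        raise ValueError(f"{old_login!r} is not listed in site_admins")
    return php_serialize_string_array(
        [new_login if a == old_login else a for a in admins]
    )


if __name__ == "__main__":
    # Constructed sample value; 'admin' is the login being renamed.
    current = 'a:2:{i:0;s:5:"admin";i:1;s:3:"bob";}'
    print(rename_site_admin(current, "admin", "sitemanager"))
```

Because the parser rejects a value whose lengths are off, it can also be used as a check before saving: if the current value fails to parse, someone has already hand-edited it badly and the Super Admin list is probably not being read at all.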

20170310 WordPress Vulnerable Plugins/Themes Report

You should have already noticed that WordPress released the 4.7.3 update on Monday. 4.7.3 addresses six security vulnerabilities (one of which was discovered by my buddy Delta!) in addition to 39 bug fixes. Equally important is that security patches were issued for all WordPress branches back to version 3.7. If you are running any version of WordPress from 3.7 forward you should update immediately, as there are now attacks in the wild targeting the vulnerabilities that were corrected.

If you are on an older version, please strongly consider upgrading to a more current branch. While I applaud the WordPress team for patching all branches back to 3.7, you can’t rely on them supporting those older branches moving forward. Staying up to date is one of the most important ways to protect your site. The WordPress development team has done an amazing job of ensuring backwards compatibility, so unless you have made changes to the core WordPress files, there is a strong chance you can update to the latest version without incident. If you’re unsure about updating, please reach out to me and let’s see if we can get you updated.

I had hoped this week’s report would be quieter, but instead it includes five unauthenticated arbitrary file upload disclosures. PLEASE, remove or update these plugins immediately.

This week’s report.