Bugs exist in every piece of code. It is suggested that for every 1,000 lines of code, there are on average 1 to 5 bugs to be found.
Some of these bugs can have security implications. These are known as vulnerabilities, and they can be used to exploit and compromise your server, your site and your users.
As long as there are people involved in the process of writing code and setting up systems, mistakes will happen as it is part of human nature. As such, security problems will always be something we have to deal with.
Impact of Vulnerabilities on Websites
Why does it matter that much? Last week, both WordPress and Drupal released new versions of their Content Management System (CMS) to patch important security vulnerabilities. Other popular WordPress plugins also released updates to fix their vulnerabilities.
Once a vulnerability is found and a patch is available, the solution is simple: Apply the patch (by doing an update) and you are now protected. It is the endless cycle that is known as software development. A bug will be found, a patch will be available, the patch is applied, another bug is found, a new patch is available, the patch is applied. Every time a new feature is introduced, new bugs are also introduced with it.
It seems like a simple process for a webmaster that as long as he is updated, he is safe.
However…
How do you protect against unknown software vulnerabilities?
What if you do not know about a specific vulnerability, how do you patch and protect your website?
What if an update goes out over a long weekend? A 0-day gets disclosed before an update is available? Or what if a vulnerability is discovered by the bad guys and they start using it without telling anyone?
- The latest SQL injection vulnerability in the Drupal platform was being exploited within 7 hours of it’s disclosure.
- Websites were being compromised via TimThumb before the public knew about it and a patch was available
- We have hits in our logs from days before the latest XSS vulnerability in WordPress was disclosed.
So the question is, how do you increase your security so that you can minimize the risk and the chances of being compromised when (not if) someone tries to attack your site misusing an unpatched / unknown vulnerability?
You have options:
- Restrict who can access parts of your site to minimize the attack footprint.
- Employ prevention solutions that try to block exploit behaviors (generally called WAF’s or IPS’s).
- Harden parts of your stack to minimize the effect of an exploit.
- Constant network and log monitoring to identify Indicators of Compromise (IoC).
These are just some examples. They may sound hard or too advanced, but they are actually doable and every website owner should look into it.
Think about your desktop / notebook computer for a second. Why does every (or almost every) desktop have a personal firewall, an anti-virus, a spam filter and other similar tools? Yes, even Macs have them as well.
Why do most networks (including home networks) run behind a router with basic / advanced firewalls working to filter and prevent attacks from the Intranet?
The reason is simple: minimize the footprint and options for an attacker.
Now think about your website[s]. Let’s look at a few examples into how that can be applied to your Website security:
WordPress 4.0 Long Password DOS
Both Drupal and WordPress had a vulnerability disclosed last week that allowed an attacker to DoS (Denial of Service) a site by sending many, very long passwords in the login requests.
Prevention: Access Restriction / Reduced Footprint.
Block wp-login and wp-admin access only to authorized IP addresses. If an attacker can’t reach your login page, he won’t be able to exploit this vulnerability.
Simple solution that anyone can do by adding an .htaccess to your wp-admin allowing just a few IPs. We find this feature important enough that we employ it to our stack by default and set it as default for all users of our Website Firewall product.
Paid Memberships Pro Path Traversal
Paid Memberships Pro is a popular WordPress plugin that had a path transversal (arbitrary file download) vulnerability disclosed last week. The exploit is possible by accessing: wp-admin/admin-ajax.php and passing a file to be downloaded via getfile:
wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
Prevention: Access restriction / reduced footprint.
The same as before, restrict access to only whitelisted IPs.
Prevention 2: WAF/IPS.
Even if the previous restriction was bypassed, an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) would prevent it from being exploited through generic Local File Inclusion / Remote File Inclusion (LFI/RFI) rules.
WordPress 3.9.x stored XSS
WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported and patched last week as well.
This vulnerability abuses the core commenting system, an attacker is able to craft a simple comment to send a malicious payload that when viewed by the administrator, allows the attacker to take over the site. This explains it’s severity.
Prevention: Reduced footprint.
First, if your site does not need or use comments, why leave it open? You can block any access to wp-comments-post via .htaccess and be covered right away. If you do need comments, you can use external commenting systems that keep untrusted (user data) away from your trusted data (posts, pages, etc).
Prevention 2: Prevention technology.
Even if you do allow comments, employing a WAF or IPS would probably have blocked this XSS via generic XSS signatures that most good prevention products have.
WP-Statistics XSS
Our research team found a stored XSS in the very popular wp-statistics plugin.
Prevention: WAF/IPS.
This is where having a good WAF / IPS solution in place becomes a must. A WAF have (or should have) a XSS detection that will block this attack generically, without even knowing about this specific vulnerability. On our own WAF, we were blocking it automatically before even knowing about this bug, in a way that we did not even need to write a virtual patching for it.
Staying ahead of Unknowns
Last weeks releases are growing in number each month, as they do the importance of being able to tackle the problem of unknowns grows. Following some of the steps above would improve your over Security posture allowing you to better recognize and respond to these issues, reducing your overall risk footprint.
We offer a product that can do this all, but many of the recommendations you can employ on your own by leveraging open technologies and .htaccess changes:
- Restrict access to wp-admin/wp-login (and any other access point) only to authorized IPs.
- Limit footprint. Do you need comments? Do you use XMLRPC? Blocking everything and only allowing what you really need.
- Leverage a WAF / IPS and you can do this with products like Modsecurity and OSSEC.
We’ve obviously built a technology that automates all these things for you, allowing you to get back to running your business, but you can see there are various options available to you. If you’re interested in a free trial, ping us at info@sucuri.net.
Marc-Alexandre Montpas
Ben Martin
Antony Garand
Luke Leal
Alycia Mitchell
Cesar Anjos
David Dede
Ashley Sand
Pilar Garcia
Peter Gramantik
4 comments
This is an enlightening article that really gives you some initial clues. But i would like to mention that i strongly disagree with statements like
“don’t allow comments via your main website’s core commenting system”
and
“It seems like a simple process for a webmaster that as long as he is updated, he is safe.
However…”
WordPress for example updated overnight on all my websites and this ensured me that i was safe, of course i am certain that zero-day vulnerabilities are yet there but adding something else on the server does not mean you are safe from them.
First of all the ones that find the zero-day vulnerabilities are not newbies or anything similar so if they want to they can probably find another vulnerability (outside XSS and so on). The bottom line is that you can never be safe from zero-day vulnerabilities no matter what you do. You can protect your site in general from XSS that is the the most widely used attack nowadays but that is all but who guarantees you that you are not opening yourself to other vulnerabilities on the way, as you said yourself there is no perfect code :).
Hope i made myself clear on this long comment 🙂
I updated the post to explain a bit more what we meant there.
The idea is that if you do not use or allow comments, why leave it open? You can reduce your footprint by restricting access to features that you do not need.
Nothing against the core comment system, except that it mixes trusted and untrusted data together in the same database.
As for your other points, the XSS was just an example. You can block many classes of attacks via generic detection signatures (sql injections, XSS, LFI, RFI, RCE, etc).
thanks!
I completely agree with you on the comment’s system clarifications. While regarding the attacks what i wanted to clarify is: Zero-day vulnerabilities are not limited to the attack patterns/models we all are familiar with and as such there is no point in claiming that you can be protected against them.
This is my biased and personal opinion nevertheless and probably i am underestimating the solutions you mentioned, but i would personally not ever use such a tool :), once again this is my personal opinion and thumbs up for your great article 🙂
Can you provide the clarity information to us regarding this blog.
Comments are closed.