Major PHP/MySQL Site Security Issue

原文的标题是关于 WordPress 的,然而,这样的潜在安全问题在每一个? PHP/MySQL 应用都可能存在。主要是系统管理员缺乏对文件系统的安全管理缺少足够的安全意识造成的。对于那些主机共享的服务器上,对存放数据库用户名和明文密码的应用配置文件必须设置足够安全的权限。

Yesterday we reported of a mass infection of WordPress blogs that were hosted at Network Solutions.

First of all, I must say that the response from Network Solutions was very good. They were active on the forums, responding to users via Twitter and really trying to find and fix the problem. They even send me an email just after my first post went live to get more information and share notes. That’s what I like to see from a hosting company.

Anyway, we discussed via the phone yesterday and after a long analysis they have nailed the cause of the problem. This is what happened:

  1. WordPress stores the database credentials in plain-text at the wp-config.php file.
  2. This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang).
  3. A malicious user at Network Solutions creates a script to find those configuration files that were incorrectly configured.
  4. This same malicious user finds hundreds of configuration files with the incorrect permissions and retrieves the database credentials
  5. Yes, he again (the bad guy) launches an attack and modify the database for all these blogs. Now the siteurl for all of them just became networkads.net/grep. Easy hack.

So, at the end anyone can be blamed. At WordPress for requiring that the database credentials be stored in clear-text. At WordPress again for not installing itself securely by default. At the users for not securing their blogs. At Network Solutions for allowing this to happen.

I also have to agree with Network Solutions that this problem can happen at any shared host site. Not only for WordPress, but for any CMS out there that store the passwords in clear-text. For anyone affected with this problem (or anyone at a shared server), change your database credentials ASAP and make sure your configuration file is not readable by everyone else.