Derek Jones
Chief Technology Officer, EllisLab, Inc.

Danger! Danger! Danger! Three warnings!

Someone’s been on a rampage going through Wordpress plugins this week.  Yesterday there was [4/5] WordPress myGallery Plugin “myPath” File Inclusion, a highly critical security hole in the myGallery plugin.  Today there are two more, in the wordTube plugin and wp-Table plugin:

[4/5] WordPress wordTube Plugin “wpPATH” File Inclusion
[4/5] WordPress wp-Table Plugin “wpPATH” File Inclusion

Now before you jump to the conclusion that I’m knocking Wordpress’s security, well, just don’t jump to that conclusion.  Because I’m not.  In all three cases, the security flaw came not from Wordpress, but from third-party plugins.  The myGallery plugin isn’t even listed or available for download on Wordpress’s official plugin repository.  The author of the other two, not surprisingly, gives thanks to the creator of myGallery for giving him “a lot of education.”  Since he based his code on the former, it’s not a shock that his two plugins share the same security flaw.

I have empathy for the crew of Wordpress, I really do.  This is bad [go for the pun, Derek…] press [yes, you nailed it!] for them, and most of their users will not really understand that the flaw was in the third party plugin and not the application.  We repeatedly see people experiencing general problems in the support forums, thinking that it is ExpressionEngine, and it turns out to be plugins, modules, extensions, or other customization causing the trouble.  It’s very difficult as a user to make that distinction between where the application stops and their modifications begin.  We have been fortunate thus far to not have had any reports such as these, where a third party add-on led to a critical security hole.  But it’s going to happen.  It’s inevitable as the ExpressionEngine community of developers grows.  This is one reason we have such a time consuming and rigorous process of add-on approval.  We certainly don’t want an add-on that’s available for download on our site to be the source of potential problems.  But we are not the only place one can go for ExpressionEngine add-ons, and we do not “police” the add-on forums where people post code, plugins, and extensions for one another.  So to think it won’t happen would be foolish.

The three warnings mentioned in the title of this post are not referring to the three security advisories linked above, nay.  I leave you with these:

Users:
Be wary of using third-party add-ons, especially if you get them off-site.  Popularity does not mean safety.  Take the time to seek the advice of an experienced developer to examine add-ons before using them on a production site.  Commercial third-party add-ons are generally safer bets.  At the very least, a business selling add-ons has a vested interest in their product not causing problems for you, and when issues do arise, you can typically expect prompt response and support.

Tinkerers:
Be wary of copying code from third-party developers.  Be aware that by doing so, you are sharing any problems and vulnerabilities their code may have.  See the Users’ warning.

Developers:
Be doubly sure that you are not doing silly things like including files based on unsanitized and unvalidated variables, using unvalidated and unescaped strings in queries, and so on.  And never use an implementation that does an end-run around ExpressionEngine.  Our code can protect you and your users from many types of attacks and flaws, but you cannot bypass portions of the system and still have that protection.
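To make the developer warning concrete, here is an added example (written for this edit, not code from EllisLab, ExpressionEngine, or any of the plugins named above) showing the two habits the post calls out: building an include path from an unvalidated variable, and dropping an unescaped string into a query. The helper names, the `helpers/` directory layout, the `posts` table and the `wpPATH` parameter name are assumptions for illustration; the point is the allowlist plus base-directory check on the include, and the prepared statement on the query.

```php
<?php
declare(strict_types=1);

// --- The pattern the advisories describe (kept only to contrast with the fix) ---
// A setting that ultimately comes from request data is used as an include base.
// Whoever controls that variable controls which file gets interpreted as PHP.
function load_unsafe(string $wpPATH): void
{
    include $wpPATH . '/wp-blog-header.php';   // unvalidated variable -> file inclusion
}

// --- Hardened version: the request may pick a *name*, never a *path* ---
function load_helper(string $base, string $name): string
{
    // 1. Allowlist: only helpers this add-on ships are loadable at all.
    $allowed = ['gallery', 'table', 'video'];
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unknown helper: {$name}");
    }

    // 2. The directory is fixed by the add-on, not by the caller.
    $root = realpath($base . '/helpers');
    $path = realpath($root . '/' . $name . '.php');

    // 3. Defence in depth: the resolved file must still live under $root.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("helper resolved outside {$root}");
    }

    require_once $path;
    return $path;
}

// --- Queries: send user input as data, never as SQL text ---
function find_post(PDO $db, string $slug): ?array
{
    // The placeholder fixes the query structure; $slug cannot change it.
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Runnable demonstration with constructed data ---
$base = sys_get_temp_dir() . '/addon_demo_' . getmypid();
mkdir($base . '/helpers', 0700, true);
file_put_contents(
    $base . '/helpers/gallery.php',
    "<?php function gallery_ready(): bool { return true; }\n"
);

echo "loaded: ", load_helper($base, 'gallery'), "\n";
echo "gallery_ready(): ", var_export(gallery_ready(), true), "\n";

// A traversal-style name is rejected by the allowlist before any path is built.
try {
    load_helper($base, '../settings');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// In-memory SQLite stands in for the site database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT)');
$db->exec("INSERT INTO posts (slug, title) VALUES ('hello-world', 'Hello World')");

var_dump(find_post($db, 'hello-world'));       // the real row
var_dump(find_post($db, "x' OR '1'='1"));      // NULL: treated as a literal slug

// Cleanup of the constructed helper directory.
unlink($base . '/helpers/gallery.php');
rmdir($base . '/helpers');
rmdir($base);
```

The allowlist is the control that matters; the `realpath` comparison is there so that a later refactor which loosens the allowlist still cannot reach outside the add-on's own directory. The same shape applies to the "end-run" point in the post: if an add-on bypasses the host application's input and database layers, it forfeits exactly these checks and has to reimplement them itself.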

If everyone follows these three warnings, we can continue to enjoy relative freedom from these obnoxious and serious problems, and that’s good for everyone.