Personalize

Text Size

Layout

Navigation Position

idunno.org

now with extra subtext goodness

<< DDD Down Under | Home | The Web Protection Library, plugins and naming >>

WordPress says the Network Solutions hack is not their fault.

This is fun. Network Solutions, not known for their wonderful hosting setup, messed up WordPress configuration, file permissions and basically allowed people hosting on their servers to read everyone else’s authentication information. When it was discovered NetSol tried to spin it as a WordPress problem. WordPress are pissed. But what’s amusing, to me anyway, is their talk of crappy configuration – which they justify with the following

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

Really? All other web applications? Funny - ASP.NET allows you to encrypt your web.config with keys that are only available to the hosting process and are not hosted on the file system, so it is non-trivial to retrieve them. Claiming all web applications have this problem is applying a PHP problem to other platforms and simply isn’t true.

You are encrypting your connection strings in your ASP.NET application, right? Heck there’s even a utility if you’re allergic to the command line, or I’m sure someone wrote a book detailing this sort of thing.

Technorati Tags: WordPress,Databases,Encryption

Tuesday, April 13, 2010 10:55 PM

Your Comments.

# re: WordPress says the Network Solutions hack is not their fault.
...or you could use Windows Auth and not put any credentials at all in there.

Left by Travis Illig at 4/13/2010 11:24 PM
# re: WordPress says the Network Solutions hack is not their fault.
True, but I've never seen a shared host offering Windows Auth.

Left by barryd at 4/13/2010 11:37 PM
# re: WordPress says the Network Solutions hack is not their fault.
From the little I've read, it seems the vulnerability was to *other* users on the same box[1].

Unless shared hosting providers use a different Windows identity for each app, ASP.NET encryption wouldn't help. (NB., I don't do shared hosting, so I'm not sure if separate identities are the norm. My guess is that they aren't, though). Unless you have a separate identity for each app, they'll all have access to the same machine and/or user keys to decrypt your web.config.

Oh, and the keys are actually stored on the filesystem[2]. Logically, there's nowhere else to put them (unless you use TPM[3], I suppose).

[1] "A properly configured web server will not allow users to access the files of another user, regardless of file permissions." - wordpress.org/.../file-permissions/

[2] "It is recommended that you only secure sensitive information using protected configuration on file systems formatted using NTFS, so that you can restrict access to encryption key information using ACLs." http://msdn.microsoft.com/en-us/library/f5cs0acs(v=VS.80).aspx

[3] en.wikipedia.org/wiki/Trusted_Platform_Module

Left by Mark Brackett at 4/14/2010 2:05 PM
# re: WordPress says the Network Solutions hack is not their fault.
Mark,

Well it's not such a bad assumption that providers do - you already get an FTP login (at least on everyone I've used), which is usually an NT account on the hosting box, which can then be used to configure the app pool. And everyone seems to get app pools, if only for process isolation.

True the keys are on the file system, but they're somewhere the OS can access and users cannot. Even accessing/importing/exporting the keys generally needs a command line rather than web access (although I wonder if interop would let you at the DPAPI stuff - and if any shared hosters allow unmanaged code *grin*)

Of course this is kind of theoretical - I've not seen a shared hoster offer support for encrypted configs, either via importing of RSA keys or using machine keys. My point was more to highlight that you don't have to use plain text connection strings at all, some platforms offer other options.

Left by barryd at 4/14/2010 2:41 PM
# re: WordPress says the Network Solutions hack is not their fault.
Don't blame it all on Shared Hosting providers. The bottom line is hackers are obviously targeting Wordpress and discovering vulnerability's.

End users shouldn't have to spend 24 hours a day constantly making sure their Wordpress is secure.

Left by Steve at 4/15/2010 5:19 PM
# re: WordPress says the Network Solutions hack is not their fault.
Hi Barry - hope all's well with you.

Your post is quite accurate and bang on.

Secrets should never be in plaintext.

I've been working for government and banking institutions for the last couple of years, spending a lot of time sorting these issues out.

It's fairly straightforward to securely encrypt settings in configuration files. whether you use Windows or Unix.

However, it's the Microsoft people who seem to understand secure configuration these days. I've lost count of the discussions I've had with Unix people trying to persuade them that their app shouldn't be running as root (it's secure because it's Unix - Ha!).

Cheers

Chris

Left by Chris Seary at 4/20/2010 1:04 PM
# word express 2.0
my message find to sort key word express 2.0 plz my solve problem

Left by ankur at 7/29/2010 7:43 AM

Your Reply.

Comment Form.

Fields denoted with a "*" are required.

*Your name:

*Subject:

You may also like to leave your email or website.

*Your message:

Please add 7 and 2 and type the answer here:

Enter the code shown above:

Preview Your Comment.