US Dept for Homeland Security shafted by trivial web bug

A US government website was broken into by hackers exploiting a directory traversal vulnerability, according to security researchers. Hacktivist group NullCrew announced it compromised studyinthestates.dhs.gov, a US Department of Homeland Security website, on Friday. The site advises foreigners seeking permission to study at …

COMMENTS

This topic is closed for new posts.

You can't trust version numbers

You report that the site is running RHEL with apache 2.2.3 and php 5.3.3 and say that both should be upgraded, but RHEL does not use standard version numbering, so 2.2.3 could already be the latest apache version on RHEL5 with all known security bugs fixed. Likewise for php 5.3.3: if they're running the RH supplied php53 packages then they could already be patched to date.

https://access.redhat.com/security/updates/backporting/

Never trust a version number.

2
1
Silver badge
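The post above makes the point that on a backporting distribution the upstream version in a server banner says nothing about patch status; what moves is the package release number, and what records the fixes is the package changelog. The following is an added example, not code from the article or the commenter: it splits the name-version-release string that `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <pkg>` prints, extracts the CVE ids mentioned in the text that `rpm -q --changelog <pkg>` prints, and reports which of a list of CVEs of concern the packager claims to have addressed. The banner, changelog excerpt and CVE ids are constructed placeholders for the example, not real advisories.

```python
import re

# Constructed sample banner, as a server might announce itself (assumption).
BANNER = "Apache/2.2.3 (Red Hat)"

# Constructed excerpt in the layout printed by `rpm -q --changelog httpd`.
# Dates, packager and CVE ids are placeholders for this example, not real advisories.
CHANGELOG = """\
* Tue Jan 01 2013 Example Packager <packager@example.com> - 2.2.3-74
- add security fix for CVE-0000-0001 (backported)
- add security fix for CVE-0000-0002 (backported)

* Mon Jun 04 2012 Example Packager <packager@example.com> - 2.2.3-65
- add security fix for CVE-0000-0003
"""

# name-version-release: the version is the upstream number the banner repeats,
# the release is the distribution's own counter that advances with each backport.
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def split_nvr(nvr):
    """Split the string printed by: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <pkg>"""
    m = NVR_RE.match(nvr.strip())
    if not m:
        raise ValueError(f"not an NVR string: {nvr!r}")
    return m.group("name"), m.group("version"), m.group("release")


def banner_version(banner):
    """Pull the version out of a 'Product/x.y.z' banner, or None if absent."""
    m = re.search(r"/(\d+(?:\.\d+)*)", banner)
    return m.group(1) if m else None


def fixed_cves(changelog):
    """Every CVE id the packager's changelog claims to have addressed."""
    return set(CVE_RE.findall(changelog))


def assess(banner, installed_nvr, changelog, cves_of_concern):
    """Compare what the banner says with what the package database records."""
    _, version, release = split_nvr(installed_nvr)
    fixed = fixed_cves(changelog)
    return {
        "banner_version": banner_version(banner),
        "package_version": version,
        "package_release": release,  # the field that actually changes on RHEL
        "fixed": sorted(c for c in cves_of_concern if c in fixed),
        "unfixed": sorted(c for c in cves_of_concern if c not in fixed),
    }


if __name__ == "__main__":
    # Constructed NVR as a RHEL5 httpd package might report it (assumption).
    report = assess(BANNER, "httpd-2.2.3-74.el5", CHANGELOG,
                    {"CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0009"})
    for key, value in report.items():
        print(f"{key:16} {value}")
```

The banner and the package version agree, and yet the report says nothing useful until the release number and the changelog are consulted; that is the whole point of the post. A scanner that only compares banner versions against upstream release notes will report every backported fix as missing, and the only way to clear that noise is to check the package itself on the host.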

Re: You can't trust version numbers

Also it is possible to make it respond with pretty much anything you want. My ftp server was Lotus AmiPro 3.1 for years. It's not rocket science, nor is it a perfect defense, but it does help muddy the waters a little and deter some of the less experienced script kiddies.

3
1
Bronze badge
Facepalm

Re: You can't trust version numbers

Indeed if it's RHEL it's probably got backported fixes. Actually tbh if it's anything there's a solid chance it does.

0
0
Bronze badge

Never trust a version number.

Or an elf.

1
0

Re: Never trust a version number.

Or Greeks bearing gifts.

0
0

Surely if the permissions were properly set on the file system, requesting wp-config.php would have been denied?

Can PHP totally undermine a file system's permissions?

Anyway it's a fail for running old versions.

0
0
Gold badge

But wouldn't the webserver / php script processor need to be able to read wp-config.php in order to serve the wp blog?

1
0
Bronze badge
Boffin

"Can PHP totally undermine a file systems permissions?"

No.

"Surely if the permissions were properly set on the file system, requesting wp-config.php would have been denied?" - then how would WordPress be able to read it to get its config?

2
0
Silver badge
Devil

It's OK.

They turned it off and on again.

1
1
Bronze badge
WTF?

PHP? Really?

Holy crap - they are using PHP?

I'm language agnostic, but PHP, while it has session support, has no application-scope variables. Application-scope variables are invaluable in advanced hardening of high traffic websites.

I have ASP and ASP.NET websites and almost all hack attacks I log are people attempting PHP exploits.

1
10

Re: PHP? Really?

PHP can be very secure indeed. It was lazy development that caused this, not PHP.

The reason for your log being full of PHP style hack attempts is more to do with the pervasiveness of PHP rather than any inherent vulnerabilities.

Modern PHP by a competent developer can be as rock solid as any platform.

4
2
Anonymous Coward

Re: PHP? Really?

"Modern PHP by a competent developer can be as rock solid as any platform."

Except when it's WP + plugins. There's more holes there than any sieve can handle. Disgraceful track record, past and present.

4
0
Silver badge

Re: PHP? Really?

"Holy crap - they are using PHP"

You can write bad, insecure programs in practically any language.

6
0
Bronze badge
FAIL

Re: PHP? Really?

These are people who touch your junk to make sure it's real. You'd think they would know that about programming languages ... Ah, there's the flaw, DHS is a think-free zone.

1
0
Bronze badge
FAIL

Double slap required

This was doubly insecure. Even though PHP allowed upward-leading filenames, the OS could have prevented this happening if the directory ownership and permissions were set right. But they evidently weren't.

1
0
FAIL

Re: Double slap required

As someone else pointed out above, this was on a site running WordPress. It's pretty much a given that WordPress needs to read its own config in order to run, so 'preventing' this by using chmod would also break the site.

The fact that the attackers _only_ seem to have managed to compromise a file that is meant to be readable to PHP would suggest that permissions were set correctly for the rest of the hierarchy (only an idiot wouldn't try to get something of higher value as well).

Pretty embarrassing for the DHS, but no double-slap required (well, unless you want to give them one for using WordPress and one for failing to run checks on it).

0
0
Silver badge
Unhappy

No Hope

After the almost endless history of past vulnerabilities and poor system implementation, you'd think they would have made a little progress by now.

0
0
Facepalm

obligatory xkcd ref

http://www.xkcd.com/932/

1
1
Bronze badge
Joke

Re: obligatory xkcd ref

Perfect.

Obviously CIA Posters are very "well hung" and no doubt the DHS would love to get their hands on them.

Government Transparency flies Commercial, I always say.

0
0
Silver badge
Coat

Re: obligatory xkcd ref

They have a security solution in place:

Everybody accessing their website now has to remove their shoes and outer coat.

3
0
Silver badge

Re: obligatory xkcd ref

Hi, David Dawson,

I hope you realise what you have started with that obligatory xkcd ref.

Here's news of a colossal virtual computer keyboard with myriad inputting devices ...... http://www.xkcd.com/934/

The browser and a smarter computer with its running programs and instruction sets gives keyboard access to any and all internetworking channels of information/communications, and allows one to leave leading questions a message which always best warrants an equally unequivocal and quizzical reply ..... which is akin to a challenging parry and/or engaging foreplay.

Which would be your preferred leading position for vital first contact with SMARTR Beings in Internet Control Centres?

0
0
Thumb Down

About what I'd expect, really

Writing code in PHP is easy. Writing secure code is harder. Government departments hire the lowest bidder, who probably doesn't even think about security, much less know security best practices. If you put in a higher bid because your proposal considers security, well...let's just say you'll likely be disappointed in the outcome.

0
0
Bronze badge
Meh

Re: About what I'd expect, really

The lowest bidder is still informed of the requirements. It isn't who can just flat out do it cheaper, it is who can do it cheaper meeting X, Y and Z requirements. Then there are confidence issues to be addressed, after that the "favorites" game happens...don't want to appear to be playing favorites!

It is possible that the scripter (scripter a word?) that was in charge of this scripting was reading a requirement sheet that read, in a way, that this was an actual requirement. Scripting languages like ASP, PHP, Python etc. are easy to throw together with or without security in mind, but that doesn't mean your boss knows how to. Between your boss, requirements, and a lethargic "team response" from the government, a lot of dangling holes appear and remain. Think spaghetti code put into a high heat spin cycle...results may vary.

The problem isn't that this bug was present, the problem is that no one knew this bug was a problem. Code auditors are extremely scarce around the DHS...apparently.

P.S. I don't understand if "scripter" is a word or not, seems legit.

0
0
Anonymous Coward

Re: About what I'd expect, really

Unfortunately the lowest bidder is often surprisingly reluctant to point out that their bid is low because they'll do a shoddy job. So it's probably more a case of who can do it cheaper while *saying* they can meet X, Y and Z requirements (which are probably too vague to tell whether they were actually met afterwards).

0
0

Re: About what I'd expect, really

The lowest bidder is still informed of the requirements...which likely don't mention security at all. It's amazing (and depressing) how many job specifications I've seen that don't say boo about security requirements...often from clients who really ought to know better.

1
0
Bronze badge
Terminator

Re: About what I'd expect, really

"P.S. I don't understand if "scripter" is a word or not, seems legit."

Bash is a scripting language, PHP, Python, ASP etc aren't. I prefer 'developer' over the passé 'programmer' but each to their own. Just because it is an interpreted language doesn't make it a scripting language IMHO. PHP has some of the features of a scripting language but these days it's too complicated to be called one tbh.

0
0
Anonymous Coward

what is there to say...

Wordpress? Really?

2
0
WTF?

1992 called, they want their bugs back

Directory traversal? Really? It's been many years since I noodled in the world of web servers, but: what kind of site or platform allows this sort of thing by default in this day and age? Isn't all that URL munging automatically normalized and junked as early in the request cycle as possible?

1
0
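Two threads above converge on the same question: the "Double slap required" exchange establishes that filesystem permissions cannot stop a traversal bug from reading wp-config.php, because the PHP process has to be able to read that file, and the post just above asks why request paths are not simply normalised and rejected early. The following is an added example, not code from the article, from WordPress or from any commenter, showing where the check actually has to live. It contrasts the concatenation pattern behind classic traversal bugs with a resolver that decodes percent-encoding a bounded number of times, rejects NUL bytes, joins the request onto the document root before normalising, and then verifies that the result still lies under the root; on top of that it refuses to serve the handful of files an application must read but a browser must never be handed. The document root and request strings are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root used throughout this example (assumption).
DOCROOT = "/var/www/html"

# Files the application itself has to read (WordPress needs wp-config.php) but
# that must never be served raw, whatever the filesystem permissions say.
NEVER_SERVE = {"wp-config.php", ".htaccess", ".htpasswd"}


def unsafe_path(docroot, request_path):
    """The shape of a classic traversal bug: trust the client's path and concatenate."""
    return docroot + "/" + request_path


def resolve_request_path(docroot, request_path, max_decode=2):
    """Map a URL path onto a file under docroot; return None if it would escape."""
    # Decode percent-encoding a bounded number of times so that both %2e%2e and
    # the double-encoded %252e%252e are seen for what they are.
    decoded = request_path
    for _ in range(max_decode):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # Treat backslashes as separators so we normalise the same way a component
    # that accepts them would; otherwise "..\" slips past a "../" check.
    decoded = decoded.replace("\\", "/")
    # A NUL byte would truncate the name at the C library level ("a.php\0.txt").
    if "\x00" in decoded:
        return None
    # Join first, normalise second: ".." segments are resolved against the real
    # docroot, so an escape shows up as a path that no longer starts with it.
    candidate = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    root = docroot.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def servable_path(docroot, request_path):
    """Resolve the request, then refuse the files a web server must never serve raw."""
    path = resolve_request_path(docroot, request_path)
    if path is None or posixpath.basename(path) in NEVER_SERVE:
        return None
    return path


if __name__ == "__main__":
    # Constructed requests: a normal one, plain and encoded traversal, and
    # two ways of asking for the config file directly.
    for req in ["/index.php", "/../../etc/passwd", "/%252e%252e/%252e%252e/etc/passwd",
                "/wp-config.php", "/wp-content/../wp-config.php"]:
        print(f"{req:40} unsafe={unsafe_path(DOCROOT, req)!r}")
        print(f"{'':40} safe={servable_path(DOCROOT, req)!r}")
```

The resolver is purely lexical so that it runs the same everywhere; on a real host you would additionally pass the accepted path through os.path.realpath and repeat the prefix check, because a symlink inside the document root can point outside it. The NEVER_SERVE set is the application-level twin of the web server rule that denies direct requests for wp-config.php: chmod cannot help here, as the thread notes, because the same process that serves pages is the one that has to read the file.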
Joke

We need to start calling this by its more correct name: The Department of Homeland Insecurity. Which happens to reside next to the Department of Redundancy Department.

1
0