US Dept for Homeland Security shafted by trivial web bug

A US government website was broken into by hackers exploiting a directory traversal vulnerability, according to security researchers. Hacktivist group NullCrew announced it compromised studyinthestates.dhs.gov, a US Department of Homeland Security website, on Friday. The site advises foreigners seeking permission to study at …

COMMENTS

This topic is closed for new posts.
  1. TrevorH

    You can't trust version numbers

    You report that the site is running RHEL with apache 2.2.3 and php 5.3.3 and say that both should be upgraded but RHEL does not use standard version numbering so 2.2.3 could already be the latest apache version on RHEL5 with all known security bugs fixed. Likewise for php 5.3.3, if they're running the RH supplied php53 packages then they could already be patched to date.

    https://access.redhat.com/security/updates/backporting/

    Never trust a version number.

    1. Rampant Spaniel

      Re: You can't trust version numbers

      Also it is possible to make it respond with pretty much anything you want. My ftp server was lotus amipro 3.1 for years. It's not rocket science nor is it a perfect defense but it does help muddy the waters a little and deter some of the less experienced script kiddies.

      1. streaky

        Re: You can't trust version numbers

        Indeed if it's RHEL it's probably got backported fixes. Actually tbh if it's anything there's a solid chance it does.

    2. Great Bu

      Never trust a version number.

      Or an elf.

      1. Euripides Pants

        Re: Never trust a version number.

        Or Greeks bearing gifts.

  2. b166er

    Surely if the permissions were properly set on the file system, requesting wp-config.php would have been denied?

    Can PHP totally undermine a file system's permissions?

    Anyway it's a fail for running old versions.

    1. BristolBachelor Gold badge

      But wouldn't the webserver / php script processor need to be able to read wp-config.php in order to serve the wp blog?

    2. streaky

      "Can PHP totally undermine a file systems permissions?"

      No.

      "Surely if the permissions were properly set on the file system, requesting wp-config.php would have been denied?" - then how would WordPress be able to read it to get its config?

  3. NoneSuch Silver badge

    It's OK.

    They turned it off and on again.

  4. BillG

    PHP? Really?

    Holy crap - they are using PHP?

    I'm language agnostic, but while PHP has session support, it has no application-scope variables. Application-scope variables are invaluable in advanced hardening of high traffic websites.

    I have ASP and ASP.NET websites and almost all hack attacks I log are people attempting PHP exploits.

    1. Nic 3

      Re: PHP? Really?

      PHP can be very secure indeed. It was lazy development that caused this not PHP.

      The reason for your log being full of PHP style hack attempts its more to do with the pervasiveness of PHP rather than any inherent vulnerabilities.

      Modern PHP by a competent developer can be as rock solid as any platform.

      1. Anonymous Coward

        Re: PHP? Really?

        "Modern PHP by a competent developer can be as rock solid as any platform."

        Except when it's WP + plugins. There's more holes there than any sieve can handle. Disgraceful track record, past and present.

    2. A Non e-mouse Silver badge

      Re: PHP? Really?

      Holy crap - they are using PHP

      You can write bad, insecure programs in practically any language.

      1. Gannon (J.) Dick

        Re: PHP? Really?

        These are people who touch your junk to make sure it's real. You'd think they would know that about programming languages ... Ah, there's the flaw, DHS is a think-free zone.

  5. Evan Essence

    Double slap required

    This was doubly insecure. Even though PHP allowed upward-leading filenames, the OS could have prevented this happening if the directory ownership and permissions were set right. But they evidently weren't.

    1. Ben Tasker

      Re: Double slap required

      As someone else pointed out above, this was on a site running WordPress. It's pretty much a given that WordPress needs to read its own config in order to run, so 'preventing' this by using chmod would also break the site.

      The fact that the attackers _only_ seem to have managed to compromise a file that is meant to be readable to PHP would suggest that permissions were set correctly for the rest of the hierarchy (only an idiot wouldn't try to get something of higher value as well).

      Pretty embarrassing for the DHS, but no double-slap required (well unless you want to give them one for using Wordpress and one for failing to run checks on it)

  6. Will Godfrey Silver badge

    No Hope

    After the almost endless history of past vulnerabilities and poor system implementation, you'd think they would have made a little progress by now.

  7. David Dawson

    obligatory xkcd ref

    http://www.xkcd.com/932/

    1. Gannon (J.) Dick

      Re: obligatory xkcd ref

      Perfect.

      Obviously CIA Posters are very "well hung" and no doubt the DHS would love to get their hands on them.

      Government Transparency flies Commercial, I always say.

    2. Yet Another Anonymous coward Silver badge

      Re: obligatory xkcd ref

      They have a security solution in place:

      Everybody accessing their website now has to remove their shoes and outer coat.

    3. amanfromMars 1 Silver badge

      Re: obligatory xkcd ref

      Hi, David Dawson,

      I hope you realise what you have started with that obligatory xkcd ref

      Here's news of a colossal virtual computer keyboard with myriad inputting devices ...... http://www.xkcd.com/934/

      The browser and a smarter computer with its running programs and instruction sets gives keyboard access to any and all internetworking channels of information/communications, and allows one to leave leading questions a message which always best warrants an equally unequivocal and quizzical reply ..... which is akin to a challenging parry and/or engaging foreplay.

      Which would be your preferred leading position for vital first contact with SMARTR Beings in Internet Control Centres?

  8. Franklin

    About what I'd expect, really

    Writing code in PHP is easy. Writing secure code is harder. Government departments hire the lowest bidder, who probably doesn't even think about security, much less know security best practices. If you put in a higher bid because your proposal considers security, well...let's just say you'll likely be disappointed in the outcome.

    1. Anonymous Coward

      Re: About what I'd expect, really

      The lowest bidder is still informed of the requirements. It isn't who can just flat out do it cheaper, it is who can do it cheaper meeting X, Y and Z requirements. Then there are confidence issues to be addressed, after that the "favorites" game happens...don't want to appear to be playing favorites!

      It is possible that the scripter (scripter a word?) that was in charge of this scripting was reading a requirement sheet that read, in a way, that this was an actual requirement. Scripting languages like ASP, PHP, Python etc. are easy to throw together with or without security in mind, but that doesn't mean your boss knows how to. Between your boss, requirements, and a lethargic "team response" from the government, a lot of dangling holes appear and remain. Think spaghetti code put into a high heat spin cycle...results may vary.

      The problem isn't that this bug was present, the problem is that no one knew this bug was a problem. Code auditors are extremely scarce around the DHS...apparently.

      P.S. I don't understand if "scripter" is a word or not, seems legit.

      1. Anonymous Coward

        Re: Re: About what I'd expect, really

        Unfortunately the lowest bidder is often surprisingly reluctant to point out that their bid is low because they'll do a shoddy job. So it's probably more a case of who can do it cheaper while *saying* they can meet X, Y and Z requirements (which are probably too vague to tell whether they were actually met afterwards).

      2. Franklin

        Re: About what I'd expect, really

        The lowest bidder is still informed of the requirements...which likely don't mention security at all. It's amazing (and depressing) how many job specifications I've seen that don't say boo about security requirements...often from clients who really ought to know better.

      3. streaky

        Re: About what I'd expect, really

        "P.S. I don't understand if "scripter" is a word or not, seems legit."

        Bash is a scripting language, PHP, Python, ASP etc aren't. I prefer 'developer' over the passé 'programmer' but each to their own. Just because it is an interpreted language doesn't make it a scripting language IMHO. PHP has some of the features of a scripting language but these days it's too complicated to be called one tbh.

  9. Anonymous Coward

    what is there to say...

    Wordpress? Really?

  10. Anonymous Coward

    1992 called, they want their bugs back

    Directory traversal? Really? It's been many years since I noodled in the world of web servers, but: what kind of site or platform allows this sort of thing by default in this day and age? Isn't all that URL munging automatically normalized and junked as early in the request cycle as possible?
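    On the normalization question above: the example below is added here and is not from the article or any commenter. It canonicalizes the URL path and every query value of constructed access-log lines (repeated percent-decoding to catch double encoding, backslashes treated as separators) and flags any request that still carries a `..` segment, marking the ones the server answered with a 2xx; the log lines, IPs and timestamps are all constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed Apache-style access log lines (not from the article or the incident):
# one clean request, then plain, URL-encoded, double-encoded and backslash variants.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2013:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.6 - - [01/Feb/2013:10:00:02 +0000] "GET /index.php?page=../../wp-config.php HTTP/1.1" 200 2048
10.0.0.7 - - [01/Feb/2013:10:00:03 +0000] "GET /index.php?page=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
10.0.0.8 - - [01/Feb/2013:10:00:04 +0000] "GET /index.php?page=%252e%252e%252fwp-config.php HTTP/1.1" 404 210
10.0.0.9 - - [01/Feb/2013:10:00:05 +0000] "GET /static/..%5c..%5cwp-config.php HTTP/1.1" 404 210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e (double-encoded '.') is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot_segment(value: str) -> bool:
    """True if the decoded value contains a '..' segment, with '/' or '\\' as separator."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))

def scan_log(text: str) -> list:
    """One record per request whose URL path or any query value contains a '..' segment."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        path, _, query = target.partition("?")
        # parse_qsl decodes once; has_dotdot_segment finishes any further rounds
        candidates = [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]
        if any(has_dotdot_segment(c) for c in candidates):
            # A 2xx on a traversal request is the record to escalate: the server
            # answered it instead of rejecting it at the normalization stage.
            hits.append({"ip": ip, "target": target, "status": int(status),
                         "served": status.startswith("2")})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("SERVED " if h["served"] else "blocked", h["ip"], h["target"])
```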

  11. beep54

    We need to start calling this by its more correct name: The Department of Homeland Insecurity. Which happens to reside next to the Department of Redundancy Department.
