Sloppy patching, insecure plug-ins made Panama Papers leak possible

WordPress, Drupal, Joomla, and PHP developers need to get their security acts together

Time and time again, data-breach headlines illustrate the cost of ignoring basic security. Regularly updating software is Security 101, especially if the application in question is public-facing or accessible over the Internet.

For content management systems such as WordPress, Drupal, and Joomla, you have to update the core. More important, you have to update the modules and plug-ins. Having the latest software is not going to mean much if the attackers can waltz through security holes in plugins and third-party modules.

The Panama Papers leak, exposing how politicians and the wealthy hide money from being taxed, may have been made possible because the law firm that was hacked didn't do that Security 101.

Whoever was behind the Panama Papers leak had to first gain access to the Mossack Fonseca firm's network, then somehow transfer out 2.6TB worth of emails, documents, images, and database information. The Panamanian law firm claimed the attackers hacked the email server, and while that may still be true, it appears the attackers could have just as easily strolled in through vulnerable CMS software.

Mossack Fonseca uses WordPress on its main website and Drupal on the customer portal for sharing sensitive information, and both Its Drupal and WordPress sites were outdated, according to an extensive analysis by the team behind WordFence, a WordPress security plug-in. WordPress was three months out of date, and Drupal was almost two years out of date.

It gets worse. Mossack Fonseca was running Revolution Slider, "one of the most common WordPress vulnerabilities," WebFence reported, and WebFence believes the Web server was not behind a firewall at the time of the attack.

"In this case, the site owners did not update for some time, and it resulted in world leaders being toppled and the largest data breach to journalists in history," said Mark Maunder, CEO of Feedjit, the company behind WordFence.

An outdated plug-in opened the WordPress door

Mossaca Fonseca was running Revolutions Slider version 2.1.7. The latest available version is currently 5.2. Revolution Slider versions 3.0.95 and older have a vulnerability that lets unauthenticated users remotely upload files, such as a Zip file containing PHP source code, to a temporary directory in the plug-in directory. A working Revolution Slider exploit was published on exploit-db back in October 2014, making it “trivially easy” for a remote attacker to gain shell on the Web server, Maunder wrote.

It appears the law firm put its website behind a firewall within the last month, so the Revolution Slider vulnerability now cannot be exploited directly. But it doesn't appear that the plug-in has been updated yet. Even if the core WordPress installation had been up to date, the WordFence team found that it could still exploit the vulnerability if the outdated plug-in was installed.

The law firm's Drupal site had issues, too

The problem wasn't with the WordPress site alone. Mossaca Fonseca was running Drupal 7.23 for its secure portal, which let customers log in and submit sensitive business information. In October 2014, Drupal released version 7.32, warning about critical vulnerabilities in the earlier software. The vulnerabilities were so severe that automated attacks began compromising Drupal 7 websites that were not patched or updated within hours of the new version's release.

Security experts recommended assuming the site was compromised and starting over with a fresh install. "You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15, 11pm UTC; that is, seven hours after the announcement," the Drupal Security Team said at the time.

Mossaca Franseca's customer portal could have been vulnerable to attack, and likely backdoored, for more than a year, which would have given the leakers ample time to grab 11.5 million documents.

The Web server was also on the same network as the email server, and the company used the Drupal site for sensitive customer data. The audacious attack may have succeeded because the adversaries were able to pivot from the vulnerable WordPress site to where the corporate assets were stored to the email server to download all the emails, Maunder said.

WordPress, Drupal, Joomla, and PHP developers need to get their acts together

Mossack Fonseca isn't the first company to get tripped up by outdated software. An attacker recently breached the Los Angeles Times website through the the Advanced XML Reader plug-in for WordPress, which lets sites display XML files, and offered to sell access to the site. The LA Times said that the issue has since been resolved.

Attacks targeting sites running outdated versions of a CMS or using vulnerable plug-ins are getting more and more common. Security experts point at the plug-in ecosystem, with poorly coded and maintained plug-ins, as the culprit, but the core developers need to shoulder some of the responsibility. It's not only WordPress -- other popular CMS software such as Drupal and Joomla also need to consider how third-party software is affecting their platform and provide better mechanism to secure their customers' sites.

There is currently no process to vet plug-ins or automatically update outdated plug-ins. Although WordPress and Drupal have made it easier to search and update some third-party plug-ins directly from the administrator dashboard, the core team can -- and should -- explore ways to keep the entire platform secure, instead of focusing on the core codebase alone.

Of course, part of the problem may lie with the culture of PHP development, which prides itself on being hacky and a quick and dirty way to get things done. PHP's historic focus on getting something half-assed that works out the door means -- no surprise -- that security is going to fall by the wayside. Now all these websites are paying the price.

For website administrators, the lesson is clear: Patch, update, and stay on top of the latest versions of the CMS software and related software. Update the core application, plug-ins, and themes whenever there is an update available. If the changelog file says the new version is a security update, make updating a high-priority task.

For PHP developers -- especially those who work with WordPress, Drupal, Joomla, and other CMS software -- it's time to start doing something about the security of the software that powers so many applications on the Web.

Copyright © 2016 IDG Communications, Inc.