Tips: When buying scripts, buyer beware
Wednesday, April 16th, 2008

This past week has brought up some very interesting illustrations of just how careful you have to be when downloading or purchasing software off of the Internet. Everyone knows not to download “too good to be true” free programs to their computer, and almost everyone now runs virus and malware scanners on their desktop to protect their computer from a wrong decision. Can the same scheme that infects your computer infect your site?
You bet.
Just this week, it was discovered that a massive number of WordPress blogs were hacked by an organized scheme, including installations at ZDNet, utilizing an XML-RPC vulnerability. Some of the hacks also came in through users downloading WordPress themes that were infected (likely deliberately, but maybe not). Remember the old Lost Boys vampire thing where you have to invite the vampire in before he can attack you in your own home? Yep, same thing: the infected theme can't do anything until you install it, and then it has the run of the place.
Frankly, we here at DrakNet are not immune to this. This past week, I was toying around with the idea of installing a directory of Soholaunch hosts. I had looked at this software, and when I tried to order, it checked me out at a different site, which should have been my first clue. $90 later I had software that I hadn’t checked out, and the awakening came only after I purchased it.
When I unpacked it, there were immediate indications that something was amiss: the files provided were all dated May of 2005. “Good” PHP practices in May of 2005 and in April of 2008 differ significantly, and things everyone thought were a-ok to do back then have, in the intervening years, been shown in some cases to be insecure and downright dangerous, so I began to do the due diligence that I should have done before I plunked down my money.
What I discovered was that multiple XSS and SQL injection vulnerabilities were found in the software in May of 2006, a year after all the files provided to me were created. Checking their web site, I found that the company advertised that their last update to the files was in December of 2006, implying that the software had been updated after these vulnerabilities were found. Yet as I searched through the installation I had downloaded, there wasn’t a single file dated after 08-18-2005, two days before its first official release date and a year before its landing on multiple security advisory lists.
Had I done a search for the company, I would have seen that their company name and the word “nightmare” come up multiple times on the first search page, and I would have gotten some indication that, perhaps, this software wasn’t exactly my best choice. Had I simply searched for their company name and the word vulnerability, I would have seen that there were 9,390 entries. I was in a hurry, and I didn’t. It was my own fault, and I admit it. I do know better, but I was in a hurry and skipped that part.
As a consequence, I’m now arguing for my $90 back. I first went to the company, who, of course, doesn’t do refunds, and offered to work out what the issue was. When I outlined and detailed my suspicion that the company had fraudulently advertised an update that didn’t take place, to make it seem that they had patched insecure software when they hadn’t, suddenly they were silent.
I then went to their payment processor for a refund, and thus far the company has refused to speak to them, either. I will likely wind up having to drive to my bank, fill out paperwork, print out all of this evidence, and file a chargeback. Lesson learned… again.
So, how do you not fall into a trap like this?
Remember that old, unmaintained software is usually insecure; there’s even a term for it: abandonware. Abandonware is software that is no longer maintained by the company or creator, and so is no longer updated or patched when security issues are found in it. Microsoft FrontPage is now effectively abandonware: Microsoft discontinued it in late 2006, and no new versions are coming. There are thousands of scripts like this floating around on the Internet, and a package whose files haven't been touched in years, from a vendor with open advisories against it, is abandonware whether or not the vendor is still selling it.
Google the script and the company together with the words vulnerability and security. See whether problems have been found with the program, and whether the developers are actually paying attention to the security community: good software companies (and good open source developers) will jump when a vulnerability is found in their software, release a patch to protect their users, and report back to the advisory lists that it has been fixed. If they don't, that should be a red flag. Then compare the advisory dates against the dates on the files you are actually given; a vendor who claims an update after the advisory but ships files that all predate it has not patched anything.
Google the script and the company to see what people are saying about them. Everyone who does business on the Internet is going to aggravate someone, and finding something negative isn't always a reason to run. You should, though, find more good opinions than bad about the software and the company, and if you don't find any opinions at all, the software may not be widely used enough for its vulnerabilities to have been discovered yet. This is the Internet; people talk. If they aren't talking about you… well…
Don’t download WordPress themes, scripts, and so on from spammy-looking sites. Get it from spammy sites, get a spammy product. Realize that anything you put on your site is potentially an open door for the developer and/or anyone else if there’s a hole, so make sure the developer is trustworthy, insofar as you can tell, both not to take advantage of that door and to stand behind what they created with a sense of responsibility towards the people who use their software.
Remember that your web site is a veritable playground of mischief, and be as selective as you can in what you decide to snag and put on there: any program has the ability to put a back door into your site and subvert it for its own ends. Do as much as you can to make sure that doesn't happen, and don't get lazy like we did, because it's the one time when you decide to just hurry up and do it that you may get burned.
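As an added example (this is not code from the original post or from DrakNet), here is a small Python audit that does the two checks described above before a downloaded script package goes anywhere near a live site: it reports the newest modification time in the unpacked archive so it can be compared with the vendor's claimed last-update date, as in the Soholaunch story, and it greps the PHP sources for the kinds of backdoor and injection patterns that infected themes and 2005-era scripts tend to contain. The indicator list, the sample package and the claimed update date are all constructed for this example. Archive tools can reset or preserve timestamps and a vendor can forge them, so a stale mtime is evidence rather than proof, and a clean grep is not a clean bill of health.

```python
"""Audit an unpacked script/theme package before installing it.

Added example, not code from the original post. Two checks:
  1. Newest file modification time vs. the vendor's claimed last update.
  2. A grep of PHP sources for backdoor / injection indicators.
Timestamps can be forged or reset by archive tools, and the pattern list
below is illustrative, so treat findings as leads, not proof.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Indicator patterns (assumption of this example: a short, illustrative list).
INDICATORS = {
    # eval() of a decoded blob: the classic planted-theme backdoor
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # request data passed straight to a shell function
    "shell_exec_of_request": re.compile(
        r"\b(?:system|exec|passthru|shell_exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # request data concatenated into a query: the SQL injection shape of 2005-era code
    "raw_request_in_sql": re.compile(
        r"\bmysql_query\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    # request data echoed without escaping: the XSS shape
    "unescaped_request_echo": re.compile(
        r"\becho\s+\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
}
PHP_SUFFIXES = {".php", ".phtml", ".inc", ".php5"}


def newest_mtime(root):
    """Return (relative path, UTC datetime) of the most recently modified file, or None."""
    root = Path(root)
    newest = None
    for path in root.rglob("*"):
        if path.is_file():
            mtime = path.stat().st_mtime
            if newest is None or mtime > newest[1]:
                newest = (path, mtime)
    if newest is None:
        return None
    return str(newest[0].relative_to(root)), datetime.fromtimestamp(newest[1], tz=timezone.utc)


def scan_indicators(root):
    """Return a list of (relative path, line number, indicator name) hits in PHP sources."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        for name, pattern in INDICATORS.items():
            for match in pattern.finditer(text):
                line_no = text.count("\n", 0, match.start()) + 1
                hits.append((str(path.relative_to(root)), line_no, name))
    return hits


def audit_package(root, claimed_update):
    """Audit the unpacked package at root against the vendor's claimed last-update date (UTC)."""
    report = {"newest_file": None, "newest_mtime": None, "stale": None,
              "indicators": scan_indicators(root)}
    newest = newest_mtime(root)
    if newest is not None:
        report["newest_file"], report["newest_mtime"] = newest
        # Nothing in the archive is newer than the claimed update: the "update" never touched these files.
        report["stale"] = report["newest_mtime"] < claimed_update
    return report


def build_sample_package(root):
    """Write a constructed sample package (made-up files) with every mtime set to 2005-08-18."""
    root = Path(root)
    (root / "inc").mkdir(parents=True, exist_ok=True)
    files = {
        "index.php": (
            "<?php\n"
            "mysql_query(\"SELECT * FROM hosts WHERE id=\" . $_GET['id']);\n"
            "echo $_GET['q'];\n"
        ),
        "inc/footer.php": "<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n",
        "readme.txt": "Directory script v1.0\n",
    }
    stamp = datetime(2005, 8, 18, tzinfo=timezone.utc).timestamp()
    for rel, body in files.items():
        path = root / rel
        path.write_text(body)
        os.utime(path, (stamp, stamp))
    return root


def demo():
    """Audit the constructed sample against a vendor claim of 'last updated December 2006'."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return audit_package(tmp, datetime(2006, 12, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    result = demo()
    print("newest file:", result["newest_file"], result["newest_mtime"].date())
    print("stale vs. claimed update:", result["stale"])
    for rel, line_no, name in result["indicators"]:
        print(f"{rel}:{line_no}: {name}")
```

Run it against a real unpacked download by calling `audit_package("/path/to/unpacked", claimed_update)` with the date the vendor advertises; on the constructed sample it reports the 2005 timestamps as stale against the December 2006 claim and flags the eval-of-base64 backdoor, the raw `$_GET` in `mysql_query`, and the unescaped echo.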