Security 101 - 3rd Party Components

At Far Edge we've been working with a client who had a compromised website (not because of our software). He'd been blacklisted for sending spam among other things. After our sys-admin guys had tidied up the server itself, I was asked to take a look through the web application source code for security problems.

Three presented themselves.

  1. Insecure 3rd Party Components
  2. Unsanitised User Input
  3. Webserver not Running with Minimal Permissions

#1 - Insecure 3rd Party Components

This was the most likely way the box was compromised: some script kiddie finding a known exploit and trying it against every site Google knows about.

WordPress, two different real-time chat applications, PhpCaptcha and CodeIgniter were all used on the site. A simple Google search for "[component name] security vulnerability" turned up potential issues with almost all of them and known exploits for several.

3rd party components help make developers more productive. They also represent an easy target for script kiddies:

// Pseudocode: the attacker's effort per site is close to zero.
foreach (var url in aFewMillionWebSites)
    foreach (var exploit in assortedExploits)
        if (exploit.success) {
            // You lose.
        }

You must keep an eye on your 3rd party components. Subscribing to a security mailing list is probably the easiest way to keep on top of this issue. Yes, this is a pain, but unpatched vulnerabilities are the most common way for a site to be broken into.
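The practical half of "keeping an eye on your components" is knowing what you run and at which version, and checking that list against the fixed versions announced on the mailing lists. The script below is an added example, not code from the post or from any of the projects it names: it parses a plain-text inventory of components and versions, compares each against a constructed table of "first fixed version" entries, and reports what is outdated, what is current, and what has no advisory data at all (which still needs a manual look). The component names, versions and advisory entries are constructed for illustration and are not real advisories.

```python
import re
from typing import Dict, List, Tuple

# Constructed inventory in "name version" form, one component per line.
# Versions here are made up for the example, not real release data.
INVENTORY = """
# third-party components on www.example (constructed)
wordpress 3.0.1
codeigniter 1.7.2
phpcaptcha 2.0
chatapp-a 1.4.3
"""

# Constructed advisory table: component -> first version that carries the fix.
# In practice this is what you transcribe from the project's security list.
ADVISORIES: Dict[str, str] = {
    "wordpress": "3.0.4",
    "codeigniter": "2.0.0",
    "chatapp-a": "1.4.3",
}


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '3.0.1' or '2.0' into a comparable tuple, padded so '2.0' == '2.0.0'."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    return parts + (0,) * (4 - len(parts))


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name version' lines; blank lines and '#' comments are skipped."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(None, 1)
        inventory[name.lower()] = version.strip()
    return inventory


def audit(inventory: Dict[str, str], advisories: Dict[str, str]) -> Dict[str, List]:
    """Classify every installed component against the advisory table.

    outdated:    installed version is below the first fixed version
    current:     installed version is at or above the first fixed version
    no_advisory: nothing known, so it still needs a manual check
    """
    report: Dict[str, List] = {"outdated": [], "current": [], "no_advisory": []}
    for name, installed in sorted(inventory.items()):
        fixed = advisories.get(name)
        if fixed is None:
            report["no_advisory"].append(name)
        elif version_key(installed) < version_key(fixed):
            report["outdated"].append((name, installed, fixed))
        else:
            report["current"].append(name)
    return report


if __name__ == "__main__":
    result = audit(parse_inventory(INVENTORY), ADVISORIES)
    for name, installed, fixed in result["outdated"]:
        print(f"OUTDATED   {name}: {installed} installed, fixed in {fixed}")
    for name in result["current"]:
        print(f"current    {name}")
    for name in result["no_advisory"]:
        print(f"no data    {name}: check the project's security list by hand")
```

Run it as a cron job over the real inventory and mail yourself the "OUTDATED" and "no data" lines; the point of the "no_advisory" bucket is that silence from the table is not the same as "safe", it only means nobody has transcribed an advisory yet.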
