jormaggio

Drupalgeddon Redux (2018)

In 2014 there was a large issue in the popular Drupal web platform / framework known as Drupalgeddon. The system is popular tool used for creating web sites but now many use it for building sophisticated applications. This means that it has a large surface area because it can do anything.

The original Drupalgeddon (SA-CORE-2014-005) was caused by SQL injection. This allowed attackers to craft SQL queries to read anything from the database or alternatively modify it at free will. Now there is a new issue that is a simple sanitation issue with input parameters.

This issue (CVE-2018-7600, SA-CORE-2018-002) affects at least Drupal 7.57, with the patch coming in 7.58, with the fact that it simply does not sanitize unsafe values. The change is shown in the code below, within the core bootstrap (includes/bootstrap.inc):

drupalgeddon-2018

This comes from the batch shown on GitHub here: SA-CORE-2018-002 by Jasu_M, samuel.mortenson, David_Rothstein, xjm… The SA-CORE-2018-002 has a lot more issues that mate upgrading Drupal 7.x and Drupal 8.x releases ASAP: Drupal Critical Vulnerabilities (SA-CORE-2018-002)

Best reception smartphone

The company Zero Reception is developing a smartphone with maximum cellular network smartphone. The device is runs Android, and the improved cell reception promises a fourfold improvement over other cellphones.

The device is known as Certum Phone and it is being developed in Finland by antenna specialists that have have extensive industry experience in the field:

The Radientum crew hails from Tampere. The former Nokia/Microsoft engineers who founded the company in 2015 have over 15 years of experience in network simulation. The design of the “super antenna” in the Certum Phone is not a new innovation, it simply has not been applied optimally before. The Certum Phone has been designed “reception first” from the ground up.
– Certum Phone Android smartphone to provide the best signal reception

Improvements in cell reception allow better connectivity for all purposes. Less dropped calls and improved data transfer over 3G and 4G networks in the wild or challenging city spaces such as the subway. The Certum Phone is a crowdfunded project, with a project on Indiegogo.

90 Million Eurojackpot lottery win still not claimed in Finland – coupon lost?

In February 2018 a 90 Million euro win was won in the town of Loimaa in Finland. None of the 16,000 residents of Loimaa has yet to claim the win a month later. If the winners do not make them selves heard within a year, the prize will be lost. The unclaimed win does not affect any ongoing Eurojackpot games.

The European wide EuroJackpot lottery has prizes ranging from 10-90 Million Euro. Countries participating in the lottery are: Croatia, Czech Republic, Denmark, Estonia, Finland, Germany, Hungary, Iceland, Italy, Latvia, Lithuania, the Netherlands, Norway, Slovakia, Slovenia, Spain, Sweden and Poland.

So far the maximum wins of 90 M€ has been won by players in the Czech Republic, Finland and Germany. Currently it is speculated that the winning coupon for the massive win is lost, and it has even spurred some locals to post a humorous ad in the local Loimaa region newspaper:

Lost: game coupon; Eurojackpot for round 6/18. Fell on the Prisma parking lot on 8.2-18. Finders fee, if the found coupon is the one having significant sentimental value.

Source: Record 90 Million Eurojackpot prize remains unclaimed a month later

Massive WordPress keylogger snooping highlights the risks of using malicious Plugins

WordPress is the most popular tool for building marketing websites and even fully fledged web applications like social networks using BuddyPress and eCommerce sites using WooCommerce. Unfortunately the sprawling ecosystem is an issue that the WordPress community finds hard to contain.

With immense popularity, a large user base and somewhat shoddy architecture WordPress is a tempting target for foul play. The core software has automatic updates, that properly used would have prevented the Mossac Fonseca leak where WordPress had a part to play.

Avoid excessive use of WordPress plugins for security

Whether or not unmaintained Open Source was a reason for the Panama Papers leak does not mitigate the fact that the ecosystem of WordPress is a bit of a wild west. The secure core of WordPress does not do good if insecure third party plugins are used. The plugins are the real strength of WordPress, but also it’s biggest weakness.

Now there is a report that over 2,000 WordPress installations admin interfaces are compromised according to Ars Technica:

More than 2,000 websites running the open source WordPress content management system are infected with malware, researchers warned late last week. The malware in question logs passwords and just about anything else an administrator or visitor types.- More than 2,000 WordPress websites are infected with a keylogger

This is a follow up to the cleanup done of some 5,500 malicious plugins together with Sucuri and CloudFlare in December 2017. With the rise of Blockchain based cryptocurrencies, the current flavour of attacks also use users’ browsers to mine Bitcoin for a direct financial gain.

In 2018 WordPress remains as dominant as ever, but users should take care of keeping their installation up-to-date and avoid installing WordPress Plugins that are not well known and acknowledged. Especially illegally obtained commercial plugins are very likely to contain malicious code.

Police raid OneCoin HQ in Bulgaria

Police have raided the headquarters of the OneCoin organisation in Bulgaria. OneCoin is a suspected Ponzi scam that is disguised in the veil of the blockchain technology. Since the meteoric rise of Bitcoin, Litecoin and other Cryptocurrencies, the market is attractive to scammers.

Operating since 2015 the OneCoin is estimated to have attracted some 3 Million investors. The scheme has faced action from the authorities before. But the joint raid between Bulgarian and German police as well as the Europol is the most significant so far. The leadership of the scheme has reportedly fled the country before.

Bulgarian police has released a Youtube video of the seized materials from the OneCoin raid.

Best Open Source Contentful CMS Alternatives in 2018

Contentful is a popular content management tool. It is a fully managed service, where the whole technical development and maintenance is handled by the company for a fixed fee. This takes some fixed cost related to hosting and developer investment from the equation.

Contentful and other Headless CMSes offer flexibility for developers to create uncompromised online experiences with the best suitable technology. As opposed to previous generation monolithic CMSes this opens up new possibilities, but can also add complexity when constructiong decoupled sites with Next.js or other universal JavaScript Frameworks.

The traditional Open Source CMS market is quite well established with a few leading global players like WordPress and regional champions like TYPO3 in Germany. For Open Source Headless CMSes the market is much more in flux, so far there are no clear leaders in the market place. The convenience of Contentful and other proprietary CaaS (Content as a Service) providers is tempting.

Open Source Headless CMSes market still maturing

Limitations in integrations and sky rocketing costs when dealing with large volumes of content are a deterring factor for some companies. This is why there is a clear demand for Open Source CMS and there are already some enticing options available on the market.

Directus – A next generation PHP based headless CMS
GraphCMS – A proprietary CaaS in the process of Open Sourcing
Gentics Mesh – A feature rich Java based headless CMS

Each of the above options have their own strengths and weaknesses, with some interesting details discussed in the following links:

Open Source GraphQL Backend as a Services

Most of the recent entrants to the market are starting to boast GraphQL as their interface, as REST APIs remain common but less ergonomic for site building. For developers looking for an Open Source GraphQL BaaS (Backend as a Service), there are now new interesting options that use a relational database features to create a thin GraphQL layer on top.

Two notable option in this space are Prisma and PostGraphile, with a brief introduction available online:

Matt Mullenweg to make WordPress great again – puts releases on hold

In his State of the Word 2016 speech Matt Mullenweg, the project lead for the WordPress project announced that there will be no releases of WordPress in the upcoming future. Development on the project will continue, but before a new official version is released – there will need to be significant improvement in key areas.

Matt will not sign off any new releases before the community addresses three key areas in WordPress that he identifies as which could become a hindrance as WordPress reaches for higher market share and even wider popularity in it’s task for world domination to democratise publishing of content in the Internet:

It is best in life to crush your enemies with marketshare, to see them driven before you, and to hear the lamentations of their proprietary CMS.
– Conan the Mattarian

The three areas that the great leader sets his target to are:

The WordPress REST API: The WordPress REST API has been in development for a number of years, but continues to lack many key functionalities, including authentication. WordPress 4.7 adds more endpoints to core, but this is not sufficient according to Mullenweg.
The Editor: The rich text editing functionalities provided in the default editor are lacking behind the competition. He would like the community to reimagine the editing experience and embrace the poetry of the code. This is partially already happening in the Automattic built JavaScript shell for WordPress, Calypso.
The Customizer: The customizer allows live-previewing to configuration changes done to a WordPress installation. It enables handy previews of theme changes, color changes and widget placement to provide a basic WYSIWYG preview. Competition like Wix and Squarespace are more advanced and for WordPress to stay relevant and remain number one most popular publishing tool it needs to catch the proprietary pair.

With these targets set the project should be well set to continue dominating and even expanding it’s market share and reach. This is key in battling proprietary corporations that have the funding to run multimillion dollar marketing campaigns of their products, where as WordPress is an effort of love and devotion for many – a true community effort!

Let’s Make WordPress Great Again!

A tale of WordPress, Wix and Open Source Licensing

On October 28th the Automattic CEO Matt Mullenweg published a blog post accusing that Wix, a provider of competing services, has stolen code from the WordPress codebase. To be specific, it was about the use of a rich text editing component in the Wix mobile app:

If I were being charitable, I’d say, “The app’s editor is based on the WordPress mobile app’s editor.” If I were being honest, I’d say that Wix copied WordPress without attribution, credit, or following the license. The custom icons, the class names, even the bugs. You can see the forked repositories on GitHub complete with original commits from Alex and Maxime, two developers on Automattic’s mobile team.
– The Wix Mobile App, a WordPress Joint

There were some claims that Wix had not respected the GPL licensing in place for the component. They may or may not be valid, but what Matt is claiming about it being a copy is just what is going on with Open Source. It is supposed to be the exact same code, warts and all…

But with Matt Mullenweg being no stranger to petty litigation, it seemed like FUD driven by jealousy over use of Automattic code in a competing product. Wix CEO Avishai Abrahami soon replied, making it clear that it is the exactly the same code that is being used. And that component is available as open source on GitHub:

Yes, we did use the WordPress open source library for a minor part of the application (that is the concept of open source right?), and everything we improved there or modified, we submitted back as open source, see here in this link – you should check it out, pretty cool way of using it on mobile native.
– Dear Matt Mullenweg: an open letter from Wix.com’s CEO Avishai Abrahami

What Avishai fails to address are some of the accusations Matt Mullenweg makes against Wix and that the whole mobile application should be made available by complying to the terms of the GPL license. This is interesting, but the saga continues.

Update: It has now been confirmed that Wix will release the full source code to their mobile application:

Wix to release full mobile app source code, including the GPL disputed WordPress Rich Text Editor

Automattic themselves fail to comply MIT licensing

From a more technical post by the lead developer of the mobile app at Wix, it seems that the component that Mullenweg and Wix are quarrelling over is itself a wrapper for another Open Source project, ZSSRichTextEditor, licensed under the MIT license:

The WordPress GPL Rich Text component in question, is actually a wrapper around another Rich Text component named ZSSRichTextEditor which is licensed MIT. In retrospect it would have been easier to use it directly.
– How I Found Myself Accused of Stealing Code from WordPress

Now it is no longer clear whether the WordPress editor component itself has a valid license, at least when it comes to the iOS version of the Rich Text Editor. This is because on March 20th 2015, the Automattic team proceeded with removing the MIT license from ZZRichTextEditor and replacing it with a GPL one:

This is a violation of the MIT license terms from Automattic. So as it stands it seems quite unclear who actually has the right to do what as the MIT license requirement is no longer respected by the Automattic editor component:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
– ZZRichTextEditor MIT license

Maybe in the future it would be good not to shoot first and ask questions later. But I guess this is how they do it in Texas.

The only person who has not gotten credit for work is the original creator of the ZZRichTextEditor, Nic Hubbard. If this case moves beyond throwing words on the web, only one thing is for sure: Lawyers will be making a killing off it.

So for sure Open Source licensing continues to be a tricky subject, with keeping in mind that the underlying React library from Facebook has some unclear licensing itself.

UPDATE: Wix has now abandoned their work on the WordPress editor and are focusing on a direct fork of the ZZRichTextEditor: Wix abandons WordPress GPL editor fork in favour of original MIT library

WordPress Calypso and GraphQL

GraphQL is a communication protocol that allows web applications to communicate. It is similar to the much hyped REST APIs, but is more uniform and thus more universal. This makes GraphQL usable across CMS products.

Which takes us to the gamble that WordPress and the Automattic corporation behind it have taken with the Calypso initiative. It’s a JavaScript powered shell for the WordPress PHP CMS.

Calypso is heavily built on technologies that come from the world of Facebook, especially the combination of React.js UI library and the Redux Flux architecture implementation.

GraphQL is also a Facebook initiative, so one would think it’s a drop-in-replacement for the WordPress REST API. But currently as of June 2016 the effort is in so much work that there are no visible signs of WordPress Calypso for taking GraphQL into use.

Instead WordPress continues to utilise it’s own communications library, WPCOM, that uses a custom version of the REST API that is currently only available to users of the proprietary hosted WordPress.com content platform similar to Medium.

In the future WordPress may well choose to go with GraphQL, but it using Facebook technologies does not guarantee this as the communication layer is separate from the UI. In addition it’s worth noting that the WordPress REST API itself is not progressing as smoothly as it could.

Mossack Fonseca trusted WordPress

An incredibly large number of WordPress sites run a large parts of the web. From one hobby blogs to code boutiques to enterprise blogs, everyone is running an own copy of this popular Open Source blogging platform turned Content Management System.

The problem with WordPress is not that it’s inherently insecure, it’s just that it’s become so very popular that it’s become a tempting target for hackers to exploit. The codebase dating from the early 2000’s does not help. Neither do the thousands of the amateur level plugins people blindly install to create the functionalities they want to their site.

This issue has been largely ignored by many audiences, even if their site keeps getting all kinds of “skulls and crossbones” popping up in the admin every once in a while. If it’s a marketing site that you’re running it may seem like a reasonable compromise that you need to handle for a free Open Source product and cheap custom implementation. With nonexistent maintenance.

But WordPress and other similar tools are now widely employed in all kinds of environments. Usually the hacks don’t yield much damage for individual site owners as it’s much more beneficial for the attackers to use them for Distributed Denial of Service attacks (DDoS) than deface them.

In some cases such a vulnerable WordPress installation can lead to massive information breaches. This seems to be the case for Mossack Fonseca, the company that suffered from the largest information leak in history:

Maunder said his team assessed Mossack Fonseca’s IP history and discovered that the firm’s website IP was on the same network as its mail servers. The law firm’s website was wide open until a month ago and would have been “trivially easy” to exploit, he wrote on Wordfence.com, in a security update.
– Pros examine Mossack Fonseca breach: WordPress plugin, Drupal likely suspects

In this case tax evasion information was a juicy bit of information to leak out. But imagine, if hackers can attack such an organisation. What’s stopping them from using an insecure installation at some of the establishment that you trust with your private data like medical records or something.

Not long ago Ashley Madison, a dating site for example leaked large amounts of information that was very sensitive and harmful to many individuals. The minimum you should do in the future when deploying WordPress is to understand the dangers of blindly collecting a number of plugins and leaving your WordPress installation unmaintained.