In February, we wrote about a vulnerability on three shared hosting services. Following our Vulnerability Disclosure Policy, we had alerted them about vulnerable permissions on shared drives on their servers. They fixed the problem, making things safer both for their customers and for their customers’ site visitors.
During the past month we noticed the same kind of attacks happening on websites hosted with MelbourneIT (and NetRegistry.com.au, which they own). We were able to verify the same vulnerability on their platform, and we disclosed it to them. We’re happy to say they moved quickly to fix it as well.
A Note on Disclosure and Responsible Vendors
It’s important to note that vulnerabilities are a fact of life in any service, system or software. Finding, confidentially disclosing and fixing vulnerabilities is how our industry works with the information security community to improve the products and services we all use and to keep the public safe. The process that we use is well-established, and widely used by organizations that include Google’s Project Zero.
When we find vulnerabilities and vendors are responsive, you benefit as a customer of those vendors and can know that your vendor reacts quickly to fix security problems and will likely do so long term, keeping you and your data safe.
A disclosure like this is not an opportunity for “vendor shaming” or a witch hunt. All developers who write enough code will write vulnerabilities at some point in their career. Instead, it’s a moment to celebrate responsive vendors and a well-handled incident that left customers and the online community safer.
At Wordfence, we are excited when a vendor works closely with us to fix a vulnerability, and responsive vendors garner the greatest respect from our engineering team.
Customer files on MelbourneIT cloud hosting are housed in a couple of different shared drives, and the directory names follow a set pattern. For example:
As in the platforms we wrote about in February, all of the folders down to /clientdata/apache-www/e/x belonged to the root account, and did not permit directory listing to other users. But they were all world-traversable, and the directories containing the site files were world-readable (along with the files themselves). So any user who knew the full path to a site root directory could list and read the files in it.
For example, a hacker could take over example.com.au. Then, using DNS tools, they could find other WordPress sites running on the same IP address. They might find otherexample.com.au and correctly guess that it was stored in /clientdata/apache-www/o/t/otherexample.com.au/www. Knowing that full path, they could read the wp-config.php file and use the credentials in it to tamper with the database of otherexample.com.au.
As in the previous cases, there was little anyone could do to prevent exploitation. Thankfully, the team at MelbourneIT took the issue very seriously, and moved quickly to fix it. Our disclosure to their security team was on March 6. They notified us on March 14 that they were rolling out a patch, and notified us on March 19 that deployment was complete.
What You Need to Do
If you use the cloud hosting service on MelbourneIT or Netregistry.com.au, use Wordfence to check your site for issues. In particular, there may be rogue administrator accounts created, or passwords changed on existing administrator accounts. The attackers are also adding malicious scripts and cloaked spam into posts and pages. If your site has these issues, we recommend our comprehensive learning center resources to help you resolve them.
We are pleased with the positive impact adding service vulnerabilities to our Vulnerability Disclosure Policy is already having. The hosting companies we have worked with have been generally responsive, deploying fixes to issues that were leaving many WordPress sites vulnerable to hacking.
With the popularity of WordPress today, the security of the WordPress community at large is critically important. We are pleased to see that our new approach is working to support that need and bringing about an improved overall security posture for the community.
Our Security Services Team continues to analyze hundreds of hacked websites each month, so we expect to find more of these on an ongoing basis. We will continue to provide updates here on the blog.
Note: All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.