Database login credentials susceptible to leaking on shared hosting servers

Apr 12, 2010 13:44 GMT  ·  By

The reason for a recent mass compromise of WordPress blogs hosted at Network Solutions has been tracked down to a file permission issue. Experts suggest that WordPress' method of storing database login credentials is insecure for shared hosting setups.

Late last week, Sucuri Security Labs, a developer of Web-based integrity monitoring solutions, reported that hundreds of WordPress-based blogs had fallen victim to an unusual attack involving unauthorized database access. The company said that all of the compromised blogs were hosted at Network Solutions, a claim later denied by representatives of the hosting provider.

According to a follow-up by Sucuri, Network Solutions' investigation into the matter revealed that the problems resulted from improper permissions being set for the critical wp-config.php file that contains database login credentials. "This configuration file should only be read by Apache, but some users (well, lots of users) left it in a way that anyone could read it (755 instead of 750 in Linux slang)," Sucuri's David Dede explains.

This oversight allowed an ill-intentioned individual with a hosting account on the same Network Solutions server to attack his "neighbors" with automated scripts. He most likely first identified WordPress blogs whose wp-config.php was readable by other local users, then harvested the database credentials from those files, and finally used them to write attacker-controlled content into the "siteurl" database field.

Meanwhile, Denis Sinegubko, creator of the Unmask Parasites website analysis service, argues that the issue goes far beyond simple human error and describes it as a WordPress design flaw: wp-config.php can only be protected through restrictive file permissions (chmod 640), and that protection only works on certain server setups.

"Unfortunately, this trick will only work on servers with suPHP. On other servers where web server executes PHP scripts with its own rights, this trick will complete [sic] break WordPress blogs […]. This means that WordPress blogs on most shared servers are vulnerable to this sort of attack," Mr. Sinegubko writes.
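The audit script below is an added example, not code from the article, Sucuri, Unmask Parasites or WordPress. It walks a shared-hosting tree, lists every wp-config.php whose "other" read bit is set (the 755-instead-of-750 mistake above), reports which DB_* constants such a file would hand to a neighbour, and tightens the mode to 640. The directory layout, file names and the GNU coreutils flags (stat -c, find -perm -o=r) are assumptions about the hosting box; the comment on harden_wp_config carries Mr. Sinegubko's caveat that 640 only helps where PHP runs as the file owner.

```shell
#!/bin/sh
# Added example (not from the article or WordPress): audit a shared-hosting
# tree for wp-config.php files readable by other local users and tighten them.
# Assumes GNU coreutils/findutils (stat -c '%a', find -perm -o=r).

# Print the "other" digit of a file's octal mode, e.g. 5 for 755, 0 for 750.
other_mode() {
  mode=$(stat -c '%a' "$1") || return 2
  printf '%s\n' "${mode#"${mode%?}"}"   # last octal digit = permissions for "other"
}

# Succeed when any local user can read the file (read bit, value 4, in "other").
wp_config_exposed() {
  o=$(other_mode "$1") || return 2
  [ $(( o & 4 )) -ne 0 ]
}

# List every wp-config.php below $1 that is readable by "other", one per line.
audit_wp_configs() {
  find "$1" -type f -name wp-config.php -perm -o=r | sort
}

# Number of exposed files below $1 (suitable for a cron alert threshold).
count_exposed() {
  audit_wp_configs "$1" | wc -l | tr -d ' '
}

# Show what a neighbour could harvest from a readable file: only the names of
# the DB_* constants defined in it, never their values, so the audit output
# is not itself a credential leak.
exposed_db_keys() {
  grep -o "define *( *['\"]DB_[A-Z_]*['\"]" "$1" \
    | sed "s/.*['\"]\(DB_[A-Z_]*\)['\"]/\1/" \
    | xargs echo
}

# Drop "other" entirely: owner read/write, group read.
# Caveat from the article: 640 only closes the hole where PHP runs as the file
# owner (suPHP, per-user php-fpm pools). Under mod_php every tenant's script
# runs as the same Apache user, which must be able to read the file, so a
# neighbour's PHP can still read it and no mode alone protects the credentials.
harden_wp_config() {
  chmod 640 "$1" && ! wp_config_exposed "$1"
}
```

Run audit_wp_configs against the parent of the customer home directories (for example /home) as a user that can traverse them; anything it lists is readable by every other account on the box, and on a mod_php server the real fix is moving tenants to a per-user PHP execution model rather than only changing modes.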

It is worth mentioning that the problem is not specific to WordPress: any Web application that stores database login credentials in a plain-text configuration file is exposed to the same kind of "neighborhood spying" when deployed in a shared hosting environment.