Category: White Fir

Nov 24 2014

Magento Adds PHP 5.5 Support with Magento 1.9.1.0

Our previous posts about using Magento with PHP 5.5 continues to be one of our most visited posts, so there are sure to be lots of people interested to hear that with the release of Magento 1.9.1.0, Magento now officially supports PHP 5.5.

Magento continues to be rather slow in supporting new versions of PHP, as it took 17 months after PHP 5.5’s release for support to be added, but that was improvement from the 23 months it took for PHP 5.4 support to be added. PHP 5.6 was released at the end August, so they are still not up to date, but at this point we haven’t dealt with any one looking to use Magento with PHP 5.6, so it doesn’t seem to be much of an issue yet.

If you are need of a Magento upgrade to support PHP 5.5 or take advantage of the other new features, including security enhancements, in 1.9.1.0 we can take care of that for you.

Nov 13 2014

GoDaddy Distributing Software With Known Security Vulnerabilities

Oftentimes when a website is hacked the web host will blame the hack on outdated software running on the website. From our experience they often do this without any evidence to back that up and in some cases they obviously haven’t even checked if the website is running outdated software since the website in question was using up to date software at the time of the hack. Based on that you would think that web hosts would be very careful when distributing software to their clients that they make sure that it is up to date, but as we keep seeing that isn’t the case. The latest example this came up while we were looking into GoDaddy’s bad response to the Drupal 7 vulnerability. We noticed in their Hosting Connection, which they say has been used to install 6.9 million apps, that they were still installing Drupal 7.32:

GoDaddy's Hosting Connectin is installing Drupal 7.32

Drupal 7.33 was released last Friday and includes “numerous bug fixes”. Since the new version didn’t include any security fixes it wasn’t a huge issue that they hadn’t updated the version they installed yet. But then we started looking at the version of other software they were offering and things got much worse.

They are still installing Joomla 2.5.14:

GoDaddy's Hosting Connectin is installing Joomla 2.5.14

 

That version is now a year out of date, the next version was released on November 6, 2013, and GoDaddy hasn’t updated their Joomla version despite there having been four subsequent releases with security fixes (2.5.1.5, 2.5.19, 2.5.25, and 2.5.26).

Joomla is among the software GoDaddy lists as being the five most popular in the Hosting Connection and unfortunately isn’t the only one where they have failed to keep up with security updates. They are currently installing Simple Machines Forum version 2.0.6:

GoDaddy's Hosting Connectin is installing Simple Machine Forum 2.0.6

Version 2.0.9, which was released over a month ago, addressed “several security issues” and the developers recommended “that you update your forums immediately to ensure that your community is safe”.

Looking at other software we work with frequently we found more problems. GoDaddy is still offering MediaWiki 1.21.1:

GoDaddy's Hosting Connectin is installing MediaWiki 1.2.1.1

Support for the MediaWiki 1.21.x series ended back in June, so GoDaddy should have switch to a newer series by that point. Before that though they failed to update for any of the nine security updates (1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.21.6, 1.21.8, 1.21.9, 1.21.10, and 1.2.11) released for the 1.21.x series.

Next up, GoDaddy is still offering OpenX despite it being re-branded as Revive Adserver over a year ago:

GoDaddy's Hosting Connectin is installing OpenX 2.8.3

The version they are offering is nearly five years out of date, the next version was released in January of 2010, and they fail to update for the last eight security updates (2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 3.0.0, 3.0.2, and 3.0.5).

For Moodle they are still providing Moodle 1.9.19:

GoDaddy's Hosting Connectin is installing Moodle 1.9.19

That was the last release of the Moodle 1.9.x series, for which support for security fixes ended entirely last December. Anyone unlucky enough to install this version and start using it now would discover they will have a lot of work to get it to a supported version as the upgrade from Moodle 1.9.x to 2.x is a major one and they will have to do at least two upgrades as you have to an intermediate upgrade 2.2.x before getting to a supported version.

GoDaddy’s Partnership with SiteLock

It gets worse from there, while GoDaddy is putting their client’s websites at risk they then want to sell them additional service to “Defend your website against hackers.”, which is done in partnership with SiteLock. We would ask how it is that SiteLock hasn’t informed them about the issue with outdated software but our past experience is the SiteLock doesn’t do the basic security check of making sure the software on a website is up to date, which would expect from a company that GoDaddy says provides the “most advanced and complete security solution available”, or make sure that software gets updated when they clean up a hacked website.

Nov 12 2014

GoDaddy’s Bad Response to the Drupal 7 Vulnerability

Back on October 15, Drupal released Drupal 7.32, which resolved a highly critical security vulnerability that existed in prior Drupal 7 versions. Unlike security vulnerabilities that have been fixed in recent years in Drupal and other major software, this vulnerability was easily exploitable. By the next day we were seeing attempts to exploit the vulnerability and we have been seeing a steady pickup of people contacting us about cleaning up their hacked Drupal websites, which were hit due to this. The speed and scope of the exploitation points to the need to improve how security vulnerabilities are handled in Drupal and more broadly.

Since making software that is completely free of vulnerabilities is next to impossible the best solution for this type of situation is to introduce an improved upgrade mechanism, like the one in WordPress. Starting with WordPress 3.7, security updates are automatically applied without requiring any user intervention. Checks for new versions are normally done every 12 hours and the WordPress server can instruct them to happen more frequently ahead of a planed update, so within a day most websites will have the security update applied. Not only does this protect those websites, but it makes the remaining vulnerable websites a less attractive target since the success rate of trying to exploit the vulnerability is much smaller (that doesn’t mean that they won’t get hacked though).

In the meantime, getting the word out on the need to update or take remedial as soon as possible is important to lessening the severity of security vulnerabilities. In this case Drupal recommend restoring a backup from before October 15 if you didn’t upgrade right away and every day that passes makes it harder to do that. Web hosts could play an important role in getting the word out. At least some of the largest web hosts already have the capability to detect what software and in some cases what version is in use, so they can inform impacted customer of the situation. GoDaddy has attempted to do this for the Drupal 7 vulnerability, though their implementation leaves a lot to be desired.

Today we have had a number of people contacting us saying that they had just been informed of they needed to upgrade Drupal due to a security issue. Considering that the last security update for Drupal 7 was 7.32 and that was released in the middle of October we were wondering what was causing this. It turns out that GoDaddy has just been letting people know of the vulnerability. While rather late, what was more problematic was what they said in the email.

The first big problem is that based on their email you would think that that is just occurred:

A few days ago Drupal announced a “Highly Critical Public Service announcement” that affects all Drupal users. In short, there’s a major security vulnerability that attackers can leverage against your visitors.

The Highly Critical – Public Service announcement was released back on October 29, not a few days ago. Even before that was released it was widely known that there was urgent need to update as the details of the vulnerability were disclosed with the release of the update on October 15.

The email gets more problematic from there. The beginning of the emails indicates that the required action is updating:

Action required:

Update your Drupal website

Later it says:

It’s extremely important that you update your site immediately to ensure you’re not putting your customers at risk.

At this point if you have Drupal 7 website still running a version below 7.32, that hasn’t been otherwise protected against the vulnerability, you should assume that it has been hacked, so just updating isn’t an appropriate resolution. That isn’t mentioned in the email at all, despite the public service announcement they cite being very clear about that.

Drupal Did Not Recommend This

After reading over this we were curious to see if GoDaddy was spreading this bad information on their website as well. It looks like they only got around to mentioning the issue on November 6, but at least in that case they provided accurate information. Another article linked to from that page those highly inaccurate though. Specifically the section Manually Remove Backdoors, which says:

If you do not have a backup of either your website or database (or both), you must manually remove any backdoors from your Drupal installation.

To do this for you, we offer an Expert Service for $79. With this service, we will perform all of the work for you to make our best effort to remove all backdoors using the procedures identified by Drupal. This service does not guarantee your website is free from compromise, but it is as close to compromise-free as anything can come if your Drupal installation wasn’t upgraded before the first reported compromises or restored from a backup created before Oct. 15, 2015 at 11pm UTC.

To purchase the Expert Service, contact customer support.

You can also manually remove any backdoors yourself using the Drupal-recommended procedure outlined here. This procedure is very complicated and requires an advanced understanding of the technologies Drupal uses (PHP, MySQL) to use effectively. Not all steps listed in the procedure are applicable to shared hosting environments, but completing what you can from this list will provide you the greatest likelihood of removing backdoors from your site.

If you follow the link “the procedures identified by Drupal”, you will find that it isn’t actual something from Drupal. Later GoDaddy links to the same page and describes it as the “Drupal-recommended procedure”, but if you actually look at the page it says “The official recommendation is: Restore from pre-October-15-backups.”. You really have to wonder about a company trying to sell you on an “Expert Service”, for which they don’t have the expertise to actually understand a basic, that is they they are citing something that isn’t actually procedures identified by Drupal or recommend by them.

Nov 03 2014

Drupal 7.32 Usage Reached 24 Percent in Second Week

With a highly critical vulnerability found Drupal 7 versions prior to 7.32 and with Drupal providing data on usage of various versions, a good opportunity to see at what speed websites are being updated when there is a pressing need to do so is available now. Last week we found that in the first week only 12.46% of Drupal 7 websites had been updated to Drupal 7.32. In the second week it has now increased to 23.77%. We should note that it is possible to patch the vulnerability without doing a full upgrade, so not all websites that have not been upgraded are necessarily vulnerable at this point.

drupal-7-usage

Drupal 7.32 usage has now surpassed to 7.31 usage, which was also a security update. What is rather troubling is that 59.28% of Drupal 7 websites haven’t been updated to at least 7.31 despite it being released nearly three months ago.

For those in need of an upgrade we provide one time Drupal upgrades and ongoing upgrades for Drupal 7 (with security updates in a day). You can use our Drupal Version Check chrome extension and Up to Date? Chrome app to keep track of the update status of Drupal websites you manage.