Updated: 13-01-22

Patchstack Weekly, Week 02: Unpatched Vulnerabilities & Supporting Open Source

Robert Rowley
from patchstack

Welcome back to the Patchstack Weekly security update! This is Episode 6, released in the 2nd week of 2022. This episode focuses on two main topics: the disclosure of unpatched vulnerabilities, and supporting open source.

In this week's session, we will cover a WordPress plugin that patched a critical authenticated remote code execution bug.

We will also cover a major disclosure by the Patchstack Red Team, which identifies dozens of themes that share the same vulnerable code, with no patch available for any of them.

Finally, I will talk about an open-source developer who protested against the abuse of their time by large companies that use their projects at no cost.

Giving back to open source projects will be the topic of this week's knowledge share. I discuss the importance of supporting open source projects and how to get started.

Vulnerability news

PHP everywhere RCE

This week, the WordPress plugin "PHP Everywhere" received a patch that addressed an authenticated code execution vulnerability.

Users with contributor or higher access levels could inject PHP code that would then be executed by the web server. Even if PHP is everywhere, you don't want contributors executing it.

This vulnerability was found by Patchstack's very own Vlad Visse and reported to the developer a few weeks ago. After some back and forth, the developer agreed to issue a patch.

Users of the PHP Everywhere plugin should be sure to update this plugin to the most recent release.

This update may require running an Upgrade Wizard that the developer included to fix some backward compatibility issues related to this security patch, so please be sure to set aside some time to get this plugin updated.

Vulnerability backlog

I have mentioned in the last few weeks that Patchstack has a backlog of unpatched vulnerabilities in dozens of WordPress themes. This week we began releasing details on the affected themes.

More details are available on our blog, but the TL;DR version of the story is that the developer never issued a patch and was unresponsive to our staff for over a month. We notified the WordPress Themes repository volunteers, and the themes have been removed.

Site owners running any of these insecure themes should be looking to manually patch (we can help), virtually patch, or find a new theme for their website.

Open source developer gone rogue

This week, the developer of the popular NPM libraries faker.js and colors.js pushed a release that disabled the functionality of their libraries, in protest of the organizations that used those open-source libraries for profit.

The developer had publicly stated they did not wish to continue supporting Fortune 500 organizations with free work.

There are always multiple sides to a story. In this case, many people believe the developer was too harsh. I can see that his update caused web applications relying on these libraries to break.

On the other side of things, I can also see how frustrating it can be for open source projects to not receive the support they need to continue operating, while corporations with funds to spare that use those projects act like Ebenezer Scrooge. These projects need support to thrive, not only monetarily but through the community as well.

This concern, the importance of supporting open-source projects, is a perfect topic for this week's knowledge share.

Weekly Knowledge

Open-source code stewardship

The value of open-source projects cannot be overstated. I am comfortable saying that every individual who engages with technology has certainly benefited from open-source technology, either directly via websites or mobile devices, or indirectly via the businesses or services that use open source. The world has embraced open source and is better off because of it.

At the helm of these projects are typically individuals: the developers. These developers are sometimes called benevolent dictators, but I prefer to call them shepherds of their projects. Shepherd fits better, especially for smaller or humbler projects. The leaders of these projects are like a shepherd to a flock: they are responsible for guiding the project in the right direction and protecting it from harm.

We should not forget to support the open-source developers themselves. They are people too, and all people face adversities, frustrations, and difficulties in life.

How we handle these struggles in our own lives is how we become better as individuals, but along a similar line, how we help others who are struggling is how we build a better society.

The open-source disconnect

Open-source repositories like NPM and the WordPress plugins or themes repositories have tens of thousands of open-source projects.

Many of those projects represent thousands of hours of work and effort, and with a click of a button, users can download any component, library, or tool for free. Users trust and expect the code to be safe and functional, and gloss over all of the effort the developers have put into it.

The majority of open-source users download, use, and benefit, but forget to give back. In many cases, a little cash, if funds are available, is an easy way to give back. But there are many other ways to give back to open-source projects, some of which may be more helpful than money. You do not need to be a rich plutocrat to support a project; you can support the people and their projects in many ways.

Know the developers

Supporting projects starts with knowing the project and the developers behind it. Most projects will have a website or at least a social media presence. If you are lucky, they will have a guide on how to contribute and what sort of contributions are needed.

Many larger open-source projects will have a community behind them, normally a forum, IRC channel, Slack, or e-mail list you can join.

These communities are built to give everyone a chance to ask and answer questions, help each other out, give input or just give thanks. Even if you have nothing to give back, you can show support with a simple thank you. Never underestimate the power of a well-timed thank you. It can make a world of difference in someone's life.

Patchstack's contributions

Patchstack is supporting open-source projects in a very specific and unique way. We are building an alliance that brings together open-source developers and security researchers.

These two groups, who sometimes seem at odds with one another, come together when they share the same goal of secure software. The Patchstack Alliance gives the developers access to free security bug reports.

Sure, sometimes they did not ask for the report, but we are willing to go the extra mile by providing guidance and assistance to the developers where we can. This is how we support open source projects, and it is especially beneficial for projects that otherwise could not afford security audits.

If you are interested in practicing or learning more about secure code review, then please consider joining the Patchstack Red Team and help secure more open-source projects on the web.

Supporting Patchstack supports this Alliance, be it through the Patchstack app securing your website, the vulnerability intelligence feed for hosting companies, or a formal secure code review. These products fund many of our no-cost efforts, like speaking at conferences and these Patchstack Weekly updates, which normally include some secure development tips.

Whichever product you choose, by supporting Patchstack you are also supporting an Alliance between security researchers and open-source developers: an alliance that brings together people of differing backgrounds, from all across the globe, with one shared goal of improving security. This effort allows users to continue trusting that the open-source projects they rely on are safe.

Thanks and appreciation

This week's thanks go out to the WordPress themes team, who took action based on our report to remove the unsafe themes until they receive a patch. Thanks also go out to the PHP Everywhere plugin developer: thank you for putting in the extra effort to get that security concern patched.

Thanks are also extended to Lenon Leite and Vlad Visse and the rest of the Patchstack Red Team. Keep up the awesome work of finding and reporting insecurities in open-source software.

I will be back next week with more security tips, tricks, opinions, and news on the Patchstack Weekly security update!

Thank you for your time.
