A large number of CMS plug-ins and PHP libraries deliberately disable the validation of SSL/TLS certificates, reports ZDNet. This would put millions of Internet users at risk, all the more because many of these plugins and libraries are used to connect to payment service providers, sending sensitive user data or handling financial transactions over those connections.
The security problem was discovered by Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise. The problem lies in how the creators of CMS plugins and PHP libraries configure their code, and in particular a number of cURL options.
cURL is a command-line utility located on all web hosting servers that is used to send data to and from remote servers. It is widely used in the web development community, and many CMS plug-ins and PHP libraries rely on it to download, send and upload data to remote servers directly from the server itself, so there is no need to open a browser session for each connection. cURL supports a variety of protocols, including HTTP, FTP, SMTP, POP3 and LDAP.
For example, if a WordPress plugin handles financial transactions using Payment Process #46, it uses cURL connections in the background to upload the credit card details to the payment provider’s servers. These are usually cURL connections over HTTPS, where cURL also handles the validation of the server’s SSL/TLS certificate. That validation is the crucial step that confirms the plugin is talking to the legitimate HTTPS server.
However, Arciszewski discovered that the developers of many of these plugins and libraries switch off cURL’s security checks when cURL is used to download or send data over HTTPS. With certificate validation disabled, the HTTPS connection is weakened: an attacker who can intercept the traffic can make the website download data from, or send its data to, a rogue server posing as the legitimate one. And because the checks are turned off, the website itself raises no alarm.
Solution
Arciszewski has also found a solution to the problem. The main reason so many projects disable the cURL checks is that, when enabled, they produce scary security-related errors on customers’ servers. To get rid of those alarms, the checks are simply deactivated.
The errors appear because cURL validates the certificates of remote HTTPS servers against a list of known, trusted SSL/TLS certificates. Not every web hosting service has that list, however, and many store it in a different location on the server, so the cURL settings in CMS plugins and PHP libraries cannot be configured to find it reliably.
Arciszewski has therefore created his own PHP library called Certainty, which regularly downloads that file from the cURL website and hosts it itself, so websites always have an up-to-date list of trusted certificates. The library can be included in your own projects, after which the cURL checks can be turned on without security alarms appearing.
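As an added illustration (not code from the article, ZDNet or the Certainty project), here is the weak cURL configuration the article describes beside a corrected one that keeps verification on and points cURL at a CA bundle the site controls. The endpoint and bundle path are made-up placeholders, and the Certainty call mentioned in a comment is quoted from memory of that library’s README rather than from this article.

```php
<?php
declare(strict_types=1);

// The misconfiguration the article describes: chain and hostname checks are
// switched off so the "scary" CA bundle errors disappear. Anyone who can
// intercept the connection can now impersonate the payment provider.
function insecureHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // certificate chain is not checked
        CURLOPT_SSL_VERIFYHOST => 0,     // hostname is not checked
    ]);
    return $ch;
}

// The corrected configuration: verification stays on and CURLOPT_CAINFO points
// at a bundle the site keeps itself, so a missing or misplaced system bundle no
// longer produces errors. $caBundlePath is wherever the site stores its copy of
// curl's cacert.pem; with Certainty this would be the path returned by
// (new RemoteFetch($dir))->getLatestBundle()->getFilePath() (API from memory).
function secureHandle(string $url, string $caBundlePath)
{
    if (!is_readable($caBundlePath)) {
        throw new \RuntimeException("CA bundle not readable: $caBundlePath");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,  // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST  => 2,     // verify the hostname matches the cert
        CURLOPT_CAINFO          => $caBundlePath,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // never fall back to plain http
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // nor follow a redirect to it
    ]);
    return $ch;
}

// Fail closed: a verification error is a reason to abort the transaction,
// not a reason to relax the options.
function postJson($ch, array $payload): array
{
    curl_setopt_array($ch, [
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => json_encode($payload),
        CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new \RuntimeException('TLS/transport failure, aborting: ' . curl_error($ch));
    }
    return json_decode($body, true) ?? [];
}

// Usage with placeholder values (constructed, not a real provider):
// $resp = postJson(secureHandle('https://payments.example.invalid/charge', '/srv/ca/cacert.pem'), ['amount' => 100]);
```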
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.