A massive number of websites today are powered by PHP and content management systems like WordPress, Joomla and Drupal. These sites come with plugins to provide functionalities and improve user experience.
However, a large number of such plugins and PHP libraries disable SSL/TLS certificate validation on websites. This leaves websites and their customers open to the risk of a data breach.
This issue was discovered by Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise.
“The issue lies between the webserver and other webservers,” explained Scott to Daily Host News.
“For example, if you submit your credit card number to shopping.example.com and it forwards it to an Authorize.net gateway to process the transaction, if the server-to-server link between shopping.example.com and the ANet gateway isn’t secured with properly-configured HTTPS, attackers between the two sites can slurp up credit card numbers. This attack would be completely invisible to end users, too.”
He said that websites use many of these plugins and libraries to establish connections to the servers of payment providers. These servers handle financial transactions and transmit confidential user data such as credit card details.
“This exposes you to extremely trivial man-in-the-middle attacks. All the intercepting proxy needs to do is offer a self-signed certificate and PHP will just trust it,” wrote Scott, in a blog post.
The issue lies in the way the creators of these plugins and PHP libraries configure their code, especially the cURL options. cURL is used to transfer data between remote servers; plugins and PHP libraries rely on it for several purposes, such as downloading, sending and uploading data to remote servers.
Code like the following appears in PHP files that use the cURL extension:
- curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
Scott discovered that the developers of these plugins and libraries set these cURL options to false rather than true in their code.
“If you disable this check, you’re opting out of the Certificate Authority infrastructure, which means you’ve elected to blindly accept self-signed certificates,” added Scott.
The developers set these options to false to avoid certificate-related errors on their customers' servers, since users might abandon a plugin that causes errors on their servers. Hence, the developers unknowingly disable SSL validation.
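For contrast, the misconfiguration described above placed next to a hardened equivalent for a server-to-server request. This is an added example, not code from the article, from the affected plugins or from Certainty; the gateway URL and the CA bundle path are placeholders, and failing the request on a verification error is the behaviour a payment integration should have.

```php
<?php
// Added example (not from the article, the plugins or Certainty).

// INSECURE: the pattern found in the plugins. Any certificate, including a
// self-signed one presented by an interposed proxy, is accepted.
function insecureHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false); // hostname never checked
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // CA chain never checked
    return $ch;
}

// HARDENED: peer verification on, hostname check on (2 is the value to use;
// `true` would be cast to 1, which modern cURL no longer supports), and an
// explicit CA bundle so the request does not silently depend on whatever trust
// store the webserver happens to have. $caBundle is an assumed path.
function hardenedHandle(string $url, string $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse a downgrade to http://
        CURLOPT_RETURNTRANSFER => true,
    ]);
    return $ch;
}

// Placeholder endpoint and bundle path; substitute the real gateway and cacert.pem.
$ch   = hardenedHandle('https://payments.example.test/charge', '/etc/ssl/certs/cacert.pem');
$body = curl_exec($ch);
if ($body === false) {
    // Fail closed: a verification failure (cURL error 60, "SSL certificate problem")
    // must abort the transaction, not be silenced by turning verification off.
    $err = curl_error($ch);
    curl_close($ch);
    throw new RuntimeException('TLS/transport failure, transaction aborted: ' . $err);
}
curl_close($ch);
```

If a deployment sees error 60 with the hardened form, the fix is an up-to-date CA bundle on the server (which is what the article's Certainty library provides), never flipping the two options back to false.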
To address the issue, Scott has introduced a new open source software library called Certainty. It keeps the cacert.pem file always up to date, even when the webserver is misconfigured.