14 Sep

Astra Falsely Claims That Minor Vulnerabilities in Contact Form 7 Lead To Websites Being Hacked

If you are looking for information on vulnerabilities in WordPress plugins, a common suggestion is to do a search for them, like this recent one from a moderator of the WordPress Support Forum:

Do a search for any known vulnerabilities in the plugin. If any exist for old plugins, they should be well known by now.

Beyond the fact that there are many vulnerabilities in old plugins that have yet to be found, because people are not doing extensive security reviews of every plugin out there (unfortunately the moderators of the forum don’t seem interested in keeping their advice to things they have factual backing for), the results of such a search will lead to a lot of inaccurate information. While looking into something related to a recent vulnerability in the plugin Contact Form 7 we ran across an article from a security company named Astra, which shows that at work. What was striking was the claim at the top of it, “Your site is probably hacked”:

That is simply false.

Their whole article looks to be written by someone who doesn’t really understand what they are talking about, which makes it hard to decipher what it is trying to claim if you actually understand the topic, but some parts are easy enough to decipher as being false.

The most important part in understanding that this company doesn’t understand what they are talking about (while claiming to be security experts), much less knows that any websites have been hacked due to the vulnerability they are discussing, is this portion of their article:

WordPress allows multiple user roles as contributors, editors, subscribers, authors etc. Due to this vulnerability a user logged in as a contributor can edit the content form, a feature which is presently the privilege of editors and admins only. This vulnerability is more severe than it seems because of the two features of the contact form 7:

  1. Contact Form 7 allowed absolute file path i.e. /host/home/somefile.pdf. Thus with the ability to edit the form the attacker could access files outside wp-content.
  2. ‘Filetypes’: A non privileged user can tweak the feature filetypes i.e. (filetypes: gif|png|jpg|jpeg) to include files like .php, .asp etc. i.e (filetypes: php|asp) and obtain reverse shells.

Possible Consequences of Privilege Escalation in Contact Form 7

Thus the attacker can put the file type of his choice in the wp-contents directory and obtain a reverse shell paving way for further attacks. As a temporary solution, Takayuki Miyoshi the author of this plugin has disallowed file path that refers to a file placed outside the wp-content directory. Many users have started to complain about file attachment errors on the support forum of contact form-7. To stay secure update to the latest version and Move your files to <your WordPress root>/wp-content/ and replace the line in the File Attachments fields accordingly.

What those vulnerabilities could actually be used to do is very different from what is described there. One of the vulnerabilities apparently allowed lower level users access to a capability that they were not intended to have, as mentioned above. But as we described in our post detailing the other vulnerability, the second one would allow anyone with that capability to view the contents of arbitrary files. It doesn’t have anything to do with uploading files to the website. Making the whole thing more head scratching, restricting the uploading of malicious files to wp-content wouldn’t stop them from being exploitable, so if you believed what they believed was allowed before, there would still be an issue with the plugin (even if you placed restrictions on running files using a .htaccess file in that directory, that could be overwritten with a .htaccess file that doesn’t have that restriction).

They Don’t Know How Websites Are Hacked

That isn’t a one-off issue. In looking over their website a recent blog post stood out to us, since it seems to be written by someone who doesn’t know how websites are getting hacked, despite the company providing hack cleanups and claiming to be able to protect websites from being hacked, so they should be well aware of how websites are being hacked.

The post is titled “10 Joomla SQL Injection Vulnerabilities that Could be the Cause of Your Hacked Joomla” and it starts with this claim:

Joomla is one of the largest and the most popular content management system which is open source. Joomla has a large user base, and the popularity has brought the service under the notice of attackers and malicious programmers. Attackers often target this service since the users store a huge amount of data on their servers. Hackers often launch a Joomla SQL injection attack on accounts that have certain vulnerabilities. Any vulnerability will lead to a huge leak of data which would benefit the attackers. At Astra such attacks and hacked Joomla accounts are common. Any breach in the system can cause potential havoc for customers and their businesses. If you are a user then identifying an attack or vulnerability is very important. However, if your account is hacked, then the first step is to identify the attack. Identifying the attack will enable you to find the vulnerability and plug it. To help you with this, the following vulnerabilities might be a probable cause for your hacked account.

Almost none of that is true. Only a few variants of SQL injection vulnerabilities are likely to be exploited on the average website, so claiming that hackers “often” launch attacks against that type of vulnerability is untrue. It is telling that their idea of how to identify the source of a hack isn’t, say, looking at the HTTP logs, which in the case of exploitation of a Joomla extension would show evidence that it was the source, but checking whether you have a vulnerable piece of software on the website. The reality is that the vast majority of vulnerabilities we see disclosed in web software are not likely to be exploited on the average website, so doing that is likely to lead you off in the wrong direction, especially if, like this company, you don’t even understand what the potential impact of a vulnerability is.
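As an added illustration of the approach argued for above, reviewing the HTTP logs for evidence of exploitation rather than guessing from which software is installed, the following Python script is an example written for this post; it is not code from the original article or from Astra. It parses Apache combined-format access log lines, decodes the query string of each request, and flags requests to a Joomla component whose parameters carry SQL syntax, then summarises which client probed which component. The log lines, the IP addresses and the component name com_example are constructed for the example; com_contact stands in for an ordinary, benign request.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format; the hosts, the
# component name com_example and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2018:12:00:01 +0000] "GET /index.php?option=com_contact&view=category&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2018:12:00:07 +0000] "GET /index.php?option=com_example&view=items&id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 312 "-" "python-requests/2.18"
203.0.113.9 - - [10/Sep/2018:12:00:09 +0000] "GET /index.php?option=com_example&view=items&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "python-requests/2.18"
198.51.100.2 - - [10/Sep/2018:12:01:15 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "request line", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# SQL syntax that an ordinary visitor never puts into a query parameter.
SQLI_RE = re.compile(
    r"\bUNION\b\s+(ALL\s+)?SELECT\b"      # row-joining probes
    r"|\b(SLEEP|BENCHMARK)\s*\("           # time-based probes
    r"|'\s*(OR|AND)\b"                     # quote breaking out of a string literal
    r"|--\s|/\*",                          # comment markers used to truncate a query
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes one layer of percent-encoding; a second unquote catches
    # double-encoded values that scanners sometimes use to slip past naive filters.
    rec["query"] = {
        name: [unquote_plus(v) for v in values]
        for name, values in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def find_suspicious(log_text):
    """Return one finding per request whose query parameters carry SQL syntax."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Joomla routes requests to extensions through the "option" parameter.
        component = rec["query"].get("option", [""])[0]
        hit_params = sorted(
            name for name, values in rec["query"].items()
            if any(SQLI_RE.search(v) for v in values)
        )
        if hit_params:
            findings.append({
                "ip": rec["ip"], "ts": rec["ts"], "component": component,
                "status": rec["status"], "params": hit_params,
            })
    return findings


def summarise(findings):
    """Count flagged requests per (client, component): which extension was probed, and by whom."""
    return Counter((f["ip"], f["component"]) for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} -> {f['component']} via {','.join(f['params'])} (HTTP {f['status']})")
    for (ip, comp), n in summarise(hits).items():
        print(f"{ip} sent {n} suspicious request(s) to {comp or '(no component)'}")
```

On the sample above this reports two requests from one client against com_example, and nothing for the ordinary com_contact request or the POST to the administrator login. The pattern list is a triage filter, not proof of compromise: a flagged request with a 500 status is worth looking at, but the next step is to compare the timestamps against file modification times and against the requests that followed from the same client, which is the evidence that tells you whether an extension was actually the way in.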

Something else stood out to us from that. Most of the entries listed start with something like this:

Immediate Fix: Update to version greater than 2.x.x or Use Astra

or this:

Immediate Fix: Update to the latest version or use Astra

But for the only vulnerability they list as not being fixed they state this instead:

Immediate Fix: Remove the plugin since no update is available.

So they apparently only provide protection if the developer of the software has already fixed the issue, in which case what is supposed to be the additional value of their protection service over doing the security basic of keeping your website’s software up to date? On their homepage they claim to provide “360° real-time website protection”, which, based on that, they clearly don’t.

Why Are They Lying About Being At Least Partially Based in India?

In looking over these guys something seemed odd to us. If you look at the homepage they have a photo of the Golden Gate Bridge, which is located in San Francisco, California:

In the footer of the website is the claim that “Made with heart in” the USA, France, and Germany:

Yet other things we saw point to them being at least partly based in India. The whois record for the domain lists the registrant as being in Noida, India. If you check some of the search results for the company or their parent Czar Security, the presence seems even clearer, including the CTO being based in India, despite that being someone who would seem to be intimately involved in making the service.

On their contact page they list their US address as being in Newark, New Jersey, which is 3,000 miles away, completely across the country from the Golden Gate Bridge, and looks very different from it. While they suggest “Come over, coffee on us!” above the addresses, it looks like that address is a mail drop, which seems less than honest.

We don’t know why they would lie about this, but it seems to be a good indication that you can’t trust other claims they make, considering that it isn’t well hidden. It really speaks to how fundamentally terrible the security industry is that obvious lies are so rampant in a business that is so trust based.

These Companies Have No Connection to Astra

Inaccurate claims abound even on the homepage. For example, they have this claim:

That seems impressive, since we would read it as meaning that they have employees who previously worked for those companies handling security, but in reality it just means that their employees had, prior to being involved in the company, reported some vulnerability to those companies:

They have received acknowledgements from various global companies on multiple occasions for pointing out security issues in their web portals. These companies include Microsoft, Yahoo, Adobe, Mediafire, IMDb, University of Sydney, AT&T, Bufferapp and Blackberry. They also donated the Bounty amount to Palestine Children’s Relief Fund.

Being able to find random vulnerabilities on websites and actually being able to fully secure high profile websites are very different things, and if the latter were as easy, security wouldn’t be in such bad shape. The lack of basic understanding of security that the articles we mentioned indicate about this company is something we often find from people in the security industry who are more script kiddies than security professionals. Unfortunately they often have an easy time selling companies on products and services of limited, at best, value, helping to lead to security being in such bad shape.

They Rely On Someone Else For Security

What seemed more notable in the domain name registration is that they are running their own website through a competing security service, as the name servers are Cloudflare’s:

Name Server: chris.ns.cloudflare.com
Name Server: sue.ns.cloudflare.com