Category Archives: PHP

Critical PHPMailer & SwiftMailer Security Updates

Although the PHPMailer vulnerability was posted to our Script Security Forum a couple days ago, the widespread and critical nature of these warrants a post here as well. PHPMailer and SwiftMailer are both libraries used for sending emails. A very large number of scripts use one of these two libraries, including WordPress, Drupal, SugarCRM, Joomla and many others. Both libraries contain similar remote code execution vulnerabilities that can be exploited under certain circumstances.

It is very important that you make sure all instances of these libraries are updated. This will, unfortunately, be difficult to pinpoint in some cases since many plugins also include these libraries. Every core script, plugin and theme that you use should be investigated to determine whether or not these libraries are included and require updating.

All instances of PHPMailer must be updated to 5.2.21 or higher, which can be downloaded here.

All instances of SwiftMailer must be updated to 5.4.5 or higher, which can be downloaded here.

This would also be a good time to examine your plugins and themes to make sure they are all being actively maintained. As a general rule, if they haven’t received any updates within 6 months you should be concerned. If they haven’t received any updates within the past year, they probably shouldn’t be used at all.

The ongoing use of abandoned projects are one of the bigger risks that face websites like those powered by WordPress. While such a plugin may appear to be all good and up-to-date from within the WordPress admin panel, the developers may not have touched it in years and the project page may no longer even exist. As such, a regular audit of these is a very good idea and in general you should stick to more popular options when possible.

If you run into any issues with updating or have any questions please feel free to post a comment here, post on our forums or submit a ticket via our portal.

Feature Spotlight – PHP Selector

As we get close to completing all of our server upgrades, I wanted to go ahead and quickly highlight a feature that is available on the new servers. We’ve permitted clients to change the version of PHP that their site uses for many years now but this has always required a modification to the domain’s .htaccess file. Although this wasn’t particularly difficult, it has been simplified even further with the inclusion of PHP Selector. PHP Selector is a CloudLinux component that sits on top of CageFS and allows each cPanel user to select their desired PHP version.

Once you’ve logged into cPanel you’ll find the “Select PHP Version” option under the “Software” menu group as shown below.

cPanel PHP Selector 1

Continue reading

Critical Joomla Security Update

On Monday, December 14th, Joomla 3.4.6 was released to address a critical remote code execution vulnerability (CVE-2015-8562) that exists in all prior versions from 1.5.0 through 3.4.5. Hotfixes are also available for the older, unsupported 1.5 and 2.5 branches. It is imperative that you update all Joomla instances immediately. This was a zero day vulnerability that was actively being exploited prior to it having been discovered and patched. As such, it is remotely possible that your Joomla was already compromised.

We posted this to our forums and in our portal on Monday to give our clients a heads up but given the critical nature of this we figured another post couldn’t hurt. At that time we also deployed mod_security rules which we believe to sufficiently protect all Joomla instances hosted by us unless you have specifically disabled mod_security on the domain, which is not the default or recommended. As always, though, it is still important that these latest patches be applied immediately in order to secure your Joomla instances.

If you have any questions or concerns please don’t hesitate to contact us and we hope everyone has a Merry Christmas!

Script Security Updates

As the holiday shopping season has begun it is more important than ever for businesses to make sure their websites are secured against attackers. Staying on top of script updates (plugins and themes included) is one of the easiest and most vital parts of securing your website. We wanted to take a moment to cover a couple of serious updates that should receive special attention this holiday season.

A Joomla update (3.4.5) was released last month to address a critical remote and unauthenticated SQL injection vulnerability that is present in all 3.2+ versions. The severity of this cannot be stressed enough as it can allow attackers complete access to your account. We’ve had mod_security rules in place to block exploitation of this vulnerability since the day it was announced. To the best of our knowledge attackers have been unable to circumvent these rules but it is in your best interest to apply this update immediately if you have not done so already. If for some reason you’ve manually disabled mod_security on your website it remains fully exposed to this vulnerability if it hasn’t been patched and has likely already been compromised in some manner. For this reason we never recommend disabling mod_security. Further details concerning this update can be found here.

Last week a vulnerability in Zen Cart was also announced and has subsequently been patched. This is an arbitrary file inclusion vulnerability that again could allow attackers complete access to your account. Details and patches are available directly from Zen Cart here. Please note that public disclosure of this vulnerability is scheduled for December 16th but since a patch has already been released it wouldn’t take much for attackers to figure out how to exploit the vulnerability, if they haven’t already. All Zen Cart users should patch their instances immediately.

As always, we will continue to stay on top of these critical vulnerabilities and address them as possible or necessary. If you have any questions please feel free to submit a ticket via our client portal and we’ll gladly assist in any way that we can.

Coming Soon: Server Upgrades

With many hosts your account will remain on a particular server until it fails in some way or another. That’s not the way we do things here at Dathorn. We like to be proactive with upgrading or replacing our servers to help avoid failures that happen more frequently as hardware ages. This also gives us a great opportunity to deploy new configurations, operating system versions, etc. so that we can continue adding value to our services.

Over the next several months we will be going through this process once again. All of our existing shared and reseller hosting servers will be upgraded by means of migrating to a new server. You will receive a ticket notification via our client portal once your particular server has been scheduled. Aside from announcing this I wanted to quickly highlight some of the more important changes that will take place as a part of these migrations.

First up are the hardware changes and the most important of these concerns the local storage. Over the past 13 years we’ve gone from SATA storage to SAS drives to our current hybrid SSD / SATA arrays. Now we’re very excited to be migrating to pure SSD storage. All servers will be utilizing new 12Gbps LSI RAID controllers with a minimum of six 1TB SSDs in RAID 10. The performance that we’ve been able to get from these new systems is simply amazing. While other providers may charge extra for (or not even offer) such high speed storage, all of our clients are being upgraded to it free of charge.

Continue reading

Behind the Scenes: Shellshock & PHP 5.4

Here’s another quick update on what’s been going on here behind the scenes at Dathorn. As you may have heard, critical bugs were discovered in the popular Linux shell, bash. This event, dubbed “Shellshock”, started to publicly unfold about two weeks ago.

shellshock-bugThe details of these vulnerabilities can be a bit difficult to follow given the number of different patches that were posted. It even required a few quick, consecutive updates from some Linux distributions just to get it right. It seemed like each time a new patch was released someone else was able to poke holes in it, finding new methods to exploit and turning bash into a bit of swiss cheese. Continue reading

MySQL 5.5, PHP Updates & Zend Guard Loader

I know it has been a little while since our last post so I wanted to go ahead and post a quick update about a few things that have been happening behind the scenes here.

MySQL 5.5

For many of our clients, MySQL is a vital part of their website whether they realize it or not. Most scripts that our clients utilize depend on MySQL in order to function whether it be WordPress, Joomla, Magento, or any number of other scripts. Because of this, any changes concerning MySQL must be planned and tested thoroughly before hand to help make sure that as little service interruption occurs as possible.

We had long been running MySQL 5.1 without issue and although MySQL 5.5 had been out for some time, we opted to hold off on upgrading as a precaution. Without any dire reasons for needing to upgrade, such as patching bugs or vulnerabilities, we opted to take our time testing the deployment and planning it as best we could. We have been slowly performing these upgrades over the past month or so and on Saturday morning we completed the final upgrade of the last remaining server from MySQL 5.1 to 5.5. Continue reading