
Development security: debugging, development logs and utilities

ASAP Lab is a full-stack team of SysOps and SRE engineers providing business solutions for eCommerce websites. Aside from infrastructure setup and monitoring, we focus on information security. Recently, our security team has detected a growing number of attacks on customer sites built on different CMSs, including the CS-Cart platform, which are hosted by Scalesta (our all-in-one managed hosting solution). Fortunately, most attacks were prevented by our experts, who protect online businesses' data against various leaks and hacking attempts.


We carried out an in-depth investigation to identify the common problems and shortcomings in projects that lead to hacking, and came to expected but still very disappointing results. Today we are going to talk about several common problems that stem from one larger issue: a development workflow that is not completely built. Let's take a closer look at the 2 main clusters:

  • leftover log files, debug information, and sometimes even database dumps, most likely left behind through negligence or carelessness; and
  • externally accessible utilities such as Adminer or Git, again the result of a lack of attention to detail or incorrect server configuration.

Naturally, this is only the “tip of the iceberg” and, alas, all of it leads to major security problems. Now let's look at each cluster together, and then don’t forget to show this article to your developers 😉

Available log files and debug information

Sometimes during development, debugging, or improvements on live websites, developers or administrators enable additional logging, for example to error_log or error.log files. At first sight this looks quite innocent, but it can actually lead to a serious security issue: the logs may expose store paths or disclose bug information that can be further exploited.

Files such as phpinfo.php, info.php, i.php and others that output phpinfo() information can reveal more than paths. Because the phpinfo() output includes the cookies sent with the request, in combination with a Cross-Site Scripting (XSS) attack such a page provides access to all cookies (yes, even those with the HttpOnly flag) and, from there, to administrator-level access. And it all starts with simple PHP version information, right?

Externally accessible utilities such as Adminer or Git

An incorrect server configuration can reveal, for example, the project source code, or give access to directories and files that no one should have access to. At all! Let's take a look at Git, a collaborative development utility. If its .git directory exists and is accessible from outside, then with certain knowledge and skills someone can obtain the entire project source code and then look for vulnerabilities, or for access keys if they were added to the project code.

And now let’s move on to the “root cause” of the most frequent leaks: the Adminer utility. It has many vulnerabilities that its vendor has fixed in new versions, but developers and administrators are very reluctant to update it on a regular basis.

In general, an externally accessible Adminer utility (as well as phpMyAdmin and other utilities that allow access to the database), especially in combination with available log files and phpinfo, or even simply an enabled debug mode, can provide an attacker with enough information to exploit such vulnerabilities as CVE-2021-43008 (7.5/10 HIGH), CVE-2021-21311 (7.2/10 HIGH) and CVE-2020-35572 (6.1/10 MEDIUM). In 90% of cases this will lead to access to the database or to a leak.
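
As an added example (not code from ASAP Lab or CS-Cart), the Python script below audits a web root on your own server for both clusters described above: leftover logs, dumps and phpinfo() pages, and database utilities or a .git directory inside the document root. The name patterns, function names and sample tree are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

NAME_RULES = [  # assumed name patterns, not the authors' tooling
    ("log file", re.compile(r"^(error_log|.*\.log)$", re.I)),
    ("database dump", re.compile(r".*\.(sql|sql\.gz|dump)$", re.I)),
    ("database utility", re.compile(r"^(adminer.*\.php|phpmyadmin)$", re.I)),
    ("git metadata", re.compile(r"^\.git$")),
]
PHPINFO_CALL = re.compile(rb"\bphpinfo\s*\(")


def audit_webroot(root):
    """Return sorted (relative_path, finding) pairs for entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            findings += [(rel, label) for label, rx in NAME_RULES if rx.match(name)]
            # phpinfo() pages go by many names (i.php, info.php), so match content.
            if name.lower().endswith(".php") and path.is_file():
                if PHPINFO_CALL.search(path.read_bytes()[:65536]):
                    findings.append((rel, "phpinfo() page"))
        dirnames[:] = [d for d in dirnames if d != ".git"]  # .git itself is the finding
    return sorted(findings)


def build_sample_webroot(base):
    files = {  # constructed sample tree, not taken from any real project
        ".git/config": "[core]\n",
        "var/error_log": "PHP Warning: constructed entry\n",
        "i.php": "<?php phpinfo(); ?>\n",
        "adminer.php": "<?php /* constructed stub */ ?>\n",
        "backup.sql": "-- constructed dump\n",
        "index.php": "<?php echo 'shop'; ?>\n",
    }
    for rel, text in files.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_webroot(build_sample_webroot(tmp)), sep="\n")
```

A finding means the file exists under the document root; whether it is actually served depends on the web server configuration, so each hit should be either removed or explicitly denied there.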

> Yes, we all understand that sometimes developers or analysts might need direct access to a database, but this rather indicates a broken development process. It is better to make changes to the database using the migrations that are available in CS-Cart; for analysts, it’s recommended to make a read-only replica of the database which is closed from the outside and accessible only through an SSH tunnel.


Investigation results

To back up our conclusions, let’s turn to the results of our investigation. The ASAP Lab information security team, together with the CS-Cart team, found that:

  1. Among 100k checked projects, 14% had various kinds of vulnerabilities. 5% of the detected vulnerabilities are critical, and the CS-Cart team will soon contact project owners to fix these vulnerabilities with them.
  2. 71% of all database access utilities are not updated and have vulnerabilities, and 17% of them have critical remote_code_execution and arbitrary_file_read vulnerabilities.
  3. 3% of projects have a .git directory available externally, which indicates an incorrect web server setup and may also reveal the project's source code.
  4. 67% of projects use legacy PHP versions that have performance and security issues and will no longer receive security patches.

As you might have noticed, besides available log files and externally accessible utilities, we mentioned outdated or unpatched software several times in this article. CMS, applications, add-ons or server software: all of it needs regular updating to be on the safe side. Updates provide not only new features but, more importantly, vulnerability fixes, performance improvements and security patches.

To sum up, the information security of your store is not only about the quality of the CMS you use or the experience of your developers and service providers. Attention to detail, a well-arranged development process and regular updates can protect you against the common security issues as well. If you have any security concerns, we at ASAP Lab will take care of your website.
