Many CMS plugins are disabling TLS certificate validation… and that’s very bad

Haythem Elmir

An absurd number of CMS plugins and PHP libraries are disabling SSL/TLS certificate validation on purpose, and by doing so, they’re putting millions of internet users at great risk.

To make matters worse, many of these plugins and libraries are used to establish connections to payment provider servers, connections through which they later transmit sensitive user data or handle financial transactions.

This important, yet lesser known security issue, was discovered and brought to ZDNet’s attention by Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprise.

The issue resides in how authors of CMS plugins and PHP libraries are configuring their code, and specifically some cURL options.

cURL is a command-line utility found on all web hosting servers, which is used for transferring data to and from remote servers. cURL’s use is ubiquitous in the web development community, and many CMS plugins and PHP libraries use it to download, send, and upload data to remote servers via the server’s underlying console, instead of opening actual browser sessions for each connection.

cURL supports a bunch of protocols, such as opening connections via HTTP, FTP, SMTP, POP3, LDAP, and more.

For example, when a WordPress plugin that handles financial transactions to « Payment Process #46, » it uses cURL connections in the background to actually upload your sensitive credit card data to the payment provider’s servers. This usually happens via cURL connections set up via HTTPS, for which cURL also handles SSL/TLS certificate validation, a crucial step in making sure you’re talking to a legitimate HTTPS server.

But Arciszewski has recently discovered that developers of many CMS plugins and PHP libraries are disabling cURL security features for when cURL is used to download or send data via HTTPS connections, like the ones above.

This is a huge issue, especially for the cases where cURL is used to handle financial transactions and sensitive user data.

Having those connections negotiated via weakened HTTPS connections is a disaster waiting to happen, as it can allow attackers to easily trick websites into downloading or sending legitimate data to malicious servers. Because the two features are off, the originating site doesn’t trigger any alerts to either users or the sites’ owners.


According to Arciszewski, this happens because of two cURL settings that developers of CMS plugins and PHP libraries disable on purpose.

The first is « CURLOPT_SSL_VERIFYHOST », which many plugins and libraries set to « false » instead of « true ».

What this setting means is that cURL won’t verify the host URL to which it’s connecting to download or upload data. As long as the remote server has a valid certificate, signed by any random Certificate Authority, such as Let’s Encrypt or Comodo, the server’s URL can be or, and the website from which the cURL request originates won’t care.

The second cURL setting that many developers are disabling is « CURLOPT_SSL_VERIFYPEER », which many devs are setting to « 0 » instead of the more secure « 2 » value.

This setting means that websites will accept connections to any random HTTPS server, even to those who use self-signed certificates.

« This exposes you to extremely trivial man-in-the-middle attacks, » Arciszewski said in a report published last week.

This is no small issue that can be ignored. The problem is extremely widespread in the PHP community, especially.

A cursory GitHub search for the first and second settings reveals hundreds of thousands of projects where developers are disabling cURL certificate validation, including in hundreds of WordPress plugins.[..]
To read the original article:

Laisser un commentaire

Next Post

Kraken Ransomware Upgrades Distribution with RaaS Model

Affiliates pocket 80 percent of every ransom payment. The Kraken ransomware author has released a second version of the malicious code, along with a unique affiliate program on the Dark Web. According to research into Kraken v.2 the new version is being promoted in a ransomware-as-a-service (RaaS) model to underground […]