WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear, but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which an attacker could use to redirect visitors to websites of their choice, for example to carry out watering hole attacks (defined))
  • Two cross site scripting (XSS) vulnerabilities (defined) resulting from attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • Some less secure sanitize_file_name edge cases
  • Unauthorized category removal from a post
  • Password change via a stolen cookie (defined)

Previously, in early May this year, WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately, in early June WordPress removed a plugin named WP Mobile Detector from their plugin website after attacks began exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that the attacks for this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. The vulnerability allows an attacker to upload a file of their choice to a WordPress website.

Finally, as above, in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above-mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

As for WP Mobile Detector, it was later updated to version 3.6 to address this vulnerability. However, as noted by Sucuri in their advisory, the vulnerability was not fully addressed by this new version, and Sucuri are working with the plugin’s developers to address this remaining shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit, since it requires the allow_url_fopen API (defined) to be enabled, US-CERT recommends disabling this API (defined) call if it is not needed for your website, as a defence in depth (defined) (PDF) measure.

Lastly, for the Jetpack plugin, please update to version 4.0.3 or later to resolve the above-mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin, in case you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) issue that could allow information disclosure, since it has the potential to bypass normal access controls. The remaining issue was present on the WordPress login page and could have been used to redirect a user trying to log in.

Due to the severity of these issues, WordPress is advising its users to update immediately.

Separately, a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites, which results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim’s system if it is running outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight, since it makes use of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code on VirusTotal.com.

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list, along with further details of this threat, is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover, a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post, where they describe how the exploits have switched from the Nuclear exploit kit (defined) to the Angler exploit kit.

As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above-mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover, specific information on Adobe updates is available here, with Microsoft updates discussed here.

Thank you.

WordPress Releases Security Updates (January 2016)

On Wednesday of last week, WordPress released version 4.4.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 1 security issue, a cross-site scripting (XSS) vulnerability (defined) that, if exploited by an attacker, could have allowed them to gain control of your WordPress website. This issue was responsibly disclosed (defined) to WordPress and they worked internally to resolve it.

Due to the severity of this issue, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above-mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Popular WordPress Anti-spam Plugin Addresses Critical Security Issue

The website security firm Sucuri earlier this month disclosed a critical issue in Akismet, an anti-spam plugin used by millions of users of the WordPress content management system. Sucuri notified Automattic (the parent company of WordPress) of this issue earlier this month, and only disclosed the issue after an update was made available.

Why Should This Issue Be Considered Important?
A critical cross-site scripting (XSS) issue (defined) was found within Akismet, caused by how it handles hyperlinks (links to other websites) placed within blog comments. This could allow an unauthenticated attacker (that is, an attacker who does not have any prior access to your WordPress website) to insert malicious scripts into the Comments section of the WordPress administration panel. The most serious consequence of this would be a full website compromise. Further details of this vulnerability are provided within Sucuri’s advisory.

How Can I Protect Myself From This Issue?
Please update to version 3.1.5 of Akismet using the steps provided in this Akismet blog post.

Thank you.

Popular WordPress Plugin Addresses Critical Security Issue

The website security firm Sucuri last week disclosed a critical issue in Jetpack, a plugin used by more than 1 million users of the WordPress content management system.

Why Should This Issue Be Considered Important?
Sucuri discovered a critical cross-site scripting (XSS) issue (defined) within the Jetpack plugin caused by how it validates the email address submitted via the contact form module within the plugin.

If an attacker were to use this vulnerability in addition to their knowledge of website hacking, they could execute (run or carry out a set of steps) JavaScript (defined) code of their choice on your WordPress site. This could allow the attacker to add a backdoor (defined) to your website, giving them convenient access, or to conduct a watering hole attack (defined) (further examples of options open to the attacker are presented in Sucuri’s security advisory for this issue).

How Can I Protect Myself From This Issue?
Please update to Jetpack version 3.7.1 or later (at the time of writing, version 3.7.2 is available). Instructions for updating WordPress plugins are provided here. Installation instructions for Jetpack are provided here.

I hope that the above information is useful to you in securing your WordPress site from this flaw if you make use of the Jetpack plugin.

Thank you.

WordPress Releases Security Updates

Earlier today, WordPress released version 4.3.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 3 security issues:

The most serious issue was a cross-site scripting issue (defined) when processing shortcode tags that could allow an attacker to inject JavaScript (defined) of their choice into the page. Such JavaScript code could be used in watering-hole attacks (defined). This issue is discussed in more detail in this article.

A further cross-site scripting issue was also corrected in the user list table. The final issue addressed a permissions problem where a user could make private posts sticky when they would otherwise not have the permissions/rights to do so.

Due to the severity of these issues, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above-mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Unpatched WordPress Sites Used By Exploit Kits

The security firm Zscaler recently detected a large number of WordPress websites that are being used by exploit kits (exploit kits, defined) to deliver ransomware to the sites’ visitors. Their blog post shows the large-scale nature of this issue and how many WordPress websites are currently affected. The attackers compromise vulnerable WordPress sites, allowing the installation of backdoors (see the Aside below for a definition) and the injection of an iframe (iframe, defined) into the legitimate traffic that travels to the visitor’s system when they visit the site.
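A defender-side way to triage a site's pages for the injected content described here and in the February 2016 post above (hidden iframes and obfuscated, decode-then-execute JavaScript). This is an added example, not Zscaler's, Sucuri's or Malwarebytes' tooling; the two sample pages are constructed for the demonstration and the patterns are generic heuristics, not indicators from any of the linked reports.

```python
import re

# Constructed sample pages (not real captures): one clean, one carrying a hidden
# iframe and eval-based decoders of the kind used to conceal a visitor redirect.
CLEAN_PAGE = """<html><body><h1>Blog</h1>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<iframe src="https://www.youtube.com/embed/placeholder" width="560" height="315"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body><h1>Blog</h1>
<iframe src="http://example.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>
</body></html>"""

# Any <iframe ...> opening tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# Ways an iframe is made invisible to the visitor: CSS hiding or a 0/1 pixel box.
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|\b(?:width|height)=[\"']?[01][\"']?(?=[\s>/])",
    re.IGNORECASE)
# Decode-then-execute calls and long escape runs typical of obfuscated loaders.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\b"
    r"|(?:%[0-9a-f]{2}){8,}"
    r"|(?:\\x[0-9a-f]{2}){8,}",
    re.IGNORECASE)

def scan_page(html):
    """Return (kind, snippet) findings for one page; an empty list means no hit."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        if HIDDEN_RE.search(tag):
            findings.append(("hidden_iframe", tag[:80]))
    for m in OBFUSCATION_RE.finditer(html):
        findings.append(("obfuscated_js", m.group(0)[:80]))
    return findings

def is_suspicious(html):
    """Coarse verdict suitable for flagging a file for manual review."""
    return bool(scan_page(html))

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page))
```

Run it over the theme and plugin PHP files as well as rendered pages, since the injected code on a compromised site usually lives in the files that generate the page rather than in the page alone.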

WordPress sites running version 4.2 and earlier can be compromised via the security issues they contain. WordPress addressed those issues with 4 security updates for version 4.2, released between April and August this year.

Why Should These Issues Be Considered Important?
Since visitors to your website risk having their devices infected, which may in turn reduce the number of visitors to your site and damage your website’s reputation, it is in your interest, and to the benefit of your visitors/customers, to address these security issues.

How Can I Protect Myself From These Issues?
If your website is powered by WordPress or makes use of WordPress it is recommended to update to the latest version of WordPress which is version 4.3 (at the time of writing). The version of WordPress in question is the self-hosted/self-administered server based installation rather than the WordPress.com version which is administered by WordPress.

As mentioned in a previous blog post, if you have automatic updates enabled for WordPress (available since version 3.7, thanks again to Sophos for that information) this update will be installed for you. Alternatively you can access your WordPress dashboard and choose Updates -> Update Now.

In addition, plugins for WordPress sites such as Symposium, Google Analytics by Yoast Premium and the IFrame plugin for WordPress have also been found to have SQL injection (SQL injection, defined) and cross-site scripting (XSS) (cross-site scripting, defined) vulnerabilities. The security firm dxw Security provide advice and mitigations in the advisories linked above for each plugin.
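The update advice in this post and the ones above can be checked offline by comparing an installation's recorded versions against the fixed versions these posts name (core 4.5.3 from the June 2016 roundup, Jetpack 4.0.3 from the same post, Akismet 3.1.5 and WP Mobile Detector 3.6 from their own posts). This is an added example, not WordPress's or any plugin's own code; the version.php and plugin-header contents are constructed samples, and the plugin slugs are assumed directory names.

```python
import re

# Minimum fixed versions named in the posts on this page.
MIN_CORE = "4.5.3"
MIN_PLUGINS = {"akismet": "3.1.5", "jetpack": "4.0.3", "wp-mobile-detector": "3.6"}

# Constructed sample file contents standing in for wp-includes/version.php and
# each plugin's main file header (not taken from a real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.4.2';\n"
SAMPLE_PLUGIN_HEADERS = {
    "akismet": "<?php\n/*\nPlugin Name: Akismet\nVersion: 3.1.5\n*/",
    "jetpack": "<?php\n/**\n * Plugin Name: Jetpack\n * Version: 3.7.2\n */",
}

def parse_version(text):
    """'4.5.3' -> (4, 5, 3): numeric comparison, so '4.10' is newer than '4.9'."""
    return tuple(int(p) for p in text.strip().split("."))

def core_version(version_php):
    """Extract $wp_version from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None

def plugin_version(header):
    """Extract the Version: field from a plugin's file header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", header, re.MULTILINE)
    return m.group(1) if m else None

def is_outdated(found, minimum):
    """True if found is missing or older than minimum; pads so 3.6 equals 3.6.0."""
    if found is None:
        return True
    a, b = parse_version(found), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def audit(version_php, plugin_headers):
    """Names ('core' or plugin slug) still below the fixed version; absent plugins are skipped."""
    outdated = []
    if is_outdated(core_version(version_php), MIN_CORE):
        outdated.append("core")
    for slug, minimum in MIN_PLUGINS.items():
        if slug in plugin_headers and is_outdated(plugin_version(plugin_headers[slug]), minimum):
            outdated.append(slug)
    return outdated

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_PLUGIN_HEADERS))  # ['core', 'jetpack']
```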

I hope that the above advice is useful to you in better securing your WordPress installations/websites from attack.

Thank you.

=======================
Aside:
What is a backdoor?

A backdoor is the general name given to the means by which an attacker can conveniently access devices/services within an organization that they would not usually be able to access, e.g. via a command line (shell; Linux shell and Windows Command Prompt both defined).

Such a command shell will allow them to enter commands that the victim device will then carry out. This means of accessing the device/service bypasses the access control methods that would normally secure it, e.g. passwords, one-time passwords and smart cards.

An attacker will usually set up such a backdoor after initially compromising a company (e.g. using a spear phishing email, spear phishing defined) so that they can more conveniently access the company network in the future to carry out further malicious actions.

Another means of accessing the device or service would be via a VPN (e.g. VNC) or Microsoft Remote Desktop Protocol (RDP) that the attacker would have set up to enable easier access in the future. The attacker would usually use compromised credentials belonging to an employee of the company (obtained by some other means) to log into the VPN, so as to arouse as little suspicion as possible. An alternative definition of a backdoor is also available here.

Please note that tools such as VNC and Microsoft RDP (among others) are not malicious in nature, but like almost everything in this world, legitimate tools can be used for malicious purposes.
=======================