Tag Archives: Content Management System

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress made available a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues that it resolves. It isn’t immediately clear but 24 security issues were addressed in this update. Please find below a summary of those issues:

  • A redirect bypass in the customizer (which an attacker could use to redirect users to websites that perform attacks such as watering hole attacks (defined))
  • 2x cross-site scripting (XSS) vulnerabilities (defined) as a result of attachment names
  • Revision history information disclosure
  • A denial of service issue (defined)
  • Some less secure sanitize_file_name edge cases
  • Unauthorized category removal from a post
  • Password change via stolen cookie (defined)

Earlier, in early May this year, WordPress made available version 4.5.2. This was also an important security update that addressed 2 security vulnerabilities. The first relates to a Same Origin Method Execution (SOME) (defined) vulnerability. This vulnerability is similar to a cross-site scripting (XSS) vulnerability since it abuses JSON (defined) callbacks.

The second issue addressed is a more traditional cross site scripting (XSS) vulnerability within a 3rd party library, namely MediaElement.js.

Separately, in early June WordPress removed a plugin named WP Mobile Detector from their plugin website when attackers began exploiting a trivially exploitable zero-day vulnerability (defined) within it.

Researchers at the security firm Sucuri were able to determine that the attacks for this vulnerability began on the 27th of May. The vulnerability was then disclosed on the Plugin Vulnerabilities website. The vulnerability allows an attacker to upload a file of their choice to a WordPress website.

Finally, as above, in late May the security firm Sucuri discovered a critical (due to the ease of exploitation) cross-site scripting (XSS) vulnerability in the popular WordPress Jetpack plugin. This issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

The WP Mobile Detector plugin was later updated to version 3.6 to address this vulnerability. However, as noted by Sucuri in their advisory, the vulnerability was not fully addressed by this new version and they are working with the plugin's developers to address this further shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are using the most recent version. While the vulnerability is difficult to exploit, since it requires the allow_url_fopen API (defined) to be enabled, US-CERT recommends disabling this API (defined) call if it is not needed for your website as a defence in depth (defined) (PDF) measure.
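As an added illustration (not from the original post or from US-CERT), here is a small POSIX shell check that reads a php.ini and reports whether allow_url_fopen is still enabled; the two sample php.ini files it creates are constructed stand-ins for a real configuration:

```shell
#!/bin/sh
# Added example: report the effective allow_url_fopen setting in a php.ini.
# Prints "enabled", "disabled" or "unset" (PHP's built-in default is On,
# so "unset" should be treated as enabled).
allow_url_fopen_state() {
    # $1: path to a php.ini. The last uncommented assignment wins, as in PHP.
    val=$(grep -iE '^[[:space:]]*allow_url_fopen[[:space:]]*=' "$1" \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*;.*$//' \
          | tr -d '"\r' | tr '[:upper:]' '[:lower:]')
    case "$val" in
        "")             echo unset ;;
        on|1|true|yes)  echo enabled ;;
        *)              echo disabled ;;
    esac
}

# Constructed sample configurations (not real files from any site).
WEAK_INI=$(mktemp)
HARDENED_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARDENED_INI"' EXIT

printf '%s\n' \
    '; constructed sample php.ini: weak, remote file opens allowed' \
    'allow_url_fopen = On' \
    'allow_url_include = Off' > "$WEAK_INI"

printf '%s\n' \
    '; constructed sample php.ini: hardened per the US-CERT advice' \
    'allow_url_fopen = On' \
    'allow_url_fopen = Off   ; last assignment wins: not needed by this site' > "$HARDENED_INI"

echo "weak config:     $(allow_url_fopen_state "$WEAK_INI")"
echo "hardened config: $(allow_url_fopen_state "$HARDENED_INI")"
```

Point the function at the php.ini your web server actually loads (`php --ini` lists the candidates) rather than at the constructed samples.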

Lastly, for the Jetpack plugin, please update to version 4.0.3 or later to resolve the above mentioned critical XSS issue. Updates were also made available for all 21 code branches of the plugin if you are not already using the newest code branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

Drupal Releases Security Updates (Feb 2016)

In late February the widely used website Content Management System (CMS) (defined) Drupal released security updates for versions 6, 7 and 8.

The released security updates addressed 10 security issues, of the severities listed below:

  • 1x critical
  • 6x moderately critical
  • 3x less critical

Drupal users should upgrade to versions 6.38, 7.43 or 8.0.4 as appropriate. Further information and steps to install the updates are available in Drupal’s Security Advisory.

As noted by Drupal, version 6 has reached its end of life (EOL) and will no longer receive security updates going forward. Further information is provided on this dedicated page.

Moreover, in early January IOActive senior security consultant Fernando Arnaboldi disclosed 3 security issues in a blog post. While these issues were responsibly disclosed to Drupal, at the time of writing Drupal has not addressed them. As advised within that blog post, those who administer Drupal installations may wish to manually download updates for Drupal and its add-ons in order to work around these issues until they are addressed.

Thank you.

WordPress Releases Security Update (February 2016)

On the 3rd of February WordPress released a security update to their popular self-hosted blogging tool/content management system (CMS, defined) bringing it to version 4.4.2.

This is a critical security update that resolves 2 security issues. One is a server-side request forgery (SSRF) vulnerability that could allow information disclosure since it has the potential to bypass normal access controls. The remaining issue was present on the login page of WordPress and could have been used to redirect a user trying to log in.

Due to the severity of these issues, WordPress is advising its users to update immediately.

Separately, a ransomware (defined) campaign is compromising very large numbers of WordPress websites by adding obfuscated (defined within this post) JavaScript (defined) to the websites, which results in visitors to those sites being redirected to a website of the attacker’s choice. The JavaScript can deliver the ransomware to a victim system if it is using outdated versions of Adobe Flash Player/Reader, Microsoft Internet Explorer or Silverlight, since it makes use of the Nuclear exploit kit (defined). At this time there is very little detection of the exploit code on VirusTotal.com.

A shortlist of recommendations to protect your WordPress website against this ransomware campaign is shown below (for your convenience). This list, including further details of this threat, is available from Heimdal Security’s blog post (I wish to express my sincere thanks to them for making such detailed information available to protect against this threat):

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

Moreover, a technical description of how this attack occurs against a WordPress website is available within this Sucuri blog post. Malwarebytes also provide advice and a further technical description in their blog post, where they describe how the exploits have switched from the Nuclear exploit kit (defined) to the Angler exploit kit.

As always, WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

For more information on installing updates to commonly used software, this blog can assist. Please see the “Protecting Your PC” page for how to keep software updated. Moreover, specific information on Adobe updates is available here, with Microsoft updates discussed here.

Thank you.

WordPress Releases Security Updates (January 2016)

On Wednesday of last week, WordPress released version 4.4.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 1 cross-site scripting (XSS) security vulnerability (defined) that, if exploited by an attacker, could have allowed them to gain control of your WordPress website. This issue was responsibly disclosed (defined) to WordPress and they worked internally to resolve it.

Due to the severity of this issue, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Popular WordPress Anti-spam Plugin Addresses Critical Security Issue

The website security firm Sucuri earlier this month disclosed a critical issue in Akismet, an anti-spam plugin used by millions of users of the WordPress content management system. Sucuri notified Automattic (parent company of WordPress) of this issue earlier this month. Sucuri only disclosed the issue after an update was made available.

Why Should This Issue Be Considered Important?
A critical cross-site scripting (XSS) issue (defined) was found within Akismet caused by how it handles hyperlinks (links to other websites) placed within blog comments. This could allow an unauthenticated attacker (namely an attacker that does not have any prior access to your WordPress website) to insert malicious scripts into the Comment section of the WordPress administration panel. The most serious consequence of this would be a full website compromise. Further details of this vulnerability are provided within Sucuri’s advisory.

How Can I Protect Myself From This Issue?
Please update to version 3.1.5 of Akismet using the steps provided in this Akismet blog post.

Thank you.

Popular WordPress Plugin Addresses Critical Security Issue

The website security firm Sucuri last week disclosed a critical issue in Jetpack, a plugin used by more than 1 million users of the WordPress content management system.

Why Should This Issue Be Considered Important?
Sucuri discovered a critical cross-site scripting (XSS) issue (defined) within the Jetpack plugin caused by how it validates the email address submitted via the contact form module within the plugin.

If an attacker were to combine this vulnerability with their knowledge of website hacking, they could execute (run or carry out a set of steps) JavaScript (defined) code of their choice on your WordPress site. This could allow the attacker to add a backdoor (defined) to your website, giving them convenient access, or to conduct a watering hole attack (defined) (further examples of options open to the attacker are presented in Sucuri’s security advisory for this issue).

How Can I Protect Myself From This Issue?
Please update to Jetpack version 3.7.1 or later (at the time of writing, version 3.7.2 is available). Instructions for updating WordPress plugins are provided here. Installation instructions for Jetpack are provided here.

I hope that the above information is useful to you in securing your WordPress site from this flaw if you make use of the Jetpack plugin.

Thank you.

WordPress Releases Security Updates

Earlier today, WordPress released version 4.3.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 3 security issues:

The most serious issue was a cross-site scripting issue (defined) when processing shortcode tags that could allow an attacker to inject JavaScript (defined) of their choice into the page. Such JavaScript code could be used in watering-hole attacks (defined). This issue is discussed in more detail in this article.

A further cross-site scripting issue was also corrected in the user list table. The final fix addressed a permissions issue where a user could make private posts sticky when they would otherwise not have the permissions/rights to do so.

Due to the severity of these issues, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.