Tag Archives: Cross Site Scripting

WordPress Security Updates Roundup (June 2016)

Last weekend WordPress released a security update for its popular self-hosted blogging tool/content management system (CMS, defined), bringing it to version 4.5.3.

Why Should These Issues Be Considered Important?
WordPress recommends installing this update as soon as possible due to the severity of the issues it resolves. The announcement isn't immediately clear on the count: the release contains 24 fixes in total, of which seven are security issues (the remainder are ordinary bug fixes). The security issues are summarised below:

  • an open-redirect bypass in the Customizer (an attacker could use it to send a visitor from your site to a site of their choosing, e.g. as part of a watering hole attack (defined))
  • two cross site scripting (XSS) vulnerabilities (defined) via attachment names
  • information disclosure via revision history
  • a denial of service issue (defined)
  • less secure edge cases in the sanitize_file_name() function
  • unauthorised removal of a category from a post
  • password change via a stolen cookie (defined)
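
As an added illustration (not code from the WordPress release or from this post's author), the following Python shows why attachment names are an XSS vector and why both halves of a fix matter: an uploaded file name dropped straight into an HTML attribute, the same name escaped on output, and a stricter sanitiser for the stored name. The sanitiser is a simplified stand-in written for this example, not WordPress's own sanitize_file_name(); the payload file name is constructed.

```python
import html
import re
import unicodedata

# Constructed sample: an uploaded file name carrying an attribute-breaking
# payload. Nothing stops a user naming a file like this before upload.
MALICIOUS_NAME = 'photo" onerror="alert(1)" data-x=".png'


def render_unsafe(filename: str) -> str:
    """Vulnerable pattern: the user-controlled name is interpolated into an
    HTML attribute verbatim, so a double quote ends the attribute early and
    the rest of the name becomes new attributes (here an event handler)."""
    return f'<img src="/uploads/{filename}" alt="{filename}">'


def render_safe(filename: str) -> str:
    """Hardened pattern: escape at the point of output, every time. This is
    the step that actually prevents XSS, whatever the stored name contains."""
    escaped = html.escape(filename, quote=True)
    return f'<img src="/uploads/{escaped}" alt="{escaped}">'


def sanitize_file_name(filename: str) -> str:
    """Illustrative stand-in for a file-name sanitiser (NOT WordPress's own
    sanitize_file_name()). Defence in depth for the stored name: it removes
    path components, control/special characters, '..' runs and leading dots,
    and never returns an empty name. It is not a substitute for escaping."""
    name = unicodedata.normalize("NFKC", filename)
    # Drop any directory part so the name cannot escape the uploads folder.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Anything outside a conservative allow-list becomes a single hyphen.
    name = re.sub(r"[^A-Za-z0-9._-]+", "-", name)
    # Tidy hyphen runs and hyphen/dot joins, then collapse '..' (traversal).
    name = re.sub(r"-{2,}", "-", name)
    name = re.sub(r"-+\.", ".", name)
    name = re.sub(r"\.-+", ".", name)
    name = re.sub(r"\.{2,}", ".", name)
    # No hidden (dot-prefixed) names and no dangling separators.
    name = name.strip(".-")
    return name or "file"
```

The point to take from the two render functions is that sanitising the stored name reduces the damage a hostile name can do (traversal, hidden files, odd characters) but the attribute-escaping in render_safe() is what closes the XSS itself; the 4.5.3 fix had to address both sides.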

In early May this year WordPress released version 4.5.2, also an important security update, which addressed two security vulnerabilities. The first was a Same Origin Method Execution (SOME) (defined) vulnerability. SOME is related to cross site scripting (XSS): it abuses the callback parameter of JSONP endpoints (JSON, defined) to invoke a method of the attacker's choosing in the context of the vulnerable site.

The second issue was a more traditional cross site scripting (XSS) vulnerability in a third-party library bundled with WordPress, namely MediaElement.js.

Separately, in early June WordPress removed a plugin named WP Mobile Detector from its plugin directory after attacks began exploiting a trivially exploitable zero-day vulnerability (defined) in it.

Researchers at the security firm Sucuri determined that attacks exploiting this vulnerability began on the 27th of May; the vulnerability was subsequently disclosed on the Plugin Vulnerabilities website. It allows an attacker to upload a file of their choice (e.g. a PHP backdoor) to the server hosting the WordPress website.

Finally, in late May the security firm Sucuri disclosed a cross site scripting (XSS) vulnerability in the popular Jetpack plugin, rated critical because of how easy it is to exploit. The issue affected more than 1 million WordPress websites.

How Can I Protect Myself from These Issues?
As always, WordPress users can update their CMS manually (open your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) installs security updates such as this one in the background. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

WP Mobile Detector was later updated to version 3.6 to address this vulnerability. However, as Sucuri noted in its advisory, the fix was incomplete, and Sucuri is working with the plugin's developers to address the remaining shortcoming.

If you use the WP Mobile Detector plugin, please ensure that you are running the most recent version. Exploitation requires the PHP allow_url_fopen configuration directive (defined) to be enabled; since that is PHP's default setting, it is little obstacle in practice. US-CERT recommends disabling this directive if your website does not need it, as a defence in depth (defined)(PDF) measure.
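
To make the allow_url_fopen point concrete, here is an added example (my own code, not from US-CERT, Sucuri or the plugin) that parses php.ini-style text and reports the effective value of the two directives that let PHP code fetch remote content. Both ini fragments are constructed; the weak one mirrors PHP's stock defaults, the hardened one the setting the advice above amounts to. The key detail the check handles is that a directive absent from php.ini takes PHP's built-in default, and allow_url_fopen defaults to On.

```python
import re

# Constructed php.ini excerpt reflecting PHP's stock defaults.
WEAK_INI = """
; stock php.ini excerpt (constructed for this example)
allow_url_fopen = On
allow_url_include = Off
"""

# Constructed php.ini excerpt with the hardened setting applied.
HARDENED_INI = """
; hardened php.ini excerpt (constructed for this example)
allow_url_fopen = Off
allow_url_include = Off
"""

# PHP's built-in defaults, used when a directive is not set at all.
PHP_DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}

_TRUE_WORDS = {"1", "on", "true", "yes"}


def ini_bool(text: str, directive: str, default: bool) -> bool:
    """Effective boolean value of a php.ini directive.

    ';' comments are stripped, the last assignment wins (as in PHP), and a
    directive that never appears takes the supplied default."""
    value = default
    pattern = re.compile(rf"^\s*{re.escape(directive)}\s*=\s*(.*?)\s*$", re.IGNORECASE)
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop inline/whole-line comments
        match = pattern.match(line)
        if match:
            raw = match.group(1).strip().strip('"').lower()
            value = raw in _TRUE_WORDS
    return value


def remote_fopen_exposure(ini_text: str) -> dict:
    """Report whether PHP may open remote URLs via fopen()-family functions
    (allow_url_fopen) and include them as code (allow_url_include)."""
    return {name: ini_bool(ini_text, name, default)
            for name, default in PHP_DEFAULTS.items()}


def hardening_lines(ini_text: str) -> list:
    """php.ini lines to add for any remote-fetch directive still enabled."""
    exposure = remote_fopen_exposure(ini_text)
    return [f"{name} = Off" for name, enabled in exposure.items() if enabled]
```

Because allow_url_fopen is a PHP_INI_SYSTEM directive it can only be set in php.ini or the web server's own PHP configuration, so this is the file to inspect; on a live host, confirm the result against what the running interpreter reports rather than trusting the file alone, since more than one php.ini may be in play.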

Lastly, for the Jetpack plugin, please update to version 4.0.3 or later to resolve the critical XSS issue mentioned above. Updates were also made available for all 21 code branches of the plugin, so you are covered even if you are not on the newest branch. The developers of the plugin have also provided an FAQ for this update as well as the steps to install it.

Thank you.

WordPress Releases Security Updates (January 2016)

On Wednesday of last week, WordPress released version 4.4.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves one cross-site scripting (XSS) vulnerability (defined) which, if exploited, could have allowed an attacker to take control of your WordPress website. The issue was responsibly disclosed (defined) to WordPress, who resolved it internally.

Due to the severity of this issue, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Popular WordPress Anti-spam Plugin Addresses Critical Security Issue

The website security firm Sucuri earlier this month disclosed a critical issue in Akismet, an anti-spam plugin used by millions of users of the WordPress content management system. Sucuri notified Automattic (parent company of WordPress) of the issue earlier this month and only disclosed it after an update had been made available.

Why Should This Issue Be Considered Important?
A critical cross-site scripting (XSS) issue (defined) was found within Akismet, caused by how it handles hyperlinks (links to other websites) placed within blog comments. It could allow an unauthenticated attacker (one with no prior access to your WordPress website) to insert malicious scripts into the Comments screen of the WordPress administration panel, where they would run in an administrator's browser when that screen is viewed. The most serious consequence would be a full website compromise. Further details of this vulnerability are provided in Sucuri's advisory.
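
The general defence against this class of bug is to treat comment HTML as untrusted and rebuild it from an allow-list before it reaches any page, the moderation screen included. The Python below is an added example written for this post (not Akismet's or Sucuri's code, and not how Akismet fixed the issue) of such a sanitiser: it keeps only anchors whose href uses an http, https or mailto scheme, drops every other tag and attribute, and escapes all text. The sample comment is constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

SAFE_SCHEMES = {"http", "https", "mailto"}

# Constructed sample comment of the kind a spam bot might post: a normal
# link, a link whose href runs script and carries an inline event handler,
# a script tag and an already-encoded entity.
SAMPLE_COMMENT = (
    'Nice post, see <a href="https://example.org/more">this</a> and '
    '<a href="javascript:alert(document.cookie)" onmouseover="steal()">this</a>'
    ' <script>alert(1)</script> &lt;3'
)


class CommentLinkSanitizer(HTMLParser):
    """Allow-list sanitiser: keeps <a href="..."> with a safe scheme only,
    discards all other tags and attributes, and escapes all text so the
    result can be rendered in a privileged context such as an admin page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return                       # every other tag is dropped outright
        href = (dict(attrs).get("href") or "").strip()
        scheme = urlparse(href).scheme.lower()
        if scheme not in SAFE_SCHEMES:   # javascript:, data:, vbscript:, ...
            return                       # the link text survives, the link does not
        if self.open_anchor:             # keep output balanced on nested <a>
            self.out.append("</a>")
        self.out.append(f'<a href="{html.escape(href, quote=True)}" rel="nofollow noopener">')
        self.open_anchor = True

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchor:
            self.out.append("</a>")
            self.open_anchor = False

    def handle_data(self, data):
        # Decoded text is re-escaped, so &lt;3 stays &lt;3 and <3 becomes &lt;3.
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        if self.open_anchor:
            self.out.append("</a>")
        return "".join(self.out)


def sanitize_comment(text: str) -> str:
    """Return comment HTML reduced to escaped text plus safe hyperlinks."""
    sanitizer = CommentLinkSanitizer()
    sanitizer.feed(text)
    sanitizer.close()
    return sanitizer.result()
```

Two design points: the scheme check fails closed (an unparseable or obfuscated scheme is simply not in the allow-list), and escaping is applied unconditionally to text and to the surviving href, so the output never depends on what the parser happened to accept.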

How Can I Protect Myself From This Issue?
Please update to version 3.1.5 of Akismet using the steps provided in this Akismet blog post.

Thank you.

Popular WordPress Plugin Addresses Critical Security Issue

The website security firm Sucuri last week disclosed a critical issue in Jetpack, a plugin used by more than 1 million users of the WordPress content management system.

Why Should This Issue Be Considered Important?
Sucuri discovered a critical cross-site scripting (XSS) issue (defined) within the Jetpack plugin caused by how it validates the email address submitted via the contact form module within the plugin.

An attacker exploiting this vulnerability could execute (run) JavaScript (defined) code of their choice in the browsers of visitors to your WordPress site. This could allow the attacker to add a backdoor (defined) to your website, giving them convenient future access, or to conduct a watering hole attack (defined) (further options open to the attacker are presented in Sucuri's security advisory for this issue).

How Can I Protect Myself From This Issue?
Please update to Jetpack version 3.7.1 or later (at the time of writing, version 3.7.2 is available). Instructions for updating WordPress plugins are provided here. Installation instructions for Jetpack are provided here.

I hope that the above information is useful to you in securing your WordPress site from this flaw if you make use of the Jetpack plugin.

Thank you.

WordPress Releases Security Updates

Earlier today, WordPress released version 4.3.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 3 security issues:

The most serious issue was a cross-site scripting issue (defined) when processing shortcode tags that could allow an attacker to inject JavaScript (defined) of their choice into a page. Such JavaScript code could be used in watering-hole attacks (defined). This issue is discussed in more detail in this article.

A further cross-site scripting issue was corrected in the user list table. The final issue was a permissions flaw where a user could make private posts sticky when they would not otherwise have the rights to do so.

Due to the severity of these issues, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

Thank you.

Unpatched WordPress Sites Used By Exploit Kits

The security firm Zscaler recently detected a large number of WordPress websites being used by exploit kits (exploit kits, defined) to deliver ransomware to those sites' visitors. Their blog post shows the scale of the issue and how many WordPress websites are currently affected. The attackers are exploiting vulnerable WordPress installations to install backdoors (see Aside below for a definition) and to inject an iframe (Iframe, defined) into the legitimate pages the site serves, so that a visitor's browser silently loads the exploit kit's landing page alongside the real content.
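
Injected iframes of this kind tend to share a few tell-tales: they point at a host the site owner never embedded, often a bare IP address, and they are made invisible (1x1 pixels, display:none or visibility:hidden, or positioned off-screen). The Python below is an added example written for this post (not Zscaler's tooling or anything from WordPress) that scans a page's HTML for iframes showing those signs. The page and the allow-list of embed hosts are constructed; the suspicious address is from the documentation range 198.51.100.0/24.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate video embed and one injected
# iframe of the kind exploit-kit campaigns add to compromised sites.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to my blog</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc123"></iframe>
<p>Latest post...</p>
<iframe src="http://198.51.100.23/landing.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# Hosts the site owner knowingly embeds (assumed allow-list for the example).
ALLOWED_FRAME_HOSTS = {"www.youtube.com", "player.vimeo.com"}


def _tiny(value) -> bool:
    """True when a width/height attribute is a 0 or 1 pixel dimension."""
    if value is None:
        return False
    match = re.match(r"\s*(\d+)", value)
    return match is not None and int(match.group(1)) <= 1


def suspicious_reasons(attrs: dict, allowed_hosts) -> list:
    """Return the tell-tales an <iframe>'s attributes exhibit (empty if none)."""
    reasons = []
    host = urlparse(attrs.get("src") or "").hostname or ""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if host and host not in allowed_hosts:       # relative src has no host
        reasons.append(f"unexpected host {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address")
    if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
        reasons.append("1x1 or smaller")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if re.search(r"(left|top):-\d", style):
        reasons.append("positioned off-screen")
    return reasons


class IframeScanner(HTMLParser):
    """Collects (src, reasons) for every iframe that trips a tell-tale."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = {name: value for name, value in attrs}
        reasons = suspicious_reasons(attrs, self.allowed_hosts)
        if reasons:
            self.findings.append((attrs.get("src") or "", reasons))


def scan_page(html_text: str, allowed_hosts=ALLOWED_FRAME_HOSTS) -> list:
    """Scan one page's HTML; returns a list of (iframe src, [reasons])."""
    scanner = IframeScanner(allowed_hosts)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings
```

Run this over a crawl of your own site (or the saved HTML of a page a visitor complained about) rather than over the theme files alone: injections added through a backdoor are frequently written into the database or into a plugin file, so only the rendered output shows them reliably. A hit is a reason to look for the backdoor, not just to delete the iframe.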

WordPress sites running version 4.2 or earlier without the subsequent patches can be compromised through the security issues those versions contain. WordPress addressed such issues with four security updates to the 4.2 branch between April and August this year.

Why Should These Issues Be Considered Important?
If your website is compromised, its visitors' devices risk being infected; that in turn may reduce the number of visitors to your site and damage its reputation. It is therefore in your own interest, and to the benefit of your visitors/customers, to address these security issues.

How Can I Protect Myself From These Issues?
If your website is powered by WordPress or makes use of WordPress it is recommended to update to the latest version of WordPress which is version 4.3 (at the time of writing). The version of WordPress in question is the self-hosted/self-administered server based installation rather than the WordPress.com version which is administered by WordPress.

As mentioned in a previous blog post, if you have automatic updates enabled for WordPress (available since version 3.7, thanks again to Sophos for that information) this update will be installed for you. Alternatively you can access your WordPress dashboard and choose Updates -> Update Now.

In addition, WordPress plugins such as Symposium, Google Analytics by Yoast Premium and the Iframe plugin have also been found to have SQL injection (SQL injection, defined) and cross-site scripting (XSS) (cross-site scripting, defined) vulnerabilities. The security firm dxw Security provides advice and mitigations in the above linked advisories for each plugin.

I hope that the above advice is useful to you in better securing your WordPress installations/websites from attack.

Thank you.

=======================
Aside:
What is a backdoor?

A backdoor is the general name for a means by which an attacker can conveniently access devices/services within an organisation that they would not normally be able to reach, e.g. via a command line (shell, Linux shell, Windows Command Prompt, all defined).

Such a command shell allows them to enter commands that the victim device then carries out. This means of access bypasses the access controls that would normally secure the device/service, e.g. passwords, one-time passwords and smart cards.

An attacker will usually set up such a backdoor after initially compromising a company (e.g. using a spear phishing email, spear phishing defined) so that they can more conveniently access the company network in the future to carry out further malicious actions.

Another means of accessing the device or service would be via remote access tools such as VNC or Microsoft Remote Desktop Protocol (RDP), or via the organisation's own VPN, which the attacker has set up or repurposed to make future access easier. The attacker would usually log in with compromised credentials belonging to an employee (obtained by some other means) so as to arouse as little suspicion as possible. An alternative definition of a backdoor is also available here.

Please note that the tools such as VNC and Microsoft RDP (among others) are not malicious in nature but like almost everything in this world, legitimate tools can be used for malicious purposes.
=======================

WordPress Releases Security Updates

Earlier this week, WordPress released version 4.2.4 of its self-hosted blogging tool/content management system (CMS).

This update resolves 6 serious issues, which include:

Due to the severity of these issues, WordPress is advising its users to update immediately.

In addition, in late July WordPress released version 4.2.3. That update resolved two security vulnerabilities. The first was a cross-site scripting (XSS) issue that could allow legitimate users with Author or Contributor rights to compromise your website by adding JavaScript to its pages. Arbitrary JavaScript on a website brings the risk of malware infection for visitors (e.g. a watering hole attack) and, in a severe case, the theft of users' session cookies (and with them the resources/information those sessions can access). The second issue allowed a legitimate user with Subscriber permissions to carry out unintended actions, specifically creating a draft post using the Quick Draft feature.

WordPress users can update their CMS manually or since version 3.7 of WordPress an automatic updater (thanks to Sophos for this useful piece of information) will install the above mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs such as the one you are reading now automatically receive such security updates.

The next version of WordPress, 4.3, is anticipated to arrive on the 18th of August. While this is not a security update, it does contain important changes. To ensure the stability and security of your WordPress installation it is prudent to have streamlined processes in place for applying multiple WordPress updates in a month when necessary.

Thank you.