My Security Planet » Items by DK

Feeds

6078 items (0 unread) in 72 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Items by DK

BlogSecurity

• 

  WordPress 2.6.2 Snoopy Vulnerability

  Posted: November 1st, 2008, 10:56am CDT by DK

  Tags:  Advisories   [edit]

  WordPress announced the following vulnerability in WordPress 2.6.2:

  A vulnerability in the Snoopy library was announced today.  WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don’t want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation.

  1. wp-includes/class-snoopy.php
  2. wp-includes/version.php

  

  
• 

  WordPress 2.6.1 Weak Entropy Vulnerability

  Posted: September 11th, 2008, 5:08am CDT by DK

  Tags:  Advisories   [edit]

  iso^kpsbr has discovered a vulnerability that may allow an external attacker to gain admin access to WordPress 2.6.1.

  WordPress is prone to a weakness in the entropy of generated passwords. Successfully exploiting this issue may allow an attacker to guess randomly generated passwords. WordPress 2.6.1 is vulnerable; other versions may also be affected.

  The original advisory and proof of concept exploit is available on securityfocus.

  

  
• 

  Acunetix Advanced Web Vulnerability Scanner Review

  Posted: August 18th, 2008, 6:27pm CDT by DK

  Tags:  Reflections   [edit]

  As some of you may know, our wp-scanner project looks for common WordPress XSS issues but what about testing more advanced web sites and/or CMS (content management systems)?

  Acunetix is one of the leading commercial web applicaton vulnerability scanners on the market. The reason I mention it (other then the fact that they are one of our sponsors) is that they provide a free XSS scanner - which my work collegue describes as "awesome". So if you have enjoyed wp-scanner or have a site you’d like testing for Cross-Site Scripting vulnerabilities I’d strongly recommend giving it a go.

  For those of you looking for the full monty, Acunetix provides a reasonably priced full-featured web vulnerability scanner which I have used on a number of occasions and found extremely useful. I especially like the WSDL enumeration and testing (web services), SQL Injection fuzzer and the fact that version 5 is built around helping sites achieve the PCI standard. The interface is also very neat and extremely easy to use.

  Check out some of the screen shots:

  
  

  If you interested in more information go check out the latest version 5 features and tools.

  

  
• 

  WordPress Pwnie Awards

  Posted: August 13th, 2008, 10:08am CDT by DK

  Tags:  News   [edit]

  The Pwnie Awards, an ‘annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community’.

  It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.

  More info at pwnie-aware.org.

  

  
• 

  WP Contact-Form Vulnerabilities

  Posted: August 13th, 2008, 10:03am CDT by DK

  Tags:  Advisories   [edit]

  WP Contact Form is a very popular WordPress plugin.

  Mustlive has reported a number of vulnerabilities which you can view at his web page here.

  According to the plugin authors page, the latest version is 3.1.8. We went ahead and downloaded a copy to have a look. The actual contact form page that your users see is not vulnerable to these attacks. However, the "/wp-admin/admin.php?page=wp-contact-form
  /options-contactform.php" is vulnerable.

  Please note at the time of writing this article all versions appear affected (<=3.1.8). We recommend disabling this plugin until a fix can be provided.

  

  
• 

  AskApache WordPress Hardening Plugin

  Posted: August 7th, 2008, 4:48pm CDT by DK

  Tags:  Plugin Reviews   [edit]

  BlogSecurity released a popular article last year titled "Hardening WordPress with htaccess". It provided basic, yet effective techniques to harden a WordPress blog install.

  Using Apache’s mod_rewrite allows us to perform basic filtering and application firewalling. AskApache is pushing mod_rewrite boundaries to the limits with a cool plugin that will allow automated anti-hack/spam htaccess rules.

  The plugin looks like a great tool for the more tech-savvy blog user. I say tech-savvy because the plugin requires tweaking on upgrades and may require adjustments specific to your needs, however an interesting project to keep an eye on nonetheless. My personal approach would be to utilise ModSecurity which is much more powerful then mod_rewrite and which can be applied at the web server layer rather then having to have custom rules for each WordPress install.

  

  
• 

  WP Downloads Manager 0.2 Remote File Upload

  Posted: August 7th, 2008, 4:21pm CDT by DK

  Tags:  Advisories   [edit]

  The Wp Downloads Manager module is a plugin for WordPress.

  Wp Downloads Manager is prone to a vulnerability that lets attackers upload and execute arbitrary code. This issue occurs because the application fails to sufficiently sanitize user-supplied file extensions before uploading files onto the webserver via the ‘upload.php’ script.

  Successfully exploiting this issue will allow attackers to upload and execute arbitrary PHP code within the context of the webserver process. This may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

  Wp Downloads Manager 0.2 is vulnerable; other versions may also be affected.

  Affected Products:

  Giulio Ganci Wp Downloads Manager 0.2

  References:

  Giulio Ganci: Wp Downloads Manager Homepage

  An exploit has been made available on Milw0rm and is publically available.

  Credits:

  Thanks to MustLive for informing us of this issue.

  More information is available at [www.juniper.net]

  

  
• 

  BlogSecurify Service Launched!

  Posted: June 23rd, 2008, 9:23am CDT by DK

  Tags:  News   [edit]

  Well the time has finally arrived! We are psyched to notify our readers, that the day has finally arrived! The initial version of the BlogSecurify project designed by GNUCITIZEN and BlogSecurity teams is now ready for testing.

  This is only the initial release but knock yourselves out! We hope this new framework will allow us to expand the service to new heights, testing multiple blog types and versions. Its modular, its fast and its powerful and supports caching!

  >>Launch BlogSecurify Next Generation!

  Note: The old wp-scanner project will still remain active until we feel that BlogSecurify has reached a level that we are happy with, but for now, enjoy!

  

  
• 

  BlogSecurify Demo Video!

  Posted: June 9th, 2008, 4:05am CDT by DK

  Tags:  News   [edit]

  You guys are going to love our new wp-scanner and blog security testing service! We’ll be adding loads more tests and support multiple blog types not just WordPress.

  Hint: Wear your earphones when watching this video to get the full vibe.

  

  
• 

  Comprehensive Vulnerability Scanner

  Posted: May 17th, 2008, 1:02pm CDT by DK

  Tags:  News   [edit]

  BlogSecurity have been discussing merging the wp-scanner project with GNUCITIZEN to provide a more comprehensive vulnerability scanning solution.

  At the moment, the WordPress vulnerability scanning will be free, however, premium services will be available to scan your entire web server for known vulnerabilities. The premium service as it stands will allow you to scan mail services, web services and much more. This means we’ll be able to provide you with a more comprehensive vulnerability scanner then just your WordPress installation. We may have to charge a small fee for the premium service to cover bandwidth costs, but wp-scanner will remain free.

  Nothing is set in stone at this time but we wanted to give you guys a chance to provide your ideas and feedback before finalising any plans. Aren’t we thoughtful? Speak now or forever hold your peace.

  

  
• 

  Vulnerability Hidden in Blog

  Posted: May 12th, 2008, 3:34am CDT by DK

  Tags:  News   [edit]

  Aviv Raff, an Israeli security researcher has made an unpatched Internet Explorer 7 & 8 vulnerability public by hiding it on his blog.

  Creating a vulnerability treasure hunt on your blog is one technique you wont find in any SEO book. We assume this is a publicity stunt, especially as an exploit of this caliber could potentially earn thousands if sold to ZDI or others.

  

  
• 

  Identity Theft 101

  Posted: May 6th, 2008, 4:56pm CDT by DK

  Tags:  Reflections   [edit]

  I phoned my bank to activate my card the other day. The automated voice required a date of birth and the number of digits in my Mother’s maiden name. Lets assume an attacker can get this information, lets be realistic, what could really happen?

  Lets explore some ideas of what an attacker could do with enough information about you:

  • apply for a credit card in your name;
  • open a bank or building society account in your name;
  • apply for other financial services in your name;
  • run up debts (e.g. use your credit/debit card details to make purchase) or obtain a loan in your name;
  • apply for any benefits in your name (e.g. housing benefit, new tax credits, income support, job seeker’s allowance, child benefit);
  • apply for a driving licence in your name;
  • register a vehicle in your name;
  • apply for a passport in your name; or
  • apply for a mobile phone contract in your name.

  The latest estimate is that identity fraud costs the UK economy £1.7 billion. Thats billion NOT million.

  More information is available at Home Office Identity Theft web site.

  

  
• 

  Facebook Top 8 Security Tips

  Posted: May 5th, 2008, 2:09am CDT by DK

  Tags:  Articles   [edit]

  This article discusses some simple, easy to follow steps to increase your personal security on Facebook.

  1. Golden Rule - Assume that the personal information and photos you display are publicly available and now just available to specific friends.
  2. Strong Passwords - It may seem obvious but make sure you use a strong password for your account. Also, I’d suggest not using that password you use for everything else, you know what I’m talking about.
  3. Secure your birth date - Birth dates are often required to validate our identity. Under Profile, you can choose to not display your birthday or alternatively you can choose not to display your year of birth.
  4. Privacy Profile Settings - We suggest setting the Profile Privacy > Basic to "only me" for items: Education Info, Work Info and Profile Privacy > Contact Information to "no one" for items: Mobile Phone, Land Phone, Current Address, Email. You may want to display your website address for advertising.
  5. Privacy Application Settings - Each Facebook application has similar settings to those of the Privacy settings. New applications are being added everyday. Its difficult to define a set policy. However, we suggest you remove any unwanted applications and/or limit there settings as required.
  6. Privacy Search Settings - Depending on your use of Facebook, you may not want to be publicly visible or you may want to limit what information is available to all users (i.e. your picture, friend list etc). We recommend changing the search settings from "everyone" to "friends of friends". You may also want to untick "view your friends list".
  7. Privacy News Feed and Mini-Feed Settings - Control what stories about you get published to your profile and to your friends’ News Feeds. You may not want to display information such as joined groups etc. Although, I don’t know how much privacy this offers as friends can view your groups anyway.
  8. Joining Groups & Networks - be cautious when joining groups. All users of a group will be permitted to see your profile data. Although, there may be a setting somewhere that restricts this as I did find some accounts that I could not access.

  

  
• 

  Feedburner Awareness API

  Posted: May 1st, 2008, 8:47am CDT by DK

  Tags:  Reflections   [edit]

  Having fun with FeedBurner Awareness API.

  The FeedBurner Awareness API (AwAPI) allows publishers of FeedBurner feeds to reuse the detailed traffic statistics we capture for any of their feeds. Third-party applications and web services that consume feeds can leverage this data to provide useful feed awareness statistics to potential subscribers… - awarenessapi

  In October 07, BlogSecurity released an article titled, "Feedburner: Show me the money". Knowing your way around Feedburner can be really useful when looking for blog partners or blogs to place ads. Awareness API makes this a peice of cake!

  What I also find interesting, is that these statistics could be used by attackers during the target profiling stage to find and sort high traffic sites with accuracy. In addition to this, a more subtle attacker may only want to deface or propogate an attack further by infecting a specific page. How would the attacker easily determine the page with the most traffic?

  Enough chit-chat, lets see Awareness API in action by viewing Problogger’s stats:

  http://api.feedburner.com/awareness/1.0/GetFeedData?uri=
  ProbloggerHelpingBloggersEarnMoney&dates=2008-01-01,2008-04-02
  

  
  <feed id="40080" uri="ProbloggerHelpingBloggersEarnMoney">
  <entry date="2008-01-01" circulation="36533" hits="61608"
  downloads="1" reach="4918"/>
  <entry date="2008-01-02" circulation="37465" hits="73923"
  downloads="5" reach="6356"/>
  <entry date="2008-01-03" circulation="37161" hits="73702"
  downloads="1" reach="6525"/>
  <entry date="2008-01-04" circulation="36983" hits="71214"
  downloads="0" reach="5976"/>
  <entry date="2008-01-05" circulation="36559" hits="60201"
  downloads="0" reach="4338"/>
  ...
  

  The boy is definately getting hits!

  Specific posts can also be queried (although this didn’t work when I was playing the second time round):

  http://api.feedburner.com/awareness/1.0/GetFeedData?uri=
  ProbloggerHelpingBloggersEarnMoney&itemurl=
  http://www.problogger.net/archives/2008/05/01/
  what-you-say-is-what-you-are-the-problem-of-blogger-inferiority-complex/
  

  <entry date="2008-04-30" circulation="47441" hits="87226"
  downloads="0" reach="7632"/>
  

  We found that Feedburner enables this service when the feedCount service is enabled. The Awareness API service does not need to be activated for your site to be displaying this information. We had mixed results when testing. If this is the case, I think this is a bad configuration on Feedburner’s part.

  Check out the Awareness API documentation for more uses.

  

  
• 

  Gravatar Secure to Use?

  Posted: April 29th, 2008, 4:33am CDT by DK

  Tags:  Reflections   [edit]

  I really love the Gravatar concept. Its simple, useful, powerful and centrally managed, but how secure is it to use on a blog or service?

  Regular users may have already seen that we have implemented Gravatars onto BlogSecurity; so its safe to use then, right?

  I made a point on our new BlogSec-News service a couple days ago when implementing Gravatars onto BlogSec. This article expands these points.

  My first thought was, creating a malicious image link and posting this on Gravatar. Imagine placing a malicious peice of code as your profile picture. Every site that has approved your previous comments are all of a sudden vulnerable! However, this thought was quickly exhausted, as Gravatar does not permit third party links. All images are uploaded to Gravatar and centrally managed. Good move!

  So what are the risks then?

  Without looking at the service in great detail, there are two obvious risks with using this service, both of which you should understand and accept before using it.

  Firstly and less likely: If the Gravatar servers are hacked, attackers could embed malicious code into links, which could be used in a variety of attacks including Denial of Service and may, although unlikely, lead to your blog being compromised. However, for this to happen, your site would have to be vulnerable to other attacks.

  Second and more likely: Users control what rating their images receive. By accepting Gravatars, you accept the possibility that some users may use inappropriate images or images of a sensitive nature. Its also difficult to detect these images, unless you were monitoring every post comment on every post (impossible). The end result may be an unhappy user or visitor who blames your site, especially when they fail to understand how the Gravatar service work.

  It is important that these risks are understood and accepted before using the service. As a community, hopefully we’ll look out for these images. When spotted, we could always inform Gravatar, who hopefully have a procedure in place to manage abuse.

  

  
• 

  Wordpress 2.5 Cookie Integrity Protection Vulnerability

  Posted: April 27th, 2008, 2:12pm CDT by DK

  Tags:  Advisories   [edit]

  Steven J. Murdoch has discovered a vulnerability in WordPress 2.5 that may allow a registered user to gain admin level access on the blog. Only WP 2.5 blogs that permit users to register user accounts are vulnerable.

  According to Steven:

  This vulnerability exists because it is possible to modify
  authentication cookies without invalidating the cryptographic
  integrity protection.

  If a Wordpress blog is configured to freely permit account creation,
  a remote attacker can gain Wordpress-administrator access and then
  elevate this to arbitrary code execution as the web server user.

  The fix is fairly straight forward and WordPress have released a fix in WordPress 2.5.1.

  
  Please note this vulnerability is different to [blogsecurity.net]

  Steven’s Advisory is available here.

  

  
• 

  BlogSecurity News Portal Launched

  Posted: April 23rd, 2008, 11:44am CDT by DK

  Tags:  News   [edit]

  We often have people emailing us to discuss a new plugin, an advisory, general news etc.

  Blogsec now offers our users the chance to submit their hot gossip via our new News portal. Check it out, sign-up for email updates, give us your feedback, knock yourselves out :)

  LAUNCH BLOG-SEC NEWS

  

  
• 

  Facebook: What they really have on you

  Posted: April 21st, 2008, 10:31am CDT by DK

  Tags:  News   [edit]

  Old clip, but its a classic, enjoy!

  
  Find more how to and instructional Web videos on 5min.com

  Check out more of our Social Networking articles here.

  

  
• 

  WordPress 2.5 Secret_Key Vulnerability

  Posted: April 16th, 2008, 4:20am CDT by DK

  Tags:  Advisories   [edit]

  José Carlos Nieto Jarquín has found a vulnerability affecting WordPress 2.5 ONLY. His advisory was released on SecurityFocus yesterday.

  Our recent "Secure WordPress Whitepaper Revision" shows the new WordPress SECRET_KEY variable in the ‘wp-config.php’ file. This SECRET_KEY must be set to something random, as specified in the WordPress documentation. If not, it may be possible for an attacker to brute force the default WordPress SALT generation process to gain access to your blog.

  The vulnerability has been reported as a Medium risk as it only affects WordPress installations matching a certain criteria. See advisory for more details.

  A proof of concept exploit is publicly available. Please ensure that you set your SECRET_KEY in your ‘wp-config.php’ file to something random.

  From wp-config.php:

  Change SECRET_KEY to a unique phrase.  You won't have to remember
  it later, so make it long and complicated.  You can visit
  https://www.grc.com/passwords.htm to get a phrase generated for you,
  or just make something up.
  define('SECRET_KEY', 'put your unique phrase here');
  

  

  
• 

  WordPress Whitepaper rev-1.2: New Release

  Posted: April 14th, 2008, 5:23am CDT by DK

  Tags:  News   [edit]

  Great news! We are pleased to announce, to our translators dismay, that we have revised our popular "How to Secure WordPress" whitepaper.

  The new revision takes a more hands-on approach making it easier to follow and implement. New sections have been added to cover important topics like Spam and Blog Encryption.

  Check out more information at the WordPress Whitepaper HomePage.

  

  
• 

  When to Upgrade your Software

  Posted: April 11th, 2008, 6:03am CDT by DK

  Tags:  Reflections   [edit]

  We got an interesting comment from Dave today that made me reflect on the question of when to update or upgrade your blog software.

  Until you folks on this site tell me I’m not doing the update. WP always has some security issues when its released.

  It may seem like a fairly simple question, but when should one upgrade their software? I can imagine some would immediately answer, "just keep up with the latest release and you can’t go wrong!".

  Debian is known to be one of the most stable Linux distributions around. Why? Without complicating the answer, Debian are painfully slow when it comes to releasing the latest version of its supported packages. In fact, 9 our of 10 times, they are running a much older version of a particular software package. However, keep in mind that although an older package is being run, the latest revision of that package will be available.

  This presents a bit of a dilemma. By running a tested and proven version of software you are less likely to run into compatibility problems, and it is probably going to be more stable. However, sometimes, the new version has particular features that you really want which forces you to not only upgrade the software package but all its modules and libraries too.

  In the example of WordPress, I remember when WP 2.3 was released. I waited a few revisions before upgrading. I was glad that I did. A number of bugs and security issues were found shortly after the install. You may also remember when WP 2.1.1 got released. A hacker had broken into WordPress and placed a backdoor in the new version of code. This may be unlikely to happen again (hopefully), but it raises the point; immediate upgrades are not always the best solution.

  Fruit for thought!

  

  
• 

  bs-wp-encrypt plugin: Encrypt Logins

  Posted: April 9th, 2008, 5:39pm CDT by DK

  Tags:  Tools   [edit]

  This simple plugin will ensure that all requests to ‘wp-login.php’ and ‘wp-admin/*’ are redirected over HTTPS. By using HTTPS you mitigate the risk of attackers capturing sensitive information such as usernames and passwords, which when accessed over HTTP provide no level of security.

  Please ensure that your site supports HTTPS before enabling this plugin. This can be done by pointing your browser to ‘https://yourblog/wordpress/’.

  Please be aware that this plugin is still new and may have some bugs. If you run into problems simply delete the plugin and report the bug to us.

  bs-wp-https.php can be downloaded here.

  Just rename it to bs-wp-https and drop in in your wp-content/plugins directory. It can be enabled from wp-admin.

  Enjoy!

  

  
• 

  WordPress 2.5 Admin Login SQL Injection Rumour

  Posted: April 7th, 2008, 6:03am CDT by DK

  Tags:  News   [edit]

  BlogSec received an email yesterday with a rumour that an SQL Injection issue has been found in the Wordress 2.5 admin login screen.

  There is currently no evidence to backup this claim, and we have received no further information. As time permits, we will investigate this issue further.

  
• 

  WordPress 2.5 Released with Added Security

  Posted: March 29th, 2008, 5:09pm CDT by DK

  Tags:  News   [edit]

  WordPress 2.5 has been released.

  From a security perspective, the new WP 2.5 promises secure cookie management, salted passwords and prepared SQL querying functions.

  I won’t be upgrading right away… I’ll let it run a while. This may be a good move forward for the WP team. Nice work guys!

  
• 

  Automated WordPress Hacking Tool Cached by Google

  Posted: March 26th, 2008, 6:52pm CDT by DK

  Tags:  News   [edit]

  Cyberinsecure recently posted details of an automated WordPress hacking tool that is doing the rounds. This malicious worm or program appears to create the directory, "wp-content/1/" as well as spam comments:

  The blogs are most likely attacked by some kind of automated tool since the amounts of spam are too big to work manually on all those spam pages creation. It seems there are also spam comments in posts as well. Spam comments are pointing to internal infected blog pages in folder “1″ to get them spidered and to get people to visit them.

  Smackdown also has a nice blog entry about this issue.

  
• 

  Facebook Personal Photos Revealed Yet Again

  Posted: March 26th, 2008, 6:43pm CDT by DK

  Tags:  News   [edit]

  Some members of social networks like Facebook post photos of themselves or others in potentially embarrassing or compromising situations that include illegal drug use or underage drinking that can cause trouble at school or work. Despite the risks, more people than ever are publishing photos and other intimate details about their lives.

  Vulnerabilities in Facebook allow anonymous users to view personal photos YET AGAIN. More details over at Data Storage Today.

  
• 

  OWASP Talk: PHP Code Analysis: Real World Examples

  Posted: March 19th, 2008, 12:13pm CDT by DK

  Tags:  News   [edit]

  OWASP chapter meetings and conferences are always a blast and definately worth attending. I’ll be speaking in London on the 3 April, for those who want to meet up.

  The talks planned are:

  - PHP Code Analysis: Real World Examples (David Kierznowski)

  We delve beyond register_globals and analyse real world examples
  of insecure PHP applications.

  - Abusing PHP sockets for fun and profit (Rodrigo Marcos)

  PHP (PHP: Hypertext Preprocessor) is a server-side HTML embedded
  scripting language which provides web developers with a full suite of
  tools for building dynamic websites. PHP socket library implements a
  low-level interface to the socket communication functions based on the
  popular BSD sockets. This presentation will focus on the use of PHP
  socket library from an offensive point of view, demonstrating
  interesting and creative vectors of attack.

  - Web Application Security Badges (Colin Watson)

  Web site and web application operators can apply to third party
  organisations to request their seal of approval that the web site is
  safe from hackers. These security seals are part of a broad
  collection of badges that web sites can display, but what are they
  testing, should consumers trust them and how do you compare one with
  another?

  
• 

  Interview with Hacker S@BUN

  Posted: March 18th, 2008, 5:02am CDT by DK

  Tags:  Interviews   [edit]

  Today’s interview is with S@BUN, a hacker from Turkey. S@BUN released a number of WordPress-related vulnerabilities recently and the BlogSec team wanted to find out a bit more about him.

  Q: Would you please tell us a little about yourself?

  A: I’m 26 years old and live in Turkey. Exploiting flaws has always been a hobby for me and now I’m writing bugs.

  Q: How long have you been active within the security field? What got you started?

  A: I’ve been in security for a long time, just hacking to begin with, but now I’m sending my exploits to sites.

  Q: You have recently disclosed a number of WordPress and Joomla vulnerabilities to the public. What motivated you to target these web applications? Are other web applications just as vulnerable in your opinion?

  A:Oh no problem joomla-wordpress-xoops-php-nuke-phpbb2. Its a hobby for me. Sometimes I send big exploits to site owners or company owners and other times I send them to sites like milworm-secruityfocus-securtyreason-secmania.

  Q: A large number of your vulnerabilities focus on database manipulation (SQL Injection). Why did you choose this type of vulnerability?

  A:I exploit SQL injection because ıts easy. I can write and use all types of vulnerabilities. Also inexperienced attackers can exploit them.

  Q: BlogSec has mentioned on a few occasions that WordPress needs to provide database safe functions for its core code as well as for its plugin development. Would you agree with this? What else would you suggest that can help improve the security of these and similar web applications?

  A: WordPress has a lot of software errors and I’ve sent them alot but I think they thought I was joking. I have 45-50 big exploits for WordPress. One day I will release them.

  Thanks for taking the time to answer our questions.
  BlogSec look forward to seeing more research from you in the future.

  
• 

  Ferruh WordPress CSRF Vulnerability

  Posted: February 13th, 2008, 6:07am CST by DK

  Tags:  Advisories   [edit]

  Ferruh sent BlogSec an email this morning about a new attack vector for WordPress, using CSRF (Cross Site Request Forgery).

  We have not yet had time to investigate the issue further, but it looks interesting. The basic concept revolves around the fact that WordPress is user friendly and asks the user for confirmation before submitting a request without a valid nonce.

  By dressing the request in some fancy CSS it may be possible to get the user to confirm the request without them knowing.

  Its a CSRF with some user intervention requirements which may mean a little social-engineering. Ferruh also provides a proof of concept exploit.

  Ferruh credits BlogSec’s Gareth Heyes for his work around CSS Overlays.

  Nice work Ferruh!

  
• 

  wp-no-version plugin updated

  Posted: February 13th, 2008, 3:26am CST by DK

  Tags:  News   [edit]

  This latest release of wp-no-version will not remove the version for authenticated users. This was done to support the new WordPress update checks which alert blog owners to new versions of WordPress.

  In my opinion this is really the best of both worlds, wp-scanner will not detect the version of the blog after this has been installed and it still allows you to get the cool WordPress update messages.

  You can get the latest version of wp-no-version here.

  I have tested this on the latest version of WP (2.3.3), as always please report bugs if you come across any.

  
• 

  BlogSec Moving Forward

  Posted: February 12th, 2008, 4:24pm CST by DK

  Tags:  News   [edit]

  BlogSec is planning a major move over the next couple months. This is mainly due to BlogSec’s fast growth and to enable us to develop its future services.

  The plan is to get new dedicated hardware so that we can start kicking in the next phase of the BlogSec project(s).

  We have a number of members willing to translate our materials. Our core team are working on some great projects, and we plan to release new versions of wp-scanner and a variety of additional online security services for blogs.

  I cannot wait to start giving you guys a glimpse of our new projects and services! Thanks to all our readers and contributors for there continued support.

  DK out!

  
• 

  Facebook IE Users at Risk

  Posted: February 6th, 2008, 3:31am CST by DK

  Tags:  Reflections   [edit]

  Elazar recently released a buffer overflow proof of concept in Aurigma’s ImageUploader ActiveX plugin.

  This ActiveX control is used by Facebook and I have seen it mentioned that MySpace is affected too. The vulnerability is only present for Internet Explorer users.

  This vulnerability will allow an attacker to execute commands on your computer via your browser.

  This has massive worm potential because no auto-update facility is available with ActiveX controls. Aurigma may be working on a fix, but it will be a long time before all users have upgraded. Furthermore, its ironic this vulnerability has been released now. BlogSec were a week or two away from releasing a similar advisory. As time permits we’ll look into this further, but in short, I believe their are a number of these vulnerabilities still waiting to be found in the Aurigma service.

  To remove the risk: Go to "D:WINDOWSDownloaded Program Files" you’ll see all your currently installed Internet Explorer ActiveX controls. You are looking for "ImageUploader4". If it exists, right click and uninstall it.

  Next time you go to upload Photos on Facebook, your browser will prompt you to reinstall it, this time installing the latest version.

  Social network services such as Facebook and MySpace have a huge responsibility to their users. A similar vulnerability has been discovered before. This tells me that the vendor may only be patching the symptom rather then targetting the problem.

  It really concerns me when services like Facebook with millions of users, provide and request that their users download and install software that in my opinion has not been security-tested or audited.

  More info is available from Larry Lignan’s post on ZDNET here.

  
• 

  WordPress.com content theft

  Posted: February 4th, 2008, 2:17pm CST by DK

  Tags:  News   [edit]

  Lorelle discusses content theft on WordPress.com. Splogs continue to grow at a rapid rate.

  
• 

  wp-calc & wp adserv plugin vulnerabilities

  Posted: February 1st, 2008, 3:21am CST by DK

  Tags:  Advisories   [edit]

  Jeffro2pt0 at WeblogToolsCollection has reported two new vulnerabilities that have recently been found in WordPress plugins:

  Today, we have a moderately critical SQL Injection Vulnerability that was discovered by HouSSaMix in the “WP-Cal” plugin version 0.x for WordPress.

  A person who goes by the handle “enter_the_dragon” has discovered a vulnerability within the Adserve Plugin version 0.2 for WordPress.

  More info at WeblogToolsCollection website.

  
• 

  Frisco Vista blog hacked

  Posted: January 24th, 2008, 2:14am CST by DK

  Tags:  News   [edit]

  Frisco Vista’s WordPress blog ran into some security problems. His experience can be read here.