Microsoft’s “clarification” on the various workarounds for the recent Internet Explorer security debacle.
Latest update from Microsoft: the critical remote code execution bug we already talked about affects all IE versions (including the IE8 beta) on every supported Windows operating system.
The bulletin also corrects some early assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites infected through automated SQL injections:
The only workaround suggested by Microsoft is disabling both Active Scripting and the OLEDB32 library, which is unfortunately required by most applications working with databases.
So, do you really want to keep inflicting that blue “e” on yourself? Or are you ready for a red panda?
WordPress announced the following vulnerability in WordPress 2.6.2:
A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If you don’t want to download the whole release to get the security fix, you can download the following two files and copy them over your 2.6.2 installation.
The st_newsletter Plugin is once again vulnerable to SQL Injection.
The hole is located in the page stnl_iframe.php: the newsletter parameter is missing correct sanitisation, so the plugin is prone to this attack. Currently we’re not aware of any fixes; users should disable the plugin in the meantime or fix the problem themselves. As r45c4l reported, no particular version is singled out: most previous versions and the current 2.2.81 are vulnerable.
This is considered a HIGH RISK vulnerability.
Credit: The hole was discovered by r45c4l.
More Info: An exploit has been made available on milw0rm.
A number of vulnerabilities have been discovered in the WP Comment Remix 1.4.3 plugin.
The following is a short overview of the vulnerabilities discovered:
These vulnerabilities are considered HIGH risks. The latest version (1.4.4) apparently addresses these issues.
Credit: ChX Security
More Info: The full Advisory can be found on the ChX Security Website.
Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Credits: Juan Galiana
Juan Galiana has published the advisory to Bugtraq this week which includes a proof of concept exploit.
Wordpress-MU is affected by a Cross Site Scripting vulnerability: an attacker can perform an XSS attack that gives access to the targeted user’s cookies and so to administrator privileges.
In /wp-admin/wpmu-blogs.php an attacker can inject JavaScript code, as the GET input variables “s” and “ip_address” aren’t properly sanitised.
WordPress-MU was notified and version 2.6.1 addresses this issue. We recommend all users upgrade as soon as possible.
iso^kpsbr has discovered a vulnerability that may allow an external attacker to gain admin access to WordPress 2.6.1.
WordPress is prone to a weakness in the entropy of generated passwords. Successfully exploiting this issue may allow an attacker to guess randomly generated passwords. WordPress 2.6.1 is vulnerable; other versions may also be affected.
The original advisory and proof of concept exploit are available on SecurityFocus.
WP Contact Form is a very popular WordPress plugin.
Mustlive has reported a number of vulnerabilities which you can view at his web page here.
According to the plugin author’s page, the latest version is 3.1.8. We went ahead and downloaded a copy to have a look. The actual contact form page that your users see is not vulnerable to these attacks. However, "/wp-admin/admin.php?page=wp-contact-form/options-contactform.php" is vulnerable.
Please note that at the time of writing this article all versions appear affected (<=3.1.8). We recommend disabling this plugin until a fix can be provided.
The Wp Downloads Manager module is a plugin for WordPress.
Wp Downloads Manager is prone to a vulnerability that lets attackers upload and execute arbitrary code. This issue occurs because the application fails to sufficiently sanitize user-supplied file extensions before uploading files onto the webserver via the ‘upload.php’ script.
Successfully exploiting this issue will allow attackers to upload and execute arbitrary PHP code within the context of the webserver process. This may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Wp Downloads Manager 0.2 is vulnerable; other versions may also be affected.
Affected Products: Giulio Ganci Wp Downloads Manager 0.2
References: Giulio Ganci: Wp Downloads Manager Homepage
An exploit has been made available on Milw0rm and is publicly available.
Credits: Thanks to MustLive for informing us of this issue.
More information is available at [www.juniper.net]
The NextGEN Gallery plugin, version <= 0.96, has been found vulnerable to a persistent Cross Site Scripting bug.
According to the advisory, the attacker requires authentication and access to the following URL:
http://[host]/[directory]/wp-admin/admin.php?page=nggallery-manage-gallery
As far as we know, no fix is currently available.
A SQL Injection vulnerability has been reported in WordPress by the Balsec Team. The advisory is lacking a lot of detail.
This post will be updated as new information is made available.
Sandor Attila Gerendi found a vulnerability in WordPress 2.3.3 which, under certain circumstances, allows an attacker to run arbitrary PHP code.
Input passed via the “cat” parameter to index.php is not properly sanitised in the “get_category_template()” function in wp-includes/theme.php before being used to include files in template-loader.php. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks.
According to the advisory, successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.
The vulnerability is confirmed in version 2.3.3.
Solution:
Update to version 2.5.1.
If you wish to patch your 2.3.3 install, please see the WordPress Trac.
CWH Underground have published an advisory regarding a malicious file execution vulnerability in WordPress 2.5.1.
We do not quite follow this advisory. It discusses the idea of uploading a PHP backdoor onto a WordPress blog via the file upload facility, or via the plugin edit facility. I don’t think this is really a WordPress issue but rather the correct functionality of WordPress.
We have discussed before in our WordPress Whitepaper that the file upload facility should be restricted to trusted users only. We also recommend you reading our Role Management post.
Yesterday Symantec elevated its ThreatCon rating as a response to an infection involving about 20,000 web pages (250,000 according to other sources), and probably still actively spreading through an automated SQL injection.
The main news is that this time an apparently unpatched vulnerability affecting Adobe Flash Player is being exploited, making the attack on end-users effectively cross-browser and potentially cross-platform:
The attack uses multiple layers of SWF redirection and generates URLs designed to target specific Flash version and browser combinations, supporting both Internet Explorer and Firefox.
The Adobe Product Security Incident Response Team reports of being aware of this problem and cooperating with the antivirus company for a precise assessment.
In the meanwhile, according to Symantec, you should:
Avoid browsing to untrustworthy sites.
Consider disabling or uninstalling Flash until patches are available.
Deploy script-blocking mechanisms, such as NoScript for Firefox, to explicitly prevent SWFs from loading on all but explicitly trusted sites.
Temporarily set the kill bit on CLSID d27cdb6e-ae6d-11cf-96b8-444553540000 until patch availability is confirmed.
Additional notes for NoScript users
Since the offending SWF files are served from external ad-hoc Chinese domains (wuqing17173.cn, woai117.cn and dota11.cn at this moment, very unlikely to be in your whitelist), even if a trusted site was infected you should still be protected.
However, if you want maximum protection, it’s a good time to check NoScript Options|Plugins|Apply these restrictions to trusted sites as well.
This option turns NoScript into an effective security-oriented replacement for the FlashBlock extension, working also with Java, Silverlight and other potentially vulnerable plugins such as QuickTime.
All the active embedded content pieces, no matter where they come from, will be blocked preemptively and you will be able to load them selectively by clicking on visual placeholders.
(from PSIRT’s blog):
This exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0. We strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0.
Since the currently exploited vulnerability appears to be patched, but the attack vector explicitly tests for the 9.0.124.0 player and can perform dynamic redirects, I’d obviously upgrade but still stay on the cautious side, deploying preemptive countermeasures just in case they’re saving the real zero-day for a second wave…
The first security and bugfix release of the latest WordPress branch is now available. WordPress does not mention the vulnerabilities fixed on the download page, but BlogSec recommends 2.5 users upgrade ASAP.
Among the bugs fixed are two fairly critical security issues: a Cross-Site Scripting vulnerability and the WP 2.5 Cookie Integrity Protection Vulnerability, discovered by Steven J. Murdoch.
The latest WordPress 2.5.1 can be downloaded from WordPress.
WordPress discuss the vulnerabilities here and as part of their development feed.
Steven J. Murdoch has discovered a vulnerability in WordPress 2.5 that may allow a registered user to gain admin level access on the blog. Only WP 2.5 blogs that permit users to register user accounts are vulnerable.
According to Steven:
This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection. If a Wordpress blog is configured to freely permit account creation, a remote attacker can gain Wordpress-administrator access and then elevate this to arbitrary code execution as the web server user.
The fix is fairly straightforward and WordPress has released it in WordPress 2.5.1.
Please note this vulnerability is different to [blogsecurity.net]
Steven’s Advisory is available here.
José Carlos Nieto Jarquín has found a vulnerability affecting WordPress 2.5 ONLY. His advisory was released on SecurityFocus yesterday.
Our recent "Secure WordPress Whitepaper Revision" shows the new WordPress SECRET_KEY variable in the ‘wp-config.php’ file. This SECRET_KEY must be set to something random, as specified in the WordPress documentation. If not, it may be possible for an attacker to brute force the default WordPress SALT generation process to gain access to your blog.
The vulnerability has been reported as a Medium risk as it only affects WordPress installations matching a certain criteria. See advisory for more details.
A proof of concept exploit is publicly available. Please ensure that you set your SECRET_KEY in your ‘wp-config.php’ file to something random.
From wp-config.php:
Change SECRET_KEY to a unique phrase. You won't have to remember
it later, so make it long and complicated. You can visit
https://www.grc.com/passwords.htm to get a phrase generated for you,
or just make something up.
define('SECRET_KEY', 'put your unique phrase here');
WordPress.com (2.3.2) is vulnerable to two Cross-Site Scripting vulnerabilities. It is important to note that these only affect WordPress.com blogs.
Proof of concept exploits have been released and there is a danger that an XSS worm could use this type of vulnerability to compromise thousands of WordPress.com blogs (see the developer versus hosted blogs debate).
Doz from hackerscenter.com released the advisory. The full disclosure advisory is available and a Video demonstration was also released.
Note (again): These vulnerabilities only affect the hosting platform WordPress.com, as the download package of WordPress doesn’t include the invite.php or users.php file.
Once again a number of critical issues have been discovered in a variety of WordPress plugins. If you are using one of these plugins, we suggest disabling the plugin until a fix has been produced by the plugin developer. Info as follows:
WP People <=1.6 is vulnerable to SQL Injection. The person parameter is not correctly sanitised. This means the WordPress blog database and blog may be compromised. Credit goes once more to S@BUN.
Original Entry on BugTraq
Simple Forum <2.1 (Build 237): The Forum and Topic parameters are not correctly sanitised. This means the WordPress blog database and blog may be compromised. S@BUN is credited for these disclosures: SF 1, SF 2.
WP Photo Album - WPPA <1.1: The photo and album parameters are not correctly sanitised. This means the WordPress blog database and blog may be compromised.
The vulnerability was found by S@BUN and is fixed in Version 1.1 of WPPA.
Search Unleashed <=0.2.0 is vulnerable to Arbitrary HTML Injection. Advisory here. Krzysztof Burghardt is credited for this discovery. This vulnerability is confirmed in version 0.2.0 and will be fixed in the upcoming release 0.2.1. This vulnerability is being exploited in the wild; we recommend disabling the plugin until a fix can be provided.
Sniplets 1.1.2 (and possibly other versions) have been found vulnerable to a number of HIGH risk issues, including HTML Injection, File Upload and PHP code execution. We strongly recommend disabling this plugin until a fix is provided.
nbbn@gmx.net is credited for discovering these issues.
Ferruh sent BlogSec an email this morning about a new attack vector for WordPress, using CSRF (Cross Site Request Forgery).
We have not yet had time to investigate the issue further, but it looks interesting. The basic concept revolves around the fact that WordPress is user friendly and asks the user for confirmation before submitting a request without a valid nonce.
By dressing the request in some fancy CSS it may be possible to get the user to confirm the request without them knowing.
It’s a CSRF with some user intervention requirements, which may mean a little social engineering. Ferruh also provides a proof of concept exploit.
Ferruh credits BlogSec’s Gareth Heyes for his work around CSS Overlays.
Nice work Ferruh!
Within the last few days a number of remote SQL Injection vulnerabilities in a variety of plugins have been released. This new hunt for this type of vulnerability follows David Kierznowski’s recent finding in the popular WP TextLinkAds plugin.
dmsguestbook 1.7.0 has multiple vulnerabilities. First, it is possible to deface your wp-config.php; in that way an attacker can gain access to your MySQL data. This is caused by improper control/sanitisation of the folder and file parameters. At the same time there are multiple XSS vulnerabilities, which are also HIGH risk issues.
There are several SQL Injection vulnerabilities within this plugin. More information is available at bugtraq.
We highly recommend disabling and removing the plugin from your blog until a major version release addresses all these holes. It is likely that previous versions are affected as well.
Version 1.8 is available, but BlogSecurity has received reports that it does not solve all the problems.
st_newsletter 2.x is vulnerable to SQL Injection. This is caused by improper sanitisation of the newsletter parameter within the shiftthis-preview.php file. This makes it possible to retrieve a list of all registered Users and their Password hashes. This hole was discovered by S@BUN and we’re not aware of any current fixes.
Another SQL Injection was made public by S@BUN, this time in Wordspew: the id parameter in wordspew-rss.php is not sanitised and therefore open to attacks. Again, we were not aware of any fixes. Update: the latest version, 3.72, fixes the vulnerability. It’s available on the official WordSpew webpage.
The last hole for now is within wp-footnotes 2.2. The current version allows access to the Adminpanel of the plugin via the URL. This results in XSS vulnerabilities. More can be found over on BugTraq. Again no fix is currently available.
The H-T Team made public some new exploits affecting the following plugins by Fredrik Fahlstad: fGallery 2.4.1 and WP-Cal 0.3, both vulnerable to remote SQL Injection. It is likely that earlier versions are affected.
Within the WP-Cal plugin, the file editevent.php is vulnerable to this attack because of improper sanitisation of the id parameter. Within the fGallery plugin the file fim_rss.php is vulnerable, as the album parameter isn’t properly sanitised either.
PoCs are available on Milw0rm here and there.
To fix these vulnerabilities you have to change the following lines. For WP-Cal:
$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
To:
$id = intval($_GET['id']);
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
And for fGallery:
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");
To (note that the cast has to happen outside the string: inside double quotes PHP interpolates $_GET[album] but leaves intval( ) as literal text, so writing intval($_GET[album]) inside the query would not sanitise anything):
$album = intval($_GET['album']);
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $album");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $album AND status = 'include'");
More changes may be needed to fix the vulnerability completely.
Currently we’re not aware of any official fixes for these holes.
Jeffro2pt0 at WeblogToolsCollection has reported two new vulnerabilities that have recently been found in WordPress plugins:
Today, we have a moderately critical SQL Injection Vulnerability that was discovered by HouSSaMix in the “WP-Cal” plugin version 0.x for WordPress.
A person who goes by the handle “enter_the_dragon” has discovered a vulnerability within the Adserve Plugin version 0.2 for WordPress.
More info at WeblogToolsCollection website.
A critical vulnerability in Fredrik Fahlstad’s WP-Forum plugin has been made public. Details are available on Secunia and milw0rm.
This hole may allow an unauthenticated attacker full access to your blog and potentially your web server/host.
PoC: Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
See milw0rm
Fix: The BlogSec team are unaware of any fixes at this time.
David Kierznowski of BlogSecurity has found a critical vulnerability in the popular TextLinkAds plugin for WordPress. The vulnerability allows an unauthenticated, remote attacker to completely compromise your database and therefore your blog.
This is a serious security risk, and should take higher priority than what it has. I have shared various emails with TextLinkAds (starting 31 Dec 2007), but no fix has been made available to date - as far as I am aware. It was trivial to find and there are most likely others… I am releasing this now as attackers may already be exploiting it and I am reluctant to leave it longer.
The vulnerability was tested on version 1.1.1 and the latest version 1.1.3; both were found vulnerable. Please note I have verified that this vulnerability affects v3.0.8. Please note, all plugins are likely affected before (15/Jan/08). DO NOT rely on the version numbers.
Proof of concept: Removed for security reasons.
Fix information:
The vulnerable code is found on line 512:
$postId = $postId;
This variable is passed to $wpdb->get_results without being sanitised.
To fix this hole, simply change the above line to:
$postId = (int) $postId; /* FIXED */
While browsing through the code, I did notice other SQL Injection problems, but some of these are mitigated by the fact that you need a valid TextLinkAds key to call the function; a more in-depth view may reveal more.
Summary: Although I have provided a fix, I would suggest disabling this plugin until a full review of the code has been conducted by TextLinkAds and an appropriate fix released. I am sure this will cause a lot of anxiety, especially as a number of larger and smaller blogs earn income via this service.
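As an added example (not code from WP-Cal, fGallery or TextLinkAds), the script below contrasts the intval()/(int) casts used in the WP-Cal, fGallery and TextLinkAds fixes above with strict integer validation that rejects a malformed id instead of silently coercing it; function names and sample inputs are constructed for this illustration.

```php
<?php
// Added example: strict validation of integer id parameters versus a bare
// integer cast. Names and sample request values are constructed.

// Strictly validate an integer id taken from a request array.
// Returns the int on success, or null when the value is not a plain decimal
// integer >= $min. Unlike intval(), "1 OR 1=1" is rejected, not turned into 1.
function strict_int_param(array $source, string $name, int $min = 1): ?int
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = filter_var($source[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min],
    ]);
    return $value === false ? null : $value;
}

// WP-Cal style query with the fix from the page: the cast happens *before*
// the value is interpolated. Casting inside the double-quoted string does not
// work, because PHP interpolates the variable but leaves intval( ) as text.
function build_event_query(string $table, $raw_id): string
{
    $id = (int) $raw_id;            // same effect as intval()
    return "SELECT * FROM $table WHERE id = $id";
}

// Same query built through a placeholder, the style WordPress offers via
// $wpdb->prepare() since 2.3; sprintf('%d') stands in for the database layer.
function build_event_query_prepared(string $table, int $id): string
{
    return sprintf("SELECT * FROM %s WHERE id = %d", $table, $id);
}

// Constructed request values: a benign id, an injection attempt, a negative
// id and a non-numeric string. The cast silently maps all of them to an int;
// the strict check only accepts the first.
$samples = ['7', '1 OR 1=1', '-3', 'abc'];
foreach ($samples as $raw) {
    $strict = strict_int_param(['id' => $raw], 'id');
    printf("%-12s cast=%-3d strict=%s\n",
        var_export($raw, true), (int) $raw,
        $strict === null ? 'rejected' : $strict);
}

// The cast neutralises the payload, but the request is still served rather
// than refused, which hides probing from your logs.
echo build_event_query('wp_cal', '1 OR 1=1'), "\n";

// Validate first, then bind: malformed ids never reach the query builder.
$id = strict_int_param(['id' => '7'], 'id');
if ($id !== null) {
    echo build_event_query_prepared('wp_cal', $id), "\n";
}
```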
Democracy is a popular AJAX driven voting plugin for WordPress.
BlogSecurity found a vulnerability in the latest version of Democracy (2.0.1) that may allow attackers to hijack your admin/user accounts as well as a vast number of other attack vectors.
Proof of concept (test your blog):
http://wordpress.dom/blah'style=xss:expression(alert(document.cookie)); (Tested on IE7)
OR
http://wordpress.dom/blah'onMouseOver=javascript:alert(document.cookie);// (Tested on Firefox & IE)
The proof of concept exploits above can be used to test for vulnerable blogs.
How to fix? Go to your democracy plugin directory and edit class.php.
Vulnerable code: in class.php (Line 166)
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)));
Change to:
$url = htmlspecialchars(add_query_arg(array('dem_action' => 'view', 'dem_poll_id' => $this->id)), ENT_QUOTES);
Double quotes are escaped but single quotes aren’t. As single quotes are used in $url, we can append malicious code. As a fix, we simply use htmlspecialchars() with ENT_QUOTES.
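The following is an added example, not the Democracy plugin’s own code: it shows why htmlspecialchars() without ENT_QUOTES is not enough when the value lands inside a single-quoted attribute. add_query_arg() is replaced by a constructed request URI, since in the plugin the value is derived from the current URL.

```php
<?php
// Added example (not from the Democracy plugin): escaping for a value that is
// emitted inside a single-quoted HTML attribute. The request URI below is a
// constructed sample.

// Escape as the vulnerable class.php did. Before PHP 8.1 the default flag set
// was ENT_COMPAT, which converts " but leaves ' untouched; passing ENT_COMPAT
// explicitly reproduces that behaviour on any PHP version.
function escape_compat(string $url): string
{
    return htmlspecialchars($url, ENT_COMPAT);
}

// The fix from the page: ENT_QUOTES converts ' to &#039; as well.
function escape_quotes(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES);
}

// The plugin emitted the URL inside a single-quoted href attribute.
function render_poll_link(string $escaped_url): string
{
    return "<a href='" . $escaped_url . "'>view poll</a>";
}

// Inside a single-quoted attribute, any raw ' in the escaped value ends the
// attribute early. The escaper is safe for this context only if none survive.
function safe_for_single_quoted_attr(string $escaped_url): bool
{
    return strpos($escaped_url, "'") === false;
}

// Constructed request URI: a stray quote followed by an attribute name is
// enough to show the break-out; no script payload is needed.
$request_uri = "/?dem_action=view&dem_poll_id=3' onmouseover=x";

$escapers = ['ENT_COMPAT' => 'escape_compat', 'ENT_QUOTES' => 'escape_quotes'];
foreach ($escapers as $label => $fn) {
    $escaped = $fn($request_uri);
    // With ENT_COMPAT the tag gains a second attribute; with ENT_QUOTES the
    // whole value stays inside href.
    printf("%-10s safe=%-3s %s\n", $label,
        safe_for_single_quoted_attr($escaped) ? 'yes' : 'no',
        render_poll_link($escaped));
}
```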
Summary: The Democracy author was contacted initially on the 31 December, and then again at the beginning of last week. As we have not heard anything in over 15 days, we are releasing the advisory along with a fix.
David Kierznowski is credited for the find.
Jose Palazon, sent us an advisory he wrote which allows defeating of a WordPress antispam plugin named, "Peter’s Math AntiSpam spinoff".
I think this is one of the first practical audio captcha hacks I’ve seen. Very cool actually, nice one Jose.
Now, back to the details…
Here’s another spin-off of Peter’s Custom Anti-Spam Image for WordPress that will generate math anti-spam equations as images instead of custom anti-spam images….
The goal of this spin-off plugin is to further fool spambots somewhat by combining the “make them answer a math equation” and “make them read an image” ideas. This plugin aims to keep the readability of the Custom Anti-Spam version, as well as other features like random fonts and colours.
Jose’s research demonstrates practical pseudo code to attack this plugin. I’m not going to try to summarise it, just read the paper. In short, spammers are going to have a BBQ with your blog.
Solution? Use an alternate AntiSpam plugin like Akismet or BlogSec’s SpamBam.
Mustlive has found a number of directory traversal vulnerabilities in WP 2.0.11 (Latest 2.0 branch). BlogSec have confirmed this in WordPress 2.3.1. WP 2.3.2 is not vulnerable.
Please note, this only affects WordPress running on MS Windows.
A directory traversal attack, means an attacker can potentially edit and view files outside of its ‘allowed’ area. Depending on how the web server has been configured, this may allow an authenticated user to view sensitive files such as wp-config, password files etc.
The problem lies in the following function:
function validate_file(..)
if (false !== strpos($file, './'))
This works fine for Linux; however, MS Windows operating systems also support the backslash (\) as a path separator. This means we can bypass the above check ('./') by using ('.\').
Proof of concept:
http://site/wp-admin/index.php?page=..\..\.htaccess
This is fixed in WP 2.3.2 (the latest version checks for '..' and './').
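The following is an added example, not WordPress’s own validate_file(): a hardened version that normalises backslashes before checking for traversal, compared against the slash-only check quoted above on constructed inputs; function names and inputs are my own.

```php
<?php
// Added example (not WordPress code): a path check that treats backslashes
// like slashes, so the Windows-style traversal described on the page is
// caught. Test inputs are constructed.

// Returns 0 if $file is an acceptable relative path, 1 on traversal,
// 2 on an absolute or drive-qualified path.
function validate_file_hardened(string $file): int
{
    // Normalise separators first: "..\" and "../" must mean the same thing.
    $path = str_replace('\\', '/', $file);

    // Reject any "." or ".." segment, not just the "./" substring.
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..' || $segment === '.') {
            return 1;
        }
    }

    // Absolute paths and Windows drive letters (C:/...) are not relative.
    if ($path !== '' && ($path[0] === '/' || preg_match('/^[A-Za-z]:/', $path))) {
        return 2;
    }
    return 0;
}

// The WP 2.3.1 check from the page, for comparison (slash-only).
function validate_file_231(string $file): int
{
    return (false !== strpos($file, './')) ? 1 : 0;
}

// Constructed inputs: legitimate plugin pages and traversal attempts.
$inputs = [
    'my-plugin/admin.php',          // fine under both checks
    '../wp-config.php',             // caught by both
    '..\\..\\.htaccess',            // Windows-style: slips past 2.3.1
    'sub/./page.php',               // "./" segment, caught by both
    'C:\\inetpub\\wwwroot\\x.php',  // drive path: only the hardened check objects
];
foreach ($inputs as $in) {
    printf("%-28s 2.3.1=%d hardened=%d\n", $in,
        validate_file_231($in), validate_file_hardened($in));
}
```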
An exploit has been made publicly available affecting Wordpress PictPress.
This is a remote file include vulnerability. This means an attacker requires no authentication or action from the blog administrator in order to compromise or gain full access to the blog.
This is a CRITICAL risk issue. It is recommended that you disable this plugin if in use, until a fix has been provided by the plugin developer.
Credits to Gold_M for discovering this vulnerability.
The popular WP-ContactForm plugin has been found vulnerable to HTML Injection.
This could allow an attacker to compromise your blog if you are authenticated to your blog while at the same time visiting a page with the embedded attack. Another popular attack is using phishing type e-mails.
BlogSec is not aware of any fixes as yet. We will update this post when more information is available to us.
Credit to Mustlive for discovering and publishing the vulnerability.
Check BlogSec’s double agent post for HTML Injection mitigation ideas.
Abel Cheung has discovered yet another vulnerability in WordPress.
It is found that the search function provided within WordPress fails to sanitize input based on different character sets. So if WordPress tries to query the MySQL database using certain specific character sets, the WordPress search function is exploitable using charset-based SQL injection.
Currently known exploitable character sets include Big5 and GBK (see your wp-config.php, as this will mainly affect Chinese blogs). All of them may use backslash (\) as part of a multibyte character. WordPress with a MySQL database created in any other character set fulfilling such property may also be exploitable.
Workaround: This vulnerability only exists for database queries performed using certain character sets. For databases created in most other character sets no remedy is needed.
The full advisory is available here.
Thanks to Abel for keeping us in the loop, and great find.
Update: 10/12/07 This vulnerability has been downgraded to an information disclosure vulnerability ONLY as no proof of concept exploit has been possible. This is contrary to the original advisory. More info here.
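As an added illustration of the mechanism described above (not code from the advisory or from WordPress), the script below walks a constructed search string the way a GBK-aware parser would and shows that an escaping routine unaware of the connection charset leaves the quote standing; the byte walker and sample bytes are constructed for this example.

```php
<?php
// Added example (not WordPress or advisory code): why an escaping routine that
// does not know the connection charset (addslashes() being the classic case)
// fails for GBK/Big5, where 0x5C (backslash) may be the second byte of a
// character. The walker below only models GBK's lead/trail byte ranges.

// Count single quotes that a GBK-decoding parser would see as unescaped.
function unescaped_quotes_gbk(string $bytes): int
{
    $count = 0;
    $escaped = false;
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $b = ord($bytes[$i]);
        // Lead byte 0x81-0xFE plus trail byte 0x40-0xFE (except 0x7F) form one
        // character, so a 0x5C trail byte is *not* an escape character.
        if ($b >= 0x81 && $b <= 0xFE && $i + 1 < $n) {
            $t = ord($bytes[$i + 1]);
            if ($t >= 0x40 && $t <= 0xFE && $t !== 0x7F) {
                $i++;                   // swallow the trail byte
                $escaped = false;
                continue;
            }
        }
        if ($b === 0x5C) {              // standalone backslash escapes the next byte
            $escaped = !$escaped;
            continue;
        }
        if ($b === 0x27 && !$escaped) {
            $count++;
        }
        $escaped = false;
    }
    return $count;
}

// The same count as a single-byte (latin1-style) parser would make it.
function unescaped_quotes_single_byte(string $bytes): int
{
    $count = 0;
    $escaped = false;
    for ($i = 0, $n = strlen($bytes); $i < $n; $i++) {
        $b = ord($bytes[$i]);
        if ($b === 0x5C) {
            $escaped = !$escaped;
            continue;
        }
        if ($b === 0x27 && !$escaped) {
            $count++;
        }
        $escaped = false;
    }
    return $count;
}

// Constructed search term: a lone GBK lead byte 0xBF followed by a quote.
// addslashes() inserts 0x5C before the quote, giving 0xBF 0x5C 0x27. A GBK
// parser pairs 0xBF with 0x5C as one character and the quote survives.
$search  = "\xBF'";
$escaped = addslashes($search);

printf("latin1 view: %d unescaped quote(s)\n", unescaped_quotes_single_byte($escaped));
printf("GBK view:    %d unescaped quote(s)\n", unescaped_quotes_gbk($escaped));

// Mitigation: tell the driver the connection charset (mysqli::set_charset())
// and use its real_escape_string(), or better, placeholders such as
// $wpdb->prepare(), so the escaping rules match the charset the server decodes.
```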
A new SQL Injection vulnerability may have been discovered in WordPress 2.3.1. This is a critical security risk that may allow an attacker to remotely compromise your blog.
Test your blog (proof of concept):
POC = http://localhost/path_to_wordpress/?feed=rss2&p=1
Currently, the BlogSec team are unaware of a patch. Please keep an eye on this post for updates.
The original advisory can be found here.
Beenu Arora has been credited for finding the vulnerability.
Thanks to Mustlive for bringing it to our attention.
The 3ivx high performance MPEG-4 audio/video codec (MP4) for Microsoft Windows is vulnerable to stack overflow, with shellcode proof of concept published by SYS 49152 (a C64 nostalgic like me, undoubtedly).
Affected versions certainly include 4.5.1, which is quite widespread, and the latest, 5.0.1.
The most likely exploitation scenario involves user downloading a movie clip in MP4 format from an untrusted source (did you say p0rn?) and consuming it through a media player which relies on the 3ivx codec (the PoC above exploits Media Player Classic, for instance).
Notice that the file name extension doesn’t need to be “.mp4”, as MP4 streams can be wrapped inside container formats such as ASF or AVI.
Of course, if the vulnerable media player installed also its own browser plugin, you can be owned instantly just stumbling upon an untrusted web page, unless you already took proper countermeasures.
Look for 3ivx.dll and/or 3ivxVfWCode.dll in your %WinDir%\System32 folder; if you can find these files, delete or rename them. If you still need to play MP4 files and you find your system can’t do it anymore, you may want to install the excellent open source VLC Media Player, which uses a different codec.
Slop… er… happy surfing ;)