WordPress 3.6.1 Released – Includes Security Fixes

The WordPress team just pushed out a new version of WordPress. WordPress 3.6.1 is a maintenance release that includes some security bug fixes. Straight from their release post, these are the security changes:

  1. Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  2. Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  3. Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

We asked WordPress Lead Developer, Andrew Nacin for a bit of clarity around the author role issue that was fixed, here’s what Andrew said:

A user can reassign the authorship of a post to another user, even when they are not allowed to do so. (For example, the user is an Author and not an Editor.) The user must already be allowed to edit content — and specifically edit that post. They also then lose the ability to edit that post, but this “forging” could still cause a compromised account or malicious user to post as another user.

In closing the conversation with Andrew, he remarked that WordPress is not vulnerable to the remote code execution issue by default:

I’ll emphasize that WordPress is *NOT* exploitable to the RCE out of the box, despite it being a doozy. It requires a vulnerable object (which core does not have), as well as a vulnerable character set. It is a “perfect storm” vulnerability.


Read More

New WordPress and Joomla Updates Available

If you are a WordPress or Joomla user, you better start updating your sites now.

Joomla 2.5.14

Joomla 2.5.14 was released containing some critical security fixes. They didn’t provide much details, but by the summary is seems serious enough to allow users to bypass upload restrictions:

Project: Joomla!
Severity: Critical
Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
Exploit type: Unauthorised Uploads
Reported Date: 2013-June-25
Fixed Date: 2013-July-31
Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.

More information on Joomla 2.5.14 update here: http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

WordPress 3.6

WordPress 3.6 (a major release) was also announced with multiple new features and bug fixes. It doesn’t have any specific security fix, but keeping your site updated is a must, so we recommend all users to update.

More information on WordPress 3.6 is available here: http://codex.wordpress.org/Version_3.6


We recommend upgrading as soon as possible to reduce the risk of issue. Make sure you test your upgrades in a development environment before you go hot.

If you have any questions, feel free to drop an email.

WordPress 3.5.2 Security and Maintenance Release

The WordPress team just pushed out a new version of WordPress (3.5.2) that has some security bugs fixed. Straight from their release post, these are the security changes:

  1. Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  2. Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  3. An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
  4. Prevention of a denial of service attack, affecting sites using password-protected posts.
  5. An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  6. Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  7. Avoid disclosing a full file path when a upload fails. Reported by Jakub Galczyk.


Read More

Joomla Version 2.5.10 Released – Security Updates

This morning the Joomla development team released a new version of the Joomla platform. This is a Security release, so please be sure to update if you’re on the 2.x branch. If you’re on the 1.x branch the odds of updating seamlessly is highly unlikely so please do so only if you’re engaging a developer to assist you.

This release address 7 security issues, all of them appear to be low to moderate and revolve around Cross-Site Scripting (XSS), Denial of Service (DOS) and Privilege Escalation. It also contains another 38 bug fixes.

Security Fixes include:

If you can, please be sure to update, you can get your latest releases off the Joomla website here.

WordPress 3.5 Released

Update like it’s hot!

Today marks the release of WordPress 3.5 (Named Elvin after jazz drimmer Elvin Jones), a major release this year for the WordPress project.

WordPress 3.5

This release highlights some very significant changes to anything from the JavaScript libraries being used, to a brand new Media Manager. Although there are no security fixes highlighted, there were various bugs fixed along with the newly added features.


Read More

WordPress 3.4.2 Released – Maintenance and Security Update!!

As many know, today the WordPress team released a new patch for WordPress 3.4.2, and have titled it a maintenance and security release.

WordPress 3.4.2 Update

By now many have regurgitated the same post in a number of different blogs and forums pushing the word out, that’s great.

It took us a bit longer because we wanted to better understand the specifics of the security release. Here is what we found:

Read More

Rebots.php JavaScript Malware Being Actively Injected

Holy JavaScript malware, Batman! On August 11th we started seeing the Rebot JavaScript malware string injected on various websites. Since then, it has increased its appearances, and has variated the way it’s being included on the infected sites.

Rebots

When you visit a compromised site, it will attempt to load an additional JavaScript, like one of these:

<script src="http://lig-limp.com.br/rebots.php"..

<script; src="http://chezbruna.com.br/imagens/rebots.php"..


Read More

WordPress Update – 3.3.3 and 3.4.1 Patches Released!!

Well it was only a few weeks ago, but today, two new patches were released: 3.3.3 and 3.4.1.

The good news is, as they are patches, the updates should be fairly straight forward and should not cause much, if any, issues. It is important to note though that this is a Maintenance and Security release. On their official post they highlight the following items:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.


Read More

Joomla 2.5.5 released (security update)

Joomla 2.5.5 was just released today, with a few bugs fixed and 2 important security updates for a privilege escalation and an information disclosure issue:

1- Privilege escalation

High severity security issue, that allows unprivileged users to get admin access to a site running Joomla.

2- Information Disclosure

This is a low severity security issue that leaks internal information about the database, internal paths and PHP info.

More information about this release here: Joomla 2.5.5 released

Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sitecheck was also updated to alert users not running version 2.5.5 on their Joomla sites.

WordPress 3.4 Released – Update, Update, Update

It’s always very easy to say to update, but the harsh reality is that although the update process has been drastically streamlined over the past few years, there are always a few challenges. Its why we have put together a post on 3 easy steps that you can take to make the process safer.

Please also take a minute to read up on WordPress 3.4 – code name Green. Also, don’t forget to take a minute to scroll through the long list of contributors and if you know one, thank them for helping make the product.

You can find a more comprehensive list of updates and features here: http://codex.wordpress.org/Version_3.4


If you have any questions feel free to contact us at info@sucuri.net.