Security Advisory – Hikashop Extension for Joomla!

Advisory for: Hikashop for Joomla!
Security Risk: High (DREAD score : 7/10)
Vulnerability: Object Injection / Remote Code Execution
Updated Version: 2.3.2

In a routine audit of our Website Firewall we discovered a serious vulnerability within the Hikashop ecommerce product for Joomla! allowing remote code execution on the vulnerable website[s].

What are the risks?

This vulnerability affects Joomla! websites running Hikashop (< 2.3.2). It requires open account registration with email activation, this is the default configuration. In this particular case, a malicious user (actor) can remotely execute commands on the site (RCE), allowing them to do things like read any configuration file, modify files, and / or insert malware.

Because of the severity, you need to update your Hikashop installations as soon as possible. The Hikashop team released an update and provided more details on the issue here: Security Issue for HikaShop 2.3.2 and below and for HikaMarket 1.4.2 and 1.4.3

Technical details

The extension was using some code within the user activation part of the software that relied on the PHP’s unserialize() function to confirm user-provided information. The keyword to remember here is user-provided.

As a rule of thumb, it is wise to never send raw, user-provided data, to sensitive functions (especially to unserialize()). In this case, it lead to an Object Injection vulnerability.

An attacker could use this behavior to spawn any classes available in the application’s context, modifying any internal variable it might have in an attempt to modify the class destructor’s execution flow.

These type of attacks are highly dependent on the available classes to the attacker when unserialize() parses its payload. We naturally thought it might be a good idea to verify whether or not something bad could be done using Joomla! 3.* classes, and it turns out there is. Using this, we were able to turn the Object Injection issue into a Remote Code Execution vulnerability, allowing us to run commands on the remote site.

Because of the severity, we will not release any POC (proof of concept code) or provide more details until user have had more time to update. After 30 days, we will disclose all information.

Update Hikashop as soon as possible!

Please update Hikashop immediately! The developers did their part and released an update within hours of our disclosure. Now, it is time for you to do your part and update your sites.

Note that site running behind our Website Firewall were remotely patched using our Zero Day Immediate Response feature.

Understanding Denial of Service and Brute Force Attacks – WordPress, Joomla, Drupal, vBulletin

Many are likely getting emails with the following subject header Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute. Just this week we put out a post titled More Than 162,000 WordPress Sites Used for Distributed Denial of Service Attack.

What’s the Big Deal?

Remember life before social media? How quiet and content we seemed to be? How the only place we got our information was from the local news or cable outlet? Maybe a phone call, or via email? Today however, we seem to be inundated with information, with raw unfiltered data, left to our thoughts and perceptions of what they really mean. Every day there is some new tragedy, a plane goes missing, a child is abducted, a school shooting, the brink of WWW III. Is it that we live in a time where we are all losing our mind? Or maybe, could it be that the only difference between now and then, is the insane amount of information at our finger tips?

With this in mind, yes, it’s true, there are ongoing Distributed Denial of Service (DDoS) and Brute Force attacks against WordPress sites. In fact it extends far beyond that specific platform, it’s affecting many other platforms like vBulletin, Joomla, Drupal. The reality is that these attacks have been ongoing for many months now, so much so, that they’ve become part of our daily life and it’s not when they happen that we’re surprised, quite the contrary, when they don’t.

Read More

Sucuri CloudProxy Website Firewall Improvements

If you are are a regular reader of our blog you probably know about our CloudProxy Website Firewall, it launched publicly a year ago. Since then, our team has been extremely focused on improving it, making it more effective and efficient for everyday website owners.

If you are not familiar with CloudProxy, I highly recommend reading some of the documentation and benefits of it:

In fact, if you have a website, why not try it out?

Read More

Layer 7 DDOS – Blocking HTTP Flood Attacks

There are many types of Distributed Denial of Service (DDOS) attacks that can affect and bring down a website, and they vary in complexity and size. The most well known attacks are the good old syn-flood, followed by the Layer 3/4 UDP and DNS amplification attacks.

Layer 7 DDOS

Today though, we’re going to spend a little time looking at Layer 7, or what we call an HTTP Flood Attack.

Read More

Google Bots Doing SQL Injection Attacks

One of the things we have to be very sensitive about when writing rules for our CloudProxy Website Firewall is to never block any major search engine bot (ie., Google, Bing, Yahoo, etc..).

To date, we’ve been pretty good about this, but every now and then you come across unique scenarios like the one in this post, that make you scratch your head and think, what if a legitimate search engine bot was being used to attack the site? Should we still allow the attack to go through?

This is exactly what happened a few days ago on a client site; we began blocking certain Google’s IP addresses requests because they were in fact SQL injection attacks. Yes, Google bots were actually attacking a website.

Read More

Sucuri CloudProxy WAF Plugin for WordPress

If you are using our CloudProxy WAF to protect your WordPress websites, we highly recommend that you also install our new CloudProxy plugin for WordPress. It has been public for a few weeks, and now we feel it is ready for production use, hence the announcement. :)

sucuri-cloudproxy-wordpress-waf-plugin

You can download the plugin from WordPress Plugin Directory, or directly in your WordPress wp-admin panel by searching for CloudProxy from the “Add New Plugin” page.

The Sucuri CloudProxy WAF plugin is free from the WordPress repository, and allows direct access to your CloudProxy dashboard from within your WordPress wp-admin panel. It allows you to see your audit logs and security events, clear caching, and overall easier management of your CloudProxy account without the need to login to Sucuri.net.


Note:The CloudProxy plugin doesn’t add any additional security measures beyond what’s offered in the CloudProxy service. The plugin is not required for CloudProxy use.

*ps: if you are not using CloudProxy, you should. Go check out CloudProxy today!

CloudProxy WAF – September Report

*By Tony Perez and Daniel Cid

As many of you are aware we released a website protection tool, CloudProxy WAF/IDS, at the beginning of the year and over the past few months we have been working with the data we’ve been accumulating. We’re finally at a place where we think we can provide better insight into the world of website attacks.

What we’re hoping to do is provide a monthly summary, similar to what you’ll read here that helps you understand the various website attacks we see via our CloudProxy WAF/IDS. It will also, hopefully, shed insight into the growing online threats that website owners face daily.

September 2013

We have some very small and some big sites with us. And the first thing we noticed is that even the smaller sites get attacked quite often. All sites do.

Every web site gets attacked. And that happens daily. Many times per day.


Read More

Sucuri CloudProxy Web Application Firewall (WAF) – Out of Beta

We are happy to announce that after more than a year in testing, Sucuri’s CloudProxy is out of beta.

CloudProxy

CloudProxy is currently available to Sucuri customers, so if you have an account with us, you can subscribe to CloudProxy from your dashboard.

Here is a quick testimonial:

I inherited a couple of websites that were hand coded and getting hacked on a daily bases. Hooked them up to CloudProxy last week and so far the sites have been protected and are not being hacked anymore. At this point, I’d highly recommend this service if you are running an out of date CMS or code and are getting hacked often! Great service!

Linda Kimble Long


Read More

Dissecting a WordPress Brute Force Attack

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


Over the past few months there has been a lot of discussion about WordPress Brute Force attacks. With that discussion has come a lot of speculation as well. What are they doing? Is it a giant WordPress botnet? Is it going to destroy the internet? Well, as you would expect of any good geeks we set out to find a way to find out.

This is not to be exhaustive case study or meant to be a representative sample of what all attacks look like, but it does have similar characteristics to the types of attacks and infections we deal with on a daily basis.

In this post, my goal is to highlight a hack that occurred this weekend, July 20th to be exact, against one of our several honeypots. In this specific instance, it was setup and configured approximately 2 months ago. It had been hacked about a month and a half ago and silly me I forgot to configure what I needed to do real forensics, oops. In any event, everything was cleared and pushed out again to see what happened, it was nothing more than a matter of sitting back and waiting.

Sure enough, about 30 days later and it was hacked, this time we were ready to see what happened..

Read More

Sucuri CloudProxy WAF – Fake Bots Explained

One of the most common questions we have been getting since launching our CloudProxy WAF is regarding bot activity and why it appears that we are blocking Google and / or Bing bots. Inside the CloudProxy dashboard we provide a full audit log of any request that gets denied access and when a client see’s something like the following in their logs they tend to get concerned:

13/May/2013:09:20:29 +0000] 80.72.37.156 “IP Address not authorized” “POST /wp-login.php HTTP/1.1″ 403 “” “Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)”

In this specific instance they are concerned that we are blocking Bing because of this reference: bingbot/2.0; +http://www.bing.com/bingbot.htm. They are especially concerned when it says Googlebot, like this one:

13/May/2013:18:27:14 -0400] 198.50.161.234 “Spam comment blocked” “POST /blog/wp-comments-post.php HTTP/1.0″ 403 “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)”

Nobody wants to block Google out of their sites.

Read More