JetPack and TwentyFifteen Vulnerable to DOM-based XSS

Any WordPress plugin or theme that uses the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability because of an insecure file shipped with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) have been found to be vulnerable. The exact count is hard to pin down, but both the plugin and the theme are default installs in millions of WordPress sites. The root issue is the genericons package itself, so any plugin that bundles it is potentially vulnerable if it also ships the example.html file that comes with the package.

DOM-based XSS

The XSS vulnerability WordPress is experiencing is very simple to exploit and happens at the Document Object Model (DOM) level. If you are not familiar with DOM-based attacks, the OWASP group explains it well:

DOM-Based XSS is an XSS attack wherein the attack payload is executed as a result of modifying the Document Object Model (DOM) “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.



WP Symposium – Zero Day Vulnerability Dangers

Our friends at SpiderLabs released a blog post today talking about the latest WP Symposium file upload vulnerability, and the attacks they have been seeing in the wild.

This specific vulnerability was disclosed publicly Dec 11th, and attacks against it have started. If you use this WordPress plugin we encourage you to update your plugin.

Scan Timeline

This plugin is not one of the more popular ones (it has some 150,000 downloads), but we decided to look at our internal data to see if we could verify SpiderLabs' findings.

Indeed, it was/is happening.

Filtering through this month, December, we see a large increase in the number of scanners looking to see if the plugin is configured on websites:

(Chart: WP Symposium scan attempts per day, December)

It went from 0 scans in previous months, to a couple in early December, to a sharp increase after its disclosure on the 11th of December. Since then, the number of scans has kept growing, with a slight pause for the holidays (guess everyone needs time to open gifts). As this plugin is not widely used, most of the scan attempts generate Not Found errors (404 pages: plugin not found).

Exploit Attempts Timeline

The scan attempts timeline is not that interesting per se.

Yes, we started seeing a few more scans before it was publicly disclosed, but it doesn’t tell us much.

However, if a site is found to be using this plugin via one of these scan attempts, the next step is the exploit.

And what was really interesting to us is that when we looked at this specific exploit payload in our logs, we found this (look at December 1st and 9th):

(Chart: WP Symposium exploit attempts per day, December)

What you see is that on December 1st, (11 days before the public disclosure), one of our sites was attacked using this specific exploit. And again on the 9th (2 days before disclosure).

Someone out there knew of this vulnerability and was actively attempting to exploit it, whether it was shared on underground forums, they found it themselves, or they learned of it by some other means. Either way, we were dealing with an active 0-day vulnerability.

The website targeted in our stack never used this plugin, so it was naturally protected against the attack. Regardless, even if the site had the plugin installed, our Website Firewall would have blocked the request through one of our virtual hardening signatures:

2014-12-01 19:24:10: 191.181.x.x – – "POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1" 403
BLOCKREASON:VIRTUALHARDENING

This is the kind of discovery that keeps us up late at night, and why we invest heavily in our routine audits. What if it had happened in a plugin we were actually using on our own blog? Our WAF blocked it this time, but what if it had been a different vulnerability? Would we have blocked that as well? We have had many sleepless nights worrying about exactly this, and it is the foundation of why and what we have built.

This is a classic example of what attackers could do with your website. What are you doing to protect yourself? What are you doing to make sure that attackers don't abuse your website's resources and your readers' trust? How are you staying ahead of the threats?

WordFence WordPress Security Plugin Pushes a Security Update

If you are one of the many users of the WordFence WordPress security plugin, we highly encourage you to update. They recently pushed out a security update that could affect your install. Interestingly, the issue itself was rated Low Severity; what is remarkable is both their immediate response to it and the detail they provide in their change log.

This is a very good way for a development firm to respond in the event of incidents. Snippet from their change log:


Thoughts on WordPress Security and Vulnerabilities


As avid readers of this blog know, we’ve discovered or written about multiple vulnerabilities within the WordPress ecosystem over the last couple of weeks specifically relating to popular plugins. MailPoet and Custom Contact Forms drove the bulk of the engagement, but those using WPTouch, TimThumb and vBulletin were also made aware of vulnerabilities.

If it seems like most of the problems occur with plugins, it's because that is the truth. In fact, it's not restricted to plugins: it includes themes and any number of other extensions or services that a website might make use of. This applies beyond the realm of WordPress and is something that all website owners should be mindful of.



WordPress and Drupal Core Denial Of Service Vulnerability – Moderately Critical

Both WordPress and Drupal are affected by a DoS (denial of service) vulnerability in the PHP XML parser used by their XML-RPC implementations. The issue lies in XML entity expansion: a small request can expand into a huge document, exhausting CPU and memory and driving the site's database to its maximum number of open connections. That causes the vulnerable site (and server) to go down for a period of time, affecting the availability of your website.
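To make the entity-expansion problem concrete, here is an added example (not code from WordPress, Drupal or this blog) of a pre-parse gate for XML-RPC request bodies. XML-RPC never needs a DTD, so the gate rejects any body carrying a DOCTYPE before the real parser touches it; it also estimates, without expanding anything, how large the declared entities would become, which is what turns a few hundred bytes of request into CPU and memory exhaustion. The method name, table of entities and the nested-entity sample are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed benign XML-RPC request (the method name is made up).
BENIGN_BODY = (
    '<?xml version="1.0"?>'
    "<methodCall><methodName>demo.sayHello</methodName>"
    "<params><param><value><string>hi</string></value></param></params>"
    "</methodCall>"
)

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')
ENTITY_REF = re.compile(r"&(\w+);")


def nested_entity_body(levels=5, fanout=10):
    """Constructed sample: each entity references the previous one `fanout` times,
    so the declared text grows linearly while the expanded text grows exponentially."""
    decls = ['<!ENTITY e0 "lol">']
    for i in range(1, levels + 1):
        decls.append(f'<!ENTITY e{i} "{"&e%d;" % (i - 1) * fanout}">')
    dtd = "<!DOCTYPE methodCall [" + "".join(decls) + "]>"
    return (f'<?xml version="1.0"?>{dtd}'
            f"<methodCall><methodName>&e{levels};</methodName></methodCall>")


def internal_entities(body):
    """Map of entity name -> replacement text declared in an internal DTD subset."""
    return dict(ENTITY_DECL.findall(body))


def expanded_size(entities, name, _memo=None, _stack=None):
    """Byte count of `name` after full expansion, computed from the declarations
    alone (nothing is actually expanded). Recursive declarations are rejected."""
    _memo = {} if _memo is None else _memo
    _stack = set() if _stack is None else _stack
    if name in _memo:
        return _memo[name]
    if name in _stack:
        raise ValueError(f"recursive entity {name!r}")
    _stack.add(name)
    value = entities[name]
    size = len(ENTITY_REF.sub("", value))          # literal characters
    for ref in ENTITY_REF.findall(value):
        if ref in entities:
            size += expanded_size(entities, ref, _memo, _stack)
        else:
            size += len(f"&{ref};")                 # predefined/unknown: counted as written
    _stack.remove(name)
    _memo[name] = size
    return size


def check_xmlrpc_body(body):
    """Return (accepted, reason). Any DOCTYPE is refused outright; the reason
    records the worst-case expansion so the rejection can be logged meaningfully."""
    if re.search(r"<!DOCTYPE", body, re.IGNORECASE):
        try:
            ents = internal_entities(body)
            worst = max((expanded_size(ents, n) for n in ents), default=0)
            return False, f"DOCTYPE rejected (worst-case entity expansion {worst} bytes)"
        except ValueError as exc:
            return False, f"DOCTYPE rejected ({exc})"
    return True, "ok"


def method_name(body):
    """Parse only bodies that passed the gate and return the requested method."""
    accepted, reason = check_xmlrpc_body(body)
    if not accepted:
        raise ValueError(reason)
    return ET.fromstring(body).findtext("methodName")


if __name__ == "__main__":
    print(method_name(BENIGN_BODY))
    print(check_xmlrpc_body(nested_entity_body(5, 10)))
```

Five levels with ten references each is only a few hundred bytes on the wire but 3 * 10^5 bytes once expanded; adding levels multiplies that by ten each time, which is why refusing the DTD up front is cheaper than any limit applied after parsing starts.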

Kudos to the security teams from both platforms for their collaboration and synchronized disclosure.

The bug was discovered by Nir Goldshlager and disclosed on his blog at BreakSec. He goes on to explain the specifics of the issue:


Yoast and Sucuri Partner to Create a Safer Web


We're very excited to finally talk about a partnership that's been in the works for a few months; in light of the serious state of security in the WordPress ecosystem, it only makes sense. It also comes at a time when we, as an organization, are reinvesting in the website security space through extensive research, which gives us a better grasp of what the real threat landscape looks like for website owners.

Benefits of the partnership can be seen and felt by both organizations. Over the past 3 weeks we, Sucuri, have been undergoing big changes in our branding and messaging and many have already started to comment. For Yoast, security audits have begun and updates have been proactively pushed to their users. It is our belief that through this partnership we will be able to make a bigger impact to the online threats website owners face on a daily basis. For those wondering, none of Yoast’s plugins or updates to them that we’ve audited contained any serious vulnerabilities.

This post covers the specifics of the partnership and how we will be working together.

Regular Security Audits Drive Customer Trust in Yoast Plugins



Security Issue on vBulletin uploader.swf

The vBulletin team recently disclosed an XSS (cross-site scripting) vulnerability in the uploader.swf file that is included by default in vBulletin 4 and 5. This file comes from the YUI library, which is no longer supported, so the vBulletin team is recommending that everyone remove the file from their installs as soon as possible.

This is their full note:



Zero Day Vulnerability in OpenX Source 2.8.11 and Revive Adserver 3.0.1

If you are using OpenX or the new Revive Adserver (fork of OpenX), you need to update it ASAP. Florian Sander discovered a serious SQL injection vulnerability that affects all versions of OpenX and all versions of the Revive Adserver. From the Revive advisory:

An SQL-injection vulnerability was recently discovered and reported to the Revive Adserver team by Florian Sander.

The vulnerability is known to be already exploited to gain unauthorized access to the application using brute force mechanisms, however other kinds of attacks might be possible and/or already in use. The risk is rated to be critical as the most common end goal of the attackers is to spread malware to the visitors of all the websites and ad networks that the ad server is being used on.

The vulnerability is also present and exploitable in OpenX Source 2.8.11 and earlier versions, potentially back to phpAdsNew 2.0.x.

The XML-RPC delivery invocation script was failing to escape its input parameters in the same way the other delivery methods do, allowing attackers to inject arbitrary SQL code via the “what” parameter of the delivery XML-RPC methods. Also, the escaping technique used to handle such parameter in the delivery scripts was based on the addslashes PHP function and has now been upgraded to use the dedicated escaping functions for the database in use.

We highly recommend anyone using OpenX to upgrade to the latest Revive version, or as a temporary fix, remove the file “www/delivery/axmlrpc.php” from your installation.

Clients using our CloudProxy Website Firewall are already protected against it. If you want to protect your OpenX / Revive install, you can sign up for CloudProxy here.
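The advisory's two points (an input parameter reaching the SQL grammar, and escaping that does not match the database in use) are illustrated by the following added example. It is not Revive's or OpenX's code: it models a delivery-style lookup keyed on a "what" parameter against a constructed SQLite table, contrasts an addslashes-style escaping step with a bound parameter, and shows that backslash escaping is simply the wrong syntax for SQLite string literals, so a legitimate value containing a quote is already enough to break the query (the symptom of the input being parsed as SQL rather than data).

```python
import sqlite3

# Constructed sample table standing in for an ad server's zone/banner lookup.
SAMPLE_BANNERS = [
    ("zone:1", "<div>banner one</div>"),
    ("zone:O'Reilly", "<div>banner two</div>"),
    ("zone:3", "<div>banner three</div>"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banners (id INTEGER PRIMARY KEY, zone TEXT, html TEXT)")
    db.executemany("INSERT INTO banners (zone, html) VALUES (?, ?)", SAMPLE_BANNERS)
    return db


def addslashes(s):
    """Python equivalent of PHP's addslashes(): backslash before quotes, backslash and NUL.
    This is generic string escaping, not the escaping rules of any particular database."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def lookup_naive(db, what):
    """'Before': escape with addslashes and splice the value into the SQL text.
    SQLite escapes a quote inside a literal by doubling it ('') and treats a
    backslash as an ordinary character, so the escaped value is parsed as SQL."""
    sql = f"SELECT html FROM banners WHERE zone = '{addslashes(what)}'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, what):
    """'After': bind the value as a parameter. The driver hands it to the engine
    separately from the statement, so it can never change the query's structure."""
    return [row[0] for row in db.execute(
        "SELECT html FROM banners WHERE zone = ?", (what,))]


def naive_breaks_on(db, what):
    """True if the naive lookup raises a syntax error for this input, i.e. the
    'escaped' value still reached the SQL grammar."""
    try:
        lookup_naive(db, what)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both lookups over plain, quoted and hostile-looking inputs."""
    db = make_db()
    return {
        "naive_plain": lookup_naive(db, "zone:1"),
        "naive_breaks_on_quote": naive_breaks_on(db, "zone:O'Reilly"),
        "param_quote": lookup_param(db, "zone:O'Reilly"),
        "param_tautology": lookup_param(db, "zone:1' OR '1'='1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The bound-parameter version returns the right row for the value with an apostrophe and returns nothing for a tautology-shaped string, because that string is compared as a zone name and no such zone exists. Swapping addslashes for the database's own escaping function, as the advisory describes, fixes the syntax mismatch; parameter binding removes the question entirely.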

Server Update Time: OpenSSH Vulnerability Disclosed

The OpenSSH team just released a security advisory about a vulnerability affecting both OpenSSH 6.2 and 6.3.

If you are not familiar with OpenSSH, it's the software used by the large majority of servers and hosting providers to provide SFTP and SSH services. Any vulnerability discovered in OpenSSH could have a major impact on website owners, and on the Internet in general.

The good news is that this vulnerability only affects newer versions of OpenSSH, which are not widely deployed yet. If you are using Ubuntu 13.10 or Fedora 19, you are likely vulnerable. All other Linux distributions appear to be safe. To double-check, log into your server via SSH and type the following command:

# sshd -h
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

If you see OpenSSH_6.2 or OpenSSH_6.3, you know you are using the affected versions.
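For more than a handful of servers, the version line from sshd -h is easier to check by script than by eye. The following is an added example (not the OpenSSH project's tooling or a Sucuri tool) that parses that line, flags the two versions the advisory names, and can run the command locally; the host names and the 6.2/6.3 version lines in the sample are constructed, while the 5.3p1 line is the one shown above.

```python
import re
import subprocess

# Major.minor versions named as affected in the advisory.
AFFECTED = {(6, 2), (6, 3)}
VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(line):
    """Return (major, minor) from a line like 'OpenSSH_6.2p2 ..., OpenSSL ...', else None."""
    m = VERSION_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_affected(line):
    version = parse_openssh_version(line)
    return version in AFFECTED if version is not None else False


def local_sshd_version_line():
    """Run the check from the post: sshd -h prints its version first (to stderr,
    ahead of the usage text). Returns None when sshd is not installed."""
    try:
        proc = subprocess.run(["sshd", "-h"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    lines = (proc.stderr + proc.stdout).splitlines()
    return lines[0] if lines else None


def affected_hosts(version_lines):
    """Given {hostname: version line} collected from a fleet, return the
    hostnames running an affected release, sorted."""
    return sorted(host for host, line in version_lines.items() if is_affected(line))


# Constructed inventory: the first line matches the post, the others are made up.
SAMPLE_FLEET = {
    "web-01": "OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010",
    "web-02": "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013",
    "web-03": "OpenSSH_6.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-04": "OpenSSH_6.4p1, OpenSSL 1.0.1e 11 Feb 2013",
}

if __name__ == "__main__":
    print("affected:", affected_hosts(SAMPLE_FLEET))
    local = local_sshd_version_line()
    if local:
        print("this host:", local, "(affected)" if is_affected(local) else "(not affected)")
```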


New WordPress and Joomla Updates Available

If you are a WordPress or Joomla user, you better start updating your sites now.

Joomla 2.5.14

Joomla 2.5.14 was released containing some critical security fixes. They didn't provide many details, but from the summary it seems serious enough to allow users to bypass upload restrictions:

Project: Joomla!
Severity: Critical
Versions: 2.5.13 and earlier 2.5.x versions. 3.1.4 and earlier 3.x versions.
Exploit type: Unauthorised Uploads
Reported Date: 2013-June-25
Fixed Date: 2013-July-31
Description: Inadequate filtering leads to the ability to bypass file type upload restrictions.

More information on Joomla 2.5.14 update here: http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

WordPress 3.6

WordPress 3.6 (a major release) was also announced, with multiple new features and bug fixes. It doesn't contain any specific security fix, but keeping your site updated is a must, so we recommend that all users update.

More information on WordPress 3.6 is available here: http://codex.wordpress.org/Version_3.6


We recommend upgrading as soon as possible to reduce the risk of issues. Make sure you test your upgrades in a development environment before you go live.

If you have any questions, feel free to drop an email.