Magento Security Update ( – Zend_XmlRpc Vulnerability

A few days ago, Magento was released to fix a very serious security vulnerability that allows attackers to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.

The Magento team provides the following info in their post:

Read More

Joomla 2.5.5 released (security update)

Joomla 2.5.5 was just released today, with a few bugs fixed and 2 important security updates for a privilege escalation and an information disclosure issue:

1- Privilege escalation

High severity security issue, that allows unprivileged users to get admin access to a site running Joomla.

2- Information Disclosure

This is a low severity security issue that leaks internal information about the database, internal paths and PHP info.

More information about this release here: Joomla 2.5.5 released

Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

Sitecheck was also updated to alert users not running version 2.5.5 on their Joomla sites.

Security Vulnerability in MySQL

A serious security vulnerability discovered in MySQL was disclosed this weekend. It basically allows anyone to bypass authentication and log in directly into the database. We tried on a few 64bit Ubuntu systems and were able to replicate the issue (it seems that only 64 bit platforms are affected).

Crazy theory: Could this be related to the LinkedIn,, eHarmony and other recent breaches? Did any of them have MySQL exposed? Even worse, was this really a bug or a very clever backdoor? What you guys think?

Anyway, back to topic. Sergei Golubchik explained the issue in detail:

Read More

PRWeb Stores Passwords In Clear Text

It is 2012 and with the growing web threats you would expect to see increased measures to protect user credentials. We hope that in the wake of events with LinkedIn and eHarmony others realize the importance of an increased security posture.

Consider the recent LinkedIn, e-Harmony or similar breaches in the past to see how important this topic has become.

Back to the topic at hand…

Read More

WHMCS Website Hacked and Database Leaked

The WHMCS website and twitter accounts got compromised yesterday, and their full database (and files) were posted online.

WHMCS Twitter Hacked

Yes, it means that if you have an account there, or if you use any of the WHMCS products, you have to change all your passwords asap, and wait from a confirmation from them before downloading anything from their web site again (since it might still be compromised or with backdoors).

They posted the following on their blog:

Read More

Joomla updates (1.5.26 and 2.5.4)

If you are using Joomla, now is a good time to check if your sites are updated. Some (high severity) vulnerabilities were fixed in the latest release, especially if you are still on the 1.5.x branch.

For 1.5.26:

High Priority – Core – Password Change Vulnerability.
Low Priority – Core – Information Disclosure.

For 2.5.4:

Low Priority – Core – Information Disclosure.
Low Priority – Core – XSS Vulnerability.

Version 2.5.3 (released 2 weeks ago) also contains multiple security fixes, so if you haven’t updated your sites lately, you better check them asap.

More details on their release notes for 1.5.26 and for 2.5.4.

*Remember, the leading cause for web site compromises is outdated software! So as a web site owner, you have to do your part to minimize risk and keep your site (and your users) safe. Update now!

e107 Being Exploited – Vulnerable contact.php Scanned and Attacked

We are seeing an old vulnerability on e107 being widely scanned and exploited. e107 is a free open source content management system (CMS).

More details on the vulnerability are available here:

It was discovered that access control to the [php] bbcode which allows executing PHP code is wrongly implemented in e107. This allows unauthenticated users to execute arbitrary PHP code easily.

Affected versions
Affected is e107 < = 0.7.20 MOPS-2010-111 MOPS-2010-112

Read More

Malware Campaign from

No, they don’t quit, so get used to it! We are seeing quite a few websites being compromised with malware getting loaded from random domains in the TLD.

This is what gets added to the footer of the hacked sites:

<script  src= ""></script>

Once loaded, it does another level of redirection to (random domain, but using the parameters h1&s=pmg), which will then attempt to exploit via browser using multiple exploit kits.

Read More

Vulnerability in the Absolute Privacy Plugin

We are seeing reports that a vulnerability in the Absolute Privacy WordPress plugin (link) is being used to hack and compromise sites with it installed.

This plugin has a serious unpatched security vulnerability that allows anyone to login in the WordPress site without a password. From Secunia:

Schaffnern has discovered a vulnerability in the Absolute Privacy plugin for WordPress, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error within the “abpr_authenticateUser()” function in wp-content/plugins/absolute-privacy/functions.php, which prevents the password from being verified. This can be exploited to bypass the authentication mechanism and gain administrative access to the application.

The vulnerability is confirmed in version 2.0.5. Other versions may also be affected.

Note that this plugin has had more than 35 thousand downloads and no patches for this bug. We recommend deleting this plugin asap until a fix is in place.

Our team is still analysing this vulnerability and we will post more details soon. Additional information and original report was found here.

If you think your site has been compromised, you can verify it in here:

Malware Redirecting To

We are seeing a large number of sites compromised with a conditional redirection to the domain (

On all the sites we analyzed, the .htaccess file was modified so that if anyone visited the site from Google, Bing, Yahoo, or any major search engine (by checking the referer), it would get redirected to that malicious domain (

This is what gets added to the .htaccess file of the hacked sites:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* [R,L]

Google is already blacklisting it and so far it found that it was used to compromise 787 domains (but the number is probably bigger, since that domain just went live 3 days ago – Jan 29):

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 787 domain(s), including,,

What is very interesting is that this malware is hosted at the same IP address as other domains that were used in .htaccess attacks in the past, so we think it is all done by the same group:
.. few more domains ..

We will be monitoring how it is growing and we will post more details soon.

If your site is compromised, check your .htaccess to see if it was modified. If you are not sure, run a scan on your site here: