13607 items (0 unread) in 75 feeds
Watchfire Application Security Insider
sirdarckcat
Google Online Security Blog
Switch/Twitch
mybeNi websecurity
cat slave diary
Alex's Corner
Billy (BK) Rios
Chris Shiflett
christian's weblog
GNUCITIZEN
The Spanner
hackademix.net
Ruby on Rails Security Project
It's a shampoo world anyway
ha.ckers.org web application security lab
Yet Another Infosec Blog
PHP Security Blog
Sunnet Beskerming Security Advisories
Disenchant's Blog
Sylvan von Stuppe
Larholm.com
Jeremiah Grossman
Anurag Agarwal - Application Security Evangelist
Ivan Ristic
omg.wtf.bbq.
Tactical Web Application Security
.:Computer Defense:.
tssci security
Plynt Penetration Testing Blog
Security Retentive
Schneier on Security
Rational Survivability
terminal23
1 Raindrop
hiredhacker.com
Matasano Chargen
Michael on Security - Musings on Information Security
Fortify blog
GDS Security Blog
Vodun.org
Mark Curphey - SecurityBuddha.com
Liminal states
Security Ripcord
IBM Internet Security Systems Frequency X Blog
extern blog SensePost;
Zero in a bit
A new version of WordPress (2.3.2) is now available for download.
The update fixes some critical security vulnerabilities.
Interestingly, WordPress have decided to turn off WordPress errors by default now. So, our bs-wp-noerrors plugin is deprecated but still useful for those of us who haven’t trusted WP 2.3 enough to upgrade.
This version also presents some additional clean up and fix ups for WP xmlrpc methods. This is definately good news.
More info on changes is available from Westi.
The BlogSec WordPress Sandbox plugin works on a whitelist principle. We accept all pages and posts (including wp-admin, feeds and xmlrpc) but deny requests for any other resources or WordPress functions.
I came up with the idea for this plugin when developing my homepage WithDK.com (where it is currently being tested). I wanted WordPress to act like a CMS (Content Management System), but I didn’t want all the whistles and bells. This plugin allowed me to achieve this, although it is still being tested.
We may want to extend this project to include a fully featured menu system with checkboxes for enabled/disabled WordPress features, but for now its a pet project.
I like the concept of this plugin. A whitelist approach means we allow only what we want which in turn means less areas for attackers to target.
Download bs-wp-sandbox.php.txt - Ver 1.2.1 NOW AVAILABLE.
Once downloaded, open the file with your favourite text editor and change BLOGNAME to suit your needs. Below BLOGNAME, you’ll also find the permitted list, you can delete or add entries as needed.
Enjoy!
BlogSecurity Wordpress Noversion plugin (bs-wp-noversion), prevents WordPress version leakage. Another simple, yet extremely useful WordPress security plugin.
Alot of attackers and automated tools will try and determine software versions before launching exploit code. Removing your WordPress blog version may discourage some attackers and certainly will mitigate virus and worm programs that rely on software versions.
Plugin Name: bs-wp-noversion Plugin URI: http://blogsecurity.net/ Description: Removes the WordPress Version to prevent targetted attacks and version fingerprinting. Author: David Kierznowski Version: 1.0 Author URI: http://blogsecurity.net
The plugin is available here.
Please note: This plugin may affect other plugins that rely on WP versioning.
An exploit has been made publicly available affecting Wordpress PictPress
This is a remote file include vulnerability. This means an attacker requires no authentication or action from the blog administrator in order to compromise or gain full access to the blog.
This is a CRITICAL risk issue. It is recommended that you disable this plugin if in use, until a fix has been provided by the plugin developer.
Credits to Gold_M for discovering this vulnerability.
The popular WP-ContactForm plugin has been found vulnerable to HTML Injection.
This could allow an attacker to compromise your blog if you are authenticated to your blog while at the same time visiting a page with the embedded attack. Another popular attack is using phishing type e-mails.
BlogSec is not aware of any fixes as yet. We will update this post when more information is available to us.
Credit to Mustlive for discovering and publishing the vulnerability.
Check BlogSec’s double agent post
for HTML Injection mitigation ideas.
This plugin is now deprecated as of WordPress 2.3.2. WordPress 2.3.2 has error messages disable by default. This plugin may still be useful for those running older versions.
WordPress by default has error messaging turned on:
function show_errors() {
$this->show_errors = true;
}
It is important to note, that database errors will still be displayed to users even when PHP errors have been turned off. This plugin disables WP DB error messages.
The recent WordPress information disclosure vulnerability demonstrates the potential dangers of having these error messages displayed to the user. It leaks the database prefix and may aid an attacker in further exploitation. In short, for live blogs, you really want this turned off. In fact, I’d suggest WordPress have this disabled by default.
So what we need is a WP action that allows us to turn error messaging off. We can then put this into a plugin.
parse_query - Runs at the end of query parsing.
This is what we want. Once a query has been executed we turn error messaging off for that query. I wrote a quick proof of concept plugin to test this.
The plugin wpdberrors is available here. There may be a better way to do this, suggestions and feedback welcome.
The latest versions will be released as ‘bs-wp-noerrors’ to remain consistent with other BlogSec projects.
Abel Cheung has discovered yet another vulnerability in WordPress.
It is found that the search function provided within WordPress fails to
sanitize input based on different character sets. So if WordPress tries
to query MySQL database using certain specific character sets, WordPress
search function is exploitable using charset-based SQL injection.
Currently known character sets exploitable include Big5 and GBK (see your wp-config.php, as this will mainly affect Chinese blogs). All of them may use backslash (’') as part of multibyte character. WordPress with MySQL database created any other character sets fulfilling such property may also be exploitable.
Workaround: This vulnerability only exists for database queries performed
using certain character sets. For databases created in most other
character sets no remedy is needed.
The full advisory is available here.
Thanks to Abel for keeping us in the loop, and great find.
Update: 10/12/07 This vulnerability has been downgraded to an information disclosure vulnerability ONLY as no proof of concept exploit has been possible. This is contrary to the original advisory. More info here.
A new SQL Injection vulnerability may have been discovered in WordPress 2.3.1. This is a critical security risk that may allow an attacker to remotely compromise your blog.
Test your blog (proof of concept):
POC = http://localhost/path_to_wordpress/?feed=rss2&p=1
Currently, the BlogSec team are unaware of a patch. Please keep an eye on this post for updates.
The original advisory can be found here.
Beenu Arora has been credited for finding the vulnerability.
Thanks to Mustlive for bringing it to our attention.
It seems that security tips for our software often extend to keep up to date with your software. This strategy alone, means two things:
What you really want is defense in depth
Benjamic Franklin’s famous quote seems relavent: By failing to prepare, you are preparing to fail.
For most of us, I think we can manage a few downtime days. BlogSec suffered from a DNS problem recently, which really threw a spanner in the works. We were able to recover, but I can’t help but think that we would have done well to heed Shakesphere’s words:
If you have tears, prepare to shed them now.
Creating a defense in depth strategy involves putting up a number of cyber-barriers or -checkpoints and making certain assumptions. A wise strategy will expect certain if not all areas to be breached.
In time of peace prepare for war.
Some of you may noticed BlogSec has been down the last couple days, this was due to DNS problems from the recent move which has still not been resolved, however, we have setup some other DNS servers as a temporary measure until we can get the problem resolved with our ISP.
