My Security Planet » BlogSecurity » December 10, 2007

Feeds

13607 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

• Opensourcetesting.org News

BlogSecurity

• 

  WordPress 2.3.1 SQL Injection Vulnerability

  Posted: December 10th, 2007, 9:31am CST by DK

  Tags:  Advisories   [edit]

  Update: 10/12/07 This vulnerability has been downgraded to an information disclosure vulnerability ONLY as no proof of concept exploit has been possible. This is contrary to the original advisory. More info here.

  A new SQL Injection vulnerability may have been discovered in WordPress 2.3.1. This is a critical security risk that may allow an attacker to remotely compromise your blog.

  Test your blog (proof of concept):
  POC = http://localhost/path_to_wordpress/?feed=rss2&p=1

  Currently, the BlogSec team are unaware of a patch. Please keep an eye on this post for updates.

  The original advisory can be found here.

  Beenu Arora has been credited for finding the vulnerability.

  Thanks to Mustlive for bringing it to our attention.

  
• 

  Failing to prepare

  Posted: December 10th, 2007, 3:45am CST by DK

  Tags:  Reflections   [edit]

  It seems that security tips for our software often extend to keep up to date with your software. This strategy alone, means two things:

  • You can trust everyone everywhere to responsibly disclose vulnerabilities to your vendor;
  • When a new release is made public, the race is on… will you upgrade before the attacker diff’s the packages and codes an exploit.

  What you really want is defense in depth

  Benjamic Franklin’s famous quote seems relavent: By failing to prepare, you are preparing to fail.

  For most of us, I think we can manage a few downtime days. BlogSec suffered from a DNS problem recently, which really threw a spanner in the works. We were able to recover, but I can’t help but think that we would have done well to heed Shakesphere’s words:

  If you have tears, prepare to shed them now.

  Creating a defense in depth strategy involves putting up a number of cyber-barriers or -checkpoints and making certain assumptions. A wise strategy will expect certain if not all areas to be breached.

  In time of peace prepare for war.

  

TOP RSS Gregarius 0.5.4 Tentatively valid XHTML1.0, CSS2.0 Last update: Mon May 21 12:13:42 2012