My Security Planet » BlogSecurity

BlogSecurity

WordPress Upload File Plugin SQL Injection

Posted: May 31st, 2008, 3:31pm CDT by Philipp

Tags: Advisories [edit]

A SQL Injection vulnerability has been reported in WordPress by the Balsec Team. The advisory is lacking alot of detail.

This post will be updated as new information is made available.
WordPress 2.3.3 Directory Traversal Vulnerability

Posted: May 31st, 2008, 3:26pm CDT by Philipp

Tags: Advisories [edit]

Sandor Attila Gerendi found a vulnerability within WordPress 2.3.3, which under certain circumstances allows an attacker to run arbitrary PHP code on WordPress 2.3.3.

Input passed via the “cat” parameter to index.php is not properly sanitised in the “get_category_template()” function in wp-includes/theme.php before being used to include files in template-loader.php. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks.

According to the advisory, successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.

The vulnerability is confirmed in version 2.3.3.

Solution:
Update to version 2.5.1.

If you wish to patch your 2.3.3 install, please see the WordPress Trac.
WordPress 2.5.1 Malicious File Execution

Posted: May 31st, 2008, 3:18pm CDT by Philipp

Tags: Advisories [edit]

CWH Underground have published an advisory regarding a malicious file execution vulnerability in WordPress 2.5.1.

We do not quite follow this advisory. The vulnerability discusses the idea of uploading a PHP backdoor onto a WordPress blog via the upload file facility, or via the plugin edit facility. I don’t think this is really a WordPress issue but rather the correct functionality of WordPress.

We have discussed before in our WordPress Whitepaper that the file upload facility should be restricted to trusted users only. We also recommend you reading our Role Management post.
Comprehensive Vulnerability Scanner

Posted: May 17th, 2008, 1:02pm CDT by DK

Tags: News [edit]

BlogSecurity have been discussing merging the wp-scanner project with GNUCITIZEN to provide a more comprehensive vulnerability scanning solution.

At the moment, the WordPress vulnerability scanning will be free, however, premium services will be available to scan your entire web server for known vulnerabilities. The premium service as it stands will allow you to scan mail services, web services and much more. This means we’ll be able to provide you with a more comprehensive vulnerability scanner then just your WordPress installation. We may have to charge a small fee for the premium service to cover bandwidth costs, but wp-scanner will remain free.

Nothing is set in stone at this time but we wanted to give you guys a chance to provide your ideas and feedback before finalising any plans. Aren’t we thoughtful? Speak now or forever hold your peace.
Vulnerability Hidden in Blog

Posted: May 12th, 2008, 3:34am CDT by DK

Tags: News [edit]

Aviv Raff, an Israeli security researcher has made an unpatched Internet Explorer 7 & 8 vulnerability public by hiding it on his blog.

Creating a vulnerability treasure hunt on your blog is one technique you wont find in any SEO book. We assume this is a publicity stunt, especially as an exploit of this caliber could potentially earn thousands if sold to ZDI or others.
Identity Theft 101

Posted: May 6th, 2008, 4:56pm CDT by DK

Tags: Reflections [edit]
I phoned my bank to activate my card the other day. The automated voice required a date of birth and the number of digits in my Mother’s maiden name. Lets assume an attacker can get this information, lets be realistic, what could really happen?

Lets explore some ideas of what an attacker could do with enough information about you:
- apply for a credit card in your name;
- open a bank or building society account in your name;
- apply for other financial services in your name;
- run up debts (e.g. use your credit/debit card details to make purchase) or obtain a loan in your name;
- apply for any benefits in your name (e.g. housing benefit, new tax credits, income support, job seeker’s allowance, child benefit);
- apply for a driving licence in your name;
- register a vehicle in your name;
- apply for a passport in your name; or
- apply for a mobile phone contract in your name.
The latest estimate is that identity fraud costs the UK economy £1.7 billion. Thats billion NOT million.

More information is available at Home Office Identity Theft web site.
Facebook Top 8 Security Tips

Posted: May 5th, 2008, 2:09am CDT by DK

Tags: Articles [edit]
This article discusses some simple, easy to follow steps to increase your personal security on Facebook.
1. Golden Rule - Assume that the personal information and photos you display are publicly available and now just available to specific friends.
2. Strong Passwords - It may seem obvious but make sure you use a strong password for your account. Also, I’d suggest not using that password you use for everything else, you know what I’m talking about.
3. Secure your birth date - Birth dates are often required to validate our identity. Under Profile, you can choose to not display your birthday or alternatively you can choose not to display your year of birth.
4. Privacy Profile Settings - We suggest setting the Profile Privacy > Basic to "only me" for items: Education Info, Work Info and Profile Privacy > Contact Information to "no one" for items: Mobile Phone, Land Phone, Current Address, Email. You may want to display your website address for advertising.
5. Privacy Application Settings - Each Facebook application has similar settings to those of the Privacy settings. New applications are being added everyday. Its difficult to define a set policy. However, we suggest you remove any unwanted applications and/or limit there settings as required.
6. Privacy Search Settings - Depending on your use of Facebook, you may not want to be publicly visible or you may want to limit what information is available to all users (i.e. your picture, friend list etc). We recommend changing the search settings from "everyone" to "friends of friends". You may also want to untick "view your friends list".
7. Privacy News Feed and Mini-Feed Settings - Control what stories about you get published to your profile and to your friends’ News Feeds. You may not want to display information such as joined groups etc. Although, I don’t know how much privacy this offers as friends can view your groups anyway.
8. Joining Groups & Networks - be cautious when joining groups. All users of a group will be permitted to see your profile data. Although, there may be a setting somewhere that restricts this as I did find some accounts that I could not access.
Feedburner Awareness API

Posted: May 1st, 2008, 8:47am CDT by DK

Tags: Reflections [edit]
Having fun with FeedBurner Awareness API.

The FeedBurner Awareness API (AwAPI) allows publishers of FeedBurner feeds to reuse the detailed traffic statistics we capture for any of their feeds. Third-party applications and web services that consume feeds can leverage this data to provide useful feed awareness statistics to potential subscribers… - awarenessapi

In October 07, BlogSecurity released an article titled, "Feedburner: Show me the money". Knowing your way around Feedburner can be really useful when looking for blog partners or blogs to place ads. Awareness API makes this a peice of cake!

What I also find interesting, is that these statistics could be used by attackers during the target profiling stage to find and sort high traffic sites with accuracy. In addition to this, a more subtle attacker may only want to deface or propogate an attack further by infecting a specific page. How would the attacker easily determine the page with the most traffic?

Enough chit-chat, lets see Awareness API in action by viewing Problogger’s stats:

http://api.feedburner.com/awareness/1.0/GetFeedData?uri=
ProbloggerHelpingBloggersEarnMoney&dates=2008-01-01,2008-04-02
```
<feed id="40080" uri="ProbloggerHelpingBloggersEarnMoney">
<entry date="2008-01-01" circulation="36533" hits="61608"
downloads="1" reach="4918"/>
<entry date="2008-01-02" circulation="37465" hits="73923"
downloads="5" reach="6356"/>
<entry date="2008-01-03" circulation="37161" hits="73702"
downloads="1" reach="6525"/>
<entry date="2008-01-04" circulation="36983" hits="71214"
downloads="0" reach="5976"/>
<entry date="2008-01-05" circulation="36559" hits="60201"
downloads="0" reach="4338"/>
...
```
The boy is definately getting hits!

Specific posts can also be queried (although this didn’t work when I was playing the second time round):

http://api.feedburner.com/awareness/1.0/GetFeedData?uri=
ProbloggerHelpingBloggersEarnMoney&itemurl=
http://www.problogger.net/archives/2008/05/01/
what-you-say-is-what-you-are-the-problem-of-blogger-inferiority-complex/
```
<entry date="2008-04-30" circulation="47441" hits="87226"
downloads="0" reach="7632"/>
```
We found that Feedburner enables this service when the feedCount service is enabled. The Awareness API service does not need to be activated for your site to be displaying this information. We had mixed results when testing. If this is the case, I think this is a bad configuration on Feedburner’s part.

Check out the Awareness API documentation for more uses.