Product: Wordpress-MU (multi-user)
Version: Versions prior to 2.6 are affected
Credits: Juan Galiana
Juan Galiana published the advisory to Bugtraq this week; it includes a proof-of-concept exploit.
WordPress-MU is affected by a Cross-Site Scripting vulnerability: an attacker can perform an XSS attack that gives access to the targeted user's cookies and, with them, administrator privileges.
In /wp-admin/wpmu-blogs.php an attacker can inject JavaScript code because the GET input variables “s” and “ip_address” aren't properly sanitised.
The WordPress-MU developers were notified and version 2.6.1 addresses this issue. We recommend all users upgrade as soon as possible.
WordPress 2.6 is now available. We mentioned some of the security improvements in an earlier post. The latest version promises a number of security enhancements as follows:
This new version also fixes over 194 bugs and the user interface is apparently more user-friendly.
Sounding good so far? The biggest improvement from our point of view is the version control around content management: it's now possible to track co-author changes.
The full package can be obtained as usual from the official download page.
But as with every new major release, we recommend you wait for the first minor update as new features may present new security holes, as experience has shown.
We are still waiting for WordPress to perform a full code review and application security test. We really think this will be beneficial to both the user and WordPress.
WordPress 2.6 plans to include a number of security improvements. Several XML-RPC features will be deactivated by default. I doubt they will remove functions such as pingbacks and trackbacks; however, it is something to keep an eye on.
So will this really help secure WordPress in the future?
WordPress have been becoming more security focused. They suppressed database errors in version 2.3.2 and added salted passwords and cookie security in 2.5. Although some of the initial releases caused more harm than good, we think WordPress are generally trying to do the right thing.
Minimising XML-RPC functions is certainly a good way to reduce the attack surface. In fact, BlogSec have been thinking about coding a plugin to do this. However, WordPress really need to put together a dedicated security team that will provide quality security standards and procedures around development, infrastructure and design. Commenting on this, David Kierznowski had this to say:
I don’t believe they have achieved a golden security standard as yet, when considering the security implications in the initial WordPress 2.5 release, but they are certainly on the right track.
The NextGEN Gallery plugin, versions <= 0.96, has been found vulnerable to a persistent Cross-Site Scripting bug.
According to the advisory, the attacker does require authentication and access to the following URL:
http://[host]/[directory]/wp-admin/admin.php?page=nggallery-manage-gallery
As far as we know, no fix is currently available.
A SQL Injection vulnerability has been reported in WordPress by the Balsec Team. The advisory is lacking a lot of detail.
This post will be updated as new information is made available.
Sandor Attila Gerendi found a vulnerability in WordPress 2.3.3 which, under certain circumstances, allows an attacker to run arbitrary PHP code on the affected installation.
Input passed via the “cat” parameter to index.php is not properly sanitised in the “get_category_template()” function in wp-includes/theme.php before being used to include files in template-loader.php. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks.
According to the advisory, successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.
The vulnerability is confirmed in version 2.3.3.
Solution:
Update to version 2.5.1.
If you wish to patch your 2.3.3 install, please see the WordPress Trac.
CWH Underground have published an advisory regarding a malicious file execution vulnerability in WordPress 2.5.1.
We do not quite follow this advisory. The vulnerability discusses the idea of uploading a PHP backdoor onto a WordPress blog via the upload file facility, or via the plugin edit facility. I don’t think this is really a WordPress issue but rather the correct functionality of WordPress.
We have discussed before in our WordPress Whitepaper that the file upload facility should be restricted to trusted users only. We also recommend reading our Role Management post.
The first security and bugfix release of the latest WordPress branch is now available. WordPress do not mention the vulnerabilities fixed on the download page, but BlogSec recommends that 2.5 users upgrade ASAP.
Among the bugs fixed are two fairly critical security issues: a Cross-Site Scripting vulnerability and the WP 2.5 Cookie Integrity Protection Vulnerability, discovered by Steven J. Murdoch.
The latest WordPress 2.5.1 can be downloaded from WordPress.
WordPress discuss the vulnerabilities here and as part of their development feed.
A vulnerability has been found in the Spreadsheet (wpSS) WordPress plugin.
The SQL Injection vulnerability may allow an attacker to compromise your backend database and potentially your blog and web server.
A public exploit has been released on milw0rm by 1ten0.0net1.
The 'ss_id' parameter inside ss_load.php is not correctly escaped before being passed to the database.
It was reported that all versions before 0.6 are vulnerable. The plugin homepage is currently not available; therefore, we can't verify that version 0.61 (released August '07) is indeed safe to use.
It is recommended that you disable this plugin until a fix has been verified.
WP-Download 1.2 is vulnerable to SQL Injection. The dl_id parameter in "wp-download.php" is not correctly sanitised.
An attacker could use this vulnerability to retrieve usernames and passwords and potentially compromise your blog!
This bug has been reported in version 1.2, but it is likely that older versions are affected.
Please upgrade to version 1.2.1 which addresses this issue.
This vulnerability was discovered by BL4CK. A public exploit has been released into the wild and is available on Milw0rm.
WordPress.com (2.3.2) is vulnerable to two Cross-Site Scripting vulnerabilities. It is important to note that these only affect WordPress.com blogs.
Proof-of-concept exploits have been released and there is a danger that an XSS worm could use this type of vulnerability to compromise thousands of WordPress.com blogs. (See the developer versus hosted blogs debate.)
Doz from hackerscenter.com released the advisory. The full disclosure advisory is available and a Video demonstration was also released.
Note (again): these vulnerabilities only affect the WordPress.com hosting platform, as the download package of WordPress doesn't include the invite.php or users.php files.
Thanks to the effort of Samuel Aguilera we now have Spanish translations of our WP Whitepaper and the ModSecurity WhitePaper.
The translation is es_ES, but should be understandable for other variants of Spanish.
Samuel is also known for his translations for FileZilla and XP-AntiSpy.
If you think the Whitepaper should also be available in your native language and you would like to translate it, feel free to contact us. For example, we would like to see the Whitepaper translated into Chinese.
Whitepaper in Spanish Download
ModSecurity in Spanish Download
For other languages see the main Pages of these Papers:
WP Whitepaper
ModSecurity&Wordpress
Please note we are working on a new version of the WordPress Whitepaper, so you can look forward to this.
Once again a number of critical issues have been discovered in a variety of WordPress plugins. If you are using one of these plugins, we suggest disabling it until a fix has been produced by the plugin developer. Info as follows:
WP People <=1.6 is vulnerable to SQL Injection. The person parameter is not correctly sanitised. This means the WordPress blog database and blog may be compromised. Credit goes once more to S@BUN.
Original Entry on BugTraq
Simple Forum <2.1 (Build 237) The Forum and Topic parameters are not correctly sanitised. This means the WordPress blog database and blog may be compromised. S@BUN is credited for these Disclosures: SF 1, SF 2.
WP Photo Album - WPPA <1.1 The photo and album parameters are not correctly sanitised. This means the WordPress blog database and blog may be compromised.
The vulnerability was found by S@BUN and is fixed in Version 1.1 of WPPA.
Search Unleashed <=0.2.0 is vulnerable to Arbitrary HTML Injection. Advisory here. Krzysztof Burghardt is credited for this discovery. This vulnerability is confirmed in version 0.2.0 and will be fixed in the upcoming release 0.2.1. This vulnerability is being exploited in the wild; we recommend disabling the plugin until a fix can be provided.
Sniplets 1.1.2 (and possibly other versions) has been found vulnerable to a number of HIGH risk issues, including HTML Injection, File Upload and PHP code execution. We strongly recommend disabling this plugin until a fix is provided.
nbbn@gmx.net is credited for discovering these issues.
We are pleased to announce the availability of WPIDS 0.1.2. WPIDS is an Intrusion Protection System based upon the Intrusion Detection System PHPIDS.
The plugin is able to detect attack strings and block them. This adds that needed layer of protection!
The latest version ships with PHPIDS version 0.4.7. The latest PHPIDS release fixes a number of false positives and is now able to detect even more attacks. The following bug fixes have occurred within the WPIDS code (to mention a few):
Known bugs: Search engine traffic with HTTP_REFERER set generates logs. The login Page displays some errors about missing Cookie-Values. Both of them are harmless and will not cause any problems. They are not critical fixes and will be fixed in the next release (version 2).
This version will be a complete rewrite of the current Codebase, with the aim to make it more modular as well as to provide additional options. Some of the WP Lockdown’s plugin functionality will be modified as we have stumbled across problems running them concurrently.
The original release is available at phpids.org, a full package is ready for download, or you can get the latest copy from Subversion.
If you encounter any problems or have any feature requests, please post them in my forum.
Within the last few days a number of remote SQL Injection vulnerabilities in a variety of plugins have been released. This renewed search for this type of vulnerability follows David Kierznowski's recent finding in the popular WP TextLinkAds plugin.
dmsguestbook 1.7.0 is vulnerable to multiple vulnerabilities. First, it's possible to deface your wp-config.php, through which an attacker can gain access to your MySQL data. This is caused by improper control and sanitisation of the folder and file parameters. At the same time there are multiple XSS vulnerabilities, which are also HIGH risk issues.
There are several SQL Injection vulnerabilities within this plugin. More information is available at bugtraq.
We highly recommend disabling and removing the plugin from your blog until a major version release addresses all these holes. It is likely that previous versions are affected as well.
Version 1.8 is available, but BlogSecurity have received reports that it does not solve all the problems.
st_newsletter 2.x is vulnerable to SQL Injection. This is caused by improper sanitisation of the newsletter parameter within the shiftthis-preview.php file. This makes it possible to retrieve a list of all registered users and their password hashes. This hole was discovered by S@BUN and we're not aware of any current fixes.
Another SQL Injection was made public by S@BUN, this time in Wordspew: the id parameter in wordspew-rss.php is not sanitised and is therefore open to attack. At the time of writing we were not aware of any fixes. Update: the latest version, 3.72, fixes the vulnerability and is available on the official WordSpew webpage.
The last hole for now is within wp-footnotes 2.2. The current version allows access to the plugin's admin panel via the URL, which results in XSS vulnerabilities. More can be found over on BugTraq. Again, no fix is currently available.
A new version of WordPress (2.3.3) is available for download.
This release fixes one vulnerability, which allows any authenticated user access to edit any post from any user on that Blog. This is possible by sending a malicious request via the XML-RPC interface.
Replacing the xmlrpc.php file will resolve this problem: xmlrpc.php (from WP 2.3.3).
In any case, 2.3.3 fixes some minor bugs as well, so a full upgrade may be beneficial.
Original entry on WP-Dev.
The H-T Team made some new exploits public which affect the following plugins by Fredrik Fahlstad: fGallery 2.4.1 and WP-Cal 0.3. Both are vulnerable to remote SQL Injection. It is likely that earlier versions are affected.
Within the WP-Cal plugin, the file editevent.php is vulnerable to this attack because of improper sanitisation of the id parameter. Within the fGallery plugin, the file fim_rss.php is vulnerable because the album parameter isn't properly sanitised either.
PoCs are available on Milw0rm here and there.
To fix these vulnerabilities you have to change the following lines. For WP-Cal:
$id = $_GET['id'];
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
To
$id = intval($_GET['id']); // cast to an integer before it reaches the query
$event = $wpdb->get_row("SELECT * FROM $table WHERE id = $id");
And for fGallery:
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $_GET[album]");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $_GET[album] AND status = 'include'");
To
$album = intval($_GET['album']); // cast first; intval() inside a double-quoted string is not evaluated by PHP
$cat = $wpdb->get_row("SELECT * FROM $cats WHERE id = $album");
$images = $wpdb->get_results("SELECT * FROM $imgs WHERE cat = $album AND status = 'include'");
More changes may be needed to fix the vulnerability completely.
Currently we’re not aware of any official fixes for these holes.
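To show why the intval() cast in the fixes above matters, here is an added PHP example; it is not code from either plugin. It assumes the pdo_sqlite extension and uses an in-memory SQLite table through PDO in place of $wpdb; the table, rows and input are constructed for the demonstration.

```php
<?php
// Added example (not plugin code): the WP-Cal/fGallery pattern of building a
// query from a raw GET parameter, beside two safe variants.  Uses an in-memory
// SQLite database through PDO so it runs stand-alone; $wpdb is not needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO events VALUES (1, 'public meeting'), (2, 'private meeting')");

// Vulnerable: the raw parameter is interpolated into the SQL text, exactly as
// in the original WP-Cal line, so any non-numeric input alters the query.
function load_event_vulnerable(PDO $db, string $id): array {
    return $db->query("SELECT * FROM events WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed as the advisory suggests: cast to int BEFORE interpolating.  PHP does
// not evaluate intval() inside a double-quoted string, so the cast must be a
// separate statement rather than written into the SQL literal.
function load_event_intval(PDO $db, string $id): array {
    $id = intval($id);   // a value such as "2 OR 1=1" becomes the integer 2
    return $db->query("SELECT * FROM events WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred: a bound parameter, so the value never becomes part of the SQL text.
// The WordPress equivalent is $wpdb->prepare("... WHERE id = %d", $id).
function load_event_prepared(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT * FROM events WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed malformed input: a number followed by extra SQL, the class of
// value the advisory describes for the "id" and "album" parameters.
$input = "2 OR 1=1";
printf("vulnerable: %d row(s)\n", count(load_event_vulnerable($db, $input)));
printf("intval:     %d row(s)\n", count(load_event_intval($db, $input)));
printf("prepared:   %d row(s)\n", count(load_event_prepared($db, $input)));
```

The vulnerable variant returns every row for the malformed input, while both safe variants return only the row with id 2.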
A critical vulnerability has been made public for Fredrik Fahlstad's WP-Forum plugin. Details are available on Secunia and milw0rm.
This hole may allow an unauthenticated attacker full access to your blog and potentially your web server/host.
PoC:
Input passed to the “user” parameter in the WordPress installation's index.php script (when “forumaction” is set to “showprofile” and “page_id” to a page with the “” tag) is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
See milw0rm.
Fix:
The BlogSec team are unaware of any fixes at this time.
The H-T Team have reported a vulnerability in WP-Filemanager.
***No proof of concept available***
The vulnerability is reported to affect version 1.2. It may also affect earlier versions (in fact, this is likely). It is possible for an attacker to upload arbitrary PHP code, which can afterwards be executed with web server rights.
Currently there's no vendor fix available. BlogSecurity recommend that users disable and remove the plugin until a fix is available.
For the original Bug Disclosure visit SecurityFocus.
WPIDS is the WordPress port of PHPIDS, an Intrusion Detection System for PHP. With PHPIDS it's possible to check all delivered user-generated content for malicious code, such as SQL Injection, XSS, CSRF and so on. In short, it's a defence plugin for WordPress that BlogSec members have been working on for a few months now. I would say it is more of an Intrusion Prevention System than an Intrusion Detection System.
The primary features of WPIDS are as follows:
1. If an attack is detected, a number of checks are performed and a risk level is assigned to the attack. The higher the impact, the more likely it is that the request will be blocked.
2. The other component is called WP-Lockdown, this component adds more static checks to your WordPress install and checks for known and widely used intrusion attacks. To provide a high level of usability the plugin does not check the content or comments, but we are already working on a new version which includes HTMLPurifier which will add some extra security to these fields.
For feature requests and questions about WPIDS please drop by the official forum. For general problems with PHPIDS please use their official forum or bug tracker. If you stress test your website for fun (or just by luck) and find some harmful string which isn't caught by PHPIDS, please report it so that we can improve the project and move it forward.
Now one last important note before you grab your copy of WPIDS: in order to run it you need a web server running PHP 5.1.6 or later. If your web server doesn't run PHP 5, ask your web host whether they are going to update it (PHP 4 reaches its end of life at the end of 2007). Without PHP 5.1.6 you won't be able to use the PHPIDS component, as PHPIDS requires it. WPIDS will still load without PHP 5; however, it will be limited to WP-Lockdown's checks only.
You can grab your copy from the official PHPIDS website.