20170616 Vulnerable Plugins Report and Other News

Just FYI, I’m also posting the weekly list over at WPCampus so that the information reaches more people, specifically in Higher Education.

This week’s list.

Vulnerable Plugins

There are nine unfixed vulnerabilities across five plugins this week. The vast majority of this week’s unfixed vulnerabilities come from a single author. Unfortunately, he reused the same chunk of vulnerable code across all of his plugins. Specifically, when processing POST data, he did not include a nonce or other check to ensure that the user intended to initiate the save action, leaving his code open to a Cross-Site Request Forgery vulnerability. In addition, there is no validation, filtering or sanitization performed on the data before he saves the information to the database. He then later echoes that data back out to the browser without any escaping, leaving the code, and more importantly the user, open to Cross-Site Scripting vulnerabilities. An attacker could therefore combine these two vulnerabilities to steal an Admin’s session IDs on a target WordPress site.
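To make the three missing controls concrete, here is an added example (an illustration written for this post, not code from any plugin in the report) showing a settings handler with the defects described above beside a hardened version. The option name `example_tagline`, the form field, the nonce action and the capability check are made-up choices for the example.

```php
<?php
// Added example, not code from any plugin in the report. Option name, field
// name and nonce action are assumptions chosen for illustration.

// VULNERABLE: the shape of code described above. No nonce, so any site the
// admin visits can submit this form on their behalf (CSRF); the value is
// stored raw and echoed raw, so the CSRF payload becomes stored XSS.
function example_vulnerable_settings_page() {
    if ( isset( $_POST['example_tagline'] ) ) {
        update_option( 'example_tagline', $_POST['example_tagline'] ); // no validation
    }
    $tagline = get_option( 'example_tagline', '' );
    echo '<input type="text" name="example_tagline" value="' . $tagline . '">'; // no escaping
}

// HARDENED: the same feature with the controls the post says were missing.
function example_hardened_settings_page() {
    if ( isset( $_POST['example_tagline'] ) ) {
        // 1. Only users allowed to manage options may save.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        // 2. Nonce check: proves the request came from the form WordPress
        //    rendered for this user, not from a page an attacker controls.
        check_admin_referer( 'example_save_tagline', 'example_nonce' );
        // 3. Sanitize before storing: strips tags, line breaks and control characters.
        $clean = sanitize_text_field( wp_unslash( $_POST['example_tagline'] ) );
        update_option( 'example_tagline', $clean );
    }

    $tagline = get_option( 'example_tagline', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_save_tagline', 'example_nonce' );
    // 4. Escape on output, for the context the value lands in (an attribute).
    echo '<input type="text" name="example_tagline" value="' . esc_attr( $tagline ) . '">';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

The nonce stops the cross-site save, the capability check stops a lower-privileged user from reaching the handler at all, and the sanitize-on-input/escape-on-output pair means that even a value that does get stored cannot execute when it is echoed back.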

Other News

Speaking of WPCampus, they just announced this week that WPCampus 2017 will be livestreamed for FREE!!  The lineup looks fantastic this year, with a ton of incredible information.  Even if you don’t work with WordPress, there are numerous sessions that are platform-agnostic.  Go ahead and block off your calendar for Friday, July 14th and make time to tune back in on Saturday, July 15th.  You definitely don’t want to miss this.

HighEdWeb also announced their schedule for the upcoming annual conference in Hartford, CT.  I’ll be doing a pre-conference workshop this year, but will otherwise not be speaking.  Instead I’m serving as co-chair for the Development, Programming and Architecture (DPA) track. And let me just warn you, the DPA track has some amazing talks lined up this year.  You should probably just go ahead and plan on staying in the track for both days.  😀

Even if you aren’t interested in DPA, HighEdWeb is always an amazing conference. I understand budgets are tight, but it is well worth your money, even if you have to pay for the trip yourself. I highly encourage you to go ahead and register today.

20170609 Vulnerable Plugins/Themes Report, WordPress 4.8

Last week’s report.

Sorry for not getting this out on Friday. Last week was… crazy.  And Friday ended up being way busier than I anticipated.

Plugins/Themes

There are four plugins this week (Count per Day, WP Testimonials, Skype Legacy Buttons, WP Posts Carousel) with known issues but no fixes currently available. WP Testimonials hasn’t been updated for four or five years, so it’s probably safe to say it isn’t going to be updated. If you’re using it, you should consider finding a replacement. The other item I want to draw attention to is the Eduma Education Theme. Since it isn’t in the WordPress plugin repository, I’m unsure if you receive an admin notification about the update. If you’re using Eduma, please make sure you update.

WordPress News

The big news last week was the release of WordPress 4.8 “Evans”. There were no security fixes in this release (at least not according to the changelog), but it does include 225 bug fixes and numerous user interface improvements. The biggest is the introduction of Image, Video, Audio and Rich Text widgets. These new widgets will allow your end users to add media and formatted text to widget areas, where before they would have had to know HTML. They also added a REST API endpoint for the new media widgets, which opens up the possibilities for even more media-focused widgets. If you haven’t already, definitely upgrade.


20170602 Vulnerable Plugins Report and Other News

This week’s report.

Vulnerable Plugins

A couple of quick notes on some of the items in this week’s report. With the plugin eventr, versions 1.02.0 through 1.02.2 are definitely vulnerable to the SQL Injection flaws @_larry0 discovered. What’s particularly interesting is that the author used prepared queries elsewhere in the codebase, even in the same file. So the author knew about prepared statements and how to use them, but for some reason didn’t use them in these areas. In addition, versions 1.01.2 and earlier, while not vulnerable to the vulnerabilities @_larry0 disclosed, suffer from other SQL Injection vulnerabilities. If you’re using this plugin, I would strongly encourage you to remove it and find a different one to replace it.
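As an added illustration (not code from eventr), here are the two query styles the paragraph contrasts: a query that interpolates its parameter into the SQL string, and the same query written with `$wpdb->prepare()`, which is the prepared-statement API WordPress plugins are expected to use. The table and column names are assumed for the example.

```php
<?php
// Added example, not eventr's code. The table example_events and its columns
// are assumptions for illustration.

// VULNERABLE: the caller's value is interpolated straight into the SQL, so a
// value such as "1 OR 1=1" changes the query instead of just the match.
function example_get_event_unsafe( $event_id ) {
    global $wpdb;
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_events WHERE id = $event_id" );
}

// SAFE: prepare() binds the value through a %d placeholder, so whatever was
// supplied is forced to an integer before it reaches the database.
function example_get_event_safe( $event_id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}example_events WHERE id = %d", $event_id )
    );
}

// The same rule for string matches: %s is quoted and escaped by prepare(),
// and LIKE wildcards inside the user's term are neutralised with esc_like()
// so "%" or "_" in the input cannot widen the match.
function example_search_events_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}example_events WHERE title LIKE %s", $like )
    );
}
```

The practical check when reviewing a plugin is simple: any `$wpdb->query()`, `get_row()`, `get_results()` or `get_var()` whose SQL string contains a PHP variable, and which is not wrapped in `$wpdb->prepare()`, deserves a second look.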

In regards to the Cross-Site Scripting and File Disclosure vulnerabilities in Tribulant Newsletters (free and pro) disclosed by DefenseCode, while DefenseCode claims they’ve been fixed by the vendor, a quick look through the free version (4.6.5.4) shows that they most definitely have NOT been fixed. This plugin is riddled with XSS vulnerabilities and the file disclosure is still there as well. I don’t know if the author originally fixed them when contacted and then somehow accidentally reverted to the old codebase between when s/he released 4.6.5 and the later versions, or if they never actually fixed the issues but told DefenseCode they had. Either way, the vulnerabilities still exist, so I’d suggest removing this one and looking for a suitable replacement.

UPDATE: While I was writing this post, the author released version 4.6.6 which addresses the Cross-Site Scripting issues.  However, the file disclosure vulnerability still exists, and I’m still seeing at least one other possible stored XSS vulnerability. My recommendation to remove stands.

Other News

WordPress version 4.8 is still on track to be released this coming Thursday, June 8th. To that end, the core team announced the availability of the second Release Candidate for 4.8.  You can grab it here if you’d like to test it out.  As I mentioned previously, 4.8 will include multiple new widget options, as well as a revamped TinyMCE editor.  Be ready to start updating next week.

20170526 Vulnerable Plugins Report


This week’s report.

Several critical vulnerabilities this week.  Of note is that all of the critical vulnerabilities are in plugins that have not been updated in more than two years.  While not having an update for two years isn’t a conclusive indicator that a plugin has been abandoned (the version of wpDirAuth from two years ago – 1.7.9 – works just fine in WordPress v4.7.5), it should give you pause.

Before selecting a plugin that hasn’t been updated recently, you should check the forums to see if the developer is still responding to users. This should also remind all of us that we need to go back every once in a while and reevaluate the plugins we have installed to make sure they haven’t been abandoned.

20170519 Vulnerable Plugin Report, HackerOne and You’ve Updated WordPress, yes?


This week’s report.

Vulnerable Plugins

Only one critical vulnerability this week.  I would suggest removing it until the author finishes his fixes (he’s almost finished). Otherwise, all of the rest of this week’s vulnerabilities have updates immediately available.

WordPress News

The big news this week was the release of 4.7.5 which addressed six security-related issues, and three maintenance items.  Considering this is a security-focused update, if you don’t have the auto-updates enabled, and you haven’t already upgraded, you need to do so as soon as possible.

Unfortunately, 4.7.5 didn’t address CVE-2017-8295 aka the unauthenticated password reset vulnerability. While I’ve stated previously that this particular vulnerability has a narrow attack surface, it’s still a vulnerability that is actively being targeted and remains in all versions of WordPress. I find it particularly odd that the core team still hasn’t addressed it considering it should be easy enough to correct: use get_site_url() instead of $_SERVER['SERVER_NAME'] in pluggable.php.

The WordPress security team also announced they now have an official bug bounty program on HackerOne. They’ve already awarded $3,700 in bounties. Not only does it cover the WordPress project, but it includes BuddyPress, bbPress, GlotPress, WP-CLI, and all of their associated sites, plus WordCamp.org. Might be a nice little way to contribute to WordPress and make some money on the side. 😀

Other News

If you work in Higher Education and are located in the south-western region of Missouri, don’t miss out on the HighEdWeb Regional conference this Monday, May 22 at 8am. This will be a hands-on workshop where we cover the top web application security risks, and then use them to attack a vulnerable web application. I promise you it’ll be fun! While it is free, space is limited, so if you think you might want to go, sign up ASAP to reserve your spot!

20170512 Vulnerable Plugins Report, WordPress 4.8

Vulnerable Plugins

This week’s vulnerability report.

This week’s report is fairly light, with no major critical issues. Given the report’s light reading, I would encourage you to read Wordfence’s post from this week on “22 Abandoned WordPress Plugins with Vulnerabilities” as it highlights a major area of concern when it comes to WordPress: communicating to users that a vulnerability exists in a plugin they are using. Please look over the list and make sure you aren’t using any of the ones listed, and if you are, start looking for alternatives.

WordPress

Last Saturday the WordPress version 4.8 release date was announced: June 8th. Beta 1 should be available later today with the Release Candidate targeted for May 25th.   4.8 is the first major version released in 2017, and is a stepping-stone toward releasing the new Gutenberg editor in WordPress.  In addition it should include a new WYSIWYG widget, and several media widgets.

wpDirAuth

If you use wpDirAuth, please note that I released a fairly substantial upgrade yesterday. The biggest changes were the addition of several hooks that can be used to modify/extend wpDirAuth to your institution’s specific requirements without having to modify the plugin directly. I also added a cookie expiration setting into the settings area so you can more easily change the one hour default to something else without having to add code to your theme’s functions.php file.

20170505 Vulnerable Plugins/Themes Report and other WordPress Security News


This week’s report.

The other big news this week was the two disclosures concerning WordPress core: Unauthorized Password Reset and Unauthenticated Remote Code Execution vulnerabilities. Ryan Dewhurst (of the WPScan team) did an excellent write-up on these two vulnerabilities, and I encourage you to read it. The TL;DR: keep your WordPress instance up-to-date and if you aren’t on the latest branch (4.7.X) you need to get moved over.

For the Password Reset vulnerability it’s important to note that the scenarios under which this attack can be exploited are limited. In addition, if you are limiting access to the login area by IP address, which I strongly recommend, then this attack is mostly mitigated unless the attack is happening from inside your allowed network ranges. I’ll admit though, I’m a little disappointed in the Core team that they didn’t fix this when it was first reported to them, considering it shouldn’t be that hard to fix. Hopefully we’ll see them address it in v4.7.5.

Interestingly, both issues revolve around the same issue I corrected in the last update to my wpDirAuth plugin: using the $_SERVER variables SERVER_NAME and HTTP_HOST. As I have said previously, all data is tainted. If you didn’t write it into your code yourself, you can’t trust it.

20170428 Vulnerable Plugins Report and Other WordPress News You Might Have Missed


This week’s report.

Vulnerable Plugins

This week’s report is, fortunately, not too bad.  Just six disclosures.  There were two more that I saw information on, but was unable to confirm. My guess is that if they turn out to be legit, we’ll see them pop up in the next week.

WordPress News

Probably the biggest piece of news this week is the announcement by Matt that WordPress will be officially dropping support for Internet Explorer versions below 11.

“…we are officially ending support for Internet Explorer versions 8, 9, and 10, starting with WordPress 4.8.”

The other piece of news (well, less “news” and more awareness) is that as of WordPress 4.7.4 they included the latest release of TinyMCE. That version of TinyMCE includes a change to how it handles links that open in new windows.

“…all links with a target of _blank will get a rel attribute of noopener noreferrer.”

If you’re unfamiliar with noopener, it prevents a page being opened in a new window/tab from having access to the window.opener object, an issue called tabnabbing. Firefox doesn’t support noopener, so you have to include noreferrer. Read more about how the vulnerability manifests itself. If you noticed these showing up in your links, now you know it’s there to protect your users.
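Added example (not TinyMCE’s code, nor anything from WordPress core): a `the_content` filter that applies the same rel attributes on output, which covers links saved before 4.7.4 or inserted by other code that TinyMCE never touched. It assumes only the standard WordPress `the_content` filter and PHP’s built-in DOMDocument.

```php
<?php
// Added example: server-side equivalent of the TinyMCE change described above.
// Runs on every rendered post, so it also covers links saved before 4.7.4.
function example_add_noopener( $content ) {
    if ( stripos( $content, 'target=' ) === false ) {
        return $content; // no target attribute anywhere, nothing to do
    }

    $dom = new DOMDocument();
    libxml_use_internal_errors( true ); // tolerate the loose HTML fragments WordPress stores
    // The XML prolog tells libxml the fragment is UTF-8; NOIMPLIED/NODEFDTD stop it
    // from wrapping the fragment in <html><body> and adding a doctype.
    $dom->loadHTML( '<?xml encoding="utf-8" ?>' . $content, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD );
    libxml_clear_errors();

    foreach ( $dom->getElementsByTagName( 'a' ) as $a ) {
        if ( strtolower( $a->getAttribute( 'target' ) ) !== '_blank' ) {
            continue;
        }
        // Keep whatever rel tokens were already there and add the two we need.
        $rel = preg_split( '/\s+/', trim( $a->getAttribute( 'rel' ) ), -1, PREG_SPLIT_NO_EMPTY );
        foreach ( array( 'noopener', 'noreferrer' ) as $token ) {
            if ( ! in_array( $token, $rel, true ) ) {
                $rel[] = $token;
            }
        }
        $a->setAttribute( 'rel', implode( ' ', $rel ) );
    }

    // Drop the encoding prolog we prepended so it does not end up in the page.
    foreach ( $dom->childNodes as $node ) {
        if ( $node->nodeType === XML_PI_NODE ) {
            $dom->removeChild( $node );
            break;
        }
    }
    return $dom->saveHTML();
}
add_filter( 'the_content', 'example_add_noopener', 20 );
```

Parsing with DOMDocument rather than a regular expression is deliberate: a regex that looks for `target="_blank"` misses single-quoted, unquoted and mixed-case variants, and those are exactly the links an editor-side fix never saw.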

WordCamp Kansas City

WordCamp Kansas City (#wckc) kicks off today.  Unfortunately, I won’t be there today, but will be speaking tomorrow morning at nine, and then will be attending the rest of the day.  Definitely looking forward to seeing everyone!

20170421 Vulnerable Plugins Report, new plugin released, updates to wpDirAuth


This week’s report.

Vulnerable Plugins

This week’s report isn’t too bad, though there is one critical vulnerability in the plugin WooCommerce Catalog Enquiry that you’ll want to address immediately. You’ll also notice my plugin (wpDirAuth) is included. Read below to find out what was fixed.

WordPress Updated

In case you didn’t notice, the 4.7.4 update was released yesterday. The update includes 47 bug fixes and improvements to the REST API. If interested, you can look through all the changes. If you have updates enabled, your system has probably already updated. If you don’t have them enabled for some reason, make sure to visit Dashboard –> Updates in your site and run the update.

Cross-Site Request Forgery in WordPress Core

A Cross-Site Request Forgery vulnerability in WordPress Core was disclosed today. Specifically, it affects the request_filesystem_credentials() function in /wp-admin/includes/file.php. This affects versions 4.5.3 up to and including 4.7.4.

The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery. This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.

In addition, the WordPress installation must not be able to write to the wp-content folder, so that it falls back to trying to use the internal FTP/SSH functionality. Apparently, this was discovered last summer during The Summer of Pwnage event and still hasn’t been corrected.

While there is no fix yet, standard best practices should help mitigate the risk:

  • Don’t log into your site with an account that has administrative privileges unless you’re doing something that requires administrative privileges
  • If you do need to do some administrative tasks, don’t browse to other sites in the same browser you’re using to perform those administrative tasks
  • Once you’re finished with the administrative tasks, log out of that account

Hopefully now that the vulnerability has been disclosed, the WordPress core team will get a fix out for it.

wpDirAuth Updated

As you may have noticed, my wpDirAuth plugin was listed in this week’s report. I was in the process of making some changes to it and decided to go back to some of the code that is still around from when I inherited it to see if there were other quick changes I could implement to improve it. In the function `wpDirAuth_loginFormExtra()`, it was using `$_SERVER['HTTP_HOST']` to rebuild a redirection. Specifically, the code was checking to see if Require SSL login had been enabled in the plugin but the request for wp-login.php was not over https. If so, it rebuilt the request and attempted to redirect the user to the https version in a multitude of ways. Unfortunately, HTTP_HOST is set via the Host header sent from the client, making it unsafe to use. So if a site using wpDirAuth had Require SSL enabled in the plugin, but did not have FORCE_SSL_ADMIN defined in wp-config.php and was not enforcing SSL via the web server, and if an attacker was able to trick a victim into clicking on a link from a site they controlled, they could have injected the Host header and sent the victim to the non-https version of wp-login on a site using wpDirAuth. From there they could have redirected the user to yet another site, or launched a Cross-Site Scripting attack. Version 1.8.0 requests the domain from WordPress directly, removing the reliance on HTTP_HOST.
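The HTTP_HOST problem described here and the SERVER_NAME problem in pluggable.php mentioned in the 20170519 and 20170505 posts have the same fix: take the host from WordPress’s own configuration rather than from anything the client sent. The following is an added example of that pattern and is not wpDirAuth’s actual code; the option name `example_require_ssl_login` is an assumption, and the `wp_mail_from` filter at the end is one way to apply the same idea to the password-reset e-mail from the posts above.

```php
<?php
// Added example, not wpDirAuth's code. The option example_require_ssl_login
// is an assumption standing in for the plugin's "Require SSL login" setting.

// UNSAFE: the host comes from the client's Host header, so whatever was put
// in that header becomes the destination of the redirect.
function example_force_ssl_login_unsafe() {
    if ( get_option( 'example_require_ssl_login' ) && ! is_ssl() ) {
        wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] );
        exit;
    }
}

// CORRECTED: site_url() reads the siteurl option (or the WP_SITEURL constant),
// never the request; set_url_scheme() forces https regardless of how the
// current request arrived.
function example_force_ssl_login_safe() {
    if ( get_option( 'example_require_ssl_login' ) && ! is_ssl() ) {
        $target = set_url_scheme( site_url( 'wp-login.php' ), 'https' );

        // Carry the redirect_to parameter across only after WordPress has
        // checked it points at an allowed host; otherwise drop it.
        if ( ! empty( $_GET['redirect_to'] ) ) {
            $redirect_to = wp_validate_redirect( wp_unslash( $_GET['redirect_to'] ), '' );
            if ( '' !== $redirect_to ) {
                $target = add_query_arg( 'redirect_to', $redirect_to, $target );
            }
        }

        // wp_safe_redirect() additionally refuses to send the browser off-site.
        wp_safe_redirect( $target );
        exit;
    }
}
add_action( 'login_init', 'example_force_ssl_login_safe' );

// Same idea for the From address of outgoing mail (the pluggable.php case):
// derive the domain from the configured site URL instead of SERVER_NAME.
add_filter( 'wp_mail_from', function ( $from ) {
    $host = wp_parse_url( get_site_url(), PHP_URL_HOST );
    return 'wordpress@' . $host;
} );
```

The two pieces that do the work are `site_url()`, which never consults `$_SERVER`, and `wp_safe_redirect()`, which rejects any final destination whose host is not the site’s own (or on the `allowed_redirect_hosts` list), so even a bug elsewhere in the URL building cannot send the user to a host the attacker chose.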

Introducing Super Simple Account Enumeration Blocker

After speaking at WordCamp St. Louis, I had several people ask me if I could package the code I demonstrate in the account enumeration part of my talk into a single plugin they could install.  I finally had a few minutes to do so (honestly, the longest part is remembering how to use Subversion when I use Git in my day-to-day duties and personal projects).  The result is Super Simple Account Enumeration Blocker.  As its name implies, there isn’t much to it.  It blocks the most common methods of account enumeration, including the User slug from the users endpoint in the REST API, and the overly informative error message upon a failed login attempt.  I probably won’t add much to it beyond edits/additions to match what happens in core.  Hopefully some of you will find it useful.
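As an added illustration of the two blocks described, and not the code of Super Simple Account Enumeration Blocker itself, here is a minimal plugin that removes the REST users routes for anonymous requests and replaces the login error with one generic message. It uses only the core `rest_endpoints` and `login_errors` filters.

```php
<?php
/*
Plugin Name: Example Enumeration Blocker
Description: Added example of the two blocks described in the post; not the Super Simple Account Enumeration Blocker code.
*/

// 1. Remove the users routes from the REST API for anyone who is not logged
//    in, so /wp-json/wp/v2/users no longer lists user slugs (the login names).
//    Logged-in users keep the routes because the admin UI relies on them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );

// 2. Return the same error for every failed login. By default core tells the
//    visitor whether the username exists ("Invalid username" versus "The
//    password you entered for the username X is incorrect"), which is exactly
//    the information an enumeration attempt is after.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid username or password.';
} );
```

Anonymous requests to the users routes now receive the REST API’s standard `rest_no_route` 404 rather than a user list, and a failed login no longer confirms which half of the credential pair was wrong.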

20170414 Vulnerable Plugins Report and other WordPress News

This week’s report.

Vulnerable Plugins

This week’s report is pretty large, mostly due to the disclosure by DefenseCode that 50+ plugins from the company BestWebSoft contained multiple Cross-Site Scripting vulnerabilities. Essentially, if you have one of their plugins, you need to see if there is an update for it yet. The vendor is working to update all of them, but with that many, it’s going to take a while. In this week’s report, I’ve marked which ones had been updated at the time I created the report. It’s very possible they have updated more of them since. If you use one of their plugins and need it, I’d keep checking the plugin’s page for an update.

WordPress Updates

The 4.7.4 update has been moved up from the first week of May to Tuesday, April 18th, with Thursday, April 19th as a fallback date. It seems there was a bug they weren’t going to be able to fix in time for the May release, and the security team wanted to get 4.7.4 out sooner than mid-May. My guess then is that there will be an important security update in 4.7.4, so be prepared to update on Tuesday next week.

WordPress 4.8

Matt (Mullenweg) posted his First Quarter Check-In yesterday.  In it he states he wants to see a v4.8 upgrade released in late May, early June. From his State-of-the-Word address, I had assumed we wouldn’t see a major upgrade until fall, if at all this year. I know there’s been some work on media/image widgets and TinyMCE updates, so maybe he’s planning on pushing those out as the 4.8 upgrade?

Other WordPress Security Stuff

In case you missed it, Wordfence released a great post on how home routers are being hacked and used to launch attacks against WordPress sites.  Routers using the Allegro RomPager 4.07 embedded web server (of which there are over 200 models) are vulnerable to Misfortune Cookie (CVE-2014-9222).

The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism…  attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state… trick[ing] the attacked device to treat the current session with administrative privileges

What Wordfence noticed was IPs that would come on, perform a few attacks against WordPress sites and then switch back, sometimes for up to a month at a time.

What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours.

Because the attacker is spreading the attacks across a large pool of IPs, and only for a short time on any given IP, the low frequency lets the activity go unnoticed. It’s entirely possible that other CMSes are also being targeted but, because of the distribution across IPs and the low volume, are going undetected. In addition to checking your router’s make/model against the list linked above, Wordfence has also made a tool available to check whether your router is vulnerable.