Only one critical vulnerability this week. I would suggest removing it until the author finishes his fixes (he’s almost finished). Otherwise, all of the rest of this week’s vulnerabilities have updates immediately available.
The big news this week was the release of 4.7.5 which addressed six security-related issues, and three maintenance items. Considering this is a security-focused update, if you don’t have the auto-updates enabled, and you haven’t already upgraded, you need to do so as soon as possible.
Unfortunately, 4.7.5 didn’t address CVE-2017-8295, aka the unauthenticated password reset vulnerability. While I’ve stated previously that this particular vulnerability has a narrow attack surface, it’s still a vulnerability that is actively being targeted and remains in all versions of WordPress. I find it particularly odd that the core team still hasn’t addressed it, considering it should be easy enough to correct: use get_site_url() instead of $_SERVER['SERVER_NAME'] in pluggable.php.
The WordPress security team also announced they now have an official bug bounty program on HackerOne. They’ve already awarded $3,700 in bounties. Not only does it cover the WordPress project but includes BuddyPress, bbPress, GlotPress, WP-CLI, and all of their associated sites, plus WordCamp.org. Might be a nice little way to contribute to WordPress and make some money on the side. 😀
If you work in Higher Education and are located in the south-western region of Missouri, don’t miss out on the HighEdWeb Regional conference this Monday, May 22 at 8am. This will be a hands-on workshop where we cover the top web application security risks, and then use them to attack a vulnerable web application. I promise you it’ll be fun! While it is free, space is limited, so if you think you might want to go, sign up ASAP to reserve your spot!
This week’s report is fairly light, with no major critical issues. Given the report’s light reading, I would encourage you to read Wordfence’s post from this week on “22 Abandoned WordPress Plugins with Vulnerabilities” as it highlights a major area of concern when it comes to WordPress: communicating to users that a vulnerability exists in a plugin they are using. Please look over the list and make sure you aren’t using any of the ones listed, and if you are, start looking for alternatives.
Last Saturday the WordPress version 4.8 release date was announced: June 8th. Beta 1 should be available later today with the Release Candidate targeted for May 25th. 4.8 is the first major version released in 2017, and is a stepping-stone toward releasing the new Gutenberg editor in WordPress. In addition it should include a new WYSIWYG widget, and several media widgets.
If you use wpDirAuth, please note that I released a fairly substantial upgrade yesterday. The biggest changes were the addition of several hooks that can be used to modify/extend wpDirAuth to your institution’s specific requirements without having to modify the plugin directly. I also added a cookie expiration setting into the settings area so you can more easily change the one-hour default to something else without having to add code to your theme’s functions file.
For the Password Reset vulnerability it’s important to note that the scenarios under which this attack can be exploited are limited. In addition, if you are limiting access to the login area by IP address, which I strongly recommend, then this attack is mostly mitigated unless the attack is happening from inside your allowed network ranges. I’ll admit though, I’m a little disappointed in the Core team that they didn’t fix this when it was first reported to them, considering it shouldn’t be that hard to fix. Hopefully we’ll see them address it in v4.7.5.
Interestingly, both issues revolve around the same root cause I corrected in the last update to my wpDirAuth plugin: using the $_SERVER variables SERVER_NAME and HTTP_HOST. As I have said previously, all data is tainted. If you didn’t write it into your code yourself, you can’t trust it.
This week’s report is, fortunately, not too bad. Just six disclosures. There were two more that I saw information on, but was unable to confirm. My guess is that if they turn out to be legit, we’ll see them pop up in the next week.
“…all links with a target of _blank will get a rel attribute of noopener noreferrer.”
If you’re unfamiliar with noopener, it prevents a page opened in a new window/tab from having access to the window.opener object, an issue called tabnabbing. Firefox doesn’t support noopener, so you have to include noreferrer. Read more about how the vulnerability manifests itself. If you noticed these showing up in your links, now you know it’s there to protect your users.
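To show the rule quoted above in working code, here is an added example (not WordPress core’s own implementation) of a content filter that gives every link opening in a new tab the rel values noopener and noreferrer, keeping any rel values the link already had. The function name is hypothetical.

```php
<?php
/**
 * Add rel="noopener noreferrer" to every <a ... target="_blank"> in post content.
 * Added example; assumes it runs inside WordPress as a plugin or theme snippet.
 */
function example_add_noopener_to_blank_links( $html ) {
    return preg_replace_callback(
        '/<a\b[^>]*>/i',
        function ( $m ) {
            $tag = $m[0];

            // Only links that open a new browsing context expose window.opener.
            if ( ! preg_match( '/\btarget\s*=\s*(["\']?)_blank\1/i', $tag ) ) {
                return $tag;
            }

            // Existing rel attribute, quoted (groups 1-2) or unquoted (group 3).
            if ( preg_match( '/\brel\s*=\s*(?:(["\'])(.*?)\1|([^\s>]+))/i', $tag, $rel ) ) {
                $existing = ( isset( $rel[3] ) && '' !== $rel[3] ) ? $rel[3] : $rel[2];
                $values   = preg_split( '/\s+/', strtolower( trim( $existing ) ), -1, PREG_SPLIT_NO_EMPTY );
                foreach ( array( 'noopener', 'noreferrer' ) as $needed ) {
                    if ( ! in_array( $needed, $values, true ) ) {
                        $values[] = $needed;
                    }
                }
                return str_replace( $rel[0], 'rel="' . esc_attr( implode( ' ', $values ) ) . '"', $tag );
            }

            // No rel attribute yet: insert one just before the closing '>'.
            return substr( $tag, 0, -1 ) . ' rel="noopener noreferrer">';
        },
        $html
    );
}
// Priority 20 runs after wpautop and shortcodes have produced the final markup.
add_filter( 'the_content', 'example_add_noopener_to_blank_links', 20 );
```

Links without target="_blank" are left untouched, so the filter only changes markup that actually hands a new tab a reference back to your page.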
WordCamp Kansas City
WordCamp Kansas City (#wckc) kicks off today. Unfortunately, I won’t be there today, but will be speaking tomorrow morning at nine, and then will be attending the rest of the day. Definitely looking forward to seeing everyone!
This week’s report isn’t too bad, though there is one critical vulnerability in the plugin WooCommerce Catalog Enquiry that you’ll want to address immediately. You’ll also notice my plugin (wpDirAuth) is included. Read below to find out what was fixed.
In case you didn’t notice, the 4.7.4 update was released yesterday. The update addresses 47 bug fixes and improvements to the REST API. If interested, you can look through all the changes. If you have updates enabled, your system has probably already updated. If you don’t have them enabled for some reason, make sure to visit the Dashboard –> Updates in your site and run the update.
Cross-Site Request Forgery in WordPress Core
A Cross-Site Request Forgery vulnerability in WordPress Core was disclosed today. Specifically, it affects the request_filesystem_credentials() function in /wp-admin/includes/file.php. This affects versions 4.5.3 up to and including 4.7.4.
The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery. This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.
In addition, the WordPress installation must not be able to write to the wp-content folder, so that it falls back to trying to use the internal FTP/SSH functionality. Apparently, this was discovered last summer during The Summer of Pwnage event and still hasn’t been corrected.
While there is no fix yet, standard best practices should help mitigate the risk:
Don’t log into your site with an account that has administrative privileges unless you’re doing something that requires administrative privileges
If you do need to do some administrative tasks, don’t browse to other sites in the same browser you’re using to perform those administrative tasks
Once you’re finished with the administrative tasks, log out of that account
Hopefully now that the vulnerability has been disclosed, the WordPress core team will get a fix out for it.
As you may have noticed, my wpDirAuth plugin was listed in this week’s report. I was in the process of making some changes to it and decided to go back to some of the code that is still around from when I inherited it to see if there were other quick changes I could implement to improve it. In the function `wpDirAuth_loginFormExtra()` it was using `$_SERVER['HTTP_HOST']` to rebuild a redirect. Specifically, the code checked whether Require SSL login had been enabled in the plugin while the request for wp-login.php was not over https. If so, it rebuilt the request and attempted to redirect the user to the https version in a multitude of ways. Unfortunately, HTTP_HOST is set from the Host header sent by the client, making it unsafe to use. So if a site using wpDirAuth had Require SSL enabled in the plugin, but did not have FORCE_SSL_ADMIN defined in wp-config.php and was not enforcing SSL via the web server, and if an attacker was able to trick a victim into clicking a link from a site they controlled, they could have injected the Host header and sent the victim to the non-https version of wp-login on a site using wpDirAuth. From there they could have redirected the user to yet another site, or launched a Cross-Site Scripting attack. Version 1.8.0 requests the domain from WordPress directly, removing the reliance on HTTP_HOST.
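The class of bug described here, and the one behind the password reset issue mentioned earlier (SERVER_NAME in pluggable.php), is the same: building a URL from a request header the client controls. This is an added example, not wpDirAuth’s or WordPress core’s code, showing a redirect built from HTTP_HOST beside one built from the site’s configured URL; the function names are hypothetical.

```php
<?php
/*
 * Added example: forcing the login page onto https.
 * Assumes it runs inside WordPress (hooked on login_init).
 */

// BEFORE: the host is copied from the client's Host header. A request carrying
// "Host: attacker.example" is redirected to https://attacker.example/..., so the
// "force SSL" logic becomes an open redirect.
function example_force_ssl_login_unsafe() {
    if ( ! is_ssl() ) {
        $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        wp_redirect( $url );
        exit;
    }
}

// AFTER: the host comes from WordPress's configured site address, never from
// the request. wp_login_url() is built on site_url()/get_site_url(), which read
// the stored 'siteurl' option (or WP_SITEURL), and set_url_scheme() pins https.
function example_force_ssl_login_safe() {
    if ( ! is_ssl() ) {
        $url = set_url_scheme( wp_login_url(), 'https' );
        // wp_safe_redirect() additionally refuses any target whose host is not
        // in allowed_redirect_hosts, so even a tampered URL cannot leave the site.
        wp_safe_redirect( $url, 301 );
        exit;
    }
}
add_action( 'login_init', 'example_force_ssl_login_safe' );
```

The same substitution applies anywhere a plugin assembles a URL or an e-mail header from $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME']: ask WordPress for the configured host instead.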
Introducing Super Simple Account Enumeration Blocker
After speaking at WordCamp St. Louis, I had several people ask me if I could package the code I demonstrate in the account enumeration part of my talk into a single plugin they could install. I finally had a few minutes to do so (honestly, the longest part is remembering how to use Subversion when I use Git in my day-to-day duties and personal projects). The result is Super Simple Account Enumeration Blocker. As its name implies, there isn’t much to it. It blocks the most common methods of account enumeration, including the User slug from the users endpoint in the REST API, and the overly informative error message upon a failed login attempt. I probably won’t add much to it beyond edits/additions to match what happens in core. Hopefully some of you will find it useful.
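As an added example, not the plugin’s own code, here is a minimal version of the two blocks the post names (the REST users endpoint and the verbose login error), plus the ?author=N redirect, a third common enumeration channel that goes beyond what the post lists. It assumes it is loaded as a plugin or mu-plugin.

```php
<?php
/*
 * Added example: closing the most common WordPress account enumeration channels.
 * Hooks used (rest_endpoints, login_errors, template_redirect) are core filters/actions.
 */

// 1. Hide /wp/v2/users and /wp/v2/users/<id> from anonymous callers. The
//    "slug" field of those responses is the user's login name.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Core's messages differ for "unknown username" and "wrong password",
//    which confirms whether an account exists. Return one generic message.
//    Caveat: this filter also covers messages such as "The password field is
//    empty", so all login-form errors become this text.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed: the username or password is incorrect.';
} );

// 3. /?author=1 normally redirects to /author/<login>/, leaking the login
//    name for every user id. Send anonymous visitors to the front page instead.
add_action( 'template_redirect', function () {
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );
```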
This week’s report is pretty large, mostly due to the disclosure by DefenseCode that 50+ plugins from the company BestWebSoft contained multiple Cross-Site Scripting vulnerabilities. Essentially, if you have one of their plugins, you need to see if there is an update for it yet. The vendor is working to update all of them, but with that many, it’s going to take a while. In this week’s report, I’ve marked which ones had been updated at the time I created the report. It’s very possible they have updated more of them. If you use one of their plugins and need it, I’d keep checking the plugin’s page for an update.
The 4.7.4 update has been moved up from the first week of May to Tuesday, April 18th with Thursday, April 19th as a fallback date. It seems there was a bug they weren’t going to be able to fix in time for the May release, and the security team wanted to get the 4.7.4 out sooner than mid-May. My guess then is that there will be an important security update in 4.7.4 so be prepared to update on Tuesday next week.
Matt (Mullenweg) posted his First Quarter Check-In yesterday. In it he states he wants to see a v4.8 upgrade released in late May, early June. From his State-of-the-Word address, I had assumed we wouldn’t see a major upgrade until fall, if at all this year. I know there’s been some work on media/image widgets and TinyMCE updates, so maybe he’s planning on pushing those out as the 4.8 upgrade?
Other WordPress Security Stuff
In case you missed it, Wordfence released a great post on how home routers are being hacked and used to launch attacks against WordPress sites. Routers using the Allegro RomPager 4.07 embedded web server (of which there are over 200 models) are vulnerable to Misfortune Cookie (CVE-2014-9222).
The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism… attackers can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application and system state… trick[ing] the attacked device to treat the current session with administrative privileges
What Wordfence noticed was IPs that would come online, perform a few attacks against WordPress sites, and then go quiet again, sometimes for up to a month at a time.
What we have found is a botnet that is distributed across thousands of IPs. Each IP is only performing a few attacks, those attacks are spread across many websites and the attacks only last a few minutes or hours.
Because the attacker is spreading the attacks across a large pool of IPs, and only for a short time on any given IP, the low frequency lets it go unnoticed. It’s entirely possible that other CMSes are also being targeted but, because of the distribution across IPs and the low volume, are going undetected. In addition to checking your router’s make/model against the list linked above, Wordfence has also made a tool available to check whether your router is vulnerable.
Wanted to do a couple of quick PSAs. First, SiteLock disclosed earlier this week that they are starting to see backdoor scripts masquerading as a legitimate SEO plugin. This isn’t a particularly new attack method, as we’ve seen it quite a few times in the past. However, it’s a good reminder that you should be intimately familiar with the plugins you have installed. If there’s one there you don’t remember installing or know nothing about, that’s a red flag. In addition, you should be monitoring your site and have alerts enabled for plugin installations and activations.
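One way to get the alerts just recommended, as an added example (not SiteLock’s or any plugin’s code): an mu-plugin that e-mails the site administrator whenever a plugin is installed through the upgrader or activated. It uses the core actions activated_plugin and upgrader_process_complete; the function name is hypothetical.

```php
<?php
/*
 * Added example: alert on plugin installation and activation.
 * Drop into wp-content/mu-plugins/ so it cannot itself be deactivated from the dashboard.
 */

function example_notify_admin( $subject, array $lines ) {
    $user    = wp_get_current_user();
    $lines[] = 'By user: ' . ( $user->exists() ? $user->user_login : '(none / CLI)' );
    $lines[] = 'Remote IP: ' . ( isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '(n/a)' );
    $lines[] = 'When (UTC): ' . current_time( 'mysql', true );
    wp_mail(
        get_option( 'admin_email' ),
        '[' . get_bloginfo( 'name' ) . '] ' . $subject,
        implode( "\n", $lines )
    );
}

// Fires after any activation: dashboard, WP-CLI, or code calling activate_plugin().
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin, false, false );
    example_notify_admin( 'Plugin activated: ' . $plugin, array(
        'Name: ' . $data['Name'] . ' ' . $data['Version'],
        'Network-wide: ' . ( $network_wide ? 'yes' : 'no' ),
    ) );
}, 10, 2 );

// Fires when the installer/upgrader finishes; report only fresh plugin installs.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type']
        || empty( $hook_extra['action'] ) || 'install' !== $hook_extra['action'] ) {
        return;
    }
    $dir = isset( $upgrader->result['destination_name'] ) ? $upgrader->result['destination_name'] : '(unknown)';
    example_notify_admin( 'Plugin installed: ' . $dir, array( 'Directory: ' . $dir ) );
}, 10, 2 );
```

A backdoor copied in over FTP or SSH never passes through these hooks, so pair this with file-integrity monitoring of wp-content/plugins.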
Second, start preparing for the WordPress v4.7.4 update. The core team has been hard-at-work fixing bugs that will be bundled up into the 4.7.4 update. 4.7.4 is currently scheduled for release the first week of May.
Third, the results of the WordPress Editor Experience survey have been published. Highlights, IMO are:
Half of the respondents use the Text editor at least sometimes
But almost half never use the markup buttons
76% never use the distraction free option (I never use it)
Just under a third have added a shortcodes plugin (ugh) to extend the editor
90% of respondents who use a screen reader felt the editor experience is sufficient or better
Fourth, WordCamp Kansas City is in just a couple of weeks (28th and 29th). If you haven’t purchased your tickets yet, you need to get on that before they sell out! $40 for two days of professional development. Forty sessions in total. Lunch (and coffee+snacks for breakfast) provided for both days. That’s an incredible value. If you are in Columbia, MO and want to carpool, let me know.
Last, if you live in Columbia, MO, Steve Struemph and I are in the beginning stages of starting a WordPress meetup for Columbia. If you are interested in joining, or helping us, please get in touch with one of us!
Had a fellow developer contact me today who was running into an issue. He was in the process of migrating his sites from one server to another, and upon finishing the move and attempting to log in, discovered his administrator account no longer had permissions to do anything, and appeared to have a subscriber role. My first thought was possibly a cookie issue, so he tried deleting cookies, and using a different browser. No progress.
My second thought was that perhaps his user IDs got messed up when he migrated the database and that the IDs from *_users no longer matched up to the user_id field in *_usermeta. He sent me a screenshot of his record from *_users and matching records from *_usermeta to show me that they all matched. That’s when I noticed that the meta_key was foo_capabilities, not wp_capabilities. “Is your $table_prefix variable still set to ‘foo_’?” I asked. “Oh, no. I changed it to ‘bar_’, but I changed all of the table names when I migrated the database.”
I had him change the meta_keys from ‘foo_capabilities’ to ‘bar_capabilities’ and ‘foo_user_level’ to ‘bar_user_level’ and BOOM! Everything started working again.
So it turns out $table_prefix, despite the variable’s name, is used for more than just prefixing the database tables. It’s used for several meta_keys in the *_usermeta table, including *_capabilities and *_user_level, and it’s also used in the option_name *_user_roles in the *_options table.
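The fix above, done in one pass instead of by hand, as an added example (not the author’s code): after $table_prefix has been changed in wp-config.php and the tables renamed, rename every usermeta key that still carries the old prefix and the *_user_roles option. The old prefix 'foo_' is assumed; the new one is read from $wpdb so it cannot disagree with wp-config.php.

```php
<?php
/*
 * Added example: rename prefixed usermeta keys and the user_roles option after
 * a $table_prefix change. Run once inside WordPress, e.g. `wp eval-file fix-prefix.php`.
 */
global $wpdb;

$old_prefix = 'foo_';          // assumed old value of $table_prefix
$new_prefix = $wpdb->prefix;   // current value from wp-config.php, e.g. 'bar_'

if ( $old_prefix === $new_prefix ) {
    echo "Prefix unchanged, nothing to do.\n";
    return;
}

// usermeta: foo_capabilities, foo_user_level and any other key starting with the
// old prefix. esc_like() escapes the '_' so LIKE does not treat it as a wildcard,
// and SUBSTRING() strips exactly strlen($old_prefix) characters.
$changed = (int) $wpdb->query( $wpdb->prepare(
    "UPDATE {$wpdb->usermeta}
        SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d))
      WHERE meta_key LIKE %s",
    $new_prefix,
    strlen( $old_prefix ) + 1,
    $wpdb->esc_like( $old_prefix ) . '%'
) );

// options: foo_user_roles holds the role -> capability map for the whole site.
$changed += (int) $wpdb->query( $wpdb->prepare(
    "UPDATE {$wpdb->options} SET option_name = %s WHERE option_name = %s",
    $new_prefix . 'user_roles',
    $old_prefix . 'user_roles'
) );

// Role and user objects are cached; drop the cache so the renamed keys are read.
wp_cache_flush();
echo "Renamed {$changed} row(s).\n";
```

On a multisite install each blog has its own prefixed options table and user_roles option, so the options step has to be repeated per site.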
I will mention briefly that I sat in a couple of sessions over the course of the weekend where presenters gave bad advice, security-wise. I didn’t say anything at the time because I didn’t want to be “that guy” who interrupts and contradicts a speaker. I don’t particularly like it when I’m presenting and not every speaker is confident enough to handle an interruption. Just remember that nothing from the client is safe, nothing from the client-side can be relied upon. If you didn’t generate it in your code, the data is tainted and you need to treat it as untrusted. If you have to use the data, verify the data is what you expect it to be and escape it before you send it back to the user. PLEASE.
As I mentioned in part 1, Fernando was kind enough to swing by and pick up Shilpa and myself for day 2 of WordCamp. While Shilpa headed into the conference area to get set up and prepped for her presentation, I volunteered to help Fernando get that morning’s breakfast all set up. Of course, this also meant I had an early jump on the coffee. 😀 After grabbing a couple of cups, I went in to the vendor area to make sure Victor and Sal had survived the various events from the night before. After visiting for a few minutes, I went back over to the main venue to make sure I had a good spot for Shilpa’s presentation, Lessons From Marketing Disasters.
Marketing isn’t what I do on a daily basis, so normally I wouldn’t have attended this track at all, but I wanted to be there as moral support for Shilpa, and as I suspected, it was a fantastic presentation. She did a great job of going through the trials and tribulations they faced at her company: the assumptions they made and how they were incorrect, the actions they took on those incorrect assumptions and the outcomes that came from it. She then explained how they adjusted course using data and smart decisions based on industry best practices. I sincerely wish that some key people on my campus could have seen this presentation. She covered using surveys, exit pop-ups, A/B testing, funneling and iterative changes to both the process and the site. I would definitely suggest checking out the slide deck as well as the recorded session (starts at roughly 00:27:00).
Interestingly, the next speaker never arrived. I have no idea what happened. I was bummed too because I really was interested in learning more about the Angular Ecosystem. However, the next speaker, Michael Dyer, was available and agreed to start early. For me, this turned out to be a blessing in disguise as Intro to GraphQL for REST developers ended up being one of my, if not THE, favorite session. In a nutshell, GraphQL is a query language for APIs. Instead of having to perform multiple API calls to gather all the data on the page, you can query GraphQL (running on the server) for exactly what you need even if it spans multiple endpoints in the API.
But wait! It gets even better! By adding resolvers you can query across APIs! Have a faculty member who writes posts (one API), but you want to include the classes they teach (second API) and some biographical information from their faculty180 profile (third API)? You could get it all, and only what you need, with one call! My mind was racing with all of the possibilities and use cases. Interestingly, everyone else in the audience seemed to be struggling with why you would use GraphQL at all. I was stunned that they weren’t able to see the potential. Instead of wasting processing time and expensive calls to the API, and receiving data pieces you don’t need, you can make one call to the API, let the server handle gathering everything for you, and receive only what you need.
I grabbed Michael after the presentation and discussed it with him some more. Turns out, Michael is an incredibly smart guy as well as really nice. He was more than happy to dig into it more with me and show me some of the other stuff it can do. He even showed me how easy it is to set up a resolver. We ended up having lunch together to discuss it further, as well as reminisce about the good old days of the internet back in the nineties.
Before the afternoon session, I headed back over to the Sucuri booth, and that is when I fell head over heels in love. Victor and Sal introduced me to Cuban espresso.
Seriously, this is the best coffee I have ever tasted. I was hooked. And I was wired. I was all set for the afternoon sessions.
Turns out we’re even happier when we take selfies with other people so she instructed us to take a selfie with some other people. I didn’t know anyone else in the room, so I had to grab some random people for my group selfie.
Sorry random people for not getting your names so I could tag you, and for the horrible picture. I blame the Cuban coffee! 😉
She briefly covered disclosing too much information about yourself online. I wish I had had the opportunity to discuss OSINT with her and how social media is a huge tool in gathering intelligence on a target.
After that was Rachel Lucas (from WPBICO) to discuss Zero to Zen and Naomi Bush (from gravity+ Pro) on How We Built a Custom WordPress Site and No Custom Code. I’ll mention quickly that after seeing Naomi’s presentation I get why people like Gravity Forms, but I just can’t get over their less-than-ideal history with security issues and that they make it too easy for people to collect data they really shouldn’t be collecting. When you collect data, you take on the responsibility of protecting that data. You become the steward of that data. And people far too often collect everything just in case, when they don’t really need to. Rule of thumb: you can’t leak it if you don’t have it. 😉
Last up was Adam Soucie to discuss Getting Back Up Again – Developing with Mental Illness (starts at 00:03). Just go watch it. Seriously. Incredibly moving. As someone who has also struggled with mental illness since my teenage years, I applaud his courage to get up and discuss his struggles in front of an audience and for bringing attention to those who suffer.
Last, everyone headed back over to the main convention area where we did 80s and WordCamp trivia and giveaways.
And just like that, WordCamp Miami 2017 was over. People said their goodbyes, hugs were given, and Fernando gave me a ride to the airport. I had an amazing time. I didn’t meet a single person I didn’t like, and I hope I made some connections that last much longer than the short time we were together.
TL;DR – WordCamp Miami is an AMAZING conference, but we still have lots to do educating people on security.
I’d be remiss if I didn’t start this post with acknowledging the incredible work and effort put in by David Bisset, Ptah Dunbar and all of the other organizers for this year’s WordCamp Miami. With the exception of a couple of very minor hiccups, the event went off without a hitch. I can’t thank the organizers enough for everything they did to make WordCamp Miami 2017 a success.
Started Friday morning by meeting and sharing a ride with the wonderful, talented Shilpa Shah, cofounder of Hummingbird Web Solutions. Shilpa flew for 27 hours to come to WordCamp Miami! She reminded me immediately of why I love attending WordCamps: incredibly intelligent, kind, helpful people coming together to share their knowledge. I was honored to be able to get to know her, and will most definitely be taking her up on her offer to come visit India.
I decided to attend the BuddyPress/REST API pre-conference workshop. We don’t use BuddyPress but I was interested in learning more about it, and definitely wanted to dig more into the REST API. David Laietta did a great job introducing us to what BuddyPress is, and what it isn’t, and when it can be a good fit in his BuddyPress 101 talk. Next up, I have to give Tara Claeys major props for embracing the 80’s theme and her inner Jane Fonda to share how her firm used BuddyPress to power a wellness challenge. I really wish I had taken a photo of Tara’s outfit! UPDATE: Erica Lynn saves the day! Erica had the photo I was wishing I had taken and was kind enough to let me post it here!
After lunch was Andrew Taylor from Pantheon to discuss the REST API. The most exciting piece from this talk was that I learned of some undocumented “features” of the REST API that I believe are exploitable. For now that’s all I’ll say until I can dig into them further, and report to the appropriate parties. Besides that, I learned that WordPress has added quite a few capabilities in the REST API for custom post types simply by setting show_in_rest to true when registering a new post type.
Friday night was the speaker dinner. I had a wonderful time hanging out with Jonathan Brinley and Mike Herchel, and then playing Cards Against Humanity with Mike, Kimberly Lipari, David Laietta, Scott Mann and several other people. I got to experience my first plantain and had a thoroughly engaging conversation with Mike and his buddy Kyle on Drupal, how Drupal is changing the update process, the current controversy and the future of Drupal.
I was the first session in the morning on Saturday. I left the hotel early with plans to get some coffee and a bagel on campus before heading over to the auditorium. Much to my disappointment, I discovered that there aren’t any coffee shops on the FIU campus open on Saturday mornings. WHAT?! What kind of campus doesn’t have coffee regularly available on the weekend? Luckily, my man Patrick Alexander hooked me up with some Cuban coffee (though not the Cuban espresso that I would fall in love with later). With my caffeine firmly taken care of, I headed back over to the vendor area to meet up with Victor Santoyo from Sucuri. Absolutely incredible guy. Wicked smart. From there I headed back over to get set up for my talk.
Not sure how many people were in my session, but all-in-all, I think it went pretty well. The presentation is normally an hour in length so I had to trim quite a bit out and talk a bit faster than I would have liked in order to squeeze it into the 30 minutes I had available. People seemed to appreciate the information I shared with them, and I ended up having numerous conversations with people later on the subject of securing their site. From there I headed back over to the Sucuri booth to hang out with Victor and discuss things further with people that had attended my talk.
By this point Sal Aguilar had arrived, so he and I manned the booth while Victor went over to do his AMA talk. Sal is also an incredibly talented security analyst for Sucuri. Not only does he work for Sucuri but he’s also the organizer of WordCamp Nicaragua 2017! Sal and I discussed the state of security on the web, the acquisition of Sucuri by GoDaddy and what that means for the future of Sucuri, and the history of WordCamp Nicaragua and challenges he has faced in trying to make sure WordCamp Nicaragua 2017 happens. Sal is a hard worker, and I have no doubt #WCNI2017 is going to be a huge success.
Next up was Mike Herchel’s presentation on WordCamp & Drupal: Community and Contribution Differences and Lessons. As I had suspected, there are many more similarities between the two camps than I think most people are willing to admit. Ended up eating lunch with Mike and Kyle, where we discussed some of the challenges organizations face in trying to keep their tech stacks up to date.
After lunch was Chris Wiegman’s extremely fast session on Securing Your Webserver. I really think the track chairs did a disservice relegating Chris’ presentation to an 8-minute lightning talk. TONS of good information, but only enough to leave you wanting more. As I had suspected, he discussed php-fpm (something I strongly encourage you to implement if you run your own webserver) and firewalls, but he also covered fail2ban and chroot jails, two topics that I really wanted more information on. Specifically, I’d like to implement fail2ban in our own environment combined with the network restrictions we’ve added. Chroot jails I was unfamiliar with and am now digging into. Luckily, I know Chris so I’ll just bug him directly.
I spent the remainder of the day hanging out in the Sucuri booth and in the happiness bar. I helped several people with issues on their sites ranging from simple CSS issues to a site that had been compromised. It was my experience that afternoon (and a few sessions on Sunday) that made me realize that those of us in the infosec space still have a long way to go in terms of educating everyone on proper site security. I’m not throwing shade at any person, and especially not anyone that I assisted in the happiness bar. On the contrary. Everyone has to be new at some point, and we can’t expect everyone to be knowledgeable on security right from the beginning. What we need to do is make sure securing their site is intuitive and easy. We need to make sure that we make products that are secure to begin with and stay secure with little to no effort on the part of the end user. And we need to make sure there are plenty of talks, sessions, articles, etc. for anyone who has questions or wants to dig in deeper.
At this point, I need to give major props to Fernando Polania. Not only did he offer to give me a ride back to the hotel Saturday afternoon, he also came back Sunday morning to pick me up AND took me to the airport Sunday evening. Oh, and he also organized all the food at WCMIA. All of it. Seriously, this dude is amazing. Super nice guy. Fernando, if you’re reading this post, I’m buying you dinner next time I see you.
The after party was fun. David orchestrated a game of trivia via kahoot.it. I ended up winning a PHP Elephant (donated by PHP Women), which my daughter absolutely loves. The mall where the event was held had a live Latino band that was incredible. It was at this point that I realized 1. I really wish I had taken more Spanish in college, and 2. I really enjoy Latin culture. The music, the atmosphere, the food, the language. If I hadn’t been so exhausted I would have stayed later and soaked up more of it.