February 22, 2012

Millions of WordPress Sites Exposing Potentially Private Photos Due to Misconfiguration

(LiveHacking.Com) – A security researcher has discovered that millions of web sites which run on the popular WordPress blogging platform are exposing potentially private photos and images due to misconfiguration and a privacy vulnerability in the NextGEN Gallery plugin. The problem is that the NextGEN Gallery plugin allows unrestricted HTTP browsing of its ‘gallery’ directory and so exposes all the photos which have been uploaded to the blog, including those that have not been published via the plugin.

To access the gallery the following URL is used: http://www.example.com/wp-content/gallery/ where example.com is the domain name of the WordPress site. Variations of this could be http://blog.example.com/wp-content/gallery/ or http://www.example.com/blog/wp-content/gallery/ depending on where WordPress has been installed.

A search engine can also be used to find vulnerable sites by using the following search: inurl:"/wp-content/gallery/". Google returns over 7 million results for this search. An alternative search is: "Index of /wp-content/gallery", which returns over 3 million results.

The impact of this vulnerability is that photos and images which the system administrator has not published are being exposed. Secondly, there are privacy issues with search engines crawling sections of web sites which the admins thought had remained private.

There are however some workarounds which I recommend every WordPress / NextGEN Gallery site use:

  1. Add the following lines to the WordPress .htaccess file to prevent directory browsing:
    # Disable Directory Browsing
    Options All -Indexes
  2. Create an empty file with the name index.html or index.php and save it in http://www.example.com/wp-content/gallery/
  3. Use the Disable Directory Listings plugin, http://wordpress.org/extend/plugins/disable-directory-listings/.
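The first two workarounds are file-system checks an administrator can verify from the server itself. The script below is an added example written for this article, not code from LiveHacking.com or the NextGEN Gallery project: it audits a local WordPress root for an Options directive that disables Indexes in .htaccess and for an index placeholder inside wp-content/gallery, and can apply both fixes. The gallery path and the assumption that the server default allows listings are the script's own; point `wp_root` at a real install.

```python
"""Audit and harden a local WordPress install against NextGEN Gallery
directory listing (added example, not the project's own code)."""
import os
import re

GALLERY_REL = os.path.join("wp-content", "gallery")  # NextGEN's upload directory (assumed)
INDEX_NAMES = ("index.html", "index.php")            # either one stops Apache's listing
OPTIONS_RE = re.compile(r"^\s*Options\b(.*)$", re.IGNORECASE)
# Option names covered by Apache's "All" keyword (everything except MultiViews)
ALL_OPTIONS = {"execcgi", "followsymlinks", "includes", "indexes", "symlinksifownermatch"}


def htaccess_disables_indexes(htaccess_path):
    """Return True if the net effect of the Options directives removes Indexes.

    Starts from the conservative assumption that the server default allows
    listings, so a missing file or one without an Options line counts as exposed.
    Absolute tokens (no +/-) replace the set, relative tokens adjust it, and the
    last directive wins. A deeper .htaccess could still re-enable listings.
    """
    enabled = {"indexes"}  # assumed server default
    if not os.path.isfile(htaccess_path):
        return False
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            m = OPTIONS_RE.match(raw.split("#", 1)[0])  # skip comment lines
            if not m:
                continue
            tokens = [t.lower() for t in m.group(1).split()]
            absolute = [t for t in tokens if t[0] not in "+-"]
            if absolute:
                enabled = set()
                for t in absolute:
                    enabled |= ALL_OPTIONS if t == "all" else (set() if t == "none" else {t})
            for t in tokens:
                if t.startswith("+"):
                    enabled.add(t[1:])
                elif t.startswith("-"):
                    enabled.discard(t[1:])
    return "indexes" not in enabled


def gallery_has_index(gallery_dir):
    """True if a placeholder index file exists in the gallery directory."""
    return any(os.path.isfile(os.path.join(gallery_dir, n)) for n in INDEX_NAMES)


def audit(wp_root):
    """Return the state of both workarounds for the install under wp_root."""
    gallery = os.path.join(wp_root, GALLERY_REL)
    return {
        "gallery_exists": os.path.isdir(gallery),
        "indexes_disabled": htaccess_disables_indexes(os.path.join(wp_root, ".htaccess")),
        "gallery_has_index": gallery_has_index(gallery),
    }


def harden(wp_root):
    """Apply whichever workaround is missing; return the actions taken."""
    actions = []
    htaccess = os.path.join(wp_root, ".htaccess")
    if not htaccess_disables_indexes(htaccess):
        with open(htaccess, "a", encoding="utf-8") as fh:
            fh.write("\n# Disable Directory Browsing\nOptions -Indexes\n")
        actions.append("appended Options -Indexes to .htaccess")
    gallery = os.path.join(wp_root, GALLERY_REL)
    if os.path.isdir(gallery) and not gallery_has_index(gallery):
        open(os.path.join(gallery, "index.html"), "a").close()  # empty placeholder file
        actions.append("created wp-content/gallery/index.html")
    return actions


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(audit(root))
```

Run it as `python audit_gallery.py /var/www/html` to report, then call `harden()` to apply. The parser deliberately treats "no Options line" as exposed, because whether listings are on by default depends on the server configuration outside the web root.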

At this time US-CERT has been notified along with the plugin author. According to the statistics on the WordPress site, NextGEN Gallery has been downloaded over 4.5 million times.

WordPress 3.3 Patched to Fix Cross-Site Scripting Vulnerability

(LiveHacking.Com) – WordPress 3.3.1 has been released to fix a Cross-Site Scripting (XSS) vulnerability discovered by security researchers Aditya Modha and Samir Shah. As well as fixing the XSS problem, 3.3.1 fixes 15 issues with WordPress 3.3. Once the vulnerability was made public other researchers tried to reproduce it, but without success. It transpires that the vulnerability is exploitable if WordPress is installed using an IP address. If, however, WordPress is installed via a domain name, as it is for many people, the site isn’t vulnerable. This is because of logic within the WordPress codebase which treats URLs differently depending on whether WP_SITEURL is set or unset.

The WordPress team thanked Joshua H., Hoang T., Stefan Zimmerman, Chris K. and the Go Daddy security team for responsibly disclosing the bug to the WordPress security team.

WordPress 3.3.1 can be downloaded from here or use Dashboard → Updates in your site admin.

Non-updated Versions of TimThumb Still Causing Problems for WordPress

(LiveHacking.Com) - Nearly three months ago it was discovered that TimThumb, a PHP script that is used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

By crafting a special image file with a valid MIME type and appending PHP code to the end of it, it is possible to fool TimThumb into believing that it is a legitimate image, so that it caches the file locally in its cache directory.

Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections that are exploiting non-updated versions of TimThumb.

Researchers from AVAST were contacted in relation to the blog theJournal.fr, the online site of The Poitou-Charentes Journal, which had been infected. According to AVAST, the Poitou-Charentes Journal is just one part of a much bigger attack.

The compromised sites were infected with the Blackhole Toolkit, a set of malware tools available on the black market for around $1500. AVAST has spotted 151,000 hits to one of the locations where this exploit redirects users, and estimates that anywhere up to 3,500 sites have been infected.

More details about the surge in infections can be found here, and details of the Blackhole Toolkit can be found on AVAST’s blog here.

Google Images Poisoned by Hacked WordPress Blogs

(LiveHacking.Com) – Russian security researcher Denis Sinegubko has posted details of 4,358 WordPress blogs that are poisoning Google Images with inserted doorway pages that redirect visitors to fake anti-virus sites.

These doorway pages replace the original content with twenty or so “thumbnails” and short text snippets relevant to different keyword searches. They are subsequently picked up by Google’s spiders and can rank quite well for some keywords, both in Google Web search and Google Images search. The malicious redirects occur only when users click on Google Images search results. The redirects take users to landing pages that push a fake anti-virus tool.

The details were posted on the Unmask Parasites blog. Unmask Parasites is an online web site security service that helps reveal hidden content that hackers have inserted into web pages.

Denis goes on to give some good advice to webmasters:

  1. Regularly check statistics for suspicious requests.
  2. Check Google Webmaster Tools for suspicious search queries and indexed pages.
  3. Make sure your WordPress is up-to-date.

Vulnerability Discovered in WordPress Themes That Use TimThumb

(LiveHacking.Com) - TimThumb, a PHP script that is used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

The problem is that the script does not check remotely cached files properly. By crafting a special image file with a valid MIME type and appending PHP code to the end of it, it is possible to fool TimThumb into believing that it is a legitimate image, so that it caches the file locally in its cache directory.

All WordPress administrators are advised to:

  • determine if any hosted blogs use TimThumb by searching for timthumb.php or thumb.php
  • review the blog entry on the issue and apply any necessary updates or workarounds to help mitigate the risks
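Both TimThumb items above describe the same artefact: a file that starts with a valid image header but carries PHP code further in. The script below is an added example written for this article, not TimThumb's or LiveHacking.com's code. It follows the first piece of advice by locating timthumb.php / thumb.php under a WordPress root, then classifies every file in a cache directory by checking its image magic bytes and searching the body for a PHP open tag. The cache location is an assumption (it differs between TimThumb versions and themes), and the two sample files are constructed here so the scan can be exercised offline.

```python
"""Locate TimThumb scripts and scan a cache directory for image/PHP polyglots
(added example, not TimThumb's own code)."""
import os
import re

# Magic-byte prefixes of the image types TimThumb serves
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}
# Full or short PHP open tag anywhere in the file body
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}  # names the advisory says to search for

# Constructed samples: a minimal JPEG-looking file, and a GIF header with PHP appended
SAMPLE_CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_GIF_WITH_PHP = b"GIF89a" + b"\x00" * 8 + b"<?php /* placeholder */ ?>"


def image_kind(data):
    """Return 'jpeg', 'png' or 'gif' from the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def find_embedded_php(data):
    """Byte offset of the first PHP open tag, or -1 when none is present."""
    m = PHP_TAG_RE.search(data)
    return m.start() if m else -1


def classify(data):
    """'clean' image, 'polyglot' image with PHP, 'php' non-image with PHP, else 'unknown'."""
    has_php = find_embedded_php(data) >= 0
    if image_kind(data) is not None:
        return "polyglot" if has_php else "clean"
    return "php" if has_php else "unknown"


def scan_cache(cache_dir):
    """Map each non-clean file in cache_dir to its verdict."""
    findings = {}
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                verdict = classify(fh.read())
            if verdict != "clean":
                findings[name] = verdict
    return findings


def find_timthumb_scripts(wp_root):
    """Relative paths of every timthumb.php / thumb.php under wp_root."""
    hits = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for f in files:
            if f.lower() in TIMTHUMB_NAMES:
                hits.append(os.path.relpath(os.path.join(dirpath, f), wp_root))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for script in find_timthumb_scripts(root):
        print("TimThumb script:", script)
        cache = os.path.join(root, os.path.dirname(script), "cache")  # assumed location
        if os.path.isdir(cache):
            for name, verdict in scan_cache(cache).items():
                print("  ", verdict, name)
```

A "polyglot" verdict means the file passes an image-header check yet contains a PHP open tag; a legitimate image could in rare cases contain that byte sequence in metadata, so treat hits as items to inspect and, while a vulnerable TimThumb is still present, assume the cache is untrusted and update the script first.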

Mark Maunder, who found the vulnerability, has posted technical details of the hack here.

Security Update: WordPress 3.1.4 Released

The WordPress team has released WordPress 3.1.4. This release is a security update for all previous WordPress versions.

This new release fixes a security issue that could allow a malicious Editor-level user to gain further access to the site. The vulnerability was discovered by K. Gudinavicius and reported to the WordPress development team.

WordPress 3.1.4 also includes other security fixes and hardening measures.

List of Files Revised

  • readme.html
  • wp-settings.php
  • wp-includes/taxonomy.php
  • wp-includes/post.php
  • wp-includes/version.php
  • wp-includes/bookmark.php
  • wp-includes/wp-db.php
  • wp-includes/formatting.php
  • wp-includes/script-loader.php
  • wp-content/themes/twentyten/languages/twentyten.pot
  • wp-admin/includes/post.php
  • wp-admin/includes/deprecated.php
  • wp-admin/includes/update-core.php
  • wp-admin/includes/media.php
  • wp-admin/js/user-profile.dev.js
  • wp-admin/js/user-profile.js
  • wp-admin/custom-header.php
  • wp-admin/options-general.php

All WordPress website administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.1.4 directly.

WordPress.org Force-resets All Passwords

WordPress.org has come under an unusual attack in which hackers attempted to upload new versions of popular WordPress plugins with cleverly disguised backdoors. Once the WordPress team noticed these suspicious commits they rolled back the affected plugins, told the authors and shut down access to the plugin repository to check for anything else unsavory.

As a preventive measure the WordPress team have decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (This also applies to bbPress.org and BuddyPress.org.)

Any users of AddThis, WPtouch, or W3 Total Cache should upgrade each to the latest version to ensure you are not running a hacked version.

WordPress 3.1.2 Closes Unauthorized Posting Hole

A security update to WordPress 3.1 has been released to address a vulnerability that allowed Contributor-level users to improperly publish posts. The problem is to do with the “Press This” bookmarklet and a lack of validation of the rights of the user submitting the post. The problem was found by WordPress’ Andrew Nacin working with Benjamin Balter. WordPress recommends an immediate update to 3.1.2, especially if you allow users to register as contributors or if you have untrusted users.

This release also fixes a few bugs that didn’t make it into 3.1.1:

  • Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)
  • Fix user queries ordered by post count. (#17123)
  • Fix multiple tag queries. (#17054)
  • Prevent over-escaping of post titles when using Quick Edit for pages. (#17218)

You can download 3.1.2 from here or update automatically from the Dashboard → Updates menu in your site’s admin area.

WordPress Releases Security Hardening Update

The WordPress project has announced the release of WordPress 3.0.5. Dubbed a security hardening release, it is an essential update for those with any untrusted user accounts, but it also comes with other important security enhancements and hardening for all WordPress installations.

Two cross-site scripting bugs have been squashed:

  • Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
  • Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.

Also included in 3.0.5 are two security enhancements, one of which improves the security of any plugins which were not properly leveraging the WordPress security API.

All WordPress administrators are encouraged to upgrade to this latest version. You can update automatically from the Dashboard > Updates menu in your site’s admin area or download 3.0.5 directly.

Critical Security Update for WordPress

Version 3.0.4 of WordPress has been released. This version is available from the update page in the WordPress dashboard or for download here. It is a critical update that fixes a core security bug in WordPress’ HTML sanitization library, KSES. The security issue was discovered by Mauro Gentile and Jon Cave (duck_).

More technical information is available here.