June 15, 2021

WP-Slimstat vulnerability exposes WordPress websites to SQL injection attacks

(LiveHacking.Com) – A recent security advisory from Sucuri has revealed that the popular WordPress plugin WP-Slimstat is vulnerable to SQL injection attacks because of a weak secret key.

If fully exploited, the bug could allow attackers to use SQL injection to download sensitive information from a susceptible site’s database, including usernames and (hopefully) hashed passwords. According to Sucuri it could even be possible, in certain situations, for the attacker to find the WordPress Secret Keys and then take over the site completely.

The problem is with the secret key the plugin uses to sign data sent to and from the client. The key is in fact the MD5 hash of the plugin’s installation timestamp. Although it would be impossible to guess the exact date and time of the plugin installation, it might be possible to guess the approximate date and therefore drastically reduce the number of combinations.

Knowing only the correct year reduces the number of possibilities to around 30 million values, which according to Sucuri can be computed in around 10 minutes on a modern setup. Part of the problem is that MD5 hashes are quick to brute-force using modern CPU/GPU combinations.

Once the correct MD5 hash has been discovered, fake data can be sent to the plugin. Then, due to a second bug, which allows an attacker to insert arbitrary data into an unserialize() call, the attacker can execute arbitrary SQL queries and retrieve any data they want from the database.

“This is a dangerous vulnerability, you should update all of your websites using this plugin as soon as possible,” wrote Marc-Alexandre Montpas on Sucuri’s blog.

WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately. All versions before 3.9.6 are vulnerable.

WordPress 3.5.1 released to fix bugs and security vulnerabilities

(LiveHacking.Com) – WordPress 3.5.1 has been released with 37 bug fixes and patches for three security issues. Two of the issues fixed were related to cross-site scripting vulnerabilities while the other was a server-side request forgery vulnerability. The full details are as follows:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

The WordPress team passed on its thanks to security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing the fix to the server-side request forgery vulnerability.

Of the 37 bugs fixed, the WordPress team highlighted the following fixes:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

You can download WordPress 3.5.1 from here or click on Dashboard → Updates in your site admin section to update automatically.

Maintenance and Security Update for WordPress

(LiveHacking.com) – The WordPress team has released WordPress 3.4.1 to fix an important information disclosure vulnerability, in addition to Cross-Site Scripting (XSS) and privilege escalation vulnerabilities.

According to the WordPress blog, this release also addresses 18 bugs with version 3.4, including:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

WordPress 3.4.1 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix six security vulnerabilities, including two cross-site scripting vulnerabilities and a privilege escalation. The fixed vulnerabilities come in two distinct parts: first, three external libraries included in WordPress received security updates, and second, the WordPress core security team fixed three further vulnerabilities.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media, has been updated to version 1.5.4. Plupload, which gives WordPress the ability to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, changed the way the Flash part of the library works to avoid CSRF issues.

Two other Flash-related libraries were also updated: SWFUpload, which WordPress previously used for uploading media and which may still be in use by plugins, and SWFObject, which WordPress previously used to embed Flash content and which may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

Hacked WordPress Sites Infecting Visitors with Malware

(LiveHacking.Com) – A variety of different blogs (here, here and here) are reporting that hundreds of WordPress websites have been compromised and altered to redirect users to pages that infect a PC using the Phoenix Exploit Kit. The attackers upload an HTML page to the standard WordPress uploads folder. However, since the uploads folder is not part of the normal web site and isn’t included in the normal navigation, accessing any page on these compromised WordPress sites other than the uploaded page will not infect the user’s machine.

However, in an attempt to get users to view the uploaded malicious HTML page, the hackers have started several large spam campaigns which include embedded URL links or HTML attachments that trick users into visiting the infected web pages. These fake emails appear to come from well-known organizations like the Better Business Bureau or LinkedIn and urge recipients to open the attachment with Internet Explorer or Mozilla Firefox. The exploit kit targets the vulnerabilities CVE-2010-0188 and CVE-2010-1885.

After the target machine is successfully exploited, the Phoenix exploit kit downloads a Trojan to the victim’s machine. The Trojan goes by the names Cridex, Carberp and Dapato. Unfortunately antivirus detection is low, with only 10 out of 43 antivirus scanners able to detect it.

According to h-online.com, eight people have been arrested in Moscow on suspicion of having used Carberp to make $4.3 million. The trojan works by intercepting users’ banking data and transferring it to a command & control server. The Russian intelligence service, FSB, arrested the men in a joint operation with Russian security firm Group-IB and the Russian Interior Ministry, MVD.

Millions of WordPress Sites Exposing Potentially Private Photos Due to Misconfiguration

(LiveHacking.Com) – A security researcher has discovered that millions of web sites which run on the popular WordPress blogging platform are exposing potentially private photos and images due to a misconfiguration and a privacy vulnerability in the NextGEN Gallery plugin. The problem is that the NextGEN Gallery plugin allows unrestricted HTTP browsing of its ‘gallery’ directory and so exposes all the photos which have been uploaded to the blog but not necessarily published via the plugin.

To access the gallery the following URL is used: http://www.example.com/wp-content/gallery/, where example.com is the domain name of the WordPress site. Variations of this could be http://blog.example.com/wp-content/gallery/ or http://www.example.com/blog/wp-content/gallery/ depending on where WordPress has been installed.

A search engine can also be used to find vulnerable sites by using the following search: inurl:"/wp-content/gallery/". Google returns over 7 million results for this search. An alternative search is "Index of /wp-content/gallery", which returns over 3 million results.

The impact of this vulnerability is that photos and images which the system administrator has not published are being exposed. Secondly, there are privacy issues with search engines crawling sections of web sites which the admins thought had remained private.

There are, however, some workarounds which I recommend every WordPress / NextGEN Gallery site use:

  1. Add the following lines to the WordPress .htaccess file to prevent directory browsing:
    # Disable Directory Browsing
    Options All -Indexes
  2. Create an empty file named index.html or index.php and save it in http://www.example.com/wp-content/gallery/
  3. Use the Disable Directory Listings plugin, http://wordpress.org/extend/plugins/disable-directory-listings/.

At this time US-CERT has been notified along with the plugin author. According to the statistics on the WordPress site, NextGEN Gallery has been downloaded over 4.5 million times.

WordPress 3.3 Patched to Fix Cross-Site Scripting Vulnerability

(LiveHacking.Com) – WordPress 3.3.1 has been released to fix a Cross-Site Scripting (XSS) vulnerability discovered by security researchers Aditya Modha and Samir Shah. As well as fixing the XSS problem, 3.3.1 fixes 15 issues with WordPress 3.3. Once the vulnerability was made public, other researchers tried to reproduce it but without success. It transpires that if WordPress is installed using an IP address the vulnerability is exploitable. If, however, like many people, WordPress is installed via a domain name, the site isn’t vulnerable. This is because of some logic in the WordPress codebase which treats URLs differently depending on whether WP_SITEURL is set or unset.

The WordPress team thanked Joshua H., Hoang T., Stefan Zimmerman, Chris K. and the Go Daddy security team for responsibly disclosing the bug to the WordPress security team.

WordPress 3.3.1 can be downloaded from here or use Dashboard → Updates in your site admin.

Non-updated Versions of TimThumb Still Causing Problems for WordPress

(LiveHacking.Com) – Nearly three months ago it was discovered that TimThumb, a PHP script that is used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

By crafting a special image file with a valid MIME type and appending a PHP file to the end of it, it is possible to fool TimThumb into believing that it is a legitimate image, so that it caches it locally in the cache directory.

Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections that are exploiting non-updated versions of TimThumb.

Researchers from AVAST were contacted in relation to the blog theJournal.fr, the online site for The Poitou-Charentes Journal, which had been infected. According to AVAST, the Poitou-Charentes Journal is just one part of a much bigger attack.

The compromised sites were infected with the Blackhole Toolkit, a set of malware tools available on the black market for around $1500. AVAST has spotted 151,000 hits to one of the locations to which this exploit redirects users. AVAST estimates that up to 3,500 sites have been infected.

More details about the surge in infections can be found here, and details of the Blackhole Toolkit can be found on AVAST’s blog here.

Google Images Poisoned by Hacked WordPress Blogs

(LiveHacking.Com) – Russian security researcher Denis Sinegubko has posted details of 4,358 WordPress blogs that are poisoning Google Images with inserted doorway pages that redirect visitors to fake anti-virus sites.

These doorway pages replace the original content with twenty or so “thumbnails” and short text snippets relevant to different keyword searches. They are subsequently picked up by Google’s spiders and can rank quite well for some keywords in both Google Web search and Google Images search. The malicious redirects occur only when users click on Google Images search results. The redirects take the users to a landing page that pushes a fake anti-virus tool.

The details were posted on the Unmask Parasites blog. Unmask Parasites is an online web site security service that helps reveal hidden content that hackers have inserted into web pages.

Denis goes on to give some good advice to webmasters:

  1. Regularly check statistics for suspicious requests.
  2. Check Google Webmaster Tools for suspicious search queries and indexed pages.
  3. Make sure your WordPress is up-to-date.

Vulnerability Discovered in WordPress Themes That Use TimThumb

(LiveHacking.Com) – TimThumb, a PHP script that is used in many popular WordPress themes, contains a vulnerability that allows a remote attacker to upload arbitrary PHP code to an affected site.

The problem is that the script does not check remotely cached files properly. By crafting a special image file with a valid MIME type and appending a PHP file to the end of it, it is possible to fool TimThumb into believing that it is a legitimate image, so that it caches it locally in the cache directory.

All WordPress administrators are advised to:

  • determine if any hosted blogs use TimThumb by searching for timthumb.php or thumb.php
  • review the blog entry on the issue and apply any necessary updates or workarounds to help mitigate the risks
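As an added defender-side example (not from the original articles or from TimThumb itself), the following Python scans a local WordPress tree for the two things the advice above and the description of the bug point to: copies of timthumb.php/thumb.php, and cached files that begin with a valid image header but carry a PHP open tag. The file names and directory layout in demo() are constructed sample data.

```python
import os
import re
import tempfile

# Header bytes of the image formats TimThumb accepts; a naive MIME check keys off these.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # a genuine image never carries one
SCRIPT_NAMES = {"timthumb.php", "thumb.php"}          # the file names the advice says to search for

def image_type(data: bytes):
    """Return 'gif', 'jpeg' or 'png' when data starts with that format's header, else None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def is_image_php_polyglot(data: bytes) -> bool:
    """True when the bytes look like an image yet contain a PHP open tag after the header."""
    return image_type(data) is not None and PHP_TAG.search(data) is not None

def scan_tree(root: str) -> dict:
    """Walk a site tree; list TimThumb script copies and image/PHP polyglots (e.g. in cache/)."""
    findings = {"scripts": [], "polyglots": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in SCRIPT_NAMES:
                findings["scripts"].append(path)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)  # the first MiB is plenty to spot an appended tag
            except OSError:
                continue
            if is_image_php_polyglot(head):
                findings["polyglots"].append(path)
    return findings

def demo() -> dict:
    """Constructed sample tree (not real data): a clean GIF, a polyglot GIF and a script copy."""
    gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"            # minimal GIF header and trailer
    samples = {"cache/ok.gif": gif,
               "cache/bad.gif": gif + b"<?php /* constructed marker */ ?>",
               "timthumb.php": b"<?php /* placeholder for the real script */ ?>"}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "cache"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in scan_tree(root).items()}
```

Point scan_tree() at a real wp-content directory; anything listed under "polyglots" in a theme's cache directory is worth quarantining and comparing against the original upload.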

Mark Maunder, who found the vulnerability, has posted technical details of the hack here.