Just FYI, I’m also posting the weekly list over at WPCampus so that the information reaches more people, specifically in Higher Education.
This week’s list.
There are nine unfixed vulnerabilities across five plugins this week. The vast majority of this week’s unfixed vulnerabilities come from a single author. Unfortunately, he reused the same chunk of vulnerable code across all of his plugins. Specifically, when processing POST data, he did not include a nonce or other check to ensure that the user intended to initiate the save action, leaving his code open to a Cross-Site Request Forgery vulnerability. In addition, there is no validation, filtering or sanitization performed on the data before he saves the information to the database. He then later echoes that data back out to the browser without any escaping, leaving the code, and more importantly the user, open to Cross-Site Scripting vulnerabilities. An attacker could therefore combine these two vulnerabilities to steal an Admin’s session IDs on a target WordPress site.
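The pattern described above, shown as an added illustration that is not code from any of the plugins in the report: the vulnerable save/echo sequence next to a hardened version using the WordPress nonce, sanitization and escaping APIs. The option name `myplugin_message` and function names are hypothetical.

```php
<?php
// Added example, not from the plugins in the report. The option name
// 'myplugin_message' and all function names are hypothetical; the WordPress
// API calls (check_admin_referer, sanitize_text_field, esc_attr, ...) are real.

// Vulnerable pattern the report describes: POST data saved with no nonce
// check (CSRF) and no sanitization, then echoed without escaping (stored XSS).
function myplugin_vulnerable_save_and_show() {
    if ( isset( $_POST['myplugin_message'] ) ) {
        update_option( 'myplugin_message', $_POST['myplugin_message'] );
    }
    echo get_option( 'myplugin_message' );
}

// Hardened version: capability check, nonce verification, sanitization on the
// way into the database, escaping on the way out to the browser.
function myplugin_save() {
    if ( ! isset( $_POST['myplugin_message'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 when the nonce is missing, expired or forged, so a
    // cross-site form post from a logged-in admin's browser is rejected.
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );
    $message = sanitize_text_field( wp_unslash( $_POST['myplugin_message'] ) );
    update_option( 'myplugin_message', $message );
}
add_action( 'admin_init', 'myplugin_save' );

function myplugin_render_form() {
    $current = get_option( 'myplugin_message', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_message"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <!-- Escape for the HTML context the value lands in. -->
    <p>Current message: <?php echo esc_html( $current ); ?></p>
    <?php
}
```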
Speaking of WPCampus, they just announced this week that WPCampus 2017 will be livestreamed for FREE!! The lineup looks fantastic this year, with a ton of incredible information. Even if you don’t work with WordPress, there are numerous sessions that are platform-agnostic. Go ahead and block off your calendar for Friday, July 14th and make time to tune back in on Saturday, July 15th. You definitely don’t want to miss this.
HighEdWeb also announced their schedule for the upcoming annual conference in Hartford, CT. I’ll be doing a pre-conference workshop this year, but will otherwise not be speaking. Instead I’m serving as co-chair for the Development, Programming and Architecture (DPA) track. And let me just warn you, the DPA track has some amazing talks lined up this year. You should probably just go ahead and plan on staying in the track for both days. 😀
Even if you aren’t interested in DPA, HighEdWeb is always an amazing conference. I understand budgets are tight, but it is well worth your money, even if you have to pay for the trip yourself. I highly encourage you to go ahead and register today.
This week’s report.
The other big news this week was the two disclosures concerning WordPress core: Unauthorized Password Reset and Unauthenticated Remote Code Execution vulnerabilities. Ryan Dewhurst (of the WPScan team) did an excellent write-up on these two vulnerabilities, and I encourage you to read it. The TL;DR: keep your WordPress instance up-to-date and if you aren’t on the latest branch (4.7.X) you need to get moved over.
For the Password Reset vulnerability it’s important to note that the scenarios under which this attack can be exploited are limited. In addition, if you are limiting access to the login area by IP address, which I strongly recommend, then this attack is mostly mitigated unless the attack is happening from inside your allowed network ranges. I’ll admit though, I’m a little disappointed in the Core team that they didn’t fix this when it was first reported to them, considering it shouldn’t be that hard to fix. Hopefully we’ll see them address it in v4.7.5.
Interestingly, both issues revolve around the same issue I corrected in the last update to my wpDirAuth plugin: using the $_SERVER variables SERVER_NAME and HTTP_HOST. As I have said previously, all data is tainted. If you didn’t write it into your code yourself, you can’t trust it.
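One way to apply "all data is tainted" to the Host header, as an added example that is not code from wpDirAuth or WordPress core: the hostname placed in generated links and e-mails comes from configuration, and the request’s HTTP_HOST is only ever compared against an allow-list. The constants and sample hosts are constructed.

```php
<?php
// Added example, not from wpDirAuth or WordPress core. $_SERVER['HTTP_HOST']
// and $_SERVER['SERVER_NAME'] are request-controlled, so they are never used
// directly when building URLs that end up in password-reset mail or redirects.

// Hypothetical configured host. In WordPress this would come from the stored
// site URL, e.g. parse_url( home_url(), PHP_URL_HOST ).
const CONFIGURED_HOST = 'www.example.edu';

// Constructed allow-list of hostnames this site legitimately answers as.
const ALLOWED_HOSTS = array( 'www.example.edu', 'example.edu' );

/**
 * Return the hostname to embed in outgoing links and e-mails.
 * $server is the request's $_SERVER array (passed in to keep the function
 * testable). The Host header is honoured only on an exact allow-list match;
 * a missing, forged or otherwise unexpected value falls back to the
 * configured host instead of being echoed back into a link.
 */
function trusted_host( array $server ) {
    $candidate = isset( $server['HTTP_HOST'] ) ? $server['HTTP_HOST'] : '';
    // Normalise: drop a port suffix and lower-case before comparing.
    $candidate = strtolower( preg_replace( '/:\d+$/', '', $candidate ) );
    if ( in_array( $candidate, ALLOWED_HOSTS, true ) ) {
        return $candidate;
    }
    return CONFIGURED_HOST;
}

// Constructed requests: a legitimate Host header with a port, a forged Host
// header, and a request with no Host header at all.
var_dump( trusted_host( array( 'HTTP_HOST' => 'example.edu:443' ) ) );
var_dump( trusted_host( array( 'HTTP_HOST' => 'forged.example.invalid' ) ) );
var_dump( trusted_host( array() ) );
```

Only the first request keeps its own hostname; the other two resolve to the configured host.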
This week’s report.
This week’s report is, fortunately, not too bad. Just six disclosures. There were two more that I saw information on, but was unable to confirm. My guess is that if they turn out to be legit, we’ll see them pop up in the next week.
Probably the biggest piece of news this week is the announcement by Matt that WordPress will be officially dropping support for Internet Explorer versions earlier than 11.
“…we are officially ending support for Internet Explorer versions 8, 9, and 10, starting with WordPress 4.8.”
The other piece of news (well, less “news” and more awareness) is that as of WordPress 4.7.4, core includes the latest release of TinyMCE. That version of TinyMCE includes a change to how it handles links that open in new windows.
“…all links with a target of _blank will get a rel attribute of noopener noreferrer.”
If you’re unfamiliar with noopener, it prevents a page being opened in a new window/tab from having access to the window.opener object, an issue called tabnabbing. Firefox doesn’t support noopener, so you have to include noreferrer. Read more about how the vulnerability manifests itself. If you noticed these showing up in your links, now you know it’s there to protect your users.
WordCamp Kansas City
WordCamp Kansas City (#wckc) kicks off today. Unfortunately, I won’t be there today, but will be speaking tomorrow morning at nine, and then will be attending the rest of the day. Definitely looking forward to seeing everyone!
Sorry I didn’t do a report for last week. I had the honor of speaking at WordCamp Miami last week so was a bit busy. Speaking of which, if you weren’t there, or were but were at one of the other excellent presentations, they’ve now posted the recorded version (I start at roughly 0:33:00). In addition, my talk from WordCamp St. Louis is now posted over at WordPress.tv. And if you prefer to see it live, I’ll be presenting it again at WordCamp Kansas City on April 29th.
This week’s vulnerable plugins report.
You should have already noticed that WordPress released the 4.7.3 update on Monday. 4.7.3 addresses six security vulnerabilities (one of which was discovered by my buddy Delta!) in addition to 39 bug fixes. Equally important is that security patches were issued for all WordPress branches back to version 3.7. If you are running any version of WordPress from 3.7 forward you should update immediately as there are now attacks in the wild targeting the vulnerabilities that were corrected.
If you are on an older version, please strongly consider upgrading to a more current branch. While I applaud the WordPress team for patching all branches back to 3.7, you can’t rely on them supporting those older branches moving forward. Staying up-to-date is one of the most important ways to protect your site. The WordPress development team has done an amazing job of ensuring backwards compatibility, so unless you have made changes to the core WordPress files, there is a strong chance you can update to the latest version without incident. If you’re unsure of updating, please reach out to me and let’s see if we can get you updated.
I had hoped this week’s report would be quieter, but instead includes five unauthenticated arbitrary file upload disclosures. PLEASE, remove or update these plugins immediately.
This week’s report.
This week’s report is pretty large, due in large part to the disclosure of the remaining discoveries from last year’s sumofpwn that were never fixed, despite repeated attempts to contact/work with the developers.
There are a couple of items in the report I want to address directly. They are listed in the notes section but I want to highlight them. In looking at the svn repository for Adminer, they fixed the issue in v1.4.5, but the plugin has been removed from the public repository. In general, having a world-accessible direct connection to your database is a bad idea. I would suggest going ahead and removing the plugin if you have it installed. You can read more about the initial disclosure.
The disclosure for FormBuilder was for version 1.0.5, with the latest version being 1.0.8. Though the initial disclosure doesn’t mention it, the plugin does output the contents of user supplied data in other areas (and continues to do so in the most recent version). In addition, the plugin’s description mentions that the plugin is reaching end of life.
Be advised, FormBuilder is nearing end-of-life and may not be actively maintained in the future. It is advisable to switch your WordPress site to some other Form handling plugin at this time.
Given it continues to have potential issues and it’s reaching end-of-life, I would strongly suggest removing it.
In regards to the Trust Form plugin, there is a version in the svn repository (2.0.1) where it appears the author tried to address some of the disclosed vulnerabilities. However, there are other areas that are still vulnerable to cross-site scripting, which is most likely why the plugin has been removed from the public repository. I would strongly suggest removing the plugin.
This week’s report.
TL;DR – If you use Cloudflare you need to invalidate all sessions for the site and update passwords for accounts immediately.
Cloudflare revealed a serious bug in its software today that caused sensitive data like passwords, cookies, authentication tokens to spill in plaintext from its customers’ websites.
And from the initial disclosure:
if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output
Worse yet, some of that disclosed information was cached by search engines. If you are using WordPress, and are using Cloudflare, you should change the salts in your wp-config.php file and update your passwords. If you can’t have every registered user of your site update their passwords, then at a minimum, update all of the passwords for your administrator accounts.
For other sites that are using Cloudflare, you need to invalidate all sessions and have users update their passwords.
In WordPress specific news, the 4.7.3 update has been scheduled for release Monday, March 6th. If you don’t have auto-updates enabled, make sure you plan to update your site. As far as I know, this update mostly addresses bug fixes, but I haven’t had a chance to look over the full set of changes.
And finally, this week’s vulnerable plugins/themes report.
I do these updates and vulnerable plugin reports for the University of Missouri campus and thought I’d include them here as well.
Everyone should be updated to WordPress version 4.7 by now. If not, please do so as soon as you can. Lots of new, exciting features were added: WordPress 4.7 announcement and changelog.
If you didn’t follow Matt Mullenweg’s State of the Word this year from WordCamp US, you can watch it online (jump to 1:22:27 to see me question Matt on WordPress security issues). If you’re interested, I also wrote up my key take-aways from WordCamp: Part 1 and Part 2.
One of the big announcements from Matt was that he is taking back over as product lead for 2017 and that there will be no scheduled releases for WordPress in 2017. Instead, the core team will be focusing on a simpler, faster UX (specifically the post editor) and more power for developers. Minor point releases for bugs and security issues will be released as necessary, but large point releases will not be on a schedule.
One of the big announcements for v4.7 was that the core team added multiple content endpoints for the new REST API. Unfortunately, one of those endpoints is the users endpoint. This means that anyone can remotely query your site for a list of your users. Despite all of our efforts to lock down this sensitive information leakage, WordPress has added yet another way to retrieve this information. To disable this “feature”, add the code from this gist into your functions.php file in your theme.
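As an added example (this is not the gist linked above), one way to close the REST users route for anyone who cannot already list users in the dashboard, using the `rest_endpoints` filter that core provides. The function name is hypothetical.

```php
<?php
// Added example, not the gist the post links to. Removes the /wp/v2/users
// REST routes for requests that are not authenticated as a user with the
// list_users capability, while leaving them intact for administrators.
// Goes in the theme's functions.php or a small site-specific plugin.

function mysite_restrict_rest_users_endpoints( $endpoints ) {
    // Users who may already see the Users screen keep the endpoint, so
    // dashboard features that rely on it (author drop-downs etc.) still work.
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    // Route keys registered by the core users controller in 4.7.
    $routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
}
add_filter( 'rest_endpoints', 'mysite_restrict_rest_users_endpoints' );
```

Anonymous requests to those routes then receive a 404 "no route" error instead of the user list; this only covers the REST route, not other username leaks such as author archives.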
You also might have heard quite a bit recently about the remote code execution vulnerability inside of PHPMailer, which is included in WordPress core. While it is a critical vulnerability, several pieces have to align correctly in order for it to be exploited inside of WordPress. An attacker would either need to combine multiple successful attacks, or already have an admin account on the site. And if they have an admin account already, you’re already in trouble. I mention it because WordPress will be updating their version in the coming days, so make sure to update as soon as it is released. More importantly, I would begin looking through your theme and plugins to see if they have included the vulnerable version. If so, I would suggest manually updating the PHPMailer version, or discontinuing use of the theme/plugin until that file has been updated.
Last, but not least, the vulnerable plugins report for 20170104: