Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension

If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store.

A WordPress security company—called “Plugin Vulnerabilities”—that recently went rogue in protest against the moderators of WordPress’s official support forum has once again dropped details and a proof-of-concept exploit for a critical flaw in a widely used WordPress plugin.

To be clear, the reported unpatched vulnerability doesn’t reside in the WordPress core or WooCommerce plugin itself.

Instead, the vulnerability exists in a plugin called WooCommerce Checkout Manager, which extends WooCommerce by letting eCommerce sites customise the forms on their checkout pages and is currently used by more than 60,000 websites.

The vulnerability in question is an “arbitrary file upload” issue that can be exploited by unauthenticated, remote attackers if the site has the “Categorise Uploaded Files” option enabled in the WooCommerce Checkout Manager plugin settings.

“From the more technical aspect, vulnerability occurs inside ‘includes/admin.php’ file at line 2084 on which application is moving given files to a directory using ‘move_uploaded_file’ without prior proper check for allowed files,” explains a blog post published Thursday by web application security platform WebARX, who warned their users after Plugin Vulnerabilities made the flaw public.

If exploited, the flaw could allow attackers to execute arbitrary server-side script code in the context of the web server process and compromise the application to access or modify data or gain administrative access.
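The pattern the advisory describes, a file moved into place without any check on what is allowed, and the hardened form a plugin author would want instead, as an added Python example. This is not the WooCommerce Checkout Manager plugin’s code; `UPLOAD_DIR`, the extension allowlist and the sample inputs are assumptions constructed for the illustration.

```python
import os
import re
import secrets

# Illustrative upload handling, added as an example: this is NOT the WooCommerce
# Checkout Manager plugin's code. UPLOAD_DIR and the allowlist are assumptions
# chosen for a checkout form that only needs documents and images.
UPLOAD_DIR = "/var/www/uploads/checkout"  # hypothetical path
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif"}

# Leading bytes ("magic numbers") each allowed type must start with.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def unsafe_destination(upload_dir, client_filename):
    """The weak pattern the advisory describes: the client-supplied name is
    used as-is, so a name like 'shell.php' lands on disk with a
    server-executable extension."""
    return os.path.join(upload_dir, client_filename)


def validate_upload(client_filename, head):
    """Return (accepted, detail). `head` holds the first bytes of the file.
    On success `detail` is the normalised extension; on failure, the reason."""
    # Strip any directory part the client sent, whatever the separator.
    base = os.path.basename(client_filename.replace("\\", "/"))
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or not re.fullmatch(r"[a-z0-9]{1,5}", ext):
        return False, "missing or malformed extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    # Do not trust the name alone: the content must look like the claimed type.
    if not any(head.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared type " + ext
    return True, ext


def safe_destination(upload_dir, client_filename, head):
    """Build the path a validated upload is moved to. The stored name is random
    plus the validated extension, so nothing the client chose reaches the
    filesystem. Returns None when the upload is rejected."""
    accepted, detail = validate_upload(client_filename, head)
    if not accepted:
        return None
    return os.path.join(upload_dir, secrets.token_hex(16) + "." + detail)


if __name__ == "__main__":
    # Constructed sample inputs.
    png_head = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
    php_head = b"<?php\n"
    print(unsafe_destination(UPLOAD_DIR, "shell.php"))       # weak pattern keeps the name
    print(validate_upload("shell.php", php_head))            # rejected by the allowlist
    print(validate_upload("shell.php.jpg", php_head))        # rejected by the content check
    print(safe_destination(UPLOAD_DIR, "../../photo.PNG", png_head))
```

The two checks are deliberately independent: the allowlist stops the obvious server-side script extensions, and the content check stops a script renamed to an allowed extension. Storing under a random name also removes the whole class of path-traversal and overwrite problems that come from reusing the client’s filename.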

images from Hacker News

‘Highly Critical’ Unpatched Zero-Day Flaw Discovered In Oracle WebLogic

A team of cybersecurity researchers today published a post warning enterprises of an unpatched, highly critical zero-day vulnerability in Oracle WebLogic server application that some attackers might have already started exploiting in the wild.

Oracle WebLogic is a scalable, Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services in the cloud. It’s popular in both cloud and conventional environments.

Oracle WebLogic reportedly contains a critical deserialisation remote code execution vulnerability that affects all versions of the software and can be triggered if the “wls9_async_response.war” and “wls-wsat.war” components are enabled.

The vulnerability, spotted by the researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorisation.

Unpatched Zero-Days in Microsoft Edge and IE Browsers Disclosed Publicly

Exclusive — A security researcher today publicly disclosed details and proof-of-concept exploits for two ‘unpatched’ zero-day vulnerabilities in Microsoft’s web browsers after the company allegedly failed to respond to his responsible private disclosure.

Both unpatched vulnerabilities—one affecting the latest version of Microsoft Internet Explorer and the other the latest Edge browser—allow a remote attacker to bypass the same-origin policy in the victim’s web browser.

Same Origin Policy (SOP) is a security feature implemented in modern browsers that prevents a web page or script loaded from one origin from interacting with a resource from another origin, so that unrelated sites cannot interfere with each other.

In other words, when you visit a website, your browser only lets it read data from the same origin (domain) the site was loaded from, preventing it from making unauthorised requests on your behalf to steal your data from other sites.
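What “origin” means in the same-origin rule, and the cross-origin opt-in that a server can grant, as an added Python example that is not code from the article or from either browser. The URLs are constructed, and the CORS handling is simplified to the non-credentialed case.

```python
from urllib.parse import urlsplit

# Added example illustrating the same-origin rule; not code from the Hacker News
# article or from either browser. The URLs used with it are constructed.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url):
    """An origin is the (scheme, host, port) triple; path, query and fragment
    play no part. Case is normalised and a missing port takes the scheme's
    default, so https://a.example/x and https://a.example:443/y share an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    return origin_of(url_a) == origin_of(url_b)


def may_read_response(page_url, resource_url, allow_origin_header=None):
    """Mirror the browser's decision on whether a page may read a fetched
    response: same origin is always readable; a cross-origin response is
    readable only if the resource's server opted in with an
    Access-Control-Allow-Origin header naming the page's origin (or '*').
    Simplification: credentialed requests cannot use '*', which is omitted here."""
    if same_origin(page_url, resource_url):
        return True
    if allow_origin_header == "*":
        return True
    if allow_origin_header and origin_of(allow_origin_header) == origin_of(page_url):
        return True
    return False


if __name__ == "__main__":
    print(same_origin("https://bank.example/account", "https://bank.example:443/transfer"))
    print(same_origin("http://bank.example/", "https://bank.example/"))
    print(may_read_response("https://evil.example/", "https://bank.example/api"))
```

The point of the checks is that everything a page learns about a cross-origin resource, not just the response body, is supposed to pass through this decision. The Resource Timing leak described below matters precisely because it reveals a cross-origin URL (the post-redirect location) that the rule would otherwise keep from the page.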

However, the vulnerabilities discovered by 20-year-old security researcher James Lee, who shared the details with The Hacker News, could allow a malicious website to perform universal cross-site scripting (UXSS) attacks against any domain visited using the vulnerable Microsoft browsers.

To successfully exploit these vulnerabilities, all an attacker needs to do is convince a victim to open a malicious website, which can then steal the victim’s sensitive data, such as login sessions and cookies, from other sites visited in the same browser.

“The issue is within Resource Timing Entries in Microsoft Browsers which inappropriately leak Cross-Origin URLs after redirection,” Lee told The Hacker News in an email.

The researcher contacted Microsoft and responsibly shared his findings with the company ten months ago, but the tech giant has not responded to the disclosure to date, leaving both flaws unpatched.

Thousands of Unprotected Kibana Instances Exposing Elasticsearch Databases

In today’s world, data plays a crucial role in the success of any organisation, but if left unprotected, it could be a cybercriminal’s dream come true.

Poorly protected MongoDB, CouchDB, and Elasticsearch databases have recently received a lot more attention from cybersecurity firms and the media.

More than half of the known cases of massive data breaches over the past year originated from unsecured database servers that were accessible to anyone without a password.

Since an organisation’s database contains its most valuable and most easily exploitable data, cybercriminals have also started looking more closely for other insecure entry points.

Though the problems with unprotected databases are nothing new and are widely discussed on the Internet, I want the cybersecurity community and industry experts to pay some attention to the thousands of unsafe Kibana instances exposed on the Internet, which pose a huge risk to many companies.

Kibana is an open-source analytics and visualisation platform designed to work with Elasticsearch. The platform makes it easy for data analysts to understand complex big data streams and logs through graphical representation.

Kibana comes as a browser-based interface that has been designed to fetch data from Elasticsearch databases in real time and then perform advanced data analysis to present it in a variety of charts, tables, and maps.

Upon installation, the default settings configure Kibana to run on localhost at port 5601, but some administrators choose to change this setting to make it remotely accessible from anywhere on the Internet.
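A small audit of the bind settings just described, as an added Python example that is not Kibana’s own code. It relies only on the `server.host` and `server.port` keys of kibana.yml and on the documented default of localhost:5601; the two configuration samples are constructed, and the parser handles only the flat `key: value` style kibana.yml uses, so no YAML library is needed.

```python
# Added example, not Kibana's own code: audit kibana.yml bind settings.
# Uses only the documented keys server.host and server.port; the sample
# configs below are constructed.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
DEFAULT_HOST = "localhost"   # Kibana's default, as the article notes
DEFAULT_PORT = "5601"

# A stock-style file: both bind settings commented out, so defaults apply.
DEFAULT_CONFIG = """\
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
#server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]
"""

# An instance an administrator opened up to every interface.
EXPOSED_CONFIG = """\
server.port: 5601
server.host: "0.0.0.0"   # listen on every interface
elasticsearch.hosts: ["http://localhost:9200"]
"""


def parse_flat_yaml(text):
    """Parse top-level `key: value` lines; comments, blank lines and indented
    lines are skipped. Only the flat dotted-key style kibana.yml uses is
    supported, and a '#' inside a quoted value would be taken as a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip() or line.startswith((" ", "\t")) or ":" not in line:
            continue
        key, _, value = line.partition(":")   # split at the first colon only
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_kibana_bind(config_text):
    """Return a list of findings; an empty list means Kibana only listens on
    a loopback address and is not reachable from other hosts directly."""
    settings = parse_flat_yaml(config_text)
    host = settings.get("server.host", DEFAULT_HOST)
    port = settings.get("server.port", DEFAULT_PORT)
    findings = []
    if host not in LOOPBACK:
        findings.append(
            "server.host is %r: Kibana listens on port %s on a non-loopback "
            "address; anyone who can reach it can query the Elasticsearch data "
            "behind it unless an authenticating reverse proxy or a firewall "
            "rule sits in front" % (host, port)
        )
    return findings


if __name__ == "__main__":
    print(audit_kibana_bind(DEFAULT_CONFIG))   # []
    for finding in audit_kibana_bind(EXPOSED_CONFIG):
        print(finding)
```

Run it over the kibana.yml files in a configuration repository to find the instances that were deliberately opened up; a non-loopback `server.host` is the change the article describes, and it is the one to pair with authentication or network restrictions rather than leave bare.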

New Apache Web Server Bug Threatens Security of Shared Web Hosts

Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet warning users about a recently discovered important flaw in Apache HTTP Server software.

The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet.

The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security, and patched by the Apache developers in version 2.4.39 of the software, released today.

The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow a less-privileged user to execute arbitrary code with root privileges on the targeted server.

“In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected,” the advisory says.
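A check that turns the advisory’s conditions (2.4.17 through 2.4.38, MPM event, worker or prefork, Unix only) into a yes/no answer for a given build, as an added Python example that is not from Apache or the advisory. It reads the text printed by `httpd -V`; the sample output is constructed, and the assumption that Windows builds tag the version line with `(Win32)` or `(Win64)` is marked in the code.

```python
import re

# Added example, not from Apache or the advisory: decide whether an httpd build
# falls under CVE-2019-0211 using the conditions the advisory states. Input is
# the text of `httpd -V`; SAMPLE_HTTPD_V below is constructed.
FIRST_AFFECTED = (2, 4, 17)
LAST_AFFECTED = (2, 4, 38)
FIXED = "2.4.39"
AFFECTED_MPMS = {"event", "worker", "prefork"}

SAMPLE_HTTPD_V = """\
Server version: Apache/2.4.38 (Unix)
Server built:   Mar 31 2019 12:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""


def parse_version(text):
    """Extract the x.y.z version from the 'Server version: Apache/x.y.z' line."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_mpm(text):
    """Extract the MPM name from the 'Server MPM:' line, if present."""
    m = re.search(r"Server MPM:\s*(\S+)", text)
    return m.group(1).lower() if m else None


def assess_cve_2019_0211(httpd_v_output):
    """Return (affected, reason) for one `httpd -V` output."""
    version = parse_version(httpd_v_output)
    if version is None:
        return False, "could not determine the httpd version"
    # Assumption: Windows builds tag the version line with (Win32) or (Win64).
    if re.search(r"\(Win(32|64)\)", httpd_v_output):
        return False, "non-Unix build; the advisory says these are not affected"
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return False, "version %d.%d.%d is outside 2.4.17-2.4.38" % version
    mpm = parse_mpm(httpd_v_output)
    if mpm is not None and mpm not in AFFECTED_MPMS:
        return False, "MPM %s is not one the advisory lists" % mpm
    return True, "Apache %d.%d.%d with MPM %s: upgrade to %s" % (
        version + (mpm or "unknown", FIXED)
    )


if __name__ == "__main__":
    print(assess_cve_2019_0211(SAMPLE_HTTPD_V))
    print(assess_cve_2019_0211(SAMPLE_HTTPD_V.replace("2.4.38", FIXED)))
```

On a shared host the version alone settles it, since all three Unix MPMs are in scope; the MPM test only matters for a build with an unusual MPM, where the advisory gives no assurance either way.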

Though the researcher has not yet released working proof-of-concept (PoC) exploit code for this flaw, Fol today published a blog post explaining how an attacker could exploit it in the following four steps:

  1. Obtain R/W access on a worker process,
  2. Write a fake prefork_child_bucket structure in the SHM,
  3. Make all_buckets[bucket] point to the structure,
  4. Await 6:25AM to get an arbitrary function call.

According to Cox, the vulnerability is more concerning for shared web hosting services, where a malicious customer, or an attacker able to execute PHP or CGI scripts on a website, could use the flaw to gain root access on the server and thereby compromise every other website hosted on it.

Besides this, the Apache httpd 2.4.39 release also patches three low-severity and two other important-severity issues.
