The danger of disabling automatic updates on WordPress

As soon as WordPress launches a new version, a changelog is published on its website describing what has changed, including every security vulnerability that has been patched.

For example, the latest version, released in early September, fixed two vulnerabilities in WordPress core, and the changelog also shows where in the code each vulnerability lies. By comparing the newer version with the older one, any developer with an interest in security can locate the vulnerabilities in the old release.

WordPress Auto-update

Attackers do exactly the same thing. The moment a new WordPress version is out, they know the vulnerabilities in the previous one, so it is essential that a WordPress owner always runs the very latest version.

WordPress realized this too, and at the end of 2013 it launched an automatic update feature so that users always have the latest and most secure version. It was enabled by default so that as many sites as possible would update automatically.

“Going forward, this will be one of the best ways to guarantee your site stays up to date and secure and, as such, disabling these updates is strongly discouraged.”

WordPress.com about the auto-update feature

And yet people do disable this feature. It is not uncommon for us at Disposable mail to find old, outdated and vulnerable installations when scanning customers’ websites.

Why do users disable automatic updates?

The reason is a fear, usually greatly exaggerated, that the update will somehow break the website. Searching the web for discussions of this shows that it does happen, but very rarely. WordPress runs on hundreds of thousands of websites, so its testing before a release is necessarily rigorous: a change that broke even a small percentage of those sites would affect a great many of them.

Can disabling automatic updates ever be a good idea?

There are a few valid reasons for disabling auto-update. You might disable the feature if:

  • the website is managed through a version control system;
  • it is a larger website with its own deployment mechanism, possibly deploying to multiple servers;
  • it is run by a WordPress host that is confident it can push out new updates manually in time, which is usually the case when the company’s business is hosting WordPress installations.

However, as long as the website does not fall into one of the categories above, there is no need to disable auto-updates and no good excuse for doing so. It cannot be emphasized enough how important updates are, and it is genuinely sad to see sites still being hacked on a daily basis because of this. Make sure automatic updates are enabled, and test your website with Disposable mail regularly!

Do you have questions about your WordPress site’s security? Check out our WordPress security tips or get in touch at hello[at]detectify.com.


Disposable mail security updates for 6 September

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and our Crowdsource community of ethical hackers. Due to confidentiality agreements, we cannot publicize every security update release here, but they are added to our scanner immediately and are available to all users. This post highlights a few things we have improved in the last two weeks.

Apache Struts RCE

A remote code execution (RCE) vulnerability was disclosed in Apache Struts in late August, meaning an attacker can craft input that is executed as code on the target’s server. Struts is a framework for Java web applications and is used by many enterprises around the world.

A proof of concept (PoC) was submitted to us through Crowdsource and has since been implemented in our scanner.

Fingerprint for exposed administration tools

We fingerprint and warn about accidentally exposed administration tools. The severity of such exposure increases when no authentication is used.

In this release we added or improved fingerprints for:

  • Apache CouchDB
  • TYPO3 Install Tool
  • FileMaker WebDirect

PrestaShop

PrestaShop is a platform for running web shops. By default it sends no headers that prevent its pages from being framed, even when logged in as an admin, which leaves it open to clickjacking attacks.
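As an added example (not PrestaShop’s code), the check below classifies a response’s framing protection from its X-Frame-Options and Content-Security-Policy frame-ancestors headers, which is exactly what a scanner looks for when flagging the default above; the sample header sets are constructed.

```javascript
// Added example (not PrestaShop's code): decide from a response's headers
// whether other origins are prevented from framing the page. Framing is
// blocked by X-Frame-Options DENY/SAMEORIGIN or by a CSP frame-ancestors
// directive that allows no arbitrary origin (frame-ancestors wins if both are set).

// Case-insensitive header lookup; null when absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Source list of the frame-ancestors directive in a CSP, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Returns { protected: boolean, reason: string } for one HTTP response.
function framingProtection(headers) {
  const csp = getHeader(headers, 'content-security-policy');
  const sources = csp === null ? null : frameAncestors(csp);
  if (sources !== null) {
    // '*' or a bare scheme source (https:) lets any page on that scheme frame us.
    const open = sources.some(s => s === '*' || s === 'https:' || s === 'http:');
    return open
      ? { protected: false, reason: 'frame-ancestors allows any origin' }
      : { protected: true, reason: 'frame-ancestors ' + sources.join(' ') };
  }
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo === null) {
    return { protected: false, reason: 'no X-Frame-Options and no frame-ancestors' };
  }
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: 'X-Frame-Options ' + value };
  }
  // Anything else (e.g. the obsolete ALLOW-FROM) is ignored by current browsers.
  return { protected: false, reason: 'unsupported X-Frame-Options value: ' + xfo };
}

// Constructed samples: an admin page with no framing headers (the default
// described above) and the same page with a frame-ancestors policy added.
const unprotectedAdmin = { 'Content-Type': 'text/html; charset=utf-8' };
const hardenedAdmin = { ...unprotectedAdmin, 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" };
```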

ACME Redirection

After blogging about how different ACME implementations could lead to XSS, and how we were able to issue certificates for domains on shared hosting, we have now also implemented a finding for an issue that could again allow malicious certificate issuance if the server uses redirects in a certain way.

Liferay

After adding Liferay as a prioritised technology for Disposable mail Crowdsource, we received several submissions of vulnerabilities, which we have since implemented. So far, the XSS and server-side vulnerabilities reported affect older versions.

Socket.IO

Socket.IO is a library for real-time communication between the browser and the server. When it is used with misconfigured CORS headers, the session ID is exposed, and an attacker can use it to take over that session: sending requests to the server posing as the victim and receiving messages intended for the victim.

The full potential impact varies a lot depending on what Socket.IO is used for. Where it is a core part of the application, this issue leads to account takeover.
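An added example, not Socket.IO’s own code, modelling why the CORS misconfiguration above exposes the session ID: it applies the browser’s CORS read rules to a Socket.IO polling handshake, whose open packet carries the sid, and contrasts an origin-reflecting server policy with an allowlist. It assumes Engine.IO v4 framing and a server that authenticates the socket by cookie; the handshake body and origins are constructed.

```javascript
// Added example (not Socket.IO's code): a model of the browser-side CORS read
// check, applied to a Socket.IO polling handshake. The handshake response body
// carries the session id, so if a third-party page may read that response the
// sid is exposed. Assumes Engine.IO v4 framing (open packet = '0' + JSON).

// Case-insensitive header lookup; null when absent.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// May a page at `origin` read this cross-origin response? Per the Fetch spec
// an uncredentialed request accepts '*' or an exact origin match; a request
// sent with cookies additionally needs ACAC 'true', and '*' is then rejected.
function readAllowed(origin, responseHeaders, withCredentials) {
  const acao = getHeader(responseHeaders, 'access-control-allow-origin');
  const acac = getHeader(responseHeaders, 'access-control-allow-credentials');
  if (withCredentials) return acao === origin && acac === 'true';
  return acao === '*' || acao === origin;
}

// Session id from an Engine.IO v4 open packet, or null for any other packet.
function sidFromOpenPacket(body) {
  if (body[0] !== '0') return null;
  try { return JSON.parse(body.slice(1)).sid || null; } catch (e) { return null; }
}

// Two server policies: `null` reflects whatever Origin the request carried (the
// misconfiguration, e.g. a cors `origin` callback that approves every origin);
// an array is an explicit allowlist (the fix).
function handshakeHeaders(origin, allowedOrigins) {
  const headers = { 'Content-Type': 'text/plain; charset=UTF-8' };
  if (allowedOrigins === null || allowedOrigins.includes(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// The sid a page at `origin` would learn from a cookie-authenticated handshake
// under the given policy, or null when the browser withholds the response.
function exposedSid(origin, allowedOrigins, body) {
  const headers = handshakeHeaders(origin, allowedOrigins);
  return readAllowed(origin, headers, true) ? sidFromOpenPacket(body) : null;
}

// Constructed handshake body; the sid is a made-up value.
const openPacket = '0{"sid":"constructed-sid-0001","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":20000}';
```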


Disposable mail is a continuous web scanning and monitoring service that can be set up to scan automatically for 1000+ known vulnerabilities, including the OWASP Top 10.


A security overview of Content Management Systems

Most developers would agree that Content Management Systems (CMS) make it easier for web development teams and marketing to work together. However, CMS assets such as blog.company.com are web applications too and can be targets of attacks. Why? Simply because they are built on widely used technologies, communicate with end users, bring in organic or paid reader traffic and build brand awareness.

Many companies spend resources on securing their main applications but neglect to audit the security of the CMS platform, because who would want to hack a blog? More often than not, it is the technology rather than the content that makes a CMS interesting to attack, which is why CMS security needs attention as well. Here is our overview, including expert advice from our security team:

Deciding between closed- vs open-source CMS platforms: 

Once you’ve decided to go with a CMS, you’ll have to decide which vendor to go with, and part of that decision is whether it will be closed- or open-source. Cost and usability are key factors, but it is also important to keep in mind the security maintenance needed to keep it up and running. With an open-source product, anyone can access the source code, and you are free to change it and customize it to your website’s needs. Many eyes on the code also means there are people interested in testing and breaking it, especially for widely used platforms.

There are people testing the security of closed-source CMSes too, but not at the same rate, since they are only available with purchase; on the other hand, such platforms have internal security teams doing the testing and making fixes. We receive vulnerability submissions for both closed- and open-source platforms from our Disposable mail Crowdsource community of 150+ handpicked white hat hackers.

Crowdsource module developer Kristian Bremberg reviews many of these submissions, and contrasts the two:

“Open source lets anyone look at the code, and therefore increases the chances of finding vulnerabilities. However, there’s no guarantee that the code will be reviewed by independent security researchers. Closed-source software is often owned by a company which spends money on internal code review and security testing.”

Image: A comparison of open- vs closed-source CMS tools

How to secure your CMS or blog site:

There is a lot you can do to reduce the security risks of maintaining a CMS. We previously shared best practices for securing the Magento CMS application, and the same practices apply to any other CMS. Exploitation can come through the hosting service, blog themes, plugins or extensions, or user management, so following those best practices should be a no-brainer:

Clean up your plugins

In addition to the measures mentioned, it is imperative to make sure the plugins added to your CMS are also secure to use. If you don’t use a plugin, uninstall it so it doesn’t become a security risk. Many plugins are hobby projects that are only updated once in a while, which means they can become vulnerable without the owner noticing; for that reason we recommend running automated scans that cover plugins. We often receive submissions for CMS plugins, and it is something we are continuously open to receiving from our Disposable mail Crowdsource white hat hackers.

Scan your CMS platforms for common vulnerabilities

It is common for Content Management Systems to be hosted on a platform separate from the main web application. For example, blog.company.com may be hosted on a CMS like WordPress that is not regularly monitored by a web development team, and its code may not always be reviewed after updates or new features. By using a tool like Disposable mail to check a CMS for vulnerabilities, a findings report will show any vulnerabilities that exist in the web application, along with remediation tips. A code-savvy marketer could then try to fix the issue themselves or share it with a web developer or agency to be resolved.

Additional best practices:

  • Enable 2FA and require strong passwords
  • Always use the latest version of the software
  • Subscribe to product and security updates from the vendor via social media or mailing lists

Expert point of view: how secure are CMSes and plugins?

We asked our co-founder and top-ranked security researcher, Fredrik Nordberg Almroth, about CMS security and here is what he had to say:

“If I were to approach this [an open-source CMS], I would not start with the main application since this where most security resources are spent and where most people are looking. I would look for other points of entry where few people are monitoring yet highly used like blog themes and plugins. In fact, plugins are the biggest concern, and small but chainable vulnerabilities are mostly here.”

Image: Disposable mail co-founder and top-ranked ethical hacker, Fredrik Nordberg Almroth, has legally hacked many tech giants including Google and Dropbox.

Fredrik Nordberg Almroth says:

“Exploiting such chained vulnerabilities can usually impact other assets and infrastructure not directly related to the affected CMS. An example could be a simple reflected XSS that can be used to steal login credentials, which may be used elsewhere on other systems, to a cookie XSS that affects sibling subdomains. Another example could be a server-side request forgery (SSRF) attack, that could be leveraged to access internal databases, CI systems and other internal assets.”

Although this risk exists whenever you download a plugin or theme for an open-source CMS like WordPress or Joomla, Fredrik assures us that open-source options are in general quite secure as long as you work proactively with security. There are rare cases like Drupalgeddon 2.0 (CVE-2018-7600), and because of their high severity they tend to be short-lived, as patches are released as soon as possible to protect the many sites affected. SaaS-based CMSes are updated automatically, making it even easier for users.

However, not everyone checks the compatibility and security of a plugin or bundled application, and popular ones are downloaded at least 50,000 times, so you can imagine the damage a single web vulnerability could do. Infamous examples include the bundled ImageMagick and CKEditor applications, which led to RCE and XSS respectively. When it comes to closed-source CMSes, fewer people outside the product security teams look at these systems, since a paid license is needed to get at the source code. Vulnerabilities may still be found by the vendor’s own security testing or by bug bounty hunters before a malicious actor gets to them.

Closing comments:

Overall, CMSes are secure to use, and from a security standpoint open-source platforms have an edge because more eyes examine the code; for web-hosted platforms, updates including security patches are applied automatically. If you have a CMS, the most important things are to keep user access secure, run up-to-date versions of the software and research plugins before using them.

CMSes are easy to use, but they can also be an easy way into your main application if their security is not monitored. Adding pages like blog.company.com to your security scanning routine is a simple step towards eliminating these risks.

Disposable mail is a SaaS-based web application scanner powered by ethical hackers. Our tool tests for 1000+ commonly found vulnerabilities, including tests for WordPress, Joomla, Drupal, Liferay, Serendipity and other CMSes and their plugins/extensions. Have you checked the security of your CMS web applications? Try our tool for free and start securing your CMS today.
