Updates on the security status of WordPress and Yoast – 10 minute mail

WordPress is amazing, we can’t argue with that. It’s efficient, powerful, and functional. However, given that it is the most popular Content Management System (CMS) in use, it is also the most vulnerable CMS platform out there.

The WordPress Pingback Vulnerability – Check old campaign sites!

The WordPress Pingback vulnerability allows an attacker to use your WordPress instance as a proxy server. The vulnerability itself is pretty old, but still the reason behind many DDoS attacks. It can be used to camouflage criminal behaviour and make it appear to originate from your service or gain access to internal networks.

SOLUTION: All default installations of WordPress 3.5 come with the vulnerable feature enabled, so we recommend running scans on old campaign sites to see if they are affected. If they are, make sure to reconfigure your WordPress installation.
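One way to run the recommended check on a site you administer, as an added example that is not part of the original post: ask the XML-RPC endpoint to list its methods and report whether pingback.ping is still exposed. The sample response and headers are constructed; `fetch_and_assess()` does the live query.

```python
# Added example, not from the original post: check whether a WordPress site's
# XML-RPC endpoint still exposes pingback.ping. Sample response and headers
# below are constructed; fetch_and_assess() performs the live check.
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# system.listMethods is the standard XML-RPC introspection call.
LIST_METHODS_REQUEST = (
    '<?xml version="1.0"?><methodCall>'
    "<methodName>system.listMethods</methodName><params/></methodCall>"
)

# Constructed sample of what a default install answers (abridged).
SAMPLE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>"""

# Constructed sample headers: WordPress advertises the endpoint via X-Pingback.
SAMPLE_HEADERS = {"Content-Type": "text/xml",
                  "X-Pingback": "https://example.invalid/xmlrpc.php"}


def xmlrpc_methods(body: str) -> list:
    """Return the method names listed in a system.listMethods response."""
    root = ET.fromstring(body.encode("utf-8"))
    return [el.text for el in root.iter("string") if el.text]


def assess(headers: dict, body: str) -> dict:
    """Summarise pingback exposure from response headers and the method list."""
    methods = xmlrpc_methods(body)
    advertised = any(k.lower() == "x-pingback" for k in headers)
    return {
        "pingback_enabled": "pingback.ping" in methods,
        "advertised_via_header": advertised,
        "xmlrpc_method_count": len(methods),
    }


def fetch_and_assess(site_url: str, timeout: float = 10.0) -> dict:
    """Live check against a site you administer (network access required)."""
    req = urllib.request.Request(
        urljoin(site_url, "xmlrpc.php"),
        data=LIST_METHODS_REQUEST.encode("utf-8"),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return assess(dict(resp.headers), resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS, SAMPLE_BODY))
```

A site that has disabled XML-RPC entirely will return an HTTP error or an HTML page instead of XML, which `fetch_and_assess()` surfaces as an exception; that outcome also means the pingback method is not reachable.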

With great websites, come great plugins… and more vulnerabilities

Are you using the SEO plugin Yoast to increase search engine traffic? Many plugins have vulnerabilities, and Yoast has had both SQL injections and CSRF vulnerabilities in the past. This is yet another reminder of how important it is to update your plugins on a regular basis.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Joomla security | Disposable mail Blog

Joomla is a widely used open-source Content Management System that simplifies working with sites and web applications. To help you keep up to date on Joomla vulnerabilities and security, we have put together a list of Joomla articles and news updates.

ALERTS & RELEASE UPDATES

New findings: Joomla, JBoss, Jenkins and others!


How To Improve Your WordPress Security

WordPress is a great Content Management System: it’s easy to use and maintain, and there is an ocean of plugins and themes from developers worldwide. What started out as a very simple blogging platform is now much more.

In the early versions, vulnerabilities were found much more frequently than today. Some of them were really bad – take this one for example:

“WordPress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.”

This nasty vulnerability was found back in 2009.

However, fewer and fewer vulnerabilities are found in the core, and WordPress takes security very seriously. Despite that, there are still many outdated WordPress installations out in the wild. According to WP White Security, in 2014 over 70% of all WordPress installations were vulnerable. The core is relatively secure, but the more themes and plugins you add to the installation, the higher the risk of your site becoming vulnerable.

You can never be 100% secure and this also applies to WordPress. However, there are easy fixes that can make your site more difficult to target.

  • Don’t use admin or any variant of this username on any account
  • Of course – set a strong password and have a good password policy if you have multiple users
  • Don’t use ‘wp_’ as the table prefix, choose something that is less obvious
  • Avoid posting with the administrator account
  • Enable two-factor authentication for each of your users
  • And again – keep everything updated
  • This may be obvious to most people, but download WordPress from the official site, WordPress.org!
  • Keep an eye on vulnerabilities by using a security monitoring tool like Disposable mail
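Two of the tips above (the default ‘wp_’ table prefix and admin-style usernames) can be checked offline. The script below is an added example, not code from the original post; the wp-config.php excerpt and the user list are constructed samples.

```python
# Added example, not from the original post: offline check of two of the tips
# above (default 'wp_' table prefix, admin-like usernames). Inputs are constructed.
import re
from typing import List, Optional

# Constructed excerpt of a wp-config.php still using the default prefix.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""

# Constructed login names, e.g. exported with WP-CLI (`wp user list`).
SAMPLE_USERS = ["admin", "Administrator", "admin2", "anders", "editor"]

# 'admin' plus the obvious variants: administrator, admin1, wp_admin, admin-2
ADMIN_LIKE = re.compile(r"(wp[_-]?)?admin(istrator)?[\W_]*\d*", re.IGNORECASE)


def table_prefix(config_text: str) -> Optional[str]:
    """Return the $table_prefix value from wp-config.php, or None if absent."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config_text)
    return m.group(1) if m else None


def admin_like(username: str) -> bool:
    """True for 'admin' and its common variants (case-insensitive)."""
    return ADMIN_LIKE.fullmatch(username) is not None


def audit(config_text: str, users: List[str]) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix is None:
        findings.append("no $table_prefix found in wp-config.php")
    elif prefix == "wp_":
        findings.append("default table prefix 'wp_' is in use")
    flagged = [u for u in users if admin_like(u)]
    if flagged:
        findings.append("admin-like usernames: " + ", ".join(flagged))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WP_CONFIG, SAMPLE_USERS):
        print("-", line)
```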

Remember, it’s not just the WordPress CMS you need to keep secure and updated; don’t forget about the web server, FTP server, database, file permissions, etc.

Read more:
WordPress
How to Improve Your WordPress Security: Plugins and Themes
http://www.wpbeginner.com/wordpress-security/

Stay safe!


Author: Anders Raldin


How to Improve Your WordPress Security: Plugins and Themes

A clean WordPress installation is not much fun, but plugins and themes can have security issues that should not be ignored. In this blog post, we explain what is good to take into consideration when installing a plugin or theme, and give tips on some useful WordPress security plugins that can make your WordPress experience safer.

Plugin Security Checklist

Themes and plugins open up a whole new world of possibilities and allow you to do more with WordPress. But what about security? Before you start installing themes and plugins, stop to consider the following:

  • Take some time to do some research about the developers.
  • Check the ratings – this could be a good indicator, but don’t trust it blindly.
  • Check the reviews – if people take their time to write a review, it’s awesome or terrible.
  • Has the plugin or theme had known vulnerabilities previously? If so, how did the developers or security team handle it?

Use your favorite search engine and search for ‘wordpress + plugin name + exploit’ or ‘wordpress + plugin name + vulnerabilities’ and take a look at the results; also search in databases like https://web.nvd.nist.gov/view/vuln/search and https://www.exploit-db.com. Doing so will give you a pretty good idea about the plugin or theme: how many vulnerabilities have been discovered, whether there is any known vulnerability in the latest version, and so on.

Security plugins

There are a lot of plugins made to enhance your WordPress site’s security; some of them are good and some of them should never have been made in the first place.

Below are three of the most popular security plugins.

1. Wordfence


This security plugin protects you against malware and several other things. It will scan all your files (core, plugins and themes) for malware infections, stop brute-force attacks, check for known backdoors such as c99, R75, WSO, etc., and lets you add two-factor authentication.

In 2014 ‘vexatioustendencies.com’ discovered two stored XSS vulnerabilities in Wordfence. The vulnerabilities should never have existed, however the Wordfence team acted quickly and patched them within 12 hours.

The vulnerabilities are pretty interesting, you can read more about them here.


2. Bulletproof Security


Another very popular security plugin; it protects against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection, among other things.

Update: In March 2016, XSS vulnerabilities were discovered in Bulletproof Security. The issues that affected version 53.3 were fixed, but the incident illustrates the importance of both responsible disclosure and continuous security testing and research.

3. All In One WP Security & Firewall


This popular plugin includes a web application firewall. It protects against XSS, SQL injection and other attacks, has backup functions and more.

In 2013 Checkmarx did a static code analysis of the 50 most popular plugins and came to the conclusion that 18 were vulnerable. These plugins together had 18.5 million downloads. You can read their full analysis here.

Several of the plugins and themes out there have had problems with security and they are going to have more problems in the future. That’s ok. What’s more important is how the situation gets handled when the vulnerability is discovered.

See Mark Jaquith talk about Theme & Plugin Security:

Read more: Do you know how to set up WordPress for maximum security? Check out our WP security tips!

Stay safe!


Author: Anders Raldin


WordPress Security | Disposable mail Blog

WordPress is amazing, we can’t argue with that. It’s efficient, powerful, and functional. However, given that it is the most popular Content Management System (CMS) in use, it is also the most vulnerable CMS platform out there. To learn more about WordPress vulnerabilities and ways to improve the security of your site, take a look at this list of our WordPress articles and updates.

How To Improve Your WordPress Security

Although WordPress is safer than it used to be, outdated installations and vulnerable plugins are still a threat. We list a few easy fixes that can help you improve your site’s security.

How to Improve Your WordPress Security: Plugins and Themes

A clean WordPress installation is not much fun, but plugins and themes can have security issues that should not be ignored. In this blog post, we explain what is good to take into consideration when installing a plugin or theme, and give tips on some useful WordPress security plugins that can make your WordPress experience safer.

IT Security FAQ

We love talking about security and we believe that security knowledge should be easily accessible and fun. This is why we came up with our IT Sec FAQ series! In 10 short Q&A format posts, we explain basic web security concepts combined with tips and comments from our very own security experts.

IT Security FAQ 2: What should you think about when installing a new plugin on WordPress?

So many plugins, so little time! One of the great things about WordPress is the wide variety of plugins available. What about security?

IT Security FAQ 6: What CMS is the most vulnerable?

Trying to settle on a CMS and not sure what to choose? We explain what you should keep in mind when choosing a CMS.

Alerts & Release Updates

[Alert] Stored XSS in WordPress Plugin Jetpack
[Alert] New WordPress XSS Vulnerability Discovered
Updates on the security status of WordPress and Yoast
Release: Improved PDF report and new WordPress vulnerabilities

More reading

OWDT: Check out 8 tips on how to protect your WordPress website in 2017


[Alert] New WordPress XSS Vulnerability Discovered

Are you running WordPress 4.2.0 to 4.5.1? Time to upgrade to 4.5.2!

It was recently discovered that WordPress versions 4.2.0 to 4.5.1 are vulnerable to a reflected XSS vulnerability in a specific SWF file shipped with WordPress: flashmediaelement.swf. The vulnerability could lead to leaked WordPress credentials, or be used as a stepping stone to more severe attacks.

3 things you can do to protect your website:

  • Upgrade to WordPress version 4.5.2 as soon as possible.
  • Remove the flashmediaelement.swf file (if you do not know how to proceed, the best option is to simply upgrade the WordPress version).
  • A third option is to limit the allowed IP addresses to your office or VPN IP.

As always, we recommend running regular security tests on your website to keep up with all the latest vulnerabilities.

Stay safe!


[Alert] New Magento Vulnerability – Unauthenticated Remote Code Execution

Are you running a Magento version before 2.0.6? Time to upgrade!
It was recently discovered that all Magento versions before 2.0.6 (both Community and Enterprise Edition) are vulnerable to unauthenticated remote code execution. The vulnerability (CVE-2016-4010) could allow an attacker to take over the vulnerable process and consequently even take complete control over the machine, putting your customer data, transaction history and revenues at risk.

[Solution] Upgrade to the 2.0.6 patch as soon as possible

As always, we recommend running regular security tests on your website and keeping up with all the latest vulnerabilities on our blog.

Stay safe!


OWASP TOP 10: Using Components with Known Vulnerabilities

Using components with known vulnerabilities is one of the vulnerability categories on OWASP’s list of the ten most common vulnerabilities. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their Top 10 list one by one in our OWASP Top 10 blog series.

Description

It is very common for web services to include a component with a known security vulnerability. When that happens it falls under this category, regardless of what kind of component is vulnerable, making this a very frequent finding.

The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins.

Prevalence

It is one of the most common vulnerability types, one reason being that it is hard to find. The attack surface is wide, as any layer could be vulnerable. As stated above, any component in use, from the core of the OS to the libraries used by plugins, could have known vulnerabilities that make the site vulnerable.

Developers usually focus on securing their own code and often forget about the code they have imported from others. In many cases developers are not even aware of all the code that is running. This is mainly due to plugins which in turn import libraries which in turn have their own dependencies etc.

Potential impact

The potential impact is impossible to grade for this category, as it completely depends on the vulnerable component and what vulnerability it suffers from. The vulnerability could be an XSS on some unimportant subdomain, but it could just as well lead to a full system takeover.

Exploitability

When a vulnerability is published on the internet, someone often uploads a ready-to-use payload which an attacker could simply download and use against the target. This means that an attacker can use it against the site without even knowing how and why it works. Even when a PoC is not available, documentation about the vulnerability is easy to access, so all the attacker would need to know is how to follow instructions.

However, there are of course also exceptions to this. Some vulnerabilities require existing knowledge about the system, and if the component that is vulnerable is not directly exposed to the internet, the attacker would need to figure out a solution to that as well.

In short, this is often really easy to exploit, but can be as hard as any other vulnerability.

Over the last few years about 4500 CVEs have been published every single year, and there are of course even more vulnerabilities. It is thus hardly surprising that it is impossible for most developers to keep up-to-date with all this information.

Well-known events

A few years ago Reuters got hacked and someone was able to take over their Twitter account to spread false news. Reuters is one of the biggest news agencies and the possible impact of such an attack should be obvious.

According to the Wall Street Journal they used an outdated version of WordPress when the attack happened, making it likely that this was the way attackers were able to compromise the site. It is, however, possible the attack was carried out in some other way.

How to discover

The first step is to identify all components that are being used and could possibly be vulnerable, i.e. the ones that somehow process user data. This includes CMS solutions, web servers, operating systems, plugins and everything in between.

The next step is to look up every component for vulnerabilities and exploits. A good start is a general web search; then proceed to look into the different vulnerability and exploit databases.

To hear about vulnerabilities before someone else uses them for malicious purposes, you also need to follow channels such as mailing lists, forums and word of mouth.

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Example of a vulnerable application

One of many examples would be running a WordPress installation with the plugin Jetpack with a version lower than 4.0.3 as stated in our blog post about that specific vulnerability.

There are thousands more ways this vulnerability can occur, so one concrete example does not necessarily say much. However, the Jetpack case might help illustrate how vulnerabilities can be found in popular plugins, affecting a wide range of users.
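The discovery step described above (inventory every component, then match it against published advisories) and the Jetpack example can be automated. The script below is an added example, not code from the original post or from the scanner it describes; the version ranges are transcribed from the alerts on this page (WordPress 4.2.0–4.5.1, Jetpack below 4.0.3, Magento before 2.0.6, Drupal 7.x before 7.58 and 8.x before 8.5.1), while the inventory and the plugin header are constructed samples.

```python
# Added example, not from the original post: inventory installed components and
# match them against known-vulnerable version ranges. The ranges are transcribed
# from the alerts on this page; the inventory and plugin header are constructed.
import re
from typing import List, Optional, Tuple

# (component, first vulnerable version or None, first fixed version or None, note)
# Lower bound is inclusive; the fixed version is exclusive (v >= fixed = patched).
ADVISORIES = [
    ("wordpress", "4.2.0", "4.5.2", "reflected XSS in flashmediaelement.swf"),
    ("jetpack",   None,    "4.0.3", "stored XSS (Jetpack alert)"),
    ("magento",   None,    "2.0.6", "CVE-2016-4010 unauthenticated RCE"),
    ("drupal",    "7.0",   "7.58",  "CVE-2018-7600 Drupalgeddon 2.0"),
    ("drupal",    "8.0.0", "8.5.1", "CVE-2018-7600 Drupalgeddon 2.0"),
]

# Constructed plugin header, in the format WordPress reads from a plugin's main file.
SAMPLE_PLUGIN_FILE = """<?php
/*
 * Plugin Name: Jetpack by WordPress.com
 * Version: 4.0.2
 * Description: constructed sample header
 */
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'8.5.1' -> (8, 5, 1); '7.58' -> (7, 58, 0); suffixes like '-beta' are ignored."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def plugin_header(text: str) -> Tuple[str, str]:
    """Read 'Plugin Name:' and 'Version:' from a plugin main file's header."""
    name = re.search(r"Plugin Name:\s*(.+)", text).group(1).strip()
    version = re.search(r"^\s*\*?\s*Version:\s*(\S+)", text, re.M).group(1)
    return name, version


def find_vulnerable(inventory, advisories=ADVISORIES) -> List[tuple]:
    """Return (component, version, note, fixed_in) for every matching advisory."""
    hits = []
    for name, version in inventory:
        key = name.lower().split()[0]   # 'Jetpack by WordPress.com' -> 'jetpack'
        v = parse_version(version)
        for comp, lo, hi, note in advisories:
            if comp != key:
                continue
            if lo is not None and v < parse_version(lo):
                continue
            if hi is not None and v >= parse_version(hi):
                continue
            hits.append((name, version, note, hi))
    return hits


# Constructed inventory: core versions plus the header parsed above.
SAMPLE_INVENTORY = [("WordPress", "4.5.1"), plugin_header(SAMPLE_PLUGIN_FILE),
                    ("Magento", "2.0.6"), ("Drupal", "7.58"), ("Drupal", "8.5.0")]

if __name__ == "__main__":
    for name, version, note, fixed in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{name} {version}: {note}; upgrade to {fixed}")
```

The advisory table is the part that must be kept current: the remediation section's advice to rescan regularly is exactly because this list grows every week.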

Remediation

The first step to get rid of vulnerabilities in the components you are using would be to always keep everything up to date. Build the system in a way that allows security patches to be installed in a timely manner.

Be careful when external components, plugins, software or even the dependencies of those plugins are used. Make sure that everything fulfils the requirements that have been set for custom code regarding regular maintenance, passing security tests, etc.

Slim down the system as much as possible. Delete plugins that are not used, disable features that are of no use, block ports that are not in use.

Regularly scan the site with a security scanner that is updated with new vulnerabilities. With our own service the default is to scan once a week, as we constantly add more vulnerabilities, and we would recommend a similar interval if another service is used.

As always in life, the following rule applies: do not use anything that sounds too good to be true.

Using Components with Known Vulnerabilities Proof of Concept video:

Just leave a comment or contact [email protected] if there are any questions, we are happy to help!


Drupalgeddon 2.0 (CVE-2018-7600) | Disposable mail Blog

On March 28th, Drupal released a security update that fixes a critical remote code execution vulnerability nicknamed Drupalgeddon 2.0. Disposable mail scans your site for this vulnerability and will alert you if you are running a vulnerable version of Drupal.

What can happen if I’m vulnerable?

The issue (CVE-2018-7600) is a remote code execution vulnerability that allows attackers to take over a Drupal site, accessing all non-public data as well as being able to modify or delete it. The vulnerability can be exploited by simply accessing a URL, which is why it has been assigned a high severity score.

Who is affected by this vulnerability?

Sites running Drupal versions 8, 7, and 6 (note that Drupal 6 is no longer supported) are all at risk. According to an FAQ post written by the Drupal security team, this adds up to over one million sites.

What should I do if I see this finding in my Disposable mail report?

Immediately upgrade to the most recent version of Drupal core. If you are running 7.x, the latest release is 7.58, and if you are running 8.5.x, you should upgrade to 8.5.1.

The Drupal security team has confirmed that exploits for this vulnerability have been developed and that evidence of automated attack attempts emerged last week. This is why we recommend inspecting your logs for signs of malicious activity.

If you are unable to install the latest version of Drupal straightaway, you can use the patches suggested in the security advisory to temporarily fix the vulnerability until you can upgrade your installation.

More information

Drupal Public Service Announcement
Drupal Security Advisory
Drupalgeddon 2.0 FAQ
