Release 2015-05-27: New Magento exploits and the start of workflow capabilities – 10 minute mail

You are now starting to see some of the results of the updated backend: the first step towards a workflow tool, built on tags. This release also includes multiple Magento-specific vulnerabilities, and our phpMyAdmin modules got an update.

Workflow

The plan going forward is to make Disposable mail an integrated part of your workflow: it will be possible to flag, export and assign individual findings. The first step is that you can now mark individual findings as resolved. Work your way down the list of vulnerabilities and improve the security of your web app.

Mark fixed

Magento vulnerabilities

Multiple Magento-specific vulnerabilities were included in this release. Some of those included are:

  • Magento Shoplift SQL Injection
  • Magento SWF “bridgeName” XSS
  • Magento MAGMI XSS & LFI
  • Magento Admin Panel XSS’es

The Shoplift vulnerability allows a remote attacker to gain full control over the target system and impacts almost two hundred thousand Magento e-commerce shops. We’ve added a test that spots installations still missing the patch. If you run a Magento e-commerce website, run a test with Disposable mail, and apply the vendor patch in any case: the test only tells you whether you are exposed, it does not close the hole. Visit http://magento.com/security-patch for further information.

phpMyAdmin updates

phpMyAdmin is still one of the most common tools for administrating MySQL on the internet, and many people forget to update it. We’ve massively improved our collection of tests for exploits against older phpMyAdmin (PMA) installations. Some of the additions are:

  • phpMyAdmin Remote Code Execution through setup.php
  • phpMyAdmin “ServerSync” Backdoor
  • phpMyAdmin Directory Listing through db_details_importdocsql.php
  • phpMyAdmin Local File Inclusion through export.php
  • phpMyAdmin Local File Inclusion through grab_globals.lib.php
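As an added example of how a presence check for the legacy phpMyAdmin files listed above can be structured, here is a small probe written for this page; it is not the scanner's own code. The practical point it shows is that many hosts answer every URL with HTTP 200 (a front page, a soft 404), so a check that only looks at status codes flags all five files on such a host. The probe therefore fetches a random path first and treats any later response identical to that baseline as a miss. The HTTP client is injected, so the logic runs offline against constructed fake sites; the directory locations of the files and the "phpMyAdmin" body marker are assumptions.

```python
"""
Added example (not the scanner's own code): probing for legacy
phpMyAdmin files without producing false positives on hosts that
return 200 for everything.
"""
import secrets
from urllib.parse import urljoin

# Files named in the release list above. Locations relative to the
# phpMyAdmin root are assumptions; the marker must appear in the body
# before a 200 response counts as a hit.
LEGACY_CHECKS = [
    ("scripts/setup.php", "phpMyAdmin"),
    ("setup.php", "phpMyAdmin"),
    ("db_details_importdocsql.php", "phpMyAdmin"),
    ("export.php", "phpMyAdmin"),
    ("libraries/grab_globals.lib.php", "phpMyAdmin"),
]


def baseline(base_url, fetch):
    """Fetch a random path that cannot exist. If the host answers it
    with 200, status codes alone prove nothing for this host, and the
    body is kept so later responses can be compared against it."""
    return fetch(urljoin(base_url, "pma-probe-" + secrets.token_hex(8)))


def probe_legacy_files(base_url, fetch):
    """Return the legacy files that appear to be present.
    A hit requires HTTP 200, the marker in the body, and a body that
    differs from the catch-all baseline response."""
    base_status, base_body = baseline(base_url, fetch)
    hits = []
    for path, marker in LEGACY_CHECKS:
        status, body = fetch(urljoin(base_url, path))
        if status != 200 or marker not in body:
            continue
        if base_status == 200 and body == base_body:
            continue  # the page the site serves for anything: not a hit
        hits.append(path)
    return hits


def make_fake_fetch(base_url, files, catch_all=None):
    """Constructed stand-in for an HTTP client, returning (status, body).
    files: mapping of relative path -> body served with 200.
    Unknown paths get 404, or, if catch_all is given, 200 with that body
    (a site that serves its front page for every URL)."""
    def fetch(url):
        path = url[len(base_url):]
        if path in files:
            return 200, files[path]
        if catch_all is not None:
            return 200, catch_all
        return 404, "Not Found"
    return fetch


BASE = "http://pma.example.test/phpmyadmin/"  # assumed host, for the demo

# Constructed site 1: an old install still shipping two of the files.
OLD_INSTALL = make_fake_fetch(BASE, {
    "scripts/setup.php": "<title>phpMyAdmin setup</title>",
    "export.php": "<title>phpMyAdmin - export</title>",
})

# Constructed site 2: answers every URL with the same front page, which
# happens to mention phpMyAdmin; a naive 200 check would flag all five.
CATCH_ALL_SITE = make_fake_fetch(BASE, {}, catch_all="<h1>Welcome to phpMyAdmin</h1>")

# Constructed site 3: catch-all front page, but export.php is really there.
MIXED_SITE = make_fake_fetch(
    BASE,
    {"export.php": "<title>phpMyAdmin - export</title>"},
    catch_all="<h1>Welcome to phpMyAdmin</h1>",
)

if __name__ == "__main__":
    print(probe_legacy_files(BASE, OLD_INSTALL))     # ['scripts/setup.php', 'export.php']
    print(probe_legacy_files(BASE, CATCH_ALL_SITE))  # []
    print(probe_legacy_files(BASE, MIXED_SITE))      # ['export.php']
```

Presence of a file is only the first signal; a real check would go on to fingerprint the version and confirm the specific flaw, since a patched install may still ship the same file names.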


Just log in and run a new scan to check it out! Also, don’t forget to keep an eye on our Magento security page to stay updated.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Disposable mail security updates for 4 October – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and the Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.


Iframe busters used by several advertising networks were found to be vulnerable to XSS. Since a buster is a file the site hosts itself, that means every website hosting one of the affected iframe busters is vulnerable to XSS on its own origin, however careful its own code is. In a recent scan of the most popular websites, we found that 2% of them were vulnerable.


There is a CSRF vulnerability in older versions of phpMyAdmin: an attacker can send a crafted link to someone who is logged in to phpMyAdmin and, when the victim opens it, the browser attaches the victim's session and executes the SQL statements the attacker chose. This can in turn be used to write files to the server (the database user needs the FILE privilege for that) and thereby take over the server.
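The pattern behind that finding, as an added example written for this page rather than phpMyAdmin's own code: a vulnerable handler that executes a SQL statement taken from any authenticated request, including a GET triggered by a link the victim clicked, beside the hardened form that only accepts a POST carrying a per-session token a cross-site page cannot read. The endpoint name sql.php, the parameter name sql_query, the in-memory session store and the output path in the attacker's statement are assumptions made for the demonstration.

```python
"""
Added example (not phpMyAdmin's source): CSRF against a SQL console,
the vulnerable GET pattern beside the token-protected POST pattern.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed session store: cookie value -> session data. Assumed shape;
# a real application keeps this server-side.
SESSIONS = {
    "sid-alice": {"user": "alice", "token": secrets.token_hex(16)},
}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape)."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    @property
    def query(self):
        return {k: v[0] for k, v in parse_qs(urlparse(self.url).query).items()}


def _session(req):
    return SESSIONS.get(req.cookies.get("session"))


def run_sql(sql, executed):
    """Stand-in for the database layer: records what would have run."""
    executed.append(sql)
    return "ok"


def vulnerable_sql_handler(req, executed):
    """Vulnerable pattern: any authenticated request executes the query
    in the URL. The victim's browser sends the session cookie on its own,
    so a link on an attacker page is enough; no credentials are needed."""
    sess = _session(req)
    if sess is None:
        return 401, "login required"
    sql = req.query.get("sql_query")
    if not sql:
        return 400, "no query"
    return 200, run_sql(sql, executed)


def hardened_sql_handler(req, executed):
    """Hardened pattern: state-changing work only over POST, and the POST
    must carry the per-session token. Same-origin policy keeps a foreign
    page from reading the token, so it cannot forge the request."""
    sess = _session(req)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "method not allowed"
    token = req.form.get("token", "")
    if not hmac.compare_digest(token.encode(), sess["token"].encode()):
        return 403, "bad or missing CSRF token"
    sql = req.form.get("sql_query")
    if not sql:
        return 400, "no query"
    return 200, run_sql(sql, executed)


# The kind of link the attacker mails to the victim. The statement writes
# a PHP file into the web root (assumed path), which is the "upload files
# and take over the server" step; it needs the MySQL FILE privilege.
ATTACK_SQL = "SELECT '<?php system($_GET[\"c\"]); ?>' INTO OUTFILE '/var/www/html/x.php'"
CRAFTED_LINK = "http://pma.example.test/sql.php?" + urlencode({"sql_query": ATTACK_SQL})


def simulate(handler):
    """Replay the logged-in victim clicking the crafted link.
    Returns (status, list of SQL statements that actually ran)."""
    executed = []
    victim_click = Request("GET", CRAFTED_LINK, cookies={"session": "sid-alice"})
    status, _ = handler(victim_click, executed)
    return status, executed


def legitimate_post(handler, token=None):
    """A genuine submission from the application's own form. With the
    session token it passes the hardened handler; with a wrong token
    (pass token="nope") it is refused."""
    executed = []
    if token is None:
        token = SESSIONS["sid-alice"]["token"]
    req = Request("POST", "http://pma.example.test/sql.php",
                  cookies={"session": "sid-alice"},
                  form={"sql_query": "SELECT 1", "token": token})
    status, _ = handler(req, executed)
    return status, executed


if __name__ == "__main__":
    print(simulate(vulnerable_sql_handler))       # (200, [ATTACK_SQL])
    print(simulate(hardened_sql_handler))         # (405, [])
    print(legitimate_post(hardened_sql_handler))  # (200, ['SELECT 1'])
```

Modern browsers add a second layer with SameSite cookies, but the token check is the defence that does not depend on the client, and it also covers the case where the attacker gets the victim to submit a cross-site POST form instead of clicking a link.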

The Caucho Resin admin interface has a page with a few reflected XSS vulnerabilities, and they are exploitable without logging in.

This is a few years old, but the researcher found several websites still vulnerable to it, which is why we decided to implement a test for it.

The plugin logs a lot of information to a publicly accessible log file. This includes error messages and full filesystem paths and, depending on circumstances, could contain other sensitive information as well.

This is not a vulnerability per se, but rather a backdoor left behind by an earlier attack. This backdoor seems to be commonly used in recent attacks.

The backdoor has no authentication at all, meaning anyone who finds it can use it to execute code on the server. That is a problem in itself, but it is also evidence that the server has already been compromised, so a hit on this test calls for incident response, not just removing the file.

Nagios is a network monitoring tool used by many large organizations. It is intended for internal use, but it happens that developers expose it to the internet. When no authentication is required, anyone can access it and obtain information intended only for internal use, such as host names and the status of the services being monitored.

Umbraco creates a few folders that, according to its documentation, should be locked down by the administrator. Security through documentation does not always work, since not everyone reads everything, meaning there are vulnerable instances out there.



Disposable mail is a continuous web security scanning service that can be set up for automated scanning for 1000+ known vulnerabilities, including the OWASP Top 10.
