10% WordPress plugins in top ~1000 is vulnerable, a PHP static code analysis shows

Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed 103 plugins were vulnerable to at least one vulnerability type (XSS, SQL injection). This is roughly 10 percent! Marcin Probola writes that scanning results were manually verified in his spare time and delivered to official plugins@wordpress.org from 04.07.2015 to 31.08.2015. Most of reported plugins are already patched, some are not. Vulnerable and not patched plugins are already removed from official wordpress plugin repository.

Read more

RewriteProxy with .htaccess in IIS

How to proxy HTTP requests in IIS?

In my case scenario, a website was moved from web server A to B, and the DNS hasn’t been updated yet. Therefore all HTTP requests for the moved website are handled in IIS Default Web Site; that’s the wildcard host, and the original host no longer exists there. We need to somehow match our website hostname and proxy those requests to our new web server. This can either be done using the IIS web.config file and URL Rewrite / IIS Application Request Routing (ARR), or -if it’s installed- an .htaccess file handled by Helicon Ape.

I use the latter for this one…
Read more

WordPress and PHP7

Aaron Jorbin writes to Make WordPress Core about WordPress and PHP7 (I run PHP7 and WordPress for quite some time on Saotn.org, and I think its a great step forward). For the last few months, WordPress Core has been getting ready for the upcoming release of PHP7. PHP7 is bringing a host of improvements to PHP. One of the most notably is substantial performance improvements. Benchmarks of WordPress using PHP7 are showing a 2-3x speed improvement compared to PHP5.6.

Read more

BIND 9.x vulnerable for remote Denial of Service through a magic packet

A vulnerability in BIND, and all it takes is just one tiny little packet…

BIND 9.x is vulnerable for a remote Denial of Service, where a tiny magic packet can cause BIND 9.x to stop and exit named with a REQUIRE assertion failure. All the attacker needs to send is a specially – and deliberately – constructed packet to exploit an error in the handling of queries for TKEY records. The vulnerability in BIND will crash and take down the BIND named daemon…

Read more

Multiple critical vulnerabilities in PHP File Manager

Revived Wire Media’s PHP File Manager got some issues…

Sijmen Ruwhof, who also analysed the malware spread through NU.nl back in 2012, found some serious security vulnerabilities in a PHP web application called “PHP File Manager”. One, among others, is a backdoor for Revived Wire Media to use. How sick is that?! Another vulnerability makes it easy to download confidential files.

Read more