Joomla! (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit

Yesterday, Melvin Lammerts wrote an article on the account creation with elevated privileges vulnerability in Joomla! < 3.6.4. And included a PoC exploit. This Joomla! vulnerability makes it easy for an attacker to create an user account, even when user registration is turned off. Yikes!

Continue reading “Joomla! (< 3.6.4) Account Creation/Elevated Privileges write-up and exploit"

WordPress advisory: Akal premium theme XSS vulnerability & abandonded

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a SQL injection Denial-of-Service in a later to be disclosed plugin. This post describes the Akal theme XSS vulnerability.

Continue reading “WordPress advisory: Akal premium theme XSS vulnerability & abandonded”

Cracking PHP rand()

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().

Continue reading “Cracking PHP rand()”

Joomla! websites abused as open proxy for Denial-of-Service attacks

Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. Even though the Googlemaps plugin vulnerability plugin_googlemap2_proxy.php was released over one and a half (1,5) years ago, I still see these DoS-attacks happening on a regular basis…

Continue reading “Joomla! websites abused as open proxy for Denial-of-Service attacks”

WordPress Plugin Vulnerability Dump – Part 1

This post contains information on vulnerabilities for 7 (at least somewhat) popular WordPress plugins. All of these vulnerabilities were trivial to discover (and are trivial to fix). The state of WordPress plugin security is very sad indeed. None of the developers were contacted in advance of this post (except where otherwise noted). Additional vulnerabilities will be posted as time permits. WordPress Plugin Vulnerability Dump – Part 1

Mod_evasive on IIS

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape), to provide protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.

Continue reading “Mod_evasive on IIS”

Validate MIME types with PHP Fileinfo

How to check the file type in PHP and secure file uploads: it is important to validate MIME types in PHP. Especially of files uploaded through an upload form to your website. Using PHP, the best way to validate MIME types is with the PHP extension Fileinfo. Any other method might not be as good or secure, and unfortunately those other methods are still wildly used…

Continue reading “Validate MIME types with PHP Fileinfo”

“Simple Hack Threatens Outdated Joomla Sites”

Update your Joomla site… yet again. If you run a site powered by the Joomla content management system and haven’t yet applied a critical update for this software released less than two weeks ago, please take a moment to do so: A trivial exploit could let users inject malicious content into your site, turning it into a phishing or malware trap for visitors., Says Brian Krebs

Continue reading ““Simple Hack Threatens Outdated Joomla Sites””