Posts Tagged ‘security’

Watch Out For The Gumblar Botnet

6 responses, posted November 6th, 2009 in WordPress Security

According to the blog Unmask Parasites, a new version of the Gumblar botnet is making the rounds on PHP-based websites. Back in May of this year, this malicious botnet was responsible for infecting a large number of websites in a short period of time. This time around, however, the Gumblar code is buggy, and a number of infected WordPress sites are breaking as a result. WordPress is a complex web application comprising more than 200 .php files. When you open any page, WordPress loads index.php, which in turn loads many other .php files using the require() function. The WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads the wp-config.php file, which contains database credentials and other important information required for normal operation. So what happens if both index.php and wp-config.php are infected with the Gumblar backdoor scripts? Since Gumblar injects identical backdoor scripts into […]

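The breakage described above comes from the same payload being prepended to several files that WordPress then loads in one request. The following scanner is an added example (not code from the post or from Unmask Parasites): it walks a WordPress tree, picks out a leading PHP block that uses common obfuscation calls, and groups files by the hash of that block, so a payload that landed in both index.php and wp-config.php shows up as one group. The marker list, the sample tree and the payload are constructed for the demo; real Gumblar samples differed.

```python
# Added example (not from the original post or from Unmask Parasites): find
# .php files in a WordPress tree that carry the same injected prelude.
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Assumption: an injected block is flagged when it contains one of these
# obfuscation calls. Real Gumblar samples varied; treat the list as a starting point.
SUSPICIOUS = re.compile(rb"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(")

def injected_prelude(data: bytes):
    """Return the leading <?php ... ?> block if it looks injected, else None.

    Backdoors of this kind are prepended as one self-contained block ahead of
    the file's legitimate code, so only the first block is inspected.
    """
    m = re.match(rb"\s*<\?php(.*?)\?>", data, re.S)
    if m and SUSPICIOUS.search(m.group(1)):
        return m.group(1).strip()
    return None

def scan_tree(root: str):
    """Map sha256(prelude) -> list of relative .php paths carrying that prelude."""
    groups = defaultdict(list)
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # the injected block sits at the very top
            block = injected_prelude(head)
            if block is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                groups[hashlib.sha256(block).hexdigest()].append(rel)
    return dict(groups)

def double_infected(groups):
    """Groups whose payload landed in more than one file.

    If index.php and wp-config.php are both in one group, index.php's
    require() of wp-config.php executes the same payload twice; any function
    the payload declares is then declared twice, which is a PHP fatal error
    and matches the breakage the post describes.
    """
    return sorted(sorted(files) for files in groups.values() if len(files) > 1)

# Constructed sample tree: three infected files sharing one payload, one clean file.
PAYLOAD = b'<?php function gml_x(){return base64_decode("aGVsbG8=");} eval(gml_x()); ?>\n'

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-admin"))
    files = {
        "index.php": PAYLOAD + b"<?php\nrequire('./wp-blog-header.php');\n",
        "wp-config.php": PAYLOAD + b"<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-admin/admin.php": PAYLOAD + b"<?php\nrequire_once('../wp-load.php');\n",
        "wp-load.php": b"<?php\nrequire_once('wp-config.php');\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for group in double_infected(scan_tree(build_sample_tree())):
        print("same payload in:", ", ".join(group))
```

Run it against a real document root instead of the sample tree to get the list of files to clean; on a shared host, compare the hashes across sites as well, since one injected payload usually lands on every site the compromised FTP credentials could reach.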

WordPress 2.8.5 Out The Door

35 responses, posted October 20th, 2009 in WordPress

WordPress 2.8.5 has officially been tagged and is now available for download. If you don’t see the upgrade nag in your administration panel yet, give it a few hours and upgrade when it becomes available. This release has been dubbed a security hardening release, meaning more preventive measures have been taken to secure WordPress. Worthy of note is a fix for a trackback spam denial of service attack that was discussed on the WP-Hackers mailing list the other day. The exploit targets the wp-trackback.php file and exhausts a server’s resources when used; this has specifically been addressed in 2.8.5. Thanks go out to Steve Fortuna for releasing a fix for this 0-day exploit. The release also contains a few bug fixes.


Are You Responsible Enough To Run WordPress?

118 responses, posted September 12th, 2009 in WordPress Security

I’m pretty sure by now that you’ve heard about the worm attack on older versions of WordPress. In the trail of destruction, I’ve been reading quite a few blog posts regarding the attacks, along with the comments attached to those posts, and quite honestly, I can’t believe some of the comments I’ve read. One of the most absurd comments I came across stated that upgrading was not an option for them. How on earth do you put yourself in a position where upgrading is not an option? You might as well leave the door open so the bad guys can come in freely. Unfortunately, the blame game has come back in full force, with those affected generally blaming WordPress and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is, the issues that led to this worm attacking older versions of WordPress were fixed […]


The Correct Way To Report A Security Issue With WordPress

25 responses, posted August 12th, 2009 in WordPress Security

If you don’t know by now, WordPress 2.8.4 has been released, and it addresses a mild but hugely annoying issue. There was no advance warning regarding the vulnerability, but it was quickly patched in the core of WordPress for the next release. Unfortunately, word quickly spread, and in fact even my site WPTavern.com was affected by the problem: I received an email letting me know what my new password was even though I didn’t request one. Here are the details regarding the annoyance: a specially crafted URL could be requested that would allow an attacker to bypass the security check verifying that a user had requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is […]

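The post describes the shape of the bug (the "did this user request a reset?" check is satisfied by a value that is not a real key, and the lookup then matches the first account whose stored key is blank) without giving the crafted URL. The Python below is an added reconstruction of that class of bug beside a hardened version of the same check; it is not WordPress's code. The users table, the key format and the one-line coercion that turns an unexpected parameter type into an empty string are assumptions made for the demo.

```python
# Added example, not WordPress's own code: a reconstruction in Python of the
# class of bug the post describes, beside a hardened version of the same check.
import re
import sqlite3

# Constructed sample users. Only "editor" has a pending reset; the others,
# including admin, have a blank activation key.
SAMPLE_USERS = [("admin", ""), ("editor", "k3y7q9d2x8n4b6m1p5r0"), ("author", "")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, activation_key TEXT NOT NULL)")
    con.executemany("INSERT INTO users (login, activation_key) VALUES (?, ?)", SAMPLE_USERS)
    return con

def as_query_string(value):
    """Model a loosely typed request parameter reaching a string comparison.

    Assumption for this demo: a non-string value (e.g. an array-valued query
    parameter) collapses to '' by the time it is compared, so it matches rows
    whose key is blank. The post does not give the real crafted URL.
    """
    return value if isinstance(value, str) else ""

def vulnerable_reset(con, key):
    """Reset the first account whose stored key equals the supplied one.

    The only guard is a truthiness check: a non-empty list passes it, then
    compares as '' and matches the first user with no pending reset.
    """
    if not key:
        return None
    row = con.execute(
        "SELECT login FROM users WHERE activation_key = ? ORDER BY id LIMIT 1",
        (as_query_string(key),),
    ).fetchone()
    return row[0] if row else None  # the account whose password gets reset

KEY_RE = re.compile(r"^[a-z0-9]{20}$")  # assumed key format for the demo

def hardened_reset(con, login, key):
    """Require a well-formed string key bound to the named account, and never
    match an account with no pending reset (blank key)."""
    if not isinstance(key, str) or not KEY_RE.match(key):
        return None
    row = con.execute(
        "SELECT login FROM users WHERE login = ? AND activation_key = ? AND activation_key <> ''",
        (login, key),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, crafted key:", vulnerable_reset(con, ["x"]))        # admin
    print("hardened,   crafted key:", hardened_reset(con, "admin", ["x"]))  # None
```

The three hardening steps are independent and each would have stopped the attack on its own: type-check the parameter before it reaches the query, bind the key to the account it was issued for, and treat a blank stored key as "no reset pending" rather than as a value that can be matched.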

Maximum WordPress Security

14 responses, posted January 3rd, 2009 in WordPress Weekly

I flew solo for episode 35 while Keith cranked out some college work. In this episode, I interviewed Mark E., who is just about ready to release the first beta of his comprehensive WordPress security plugin, Maximum Security. During our discussion, it was easy to see that this plugin contains just about everything except the kitchen sink as it relates to security and WordPress. If you don’t believe me, view the long list of features this plugin has, with more on the way. We also discussed security through obscurity, basic WordPress security practices and much more. Mark has 15 years of experience in network and system security, and within this episode he gave us about 4 years’ worth of experience in less than an hour! Plugin Of The Week: CommentLuv – Comments are a wonderful thing to receive on your blog and while adding the dofollow plugin is one […]


Comment Remix Security Bulletin

8 responses, posted November 1st, 2008 in WordPress Plugins, WordPress Security

Normally we keep to a maximum of two posts a day on WeblogToolsCollection as a means of keeping your dashboard from being overrun by us. However, considering that the following security bulletin concerns a plugin (WP Comment Remix) that won the WeblogToolsCollection plugin competition, I felt it was important to pass it along. According to the bulletin published by Chxsecurity.org, version 1.4.3 contains three vulnerabilities: SQL injection, caused by the unsanitized variable “p” in the ajax_comments.php file; cross-site scripting, affecting both authenticated and unauthenticated users; and cross-site request forgery, because the form generated by wpcr_do_options_page lacks the WordPress wp_nonce check. These vulnerabilities are rated HIGH risk; the latest version (1.4.4) apparently addresses them. If you are using this plugin on your blog, be sure to upgrade it to the latest version.

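The third finding above is the one plugin authors most often miss: an options form with no nonce can be submitted by any page the administrator happens to visit while logged in. The Python below is an added example of a keyed, time-bucketed nonce in the spirit of the WordPress wp_nonce functions; it is not WordPress's implementation or the plugin's code, and the secret, the 12-hour window and the action name "wpcr-options" are assumptions for the demo. The handler at the end shows the check that the options page lacked.

```python
# Added example: CSRF nonce creation and verification, modelled on the idea
# behind WordPress nonces (action + user + time window under a server secret).
# Not WordPress's or WP Comment Remix's code.
import hashlib
import hmac
import time

# Assumption: a server-side secret. In WordPress this would derive from the
# salts in wp-config.php; here it is a constructed constant.
SECRET = b"constructed-demo-secret-not-for-production"
WINDOW = 12 * 60 * 60  # 12-hour tick; a nonce stays valid for this tick and the previous one

def _tick(now=None):
    return int((time.time() if now is None else now) // WINDOW)

def _digest(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def create_nonce(action, user_id, now=None):
    """Nonce embedded in the form as a hidden field; bound to action and user."""
    return _digest(_tick(now), action, user_id)

def verify_nonce(nonce, action, user_id, now=None):
    """Return 2 if minted in the current tick, 1 if in the previous one, 0 if invalid.

    Comparison is constant-time so the check does not leak the expected value
    byte by byte; a nonce for another action or another user never matches.
    """
    if not isinstance(nonce, str):
        return 0
    t = _tick(now)
    for age, tick in ((2, t), (1, t - 1)):
        if hmac.compare_digest(_digest(tick, action, user_id), nonce):
            return age
    return 0

def handle_options_post(form, user_id, now=None):
    """Server side of an options form, with the CSRF check the plugin lacked.

    Without it, a page on another site could auto-submit this form in the
    administrator's browser and change the settings with their session.
    """
    if not verify_nonce(form.get("_nonce", ""), "wpcr-options", user_id, now):
        return "rejected: missing or invalid nonce"
    return f"saved: {form.get('setting')}"

if __name__ == "__main__":
    uid = 7
    good = {"setting": "hide_ip", "_nonce": create_nonce("wpcr-options", uid)}
    forged = {"setting": "hide_ip"}  # what a cross-site auto-submitted form carries
    print(handle_options_post(good, uid))
    print(handle_options_post(forged, uid))
```

Two things carry over to any framework: the nonce must be tied to the acting user (a nonce minted for one session must not validate another), and the secret must never be derivable from anything the attacker can read, which is why it lives in server configuration rather than in the plugin source.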

10 Security Plugins For WP

11 responses

Speckyboy has created a list of the top 10 security plugins to use with WordPress. The plugins range from AskApache Password Protect to WP Security Scan. When asked about security at WordCamp Dallas, Matt Mullenweg responded by saying “The best thing you could do to make sure your blog is secure is to stay up to date with the latest stable versions of WordPress.” Using a strong password for your administrator account, and not using the default admin account that is created during a WordPress install, are also good practices. For more information on securing your WordPress installation, be sure to check out the Hardening WordPress article on the Codex.


Vulnerable WordPress Blogs Not Being Indexed

57 responses

Technorati has decided not to index vulnerable and exploited WordPress blogs. This comes after the recent spate of hacks discovered on various high-profile blogs and websites. What was even more interesting was that some of these hacks and exploitations might have come from covert, encrypted (obfuscated) code hidden in various themes available for free over the web. The moral of this story is that you need to upgrade your WordPress blog now to WordPress 2.5. Just so that everyone is aware, WordPress 2.5 is the latest stable version and is the version everyone should upgrade to; any older version leaves you vulnerable. [EDIT] As mentioned on the legacy 2.0 page, WordPress 2.0.11 is the latest stable download with all the latest security fixes for the 2.0 branch. However, WordPress 2.5 is still the latest and the […]


Photo Album Plugin Vulnerabilities

9 responses, posted February 21st, 2008 in WordPress Plugins, WordPress Security

S@BUN is at it again, this time reporting multiple SQL injection vulnerabilities in the Photo Album plugin for WordPress. According to the security bulletin: Multiple vulnerabilities have been identified in Photo Album (plugin for WordPress), which could be exploited by remote attackers to execute arbitrary SQL queries. These issues are caused by input validation errors in the “wppa.php” script when passing user-supplied parameters (e.g. “photo” or “album”) to certain functions (e.g. “wppa_album_name()” or “wppa_photo_name()”), which could be exploited by malicious people to conduct SQL injection attacks. Multiple security advisory services place this round of vulnerabilities at Moderate Risk. For example, FrSIRT describes Moderate risk as: Remotely and locally exploitable flaws, which could lead to denial of service or privilege escalation. Versions 1.1 and prior of this plugin are vulnerable. As always, it is recommended that you disable this plugin until a patch for it is released. [EDIT] […]

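The bulletin's "input validation errors when passing user-supplied parameters to certain functions" describes the generic pattern of an id taken from the request and pasted into SQL. The Python below is an added example of that pattern and of its fix, written against an in-memory SQLite table; it is not the plugin's code, and the table, the function names and the sample rows are constructed for the demo. The injected "album" value turns a lookup restricted to visible albums into one that returns every row.

```python
# Added example, not the Photo Album plugin's code: an album lookup that
# interpolates a request parameter into SQL, beside the parameterised fix.
import sqlite3

# Constructed sample data: (id, name, hidden). Album 2 should never be listed.
SAMPLE_ALBUMS = [(1, "Holiday 2007", 0), (2, "Private drafts", 1)]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE albums (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    con.executemany("INSERT INTO albums VALUES (?, ?, ?)", SAMPLE_ALBUMS)
    return con

def album_names_vulnerable(con, album):
    """Build the query by string formatting, as the advisory describes for the
    'album' and 'photo' parameters. The parameter becomes part of the SQL, so
    '1 OR 1=1 --' rewrites the WHERE clause and comments out the hidden check."""
    sql = f"SELECT name FROM albums WHERE id = {album} AND hidden = 0 ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def album_names_safe(con, album):
    """Validate the type first (an album is an integer id), then bind the value
    so the database driver never treats it as SQL text."""
    try:
        album_id = int(album)
    except (TypeError, ValueError):
        return []  # reject rather than guess; a real handler would return 400
    rows = con.execute(
        "SELECT name FROM albums WHERE id = ? AND hidden = 0 ORDER BY id",
        (album_id,),
    )
    return [row[0] for row in rows]

if __name__ == "__main__":
    con = make_db()
    crafted = "1 OR 1=1 --"
    print("vulnerable:", album_names_vulnerable(con, crafted))  # both albums, hidden one included
    print("safe      :", album_names_safe(con, crafted))        # []
```

Binding alone is enough to stop the injection; the int() cast is there because the cheapest validation for an id parameter is to refuse anything that is not one, which also keeps garbage out of the query log.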



Obviously Powered by WordPress. © 2003-2013
