Worst WordPress hole for five years affects 86% of sites

image

An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors’ machines.

The WP-Statistics plugin lets attackers inject JavaScript into comments, which can then infect reader computers or those of administrators.

The flaw has existed for about four years, affecting versions between 3.0 to 3.9.2 – but not version 4.0, which handles regular expressions differently.

Version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.

Klikki Oy security bod Jouko Pynnonen revealed the earlier flaw last week in technical advisory.

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication,” Pynnonen said.

He continued:

Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.

Such operations include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.

In light of the server-side impact the unauthenticated default exploit is “probably the most serious WordPress core vulnerability that has been reported since 2009”, according to Pynnonen.

He developed a proof-of-concept exploit that mopped up evidence of injected scripts before quietly using the plugin editor to write attacker-supplied PHP code on the server, changing the user’s password and creating an administrator account.

Attackers could then write more PHP code to the server through the editor. This code was instantly executed using an AJAX request to gain operating system-level access.

Other plugins that allow unprivileged users to enter HTML text could offer more attack vectors, Pynnonen said.

He has created a work-around plugin for administrators who are unable to upgrade their WordPress servers.

A third set of recently patched XSS in WP-Statistics has been discovered by Sucuri researcher Marc-Alexandre Montpas. The stored and reflected XSS in versions 8.3 and below of the WordPress plug-in also turned attackers into admins, permitting black hats to inject search engine optimisation (SEO) content into unrelated blog posts.

“… the problem is very simple,” Montpas wrote in a Nov 20 blog post. “The plugin fails to properly sanitise some of the data it gathers for statistical purposes, which are controlled by the website’s visitors.”

“If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

To finish the article and for more information follow the source link below! 

Source: The Register

Advertisements

Wikipedia has been visualized as an interactive galaxy powered by WebGL

image

Wikipedia is an almost boundless source of information — as close to a true compendium of human knowledge as we’ve ever come. It’s not very pretty, though, is it? Page after page of black text on a white background, and enough hyperlinks to suck you into a never ending vortex of related articles. Rendering Wikipedia as a nebula is more befitting its true nature, don’t you think? I just so happens there’s a Chrome experiment that does just that, and it’s called WikiGalaxy.

This Wikipedia visualization was created by French computer science student Owen Cornec. Each “star” in WikiGalaxy is a single article on Wikipedia. Highly related articles are placed close to each other in space with connections between them. So if you click on one point of light, you’ll see the text of the article in the left info panel. Over on the right are all the linked articles, which show up on the map as lines connecting the points of light. It’s interesting to see how wide-ranging some of the articles are. The beams of light might be confined to a little corner of the virtual galaxy on one article, then a neighboring page has its tendrils of influence creeping all the way across the map. To get a better feel of your meandering, you can enable the history path, which connects all the articles you’ve clicked on with a green line, winding through the stars.

The map view is the default mode, but you can also dive into fly mode for a more interactive experience. This places you in the middle of the galactic disc, surrounded by articles. The arrow keys move forward, back and side to side. The movement control is good enough, but anyone who has played a 4X game will be missing mouse zoom in map view. It just seems like you should be able to zoom in any out more quickly, and the buttons toward the upper left don’t quite cut it.

image

image

So it’s neat for poking around Wikipedia in a superficial way, but what about reading articles? The preview pane on the left is okay for getting the gist, but you can click on the title for a full page version. You can read through a whole article in this view, but the lack of links and busted table formatting make it less than ideal for in-depth research. Hey, it’s still Wikipedia in galaxy form. What more do you want? If you would like to simply enjoy the interface and click around, there’s a button up top to turn off the UI and get all those boxes out of the way. The beta version only has 100,000 articles, but that’s still a sizeable galaxy.

Cornec’s next project will be to color-code the different article categories so you’ll be able to tell what sort of article each star represents without clicking on it. More stars should be added along the way too. While this is a Chrome experiment running WebGL and HTML5, WikiGalaxy should work in most modern browsers. However, it might not play as nicely with Chrome on Macs. You can blame either Google or Apple for that — take your pick.

For more information and the original story follow the source link below.

Source: Extreme Tech