Tag Archives: HTML

Worst WordPress hole for five years affects 86% of sites

image

An estimated 86 per cent of WordPress websites harbour a dangerous cross-site scripting (XSS) hole in the popular comment system plugin, in what researcher Jouko Pynnonen calls the most serious flaw in five years. The bug could provide a pathway for attacking visitors’ machines.

The WP-Statistics plugin lets attackers inject JavaScript into comments, which can then infect reader computers or those of administrators.

The flaw has existed for about four years, affecting versions between 3.0 to 3.9.2 – but not version 4.0, which handles regular expressions differently.

Version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.

Klikki Oy security bod Jouko Pynnonen revealed the earlier flaw last week in technical advisory.

“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication,” Pynnonen said.

He continued:

Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.

Such operations include creating a new administrator account (with a known password), changing the current administrator password, and in the most serious case, executing attacker-supplied PHP code on the server. This grants the attacker operating system level access on the server hosting WordPress.

In light of the server-side impact the unauthenticated default exploit is “probably the most serious WordPress core vulnerability that has been reported since 2009”, according to Pynnonen.

He developed a proof-of-concept exploit that mopped up evidence of injected scripts before quietly using the plugin editor to write attacker-supplied PHP code on the server, changing the user’s password and creating an administrator account.

Attackers could then write more PHP code to the server through the editor. This code was instantly executed using an AJAX request to gain operating system-level access.

Other plugins that allow unprivileged users to enter HTML text could offer more attack vectors, Pynnonen said.

He has created a work-around plugin for administrators who are unable to upgrade their WordPress servers.

A third set of recently patched XSS in WP-Statistics has been discovered by Sucuri researcher Marc-Alexandre Montpas. The stored and reflected XSS in versions 8.3 and below of the WordPress plug-in also turned attackers into admins, permitting black hats to inject search engine optimisation (SEO) content into unrelated blog posts.

“… the problem is very simple,” Montpas wrote in a Nov 20 blog post. “The plugin fails to properly sanitise some of the data it gathers for statistical purposes, which are controlled by the website’s visitors.”

“If an attacker decided to put malicious Javascript code in the affected parameter, it would be saved in the database and printed as-is in the administrative panel, forcing the victim’s browser to perform background tasks on its behalf.”

To finish the article and for more information follow the source link below! 

Source: The Register

Advertisements

POPCORN TIME: Open Source Torrent Streaming

image

Popcorn Time, a cross-platform and BitTorrent-powered movie streaming app, may very well be Hollywood’s worst nightmare. The software can be best described as a Netflix for pirates, allowing users to stream the latest blockbusters at no cost. TF talks to one of the developers to find out how the app came about.

Over the years BitTorrent has become fairly mainstream, with hundreds of millions of people using torrent clients to download the latest entertainment.

Despite its popularity the downloading process can be cumbersome at times, especially for novices. Faced with this challenge Sebastian, a designer from Buenos Aires, Argentina, decided to come up with a piece of software that would make the process as easy as Netflix.

“As a designer I love the challenge of simplification. Take something hard for the common user and make it usable. I have a lot of friends who don’t understand torrents and I wanted to make it easy and effortless to use torrent technology,” Sebastian tells Torrent Freak.

image

What started out as an experiment for a group of friends soon developed into something much bigger. Popcorn Time now has 20 collaborators on Github and continues to expand at a rapid pace. Developers from all over the world have added new features and within 24 hours it was translated into six languages.

Sebastian explains that Popcorn Time uses node-webkit and is available for Windows, Mac and Linux. It’s basically a browser that uses HTML, CSS and JavaScript to serve the movie streams.

“The technology behind the app is very simple. We consume a group of APIs, one for the torrents, another for the movie info, and another for the poster. We also have an API for the subtitles. Everything is automated, we don’t host anything, but take existing information and put it together,” Sebastian says

The torrent files all come from YTS (formerly YIFY), which has an API Popcorn Time taps into. The application can search this database and allows users to stream the torrent on demand. When finished the app will continue to share for a while after the download is finished, to avoid leeching.

For more information and details follow the source link below.

Source: Torrent Freak

Link: Popcorn Time

iOS Mobile Banking Apps Vulnerable to Man in the Middle Attacks

image

It’s mighty convenient to load up a mobile banking app with a slick interface as opposed to logging into the website via your smartphone’s web browser, but in doing so, you may inadvertently be putting yourself at a greater risk of so-called mail-in-the-middle attacks, hijack attempts, and other unfriendly behavior. A recent study suggests that mobile banking apps for iOS may be less secure than you think.

A researcher at IOActive tested 40 mobile apps from 60 of the leading banks from around the world. His various tests covered transport security, compiler protection, UIWebViews, insecure data storage, logging, and binary analysis. What he found is pretty alarming.

Some 40 percent of the audited apps did not validate the authenticity of SSL certificates presented, which makes them susceptible to man-in-the-middle attacks. Almost all of them — around 90 percent — contained several non-SSL links throughout the application. According to IOActive, this allows an attacker to intercept the traffic and inject arbitrary JavaScript and HTLM code in an attempt to create a fake login prompt or some other similar scam.

The list of vulnerabilities goes on, such as half of the apps being found susceptible to JavaScript injections via insecure UIWebView implementations.

Home banking apps that have been adapted for mobile devices, such as smartphones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions,” the report concludes.

Source: Hot Hardware