Eleven disclosures this week, with two issues unfixed.
We have one theme joining the list this week: GamePlan – Event and Gym Fitness by cactusthemes.com. I mention it specifically because, while I doubt most of us are using a gym theme (though possibly for a student rec center), cactusthemes.com offers several other themes, including a university theme, that appear to share a similar vulnerability. If you are using any of their themes, I strongly recommend contacting them and asking when an update will be available.
The two authenticated SQL injection vulnerabilities disclosed this week by DefenseCode are also interesting because they require an authenticated user with permission to access the plugin's settings page in order to execute the exploit. In a default set-up, only Administrators hold that capability, and an administrator can already take over the site by much easier means. However, it is possible to create custom roles, so a non-admin user can be granted access to these plugins' settings without access to the rest of the administrative area. That should remind us to routinely review which users have access to our sites and whether they have the minimum permissions needed to perform their duties. As developers, it should also remind us that even though we check that a user has permission to access an area (that they are authorized), we can't assume every site is set up in the default manner, and an authorization check is not a substitute for a safe query. Always parameterize your queries: pass user-supplied values through $wpdb->prepare() rather than concatenating them into SQL.
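To make the developer lesson concrete, here is an added example (not code from the original post, from DefenseCode, or from either affected plugin) of a plugin settings handler written the vulnerable way and then the hardened way. The plugin name, table name, nonce action, and form field are hypothetical; the WordPress functions used (current_user_can, check_admin_referer, absint, $wpdb->prepare, $wpdb->esc_like) are real and behave as commented.

```php
<?php
/**
 * Added example, not from the original post or any named plugin.
 * "myplugin", the myplugin_events table, the nonce action and the
 * form fields are hypothetical names used only for illustration.
 */

// --- Vulnerable pattern: user input concatenated straight into SQL. ---
// Anyone who can reach this settings screen controls $_POST['event_id'],
// so the WHERE clause becomes whatever they type (e.g. "1 OR 1=1").
function myplugin_delete_event_vulnerable() {
    global $wpdb;
    $event_id = $_POST['event_id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}myplugin_events WHERE id = " . $event_id );
}

// --- Hardened pattern: authorize, verify the request, validate, parameterize. ---
function myplugin_delete_event_hardened() {
    global $wpdb;

    // 1. Authorization: test a capability, never a role name. A custom role
    //    may carry 'manage_options' without being "Administrator", and that is
    //    exactly the non-default set-up the post warns about.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the settings form must carry a nonce so a logged-in user
    //    cannot be tricked into submitting it from another site.
    check_admin_referer( 'myplugin_delete_event' );

    // 3. Validate the type before the value goes anywhere near SQL.
    $event_id = isset( $_POST['event_id'] ) ? absint( $_POST['event_id'] ) : 0;
    if ( 0 === $event_id ) {
        wp_die( esc_html__( 'Invalid event id.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    // 4. Parameterize: $wpdb->prepare() takes printf-style placeholders
    //    (%d, %s, %f) and escapes the arguments, so the user value can only
    //    ever be a value, never SQL syntax.
    $table = $wpdb->prefix . 'myplugin_events';
    $sql   = $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $event_id );
    $wpdb->query( $sql );
}

// --- The same idea for a search box, where LIKE needs one extra step. ---
// A %s placeholder escapes quotes, but LIKE wildcards (% and _) in the user
// input would still be interpreted, so the term is run through esc_like()
// first and the wildcards are added by the code, not by the user.
function myplugin_search_events_hardened( $search ) {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return array();
    }

    $table = $wpdb->prefix . 'myplugin_events';
    $like  = '%' . $wpdb->esc_like( (string) $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE title LIKE %s ORDER BY id DESC LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The capability check comes first so that the handler fails closed for any user who reaches the page through a custom role it was never meant for, and the prepared query comes last so that even an authorized user cannot turn a value into SQL. The two controls address different failures; neither one is a substitute for the other.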
Other WordPress Security News
Wordfence released its July 2017 WordPress Attack Report yesterday. My favorite plugin was back up to the number one spot for attacks on plugins. One of the interesting items was the increase in attacks on wp-rocket, which had a Local File Inclusion vulnerability disclosed at the end of July (see the July 28th Vulnerable Plugins Report). This highlights how critical it is to keep your plugins up to date: attackers are actively targeting newly disclosed vulnerabilities.
Next, Sucuri published a great post earlier this week on creating website backups with no plugins, just SSH and command-line tools. A good, clean backup of your files and database is a critical yet often overlooked component of a solid security strategy. If you already have a plugin that creates scheduled backups and stores them offsite (please don't store your backups on the same server as your website; a compromise or disk failure there takes the backups with it), then you are one step ahead of most. However, if you have ever been in the situation where a plugin won't work, or you can't find one that supports a particular storage service, you don't necessarily need a plugin. With SSH and some bash scripting you can back up your site(s) and store them on any service you need. Definitely check out their post, and don't be afraid to get your hands dirty in the terminal!
Other Security News
PostgreSQL released critical updates yesterday for all of its supported versions (9.6.x, 9.5.x, 9.4.x, 9.3.x, and 9.2.x). The updates address three vulnerabilities: empty passwords accepted as valid by certain authentication methods, an information disclosure, and a privilege escalation. If you administer a system that runs PostgreSQL, update as soon as possible.
The Apache Software Foundation also released critical updates yesterday for the Subversion client. The updates address two vulnerabilities: a denial of service and arbitrary code execution. These are particularly interesting because the attacks target Subversion clients rather than the Subversion server, and the code execution is especially concerning:
“A maliciously constructed svn+ssh:// URL would cause Subversion clients to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a[sic] honest server (to attack another user of that server’s repositories), or by a proxy server.”
You will need to update your Subversion client, which can be awkward when the client is embedded in your IDE or bundled with another tool that sits on top of it; in that case, check with that vendor for an update. Running svn --version tells you which command-line client you have, but it will not reveal separate copies bundled inside other tools, so check each one.