Archive for July, 2014


WordPress Plugin Vulnerability Exploited in the Wild to Hack Thousands of Websites

WordPress users who have a popular, unpatched WordPress plugin installed are being cautioned to upgrade their sites immediately. WordPress is a free and open source blogging tool and content management system (CMS).

A serious vulnerability in the WordPress plugin MailPoet allows an attacker to upload any file to the server, including malware, defacements and spam, without any authentication.

MailPoet, formerly known as Wysija Newsletter, is a WordPress plugin with more than 1.7 million downloads that lets WordPress site owners send newsletters and manage subscribers from within the content management system.

In a blog post, Daniel Cid, security researcher and CEO of the security firm Sucuri, described the vulnerability as serious and said that within three weeks of its disclosure, over 50,000 websites had been remotely exploited by cybercriminals targeting the vulnerable MailPoet plugin to install backdoors.

Some of the compromised websites don’t even run WordPress or don’t have the MailPoet plugin enabled, because the malware can infect any website that resides on the same server as a hacked WordPress website, according to the researcher.

“The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files,” Cid said in a blog post. “All the hacked sites were either using MailPoet or had it installed on other sites within the same shared account — cross-contamination still matters.”

To be clear, the MailPoet vulnerability is the entry point; it doesn’t mean your website has to have the plugin enabled or installed. If it resides on the server, in a neighbouring website, it can still affect your website.

The security firm first reported the vulnerability at the beginning of this month. The backdoor installed is very nasty: it creates an admin account that gives attackers full administrative control, and it injects backdoor code into all themes and core files.

The worst part of this infection is that the malicious code also overwrites valid files, which are very difficult to recover without a good backup in place. It causes many websites to fall over and display the message:

Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91.

The security firm clarifies that every version of MailPoet is vulnerable except the most recent release, 2.6.7. Users are therefore advised to update as soon as possible.

Sucuri is dedicated to finding vulnerabilities in the WordPress CMS and encouraging users to install updates. A week ago it urged users to upgrade the WPtouch WordPress plugin because of a vulnerability that could allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server without admin privileges.
A few weeks earlier, Sucuri also found two serious vulnerabilities in the popular WordPress SEO plugin “All in One SEO Pack” and a critical Remote Code Execution (RCE) flaw in the “Disqus Comment System” WordPress plugin.


via The Hacker News http://ift.tt/1kX3bRb

HTML5 Canvas Fingerprint — Widely Used Unstoppable Web Tracking Technology

Until now we have seen traditional ways of tracking web users, such as cookies saved on the user’s system, but cookies may not remain available to many companies forever, and a new method of tracking users has emerged that works without cookies.

For the last two years, many websites and tracking scripts have been exploiting the fingerprinting potential of HTML5 Canvas, an HTML element used to generate images dynamically within a web page in your browser.

EACH BROWSER GENERATES DIFFERENT IMAGE

Basically, web browsers use different image processing engines, export options and compression levels, so each computer draws the same image slightly differently. Those differences can be used to assign each user’s device a number (a fingerprint) that uniquely identifies it; this is browser fingerprinting.

According to a research paper published by computer security experts from Princeton University and KU Leuven University in Belgium, canvas fingerprint tracking has made it more difficult for even sophisticated computer users to protect their privacy.

Canvas fingerprinting uses the HTML5 Canvas API and JavaScript to generate graphics dynamically. Like other tracking tools, the method has been used by thousands of websites, from WhiteHouse.gov to YouPorn.com, to profile their visitors over the past two years.
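
The following is an added example, not code from the article or from the Princeton/KU Leuven paper, written from the defender’s side: a read guard in the spirit of what Tor Browser and privacy extensions do. A fingerprinting script draws into a canvas that is never attached to the page and then reads the pixels back with toDataURL() or toBlob(); the rendering differences described above make that readback a stable identifier. The guard wraps the readback methods, logs every read, and returns an empty image for canvases that are not part of the document. The function name, the option names and the “not connected to the document” policy are this example’s own assumptions.

```javascript
// Added example (not from the article): a read guard for the HTML5 Canvas API.
// Fingerprinting scripts draw into an off-screen canvas and read the pixels
// back; the guard intercepts the readback methods, records each read and
// blocks reads from canvases that were never attached to the document.

function installCanvasReadGuard(canvasProto, options = {}) {
  const events = [];
  // Default policy: block reads from canvases not attached to the document
  // (isConnected === false). A page that legitimately exports an off-screen
  // canvas can pass its own shouldBlock().
  const shouldBlock =
    options.shouldBlock || ((canvas) => canvas.isConnected === false);

  for (const name of ['toDataURL', 'toBlob']) {
    const original = canvasProto[name];
    if (typeof original !== 'function') continue; // nothing to wrap (partial shim)

    canvasProto[name] = function guardedRead(...args) {
      const blocked = shouldBlock(this);
      events.push({
        method: name,
        width: this.width,
        height: this.height,
        connected: this.isConnected === true,
        blocked,
      });
      if (!blocked) return original.apply(this, args);

      // Blocked: hand back an empty image instead of real pixels.
      // toDataURL() on an empty canvas yields "data:," so callers that
      // expect a string still get one; toBlob() receives null via its callback.
      if (name === 'toBlob') {
        const cb = args[0];
        if (typeof cb === 'function') cb(null);
        return undefined;
      }
      return 'data:,';
    };
  }

  return {
    events: () => events.slice(),
    // Count of blocked reads: a quick signal that a page tried to fingerprint.
    blockedCount: () => events.filter((e) => e.blocked).length,
  };
}

// In a real browser, install the guard before any page script runs, for
// example from an extension content script at document_start.
if (typeof HTMLCanvasElement !== 'undefined') {
  installCanvasReadGuard(HTMLCanvasElement.prototype);
}
```

The “never attached to the document” heuristic has false positives (image editors and chart libraries also export off-screen canvases), which is why Tor Browser prompts the user on a canvas read rather than silently blocking it; the events log is what such a prompt or a per-site report would be built from.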

The paper describes three recently developed online tracking mechanisms — “canvas fingerprinting,” “evercookies” and “cookie syncing” — that can be used to track and potentially identify users across the websites around the world without even their knowledge or consent.

CANVAS TRACKING IN WEB ADVERTISEMENTS

These tracking methods are most likely used by online advertising companies that want to understand consumers’ online behaviour, which they learn by building interest-based profiles of the individual visitors to their websites.

Generally, when people clear or block the cookie files that websites place on their computers, advertisers can no longer recognise the visitors viewing their advertisements, which makes advertising less effective and less profitable. So the companies have kept experimenting with better ways to get information about website visitors.

A few big advertising companies have already migrated their Flash-based banner ads to HTML5 Canvas-based animated graphics.

“Canvas fingerprinting, a recently developed form of browser fingerprinting, has not previously been reported in the wild; our results show that over 5% of the top 100,000 websites employ it,” wrote the researchers.

One of the biggest US-based web-tracking and social-sharing widget companies, AddThis, is responsible for most of the canvas fingerprinting observed (95%).

HTML5 Canvas is not limited to image processing; it can also respond to a user’s actions by listening for keyboard, mouse or touch events. A detailed HTML5 Canvas tutorial is available on Mozilla’s website, and sample scripts are available on GitHub.

CANVAS FINGERPRINTING SUPPORTED BY ALL MAJOR BROWSERS

HTML5 Canvas is supported by all major browsers and can be accessed on a wide range of devices, including desktops, tablets and smartphones. Users can visit this link to check Canvas support and run a fingerprint test for their web browser.

There is no doubt that canvas fingerprinting is quite difficult to block, but if you’re using Tor Browser, you are protected against it.


via The Hacker News http://ift.tt/1neWgrk


A distasteful trend has begun among cyber crooks: they leave no occasion, good or bad, unexploited in their efforts to snatch users’ financial information, make money and spread malware.

The tragedy of the crashed Malaysia Airlines flight MH17 is no exception for criminal minds. They are exploiting the disaster that took place last week in the disputed territory.

The scams all relate to Malaysia Airlines Flight MH17, a Boeing 777 carrying 283 passengers and 15 crew members that was shot down over eastern Ukraine on July 17 by a ground-to-air missile. So far it is unclear who is behind the tragic incident; Ukraine and the insurgents blame each other.

Within just a week, at least six bogus Facebook pages popped up in the names of the Boeing 777 victims. According to Australia’s Sydney Morning Herald, three of the fraudulent pages were created in the names of children who were on the plane and died.

The bogus Facebook pages turned out to be click-fraud traps, in which visitors are served a link to a phony website claiming to contain detailed information about the MH17 plane crash. Once clicked, users are hit with a series of pop-up ads for online gambling sites and other shady services. The pages have since been shut down by Facebook, but this doesn’t stop scammers.

I too caught a fake video circulating on Facebook with a fake message that promised to provide real footage of the missile bringing down the aircraft. It baited people into clicking through to another website with a link purporting to show footage of the MH17 disaster.

“Video Camera Caught the moment plane MH17 Crash over Ukraine. Watch here the video of Crash,” the link read.

Like other click-fraud pages, when I clicked on the video purporting to provide access to the full footage of the tragic incident, it prompted me to share it with my Facebook friends in order to play the video, so that the bogus video would spread to other users, and so on.

Obviously, I didn’t choose to, but whether you do or not, in both cases the site redirects users to another domain that prompts them to download a video player (a Windows executable file) in order to play the video.

For people who want to watch the MH17 shoot-down video, this leads to downloading malware or potentially unwanted programs (PUPs) onto their systems, similar to what we have seen in many other spam campaigns of this type.
This is neither the first nor the last attempt by cyber criminals to leverage the MH17 tragedy. Last week, cyber crooks used Twitter to spread short links that directed victims to web pages known to be linked with a variant of the Zeus Trojan and with Sality malware, in order to steal the victims’ financial information and infect their systems.

We strongly recommend that you do not trust such videos and instead follow reputable news websites for legitimate information about the incident. Stay safe!


via The Hacker News http://ift.tt/WvDbqt

Cyber Criminals Use Malaysia Airlines Flight MH17 Plane Crash News to Bait Users
Any occasion that captures public attention, regardless of how sensitive, turns out to be an opportunity for spammers and hackers to snatch users’ personal information and spread malware, and the tragedy of the crashed Malaysia Airlines flight MH17 is no exception.

According to US intelligence officials, Malaysia Airlines Flight MH17, a Boeing 777 carrying 283 passengers and 15 crew members, was struck by a ground-to-air missile. So far it is unclear whether the missile was launched by the Russian military or by pro-Russian separatist rebels; Ukraine and the insurgents blame each other.

Spammers and cybercriminals were quick to take advantage of the tragedy and started spreading malware through social media websites, abusing the mystery behind the crash of Malaysia Airlines Flight MH17.

Researchers at the anti-virus firm Trend Micro came across suspicious tweets written in Indonesian. The cybercriminals are using the trending hashtag #MH17 to lure users who are looking for news about the Malaysia Airlines Flight MH17 crash.

The suspicious tweets started spreading just after Malaysia Airlines tweeted on July 17: “Malaysia Airlines has lost contact of MH17 from Amsterdam. The last known position was over Ukrainian airspace.”

Hundreds of users have already retweeted those malicious tweets, indirectly encouraging their own followers to visit the malicious links.


The website sits on shared hosting located in the US that also hosts a number of legitimate domains, and researchers concluded that the purpose of the spam campaign could be to draw visitors in order to make money from advertising.

Moreover, the same shared hosting also hosts a number of malicious domains connected to a ZeuS variant and to SALITY malware. ZeuS is well known for stealing users’ financial information, while SALITY is a “malware family of file infectors that infect .SCR and .EXE files,” researchers said in a blog post.

“Once systems are infected with this file infector, it can open their systems to other malware infections thus compromising their security.”

This is not the first time cyber criminals have exploited Malaysia Airlines news. A few months back, spammers used the missing Malaysian plane to spread malware on social networking sites including Facebook, abusing the mystery behind Malaysia Airlines Flight MH370, a Boeing 777-200 that went missing while flying from Kuala Lumpur to Beijing.


via The Hacker News http://ift.tt/1oTXVyM

At the beginning of the month, we reported on a new surge of the Stuxnet-like malware “Havex”, which had previously targeted organizations in the energy sector, had been used to carry out industrial espionage against a number of companies in Europe, and had compromised over 1,000 European and North American energy firms.

Recently, researchers at the security firm FireEye discovered a new variant of the Havex remote access Trojan that can actively scan for OPC (Object Linking and Embedding for Process Control) servers, which are used to control SCADA (Supervisory Control and Data Acquisition) systems in the critical infrastructure, energy and manufacturing sectors.

OPC is a communications standard that allows Windows-based SCADA and other industrial control system (ICS) applications to interact with process control hardware. The new Havex variant gathers system information and data stored on a compromised client or server using the OPC standard. OPC is pervasive and is one of the most common ICS protocols.

“Threat actors have leveraged Havex in attacks across the energy sector for over a year, but the full extent of industries and ICS systems affected by Havex is unknown,” wrote the researchers from FireEye in a blog post. “We decided to examine the OPC scanning component of Havex more closely, to better understand what happens when it’s executed and the possible implications.”

Researchers set up a typical OPC server environment to test the new variant’s functionality in real time. ICS or SCADA systems consist of OPC client software that interacts directly with an OPC server, which works in tandem with a PLC (Programmable Logic Controller) to control industrial hardware.

Once inside the network, the Havex downloader calls the runDll export function and then starts scanning for OPC servers in the SCADA network.

To identify potential OPC servers, the OPC scanner module uses the Windows Networking (WNet) functions WNetOpenEnum and WNetEnumResources, which enumerate network resources and existing connections.

“The scanner builds a list of all servers that are globally accessible through Windows networking,” researchers wrote. “The list of servers is then checked to determine if any of them host an interface to the Component Object Models (COM).”

Using the OPC scan, the new Havex variant can gather details about connected devices and send them back to the command-and-control server for the attackers to analyse. It appears that this new variant is used as a tool for intelligence gathering ahead of future operations.

“This is the first ‘in the wild’ sample using OPC scanning. It is possible that these attackers could have used this malware as a testing ground for future utilization, however,” researchers wrote.

So far, researchers have not seen any attempt to control the connected hardware. The attack path, the developer and the intention behind the malware are still not known, but researchers are investigating and gathering all the information they can about the new variant.


via The Hacker News http://ift.tt/1ryxpPv

NSA Employees Routinely Pass Around Intercepted Nude Photos
The 31-year-old former US National Security Agency (NSA) contractor Edward Snowden has warned that, among other things, NSA system administrators intercepted nude photos of people in “sexually compromising” situations during surveillance and routinely passed them around among other NSA employees.
In a video interview, the NSA whistleblower spoke with Guardian editor-in-chief Alan Rusbridger and reporter Ewen MacAskill in Moscow; the interview was published by the Guardian on Thursday.

WOOOH!! ATTRACTIVE NUDIE PICS – PASS IT ON TO BILL TOO

“You’ve got young enlisted guys, 18 to 22 years old. They’ve suddenly been thrust into a position of extraordinary responsibility where they now have access to all of your private records,” he said in the video interview.

“During the course of their daily work they stumble upon something that is completely unrelated to their work in any sort of necessary sense – for example, an intimate nude photo of someone in a sexually compromising situation, but they’re extremely attractive. So what do they do? They turn around in their chair and show their co-worker.

“The co-worker says: ‘Hey that’s great. Send that to Bill down the way.’ And then Bill sends it to George and George sends it to Tom. And sooner or later this person’s whole life has been seen by all of these other people. It’s never reported.”

When the Guardian’s Alan Rusbridger asked Snowden, “You saw instances of that happening?”

Snowden responded positively, saying, “Yeah.”

“Numerous?”

“It’s routine enough, depending on the company that you keep, it could be more or less frequent,” Snowden says. “These are seen as the fringe benefits of surveillance positions.”

NO COMEBACK OF THOSE PICS

The people whose private lives have been exposed never know about it, because the NSA’s internal auditing procedures are so weak that there is no comeback for those intercepted naked photos.

“The fact that your private images, records of your private lives, records of your intimate moments have been taken from your private communications stream from the intended recipient and given to the government without any specific authorization without any specific need is itself a violation of your rights,” he added and questioned, “Why is that in a government database?”

DROPBOX – HOSTILE TO PRIVACY

Edward Snowden said cloud storage service Dropbox is “hostile to privacy,” and called for more companies to offer services that prevent government snooping.

Snowden highlighted the cloud storage provider SpiderOak, which offers greater protection to its users. The company stores all user data for backups, but only in encrypted form, so its employees do not have access to the user data, and if the government asks for user data the company cannot hand over any meaningful or decrypted content.

Snowden called Dropbox a “PRISM wannabe.” He noted that Dropbox recently appointed former US Secretary of State Condoleezza Rice to its board of directors; Snowden said she is “hostile to privacy” and described her as “the most anti-privacy official you can imagine.”

Accountants, lawyers and doctors should all level up their skills, Snowden said, and journalists in particular should be aware that a single slip-up could compromise their sources.

I COULD LIVE IN U.S. PRISON — SNOWDEN

Snowden addressed a number of things, noting that if he ended up in the US prison facility at Guantánamo Bay, Cuba, he could “live with” that. He again dismissed any claim that he was or is a Russian spy or agent, describing those allegations as “bullshit.”

“I’m not going to presume to know what a jury would think, or to say what they should or should not think. But I think it’s fair to say that there are reasonable and enduring questions about the extent of these surveillance programs, how they should be applied and that should be the focus of any trial,” he said.

UPDATE

The NSA’s spokesperson said such activity wouldn’t be tolerated, but didn’t explicitly deny Snowden’s claim.

“NSA is a professional foreign-intelligence organization with a highly trained workforce, including brave and dedicated men and women from our armed forces,” said spokesperson Vanee Vines by email. “As we have said before, the agency has zero tolerance for willful violations of the agency’s authorities or professional standards, and would respond as appropriate to any credible allegations of misconduct.”


via The Hacker News http://ift.tt/1tdbXzQ

New Pushdo Malware Hacks 11,000 Computers in Just 24 Hours
One of the oldest active malware families, Pushdo, is again making its way onto the Internet and has recently infected more than 11,000 computers in just 24 hours.
Pushdo, a multipurpose Trojan, is primarily known for delivering financial malware such as ZeuS and SpyEye onto infected computers, or for running spam campaigns through a commonly associated component called Cutwail that is frequently installed on compromised PCs. Pushdo was first seen over 7 years ago and was a very prolific virus in 2007.
Now a new variant of the malware has been updated to use a new domain-generation algorithm (DGA) as a fallback mechanism for its normal command-and-control (C&C) communication.
A DGA dynamically generates a list of domain names from an algorithm, with only one of them live at any time, so blocking on previously ‘seen’ Command & Control domain names becomes nearly impossible.

With the help of a DGA, cyber criminals gain a series of advantages: overcoming domain blacklisting, resisting domain takedowns by simply registering another domain generated by the same DGA, and frustrating dynamic analysis and extraction of C&C domain names.
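
What a DGA fallback looks like from the resolver’s side, as an added example that is not from the article or from Bitdefender: because only one generated name is registered at a time, an infected host burns through names that do not resolve, producing a burst of NXDOMAIN answers for random-looking domains, then one that does resolve. The pass below parses DNS log lines, scores each name lexically, and reports clients with that pattern. The log format, every domain name, the entropy and vowel thresholds, and the function names are all constructed for this example; real resolver logs and real DGAs differ.

```javascript
// Added example (not from the article): hunting DGA-style lookups in DNS logs.
// Constructed sample lines: "<timestamp> <client-ip> <qname> <rcode>"
const SAMPLE_DNS_LOG = `
2014-07-20T10:00:01Z 10.0.0.5 www.example.com NOERROR
2014-07-20T10:00:02Z 10.0.0.5 mail.example.com NOERROR
2014-07-20T10:00:03Z 10.0.0.9 xkq7vmzplt9qf.com NXDOMAIN
2014-07-20T10:00:03Z 10.0.0.9 bq2wlr8hzkdpc.net NXDOMAIN
2014-07-20T10:00:04Z 10.0.0.9 j9tmqzvxrw4kl.com NXDOMAIN
2014-07-20T10:00:04Z 10.0.0.9 zvq8xkcplrt2m.org NXDOMAIN
2014-07-20T10:00:05Z 10.0.0.9 ytkwm3qzrvlxp.com NXDOMAIN
2014-07-20T10:00:06Z 10.0.0.9 hqzl7xvwkrmtp.com NOERROR
2014-07-20T10:00:07Z 10.0.0.7 cdn.example.org NOERROR
2014-07-20T10:00:08Z 10.0.0.7 typo.exmaple.com NXDOMAIN
`;

function parseDnsLog(text) {
  return text
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const [ts, client, qname, rcode] = line.split(/\s+/);
      return { ts, client, qname: qname.toLowerCase(), rcode };
    });
}

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// The label left of the TLD. A real deployment would consult the public
// suffix list so that "example.co.uk" yields "example"; taking the
// second-to-last label is a simplifying assumption of this example.
function coreLabel(qname) {
  const labels = qname.split('.').filter(Boolean);
  if (labels.length === 0) return '';
  return labels.length >= 2 ? labels[labels.length - 2] : labels[0];
}

// Lexical heuristic: long, high-entropy labels with few vowels or many digits
// are typical of generated names. The thresholds are tuning assumptions.
function looksGenerated(qname) {
  const label = coreLabel(qname);
  if (label.length < 10) return false; // short labels are usually real words
  const vowelRatio = (label.match(/[aeiou]/g) || []).length / label.length;
  const digitRatio = (label.match(/[0-9]/g) || []).length / label.length;
  return shannonEntropy(label) >= 3.2 && (vowelRatio < 0.25 || digitRatio > 0.15);
}

// Per-client view: how many generated-looking names failed to resolve, and
// which generated-looking names did resolve. Clients with at least
// minFailures failures are reported; their resolved names are the live C&C
// candidates to block and check against threat intelligence.
function findDgaSuspects(records, minFailures = 3) {
  const perClient = new Map();
  for (const r of records) {
    if (!looksGenerated(r.qname)) continue;
    const s = perClient.get(r.client) || { client: r.client, nxdomain: 0, resolved: [] };
    if (r.rcode === 'NXDOMAIN') s.nxdomain += 1;
    else s.resolved.push(r.qname);
    perClient.set(r.client, s);
  }
  return [...perClient.values()].filter((s) => s.nxdomain >= minFailures);
}

function run() {
  return findDgaSuspects(parseDnsLog(SAMPLE_DNS_LOG));
}

for (const s of run()) {
  console.log(
    `${s.client}: ${s.nxdomain} failed generated-looking lookups; ` +
      `resolved: ${s.resolved.join(', ') || 'none'}`
  );
}
```

The NXDOMAIN burst is the more robust of the two signals: a lexical score alone also flags CDN hostnames and hashed subdomains, whereas a single client failing many high-entropy lookups in a short window is rare in normal traffic. In a real deployment the window would be time-bounded and the resolved names fed into a blocklist review rather than blocked automatically.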

According to researchers at Bitdefender, about 6,000 compromised systems in the 1.5 million-strong botnet now host this new Pushdo variant. The countries most affected so far by the new variant are India, Vietnam and Turkey, but systems in the United Kingdom, France and the United States have also been hit, according to the security software firm.

MOST AFFECTED COUNTRIES

  • Vietnam – 1319
  • India – 1297
  • Indonesia – 610
  • United States – 559
  • Turkey – 507
  • Iran, Islamic Republic of – 402
  • Thailand – 345
  • Argentina – 315
  • Italy – 302
  • Mexico – 274

The Romanian firm reckons 77 systems have been compromised in the UK in the past 24 hours alone, with more than 11,000 infections reported worldwide over the same period.

“We managed to successfully intercept Pushdo traffic and gain some idea of the size of this botnet,” states Catalin Cosoi, chief security strategist at Bitdefender.

“The sheer scale of this criminal operation, unsophisticated as it may be, is rather troubling and there are indications that the botnet is still in a growth phase. We shall be continuing our investigation as a key priority and further updates shall be made available in the coming days.”

Despite four takedowns of Pushdo command-and-control (C&C) servers in past years, the botnet endures, evolving and flourishing by continuously adding evasion techniques to mask its C&C communications.

Apart from the DGA, the attackers have also refreshed the public and private encryption keys used to protect communication between the bots and the command-and-control servers, though the communication protocol itself remains the same.

They have also added an “encrypted overlay” to the latest Pushdo binaries, which acts as a “checkup”, ensuring the malware sample doesn’t run properly unless certain conditions specified in the overlay are met, said the blog post.

This new approach by the cyber criminals will make life harder for the FBI and other law enforcement agencies that are working to take down botnets across the world.


via The Hacker News http://ift.tt/1tWoYBX

Germany: Stop using Computers and Consider Typewriters to stop Spying
So far we have heard that the use of privacy tools by every individual and the offering of encrypted communication by every company is the only solution to mass surveillance conducted by governments and law enforcement authorities. But Germany says the only solution to guard against surveillance is: stop using computers!!

Ohh Please!! Is it a joke?

No, it does not mean that they are going to throw out all of their computer systems, but rather that computers would be used less for the most sensitive work.

A year ago, when it came to light that German Chancellor Angela Merkel’s own mobile phone had been spied on by the US National Security Agency (NSA) for years, surveillance became a big issue for Germany; so big that prominent politicians are seriously considering using manual typewriters instead of computers for sensitive documents.

The head of Germany’s NSA Inquiry Committee, Patrick Sensburg, said in an interview with the Morgenmagazin TV show on Monday night that the government is seriously considering a low-tech solution to the ongoing espionage problem, to keep American eyes off sensitive documents.

According to the Guardian’s translation of the German interview:

Interviewer: Are you considering typewriters?

Sensburg: As a matter of fact, we have – and not electronic models either.

Surprised interviewer: Really?

Sensburg: Yes, no joke.

Sensburg is heading the Bundestag’s parliamentary inquiry into the NSA’s activities on German soil and is well placed to know about the serious concerns caused by foreign states’ surveillance programs.

Germany’s NSA Inquiry Committee was established in March to investigate allegations by NSA whistleblower and former contractor Edward Snowden that the United States government has been eavesdropping on Germans and even bugged Chancellor Angela Merkel’s personal cell phone, an issue that has strained relations and raised trust issues between the old allies, Berlin and Washington.

Relations between the two became even worse earlier this month, when Germany arrested a German intelligence officer who worked as a double agent and passed information to the CIA about the parliament’s NSA investigation. According to Sensburg, US snooping is ongoing.

After Edward Snowden released his first documents about the US government’s surveillance activities, Russia also considered reverting to old-school forms of communication, and bought 20 electric typewriters last year to keep internal communications more private, according to the Moscow Times.

“Any information can be taken from computers,” a Russian member of parliament said. “[F]rom the point of view of keeping secrets, the most primitive method is preferred: a human hand with a pen or a typewriter.”

IN-SHORT

But just think how practical this really is. To safeguard ourselves from spying, we should start using typewriters instead of email? What does that mean? It means we should go on foot instead of using cars, just to protect ourselves from accidents. Agree? Well, I do not!

Every individual, and even government authorities, should instead be encouraged to use the best privacy tools and encrypted communication only; this would protect them from the risk of spying.


via The Hacker News http://ift.tt/1l3cgIb

Update Your Java to Patch 20 Vulnerabilities Or Just Disable it

Today Oracle released its quarterly Critical Patch Update (CPU) for July, as part of its security bulletin, in which it fixes a total of 113 new security vulnerabilities across hundreds of the company’s products.

The security update for Oracle’s popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, meaning an attacker wouldn’t need a username and password to exploit them over a network.

MOST CRITICAL ONE TO PATCH FIRST

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most critical rating on that scale, i.e. a base score of 10 or close to it.

Numerous other Oracle products and components are addressed in the latest security updates, which fix around 29 vulnerabilities in Oracle Fusion Middleware, of which 27 enable remote code execution, seven vulnerabilities in Hyperion products, and five apiece for Oracle Database and E-Business Suite. But Java was the only product affected by issues carrying the highest critical rating.

So the Java patches are the most urgent and should be at the top of your list: one of the Java SE vulnerabilities in this update (CVE-2014-4227) scores ten out of ten on the CVSS scale, and seven of the other Java SE client vulnerabilities received a CVSS score of 9.3.

Oracle Database Server is also updated for five vulnerabilities, one of which is remotely exploitable, while 10 patches are released for MySQL Server, none of them remotely exploitable.

JAVA WILL CONTINUE TO SUPPORT WINDOWS XP

The company recently announced that it would no longer support Java on Windows XP, though it expects Java 7 to continue to work on Windows XP and Oracle security updates for Java on XP machines to continue.

“This end of support announcement has been misread as ‘Java no longer works on Windows XP’ or ‘Oracle will stop Java updates from being applied on Windows XP.’ These statements are not correct,” said Oracle vice-president of product management in the Java Platform Group Henrik Stahl.

“We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future. In particular, we expect that JDK 7 will continue to work on Windows XP.”

However, Java 8 is not designed to install on Windows XP at all, so the installer for the developer releases of Java 8 will not run on it without manual intervention.

PATCH OR SIMPLY DISABLE JAVA?

Java runs on more than 850 million personal computers and on billions of devices worldwide, so protecting against Java zero-day exploits is a rising concern for millions of Windows, Mac OS and Linux users.

Security experts recommend not installing Java if you don’t already have it, and perhaps even disabling it if you have it but do not regularly use an application or visit a website that requires Java.

UPDATE YOUR SYSTEMS NOW

The company is urging its customers to update their systems as soon as possible. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the firm warned.

Oracle has published the full details about the list of patches here.


via The Hacker News http://ift.tt/W9Nb8P

WPTouch WordPress Plugin Vulnerability allows Hackers to Upload PHP backdoors
If you run a mobile version of your WordPress website using the popular WPtouch plugin, you may be exposed to a critical vulnerability that could allow any non-administrative logged-in user to upload malicious PHP files or backdoors to the target server without admin privileges.
WordPress is a free and open source blogging tool and content management system (CMS) with 30,000 plugins, each offering custom functions and features that let users tailor their sites to their specific needs.

That is why it is easy to set up and is used by more than 73 million websites across the world; about 5.7 million of them use the WPtouch plugin, making it one of the most popular plugins in the WordPress plugin directory.

WPtouch is a mobile plugin that automatically enables a user-friendly and elegant mobile theme for rendering your WordPress website’s content on mobile devices. Users can customize many aspects of its appearance from the administration panel and deliver a fast, user-friendly and stylish version of their site to mobile visitors, without modifying or affecting the desktop version of the theme.

PHP SHELL UPLOAD VULNERABILITY

Security researchers at Sucuri have warned WordPress users to update the popular WPtouch plugin after they uncovered a security vulnerability that could allow any logged-in user, without administrative privileges, to take over the website by uploading a backdoor into the website’s directories.

The vulnerability was discovered during a routine audit for the company’s web application firewall (WAF). Researchers said that only websites that allow guest user registration, which is enabled by default for the comments section of the site, are at risk.

The vulnerable version of the plugin uses the “admin_init” hook in WordPress as an authentication method, which lets a user gain unrestricted access to the website by uploading malicious PHP files to the server.

The flaw is simple. The “admin_initialize()” method is called by the “admin_init” hook in the file “core/classwptouchpro.php.” The admin nonce (number used once) is then generated and included in the WordPress script queue.

“This nonce was also used to verify whether or not a user could upload files to the server. As the script didn’t use any other form of identification to check or authenticate the user’s privilege to upload files, it was possible for any user to complete the upload in there,” says the blog post.

STEPS TO HACK A WORDPRESS WEBSITE

All an attacker had to do in order to compromise a vulnerable website was to:

  • Log in and get his nonce via wp-admin
  • Send an AJAX file upload request containing the leaked nonce and his backdoor

So, long story short: don’t rely only on nonces to protect sensitive methods; always add functions such as “current_user_can()” or the like to confirm a user’s right to do something.

The vulnerability only affects websites running plugin versions 3.x, so users and website administrators who rely on earlier versions have nothing to worry about, but they should update regardless.

The WPtouch issue is not the only security vulnerability researchers at Sucuri have discovered. At the beginning of June, Sucuri found two serious vulnerabilities in the popular WordPress SEO plugin “All in One SEO Pack”.
The security team also discovered a critical Remote Code Execution (RCE) flaw in the ‘Disqus Comment System’ WordPress plugin a few weeks earlier.


via The Hacker News http://ift.tt/1rdwJS2