Fourteen disclosures this week, with five issues unfixed, and one that is critical.
View this week’s vulnerable plugins list.
The critical disclosure this week is an Arbitrary File Upload vulnerability in the plugin All Post Contact Form. It appears that the plugin doesn’t do any checking on the file type that is being uploaded and saves it to the uploads directory. This means an attacker could upload a backdoor script to your site and then access it in your site’s /wp-content/uploads/ directory. If you remember back to my Access Denied presentation, this scenario is precisely why I suggest denying access to all file types in the uploads directory except for those you specifically want the public to have access to. It is highly recommended that you remove this plugin immediately.
While not in the report this week, I came across a google dork entry in exploit-db.com that targets the .user.ini file generated by the WordFence plugin. The .user.ini file contains a full path listing to the wordfence-waf.php file. By default, the plugin should include an entry in the site’s .htaccess file to deny access to this file. In addition, it should warn nginx user’s to include an entry in their configuration file. However, it doesn’t appear that the plugin verifies an .htaccess file is actually in use, or that the nginx configuration has been made. IIS users are simply out-of-luck with no warning or instructions on how to deny access to the file. A quick search shows that there are quite a few sites out there using Wordfence with no protection against disclosing this information. Now, the disclosure of the full path by itself won’t compromise your site. However, this information can be used in combination with other attacks that require knowing the server path. Regardless, if you use Wordfence, I would suggest checking your site to see if you can access the .user.ini file. If so, make sure to add the configuration changes needed in order to block it from public access. If you run into issues figuring out how to do so, reach out to me and I’ll assist.
WordPress Security News
In other WordPress security news, version 4.8.2 was released earlier this week. 4.8.2 addresses nine security issues, and six maintenance issues. Hopefully you have auto-updates enabled and have already received the update, but if not, you should update as soon as feasibly possible.
Other Security New
In other security news that might affect you, a new Apache vulnerability dubbed OptionsBleed was disclosed this week that affects versions of Apache 2.2.34 and earlier, and version 2.4.27 and earlier. Apache has released a patch to fix the issue. Without getting too technical, if a misconfiguration has occurred in a user’s web account, a malicious actor can send a request to the server, and due to the misconfiguration, Apache will leak contents from memory. Since the misconfiguration can occur in the user’s account, a malicious actor could intentionally cause the misconfiguration in a shared hosting environment. NakedSecurity has a great write-up if you’re interested in the technical specifics. If you are on shared hosting, I would suggest talking to your host and make sure they have patched their systems.
Next up, many of us use slack as a way to collaborate among workers, friends and community members. Most often, those slack teams are meant only for people who should have access. Researcher Inti De Ceukelaire recently discovered a way to bypass that gateway and gain access to many companies’ internal communications by using their online ticket systems, or online help desk systems. By using a company’s support email (e.g. firstname.lastname@example.org), he was then able to sign into a company’s slack channel. He’s dubbed the bypass TicketTrick and unfortunately, the same issue affects Yammer and Facebook Workplace. As for remediation, one option is to make your team invite-only instead of basing it on company email. The other is to consider using different domain names for their email issue trackers and support help desks.