Seven disclosures since last week, with only one issue unfixed.
View this week’s vulnerable plugins list.
Please note there are a couple of fairly popular plugins in this week’s list: MainWP-Child, and WP Fastest Cache. Make sure to get these updates into your change management cycle as soon as possible.
Other Security News
Earlier this week, an authentication bypass vulnerability was announced in several SAML libraries, including Shibboleth. In addition, SimpleSAMLPHP announced a critical update that is unrelated to the disclosure by Duo. The specifics of the vulnerability are currently embargoed. If you use SimpleSAMLPHP, you are strongly encouraged to update to 1.15.4 as soon as possible.
There’s been quite a bit of talk over the last couple of weeks about a CSS-based keylogger Proof-of-Concept that was released recently. While its exploitability is fairly limited right now, it is an excellent reminder that no third-party code is safe, be it CSS, JS, a Composer or npm dependency, a plugin or a theme. When you add third-party code, you are essentially opening the doors of your site/project to that code and trusting that what it does won’t harm you or your users. It’s good practice to keep your dependencies to a bare minimum and to audit those dependencies on a continual basis.
Speaking of reminders, as an institution, it’s a good idea to go out snooping every once in a while for leaks from your organization. It’s been a while since I went looking, and I decided to see what I could find. Within a couple of minutes, I found several working credentials for systems on our campus, as well as a collection of PDFs containing student names and IDs. If you’ve never done exploring like this, exploit-db.com has a large database of Google dorks to get you started. Combine some of those search patterns with either known systems in your networks, or nicknames for those systems, to root out potential leaks. You might also take a look at this leaks search tool, which searches across several potential leak sources (e.g. GitHub, Pastebin, Shodan, Censys, Netcraft, etc.).
The call for proposals for HighEdWeb 2018 is officially open! Everyone has an experience that others can learn from. Help spare someone else from the pain or struggle you went through, help others reach the awesomeness you’ve obtained by presenting at HighEdWeb.