Portfolio Archives -

WordPress 4.2.4 Security and Maintenance Release

L3gsman — Tue, 04 Aug 2015 19:21:05 +0000

WordPress 4.2.4 Security and Maintenance Release

Posted August 4, 2015 by Samuel Sidler. Filed under Releases, Security.

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.4 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.4.

Already testing WordPress 4.3? The second release candidate is now available (zip) and it contains these fixes. For more on 4.3, see the RC 1 announcement post.

The post WordPress 4.2.4 Security and Maintenance Release appeared first on .

Adding an Admin User to the WordPress Database via MySQL

L3gsman — Mon, 01 Jun 2015 18:10:06 +0000

How to Add an Admin User to the WordPress Database via MySQL

Few days ago, we ran into an issue where a user’s site got hacked and their admin account was deleted from the database. This locked them out of their site without any other entry. We went in to the phpMyAdmin and created a new admin user to grant them access. In this article, we will show you a step by step guide on how to create an admin user in WordPress Database via MySQL.

Note: You should always make a backup of your database before performing any MySQL edits. This tutorial requires basic understanding of how phpMyAdmin works.

First, you need to login to phpMyAdmin and locate your WordPress database.

Once inside phpMyAdmin;

Once you are in, we will be making changes to the wp_users and wp_usermeta tables. Lets go ahead and click on wp_users table.

phpMyAdmin wp_users table

We need to insert our new admin user’s information, so click on the Insert tab like it shows in the image above. In the insert form, add the following:

ID – pick a number (in our example, we will use the number 4).
user_login – insert the username you want to use to access the WordPress Dashboard.
user_pass – add a password for this username. Make sure to select MD5 in the functions menu (Refer to the screenshot below).
user_nicename – put a nickname or something else that you would like to refer yourself as.
user_email – add the email you want to associate with this account.
user_url – this would be the url to your website.
user_registered – select the date/time for when this user is registered.
user_status – set this to 0.
display_name – put the name you like to display for this user on the site (it can be your user_nicename value as well).
Click on the Go Button

The post Adding an Admin User to the WordPress Database via MySQL appeared first on .

WordPress 4.2.2 Security and Maintenance Release

L3gsman — Tue, 12 May 2015 22:04:03 +0000

WordPress 4.2.2 Security and Maintenance Release

Posted May 7, 2015 by Samuel Sidler. Filed under Releases, Security.

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi from Baidu[X-team].

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Thanks to everyone who contributed to 4.2.2:

The post WordPress 4.2.2 Security and Maintenance Release appeared first on .

WordPress 4.2.1 released new patch

L3gsman — Mon, 27 Apr 2015 21:48:29 +0000

WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability

Sarah Gooding April 27, 2015 4

photo credit: Will Montague – cc

This morning we reported on an XSS vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an attacker to compromise a site via its comments. The security team quickly patched the vulnerability and released 4.2.1 within hours of being notified.

WordPress’ official statement on the security issue:

The WordPress team was made aware of a XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet.

That auto-update is now being rolled out to sites where updates have not been disabled. If you are unsure of whether or not your site can perform automatic background updates, Gary Pendergast linked to the Background Update Tester plugin in the security release. This is a core-supported plugin that will check your site for background update compatibility and explain any issues.

Since Akismet is active on more than a million websites, the number of affected users that were not protected is much smaller than it might have been otherwise.

WordPress 4.2.1 is a critical security release for a widely publicized vulnerability that you do not want to ignore. Users are advised to update immediately. The background update may already have hit your site. If not, you can update manually by navigating to Dashboard → Updates.

The post WordPress 4.2.1 released new patch appeared first on .

WordPress Security Alert

L3gsman — Mon, 13 Apr 2015 20:26:39 +0000

WordPress Security Alert – WP Super cache

Credit: Wikipedia

Upgrade immediately

ITWorld|April 8, 2015

Security firm Sucuri revealed on their blog this week that they had uncovered a persistent cross-site scripting vulnerability in the popular WordPress plugin WP Super Cache. The effects of this vulnerability can be severe as an attacker can potentially insert malicious code into WordPress pages without your knowledge. Anyone who has experienced this type of attack due to a plugin security flaw knows how difficult and time consuming remediation can be.

Cypress North

WP Super Cache is deployed across all of the WordPress sites we host in our data center, and for good reason. The excellent plugin dramatically boosts the performance of WordPress sites while simultaneously reducing load on the web servers. The code for this plugin is mature and stable, rarely requiring updates. That’s part of the reason why it’s trusted by over 7 million websites. It’s popularity makes this security flaw a big concern for site owners.

Cypress North

The update process is quick and easy so you should take the time to log in and click the update now link as soon as you’re able. If you’re fortunate enough to maintain your sites under a multi-site install you’ll be able to take care of this issue in one shot. Otherwise, like us, you’re stuck logging into each installation and manually updating each site like we spent all yesterday doing.

According to the blog post by Marc-Alexandre Montpas:

Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

The nonce requirement lowers the odds of the backdoor taking effect since the cached page gets purged periodically, but still, better safe than sorry. The scale of the vulnerable sites makes exploitation an inevitable event. Do your part to protect the web and get updating.

The post WordPress Security Alert appeared first on .

WordPress 4.0.1 Security Release

L3gsman — Fri, 03 Oct 2014 09:54:13 +0000

Posted November 20, 2014 by Andrew Nacin. Filed under Releases, Security.

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours.

If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure.

(We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
A cross-site request forgery that could be used to trick a user into changing their password.
An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Already testing WordPress 4.1? The second beta is now available (zip) and it contains these security fixes. For more on 4.1, see the beta 1 announcement post.

The post WordPress 4.0.1 Security Release appeared first on .

New Zero-Day Vulnerability Discovered in TimThumb Script

L3gsman — Fri, 03 Oct 2014 09:51:21 +0000

WordPress Security Alert: New Zero-Day Vulnerability Discovered in TimThumb Script

Sarah Gooding June 25, 2014 20

photo credit: kama17 – cc

Security vulnerabilities have plagued the TimThumb script for years. It is most commonly used in cropping, zooming and resizing images in WordPress themes. After the large scale attacks launched against the script a few years ago, one might think that theme and plugin developers would be less likely to continue building with it. However, this is not the case and many websites are again in danger, according to the exploit disclosure issued today.

TimThumb 2.8.13 has a vulnerability with its “Webshot” feature that, when enabled, allows attackers to execute commands on a remote website. At this time there is no patch. Security experts at Sucuri break down the threat as follows: “With a simple command, an attacker can create, remove and modify any files on your server.”

Although the Webshot feature should be disabled by default, Sucuri recommends that you check your timthumb file to make sure it’s disabled. Search for “WEBSHOT_ENABLED” and verify that it’s set to “false,” as shown below:

define (‘WEBSHOT_ENABLED’, false);

This vulnerability affects many WordPress themes, plugins, and third party components. According to the disclosure, all themes from Themify utilize this script, as well as several plugins, including WordPress Gallery Plugin and the IGIT Posts Slider Widget.

It’s important to recognize that your theme or plugin may also use this script, even if it’s not listed in the disclosure. If you’ve ever lost an entire weekend fixing client sites that fell victim to TimThumb exploits, then you know that disabling the WebShot option is probably a good idea. This is a simple thing that you can do now to prevent your sites from getting hacked.

Who is Sarah Gooding

Sarah Gooding is an Editorial Ninja at Audrey Capital. When not writing about WordPress, she enjoys baking, knitting, judging beer competitions and spending time with her Italian Greyhound.

The post New Zero-Day Vulnerability Discovered in TimThumb Script appeared first on .

Web Security Issues

L3gsman — Fri, 03 Oct 2014 09:49:57 +0000

A serious vulnerability in the WP eCommerce Plugin was announced within the last 24 hours (321st Oct 2014) . A fix has been released and some hosting companies are already auto-upgrading customers to the newest version.

Upgrade to 3.8.14.4 of WP eCommerce immediately if you use this plugin. Please spread the word because with almost 3 million downloads this is a very popular plugin.

Details on our blog…

The post Web Security Issues appeared first on .

How to upgrade to SSL certificates from SHA1 to SHA2

L3gsman — Fri, 03 Oct 2014 09:46:48 +0000

With Chrome version 39 which is in the process of being released (see footnote), Google has started issuing warnings if a website is using a certificate that has a signature algorithm that uses the older and less secure SHA1.

To find out which signature algorithm your secure website is using, in Chrome click on the green lock in the location bar. Then click on ‘connection’, then click on ‘certificate information’. You should see something like the image below. Note the ‘Signature algorithm’ is SHA-256 which is one of the SHA2 hashing functions. If you see SHA-1, you need to immediately reissue your certificate using SHA-2 and install the new version.

So what does it look like in the new version of Chrome when you’re using SHA-1? This is taken from a well known website that has not upgraded yet. Notice the lock with the warning triangle in the location bar. This is the main indication for a site visitor that something is awry. If you then click on the lock it has a further warning with explanation.

If you do have a website that is using SHA-1, don’t panic. Just sign into GoDaddy or whoever your SSL issuer is. Then go to manage your certificates and they’ll have an option there to reissue your certificate. You’ll need to resubmit your certificate signing request (CSR) but you can just resubmit your old CSR and it will work fine.

Then make sure that you’ve selected SHA-2 or SHA-256 or another SHA-2 compatible function. Then reissue the certificate. In GoDaddy’s case it takes about a minute for them to approve your request. If you have an EV certificate it may take longer.

Please share this with other site administrators to make sure that their customers aren’t getting warnings when visiting those all-important secure pages.

Footnote: Chrome 39 has officially been pushed into the “Stable” channel which is the release channel. It will be pushed out via auto-update to millions of customers in the coming days. The demo above was done with Chrome 40 beta, but what the user sees is identical.

The post How to upgrade to SSL certificates from SHA1 to SHA2 appeared first on .

Portfolio Archives -

WordPress 4.2.4 Security and Maintenance Release

WordPress 4.2.4 Security and Maintenance Release

Share this:

Adding an Admin User to the WordPress Database via MySQL

WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.1 released new patch

WordPress Security Alert

Upgrade immediately

WordPress 4.0.1 Security Release

New Zero-Day Vulnerability Discovered in TimThumb Script

Who is Sarah Gooding

Web Security Issues

How to upgrade to SSL certificates from SHA1 to SHA2