10 vulnerabilities as temptation targets for malicious actors

RapidVPN / May 30, 2019 / Blog

Mass exploitation of WordPress sites is in progress through the related-posts plugin known as “yuzo-related-post” and the “YellowPencil” plugin, putting thousands of sites at risk. In the last few weeks, flaws were also discovered in other plugins. Here is the complete list:

  • Related Posts (yuzo-related-post)
  • YellowPencil Visual CSS Style Editor (waspthemes-yellow-pencil)

Yuzo Related Posts lets WordPress websites display a “related posts” section and is installed on over 60,000 websites. According to experts, a vulnerability in this popular plugin is being exploited by attackers to redirect users to malicious sites, and its users are being urged to uninstall it now that the flaw has been seen exploited in the wild. The XSS flaw allows attackers to inject JavaScript into affected sites that redirects visitors to websites displaying scams, including tech support scams, and to sites promoting unwanted software.

“The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database,” reads the blog post published by Wordfence.

The plugin's author, Lenin Zapata, provided the following steps to halt the attack:

  • Remove / uninstall the plugin immediately.
  • In your database, go to the wp_options table, look for the record with the option name yuzo_related_post_options and delete that record.
  • Do not delete the visits table wp_yuzoviews; it has no bearing on the problem.

The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019.

Security experts discovered two vulnerabilities in another WordPress plugin, Yellow Pencil Visual Theme Customizer. This visual-design plugin lets users style their websites and has an active install base of more than 30,000 websites.

The first flaw allows an unauthenticated user to perform site-admin actions: a privilege-escalation vulnerability in the yellow-pencil.php file. That file has a function that checks whether a specific request parameter (yp_remote_get) has been set, and if it has, the plugin promptly escalates the user's privileges to those of an administrator.

The second flaw, researchers said, is that “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit.”

Yellow Pencil urged users to update to the latest version of the plugin, 7.2.0, as soon as possible.

If you are using any of these plugins, update them immediately, except yuzo-related-post, which needs to be uninstalled as soon as possible.

Here are the rest of the top 10 application security vulnerabilities to watch out for this year.

1. jQuery File Upload (CVE-2018-9206)

jQuery File Upload is a file upload widget for jQuery with multiple file selection, drag-and-drop support, progress bars, validation, and preview of images, audio and video. It supports cross-domain, chunked and resumable file uploads and client-side image resizing, and works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go, etc.) that supports standard HTML form file uploads.

This extremely popular plugin has been integrated into countless web applications and thousands of projects: CMSs, CRMs, intranet solutions, WordPress plugins, Drupal add-ons and so on. Attackers discovered a vulnerability in the plugin and used it to upload malicious files such as backdoors and web shells to servers and take those servers over. The vulnerability lies in the part of the plugin's source code that handles file uploads to PHP servers, and it is estimated that attackers abused this zero-day for at least three years, since 2016.

2. Magecart

Magecart is the name used to categorize the tactics of at least six different hacker groups and is a leading web-based card-skimming threat. Magecart techniques are simple but highly effective: the groups hack into retailer websites and insert card-payment “skimming code”, replacing the JavaScript that handles payments with malicious code, and are then able to read and record the card numbers and security codes of shoppers using the website. Victims include British Airways, Ticketmaster and Newegg. The name Magecart comes from the groups' association with the Magento e-commerce platform.

3. WordPress Denial of Service

A DoS attack is a method in which an attacker sends “requests” through compromised networks and computers to a single target. These requests keep the targeted system so busy that it stops responding to requests from legitimate users. Attackers use these techniques to blackmail specific sites and demand a ransom. WordPress is among the best content management systems, holding almost 30 percent of the entire web, but it is prone to vulnerabilities, so it is no surprise that it is a popular target for malicious actors. In WordPress, malicious actors perform a DoS attack by abusing the functionality of the load-scripts.php file to request mass quantities of JavaScript files; this overloads the server and the DoS attack succeeds.
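As an added example (not from the original post and not code from either plugin), here is a small Python checker that applies the two indicators from the YellowPencil and load-scripts.php sections above to web-server access logs: any request carrying the yp_remote_get parameter, and any load-scripts.php hit asking for an unusually large number of script handles. The sample log lines, IP addresses, rule names and the 40-handle threshold are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: tune to your site's normal admin traffic. A legitimate wp-admin
# page requests a few dozen handles; a flood request asks for far more.
MAX_LOAD_HANDLES = 40

# Combined log format; we only need the client IP and the request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*"')

def inspect_request(ip, target):
    """Apply both indicators to one request target and return a list of findings."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    # YellowPencil: the vulnerable function elevated any request that set yp_remote_get.
    # Access logs show only GET parameters; a POST body would need a WAF or proxy log.
    if "yp_remote_get" in qs:
        findings.append({"rule": "yellowpencil_yp_remote_get", "ip": ip, "target": target})
    # load-scripts.php abuse: count how many script handles a single request asks for.
    if parts.path.endswith("/load-scripts.php"):
        values = qs.get("load[]", []) + qs.get("load", [])
        handles = sum(len(v.split(",")) for v in values)
        if handles > MAX_LOAD_HANDLES:
            findings.append({"rule": "load_scripts_mass_request", "ip": ip,
                             "handles": handles, "target": target})
    return findings

def scan_log(text):
    """Parse every line of an access log and collect findings from inspect_request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # unparsable lines are skipped rather than aborting the scan
            findings.extend(inspect_request(m["ip"], m["target"]))
    return findings

# Constructed sample traffic using documentation IP ranges; not a real capture.
_flood = ",".join(f"handle{i}" for i in range(60))
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [30/May/2019:10:01:02 +0000] "GET /?yp_remote_get=1 HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    '198.51.100.3 - - [30/May/2019:10:01:05 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=jquery-core,jquery-migrate,common HTTP/1.1" 200 90000 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [30/May/2019:10:01:06 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D={_flood} HTTP/1.1" 200 4000000 "-" "python-requests/2.21.0"',
    '192.0.2.5 - - [30/May/2019:10:01:07 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the script flags the yp_remote_get probe and the 60-handle load-scripts.php request while leaving the ordinary admin request alone.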

4. Drupalgeddon 2

When the Drupal security team disclosed a highly critical vulnerability nicknamed Drupalgeddon 2, attackers wasted no time: they infected servers with backdoors, leaving over 100,000 Drupal websites vulnerable. The exploit worked by manipulating the application's functionality to inject a render array containing executable code and then tricking the application into rendering the injected array. The security team released a patch, but it did not resolve the problem; it only mitigated it, and the fix opened a new vulnerability, Drupalgeddon 3.

5. Drupalgeddon 3

After the first attempt to patch Drupalgeddon 2, a group of attackers uncovered another RCE exploit in Drupal's system, opened up by the fix.

With the Drupalgeddon 3 RCE exploit, attackers were able to breach websites and inject malware or spam into them. Affected websites also faced extortion attempts and frequent disruption.

Upgrading to the most recent version of Drupal 7 or 8 core mitigates the Drupalgeddon 2 and Drupalgeddon 3 vulnerabilities, but there is a strong chance that these flaws will continue to be exploited.

6. Telerik’s RadAsyncUpload

Telerik AD is a company offering software tools and subscription services for web, mobile, desktop and cross-platform application development. Telerik sells a platform for web, hybrid and native app development and makes custom controls for the .NET Framework.

Telerik's RadAsyncUpload feature ships with a default, hard-coded encryption key. The default key allows decryption of the request parameter, which lets a malicious actor change the file upload location. If this key is not changed, an attacker can capture a file upload request, use the key to decrypt the data, then modify and re-encrypt the file upload location. This allows the attacker to upload an arbitrary file to any location on the server.

7. Spring Data Commons

The Spring Framework's core features can be used by any Java application, and there are extensions for building web applications on top of the Java Enterprise Edition platform. Spring is open source and has become popular in the Java community.

Within the Spring Framework, Spring Data Commons provides a common API for accessing NoSQL and relational databases, basic implementations, and interfaces to the other Spring Data projects. Versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability that allows an attacker to perform a remote code execution attack. The MapDataBinder class in Spring Data Commons unsafely parsed and evaluated Spring Expression Language (SpEL) expressions. Because of this unsafe evaluation, an attacker can supply “specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding.”

8. MathJax XSS (CVE-2018-1999024)

MathJax versions prior to 2.7.4 contain a cross-site scripting (XSS) vulnerability in the \unicode{} macro that can result in potentially untrusted JavaScript running within a web browser. This can alter the page's appearance and makes it possible to launch further attacks against site visitors. To exploit it, the victim must view a page where untrusted content is processed using MathJax.

9. Flash Player Hack (CVE-2018-4878)

South Korea's CERT identified a use-after-free vulnerability that affected Adobe Flash versions 28.0.0.137 and earlier and could allow remote code execution on Windows, macOS, Linux and Chrome OS. North Korean hackers exploited this critical Flash Player flaw by delivering maliciously crafted Excel documents: the group known as Group 123 used the zero-day Flash flaw and Excel sheets to deliver the ROKRAT remote-administration tool. Although the vulnerability was patched, security researchers at Morphisec have since uncovered a massive hacking campaign exploiting it.

10. Spring OAuth Approval (CVE-2018-1260)

Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms. The default approval endpoint for Spring Security OAuth is vulnerable to remote code execution through Spring Expression Language injection. A malicious user or attacker can craft an authorization request to the authorization endpoint that leads to remote code execution when the resource owner is forwarded to the approval endpoint.

Although these vulnerabilities were active in the past year, there is a great chance that they are still being used by malicious actors.