10 vulnerabilities as temptation targets for malicious actors
Mass hacking of Word Press sites is in progress through related post plugins also known as “yuzo-related- post” and “YelowPencil” plugin putting thousands of sites at risk. Also, in the last few weeks, flaws were discovered in other plugins. Here is the complete list:
- Related Posts (yuzo – related – post)
- YellowPencil Visual CSS Style Editor (waspthemes-yellow-pencil)
“The vulnerability in Yuzo Related Posts stems from missing authentication checks in the plugin routines responsible for storing settings in the database.” reads the blog post published by WordFence.
The Plugin author Lenin Zapata provided the following suggestion to halt the attack:
- Remove / Uninstall the plugin immediately.
- Within your database go to the wp_options table and look for the value yuzo_related_post_options delete that record.
- Do not delete the table of visits wp_yuzoviews, this does not influence the problem.
The Yuzo Related Posts plugin was removed from the WordPress plugin store on March 30th, 2019.
Security experts discovered two software vulnerabilities in another WordPress plugin, Yellow Pencil Visual Theme Customizer. This visual-design plugin allows users to style their websites and has an active install base of more than 30,000 websites.
The first flaw allows an unauthenticated user to perform site admin actions. There is a privilege-escalation vulnerability in the yellow-pencil.php file. This file has a function that checks if a specific request parameter (yp_remote_get) has been set – and if it has, the plugin promptly escalates the users’ privileges to that of an administrator.
Researchers said that the second flaw is “a cross-site request forgery (CSRF) check is missing in the function below that would have made it much more difficult to exploit”.
Yellow Pencil urged users to update to the latest version of the plugin, 7.2.0, as soon as possible.
If you are using any of these plugins, update them immediately except yuzo-related- a post that needs to be uninstalled as soon as possible.
Here are the rest of the top 10 app security vulnerabilities to watch out for in the current year.
1. jQuery File Upload (CVE-2018-9206)
jQuery File Upload files Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery. Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go, etc.) that supports standard HTML form file uploads.
This extremely popular plugin has been integrated into countless web applications and thousands of projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, etc. Hackers discovered a vulnerability in this plugin and used it to upload malicious files on servers, such as backdoors and web shells and take over web servers. Vulnerability is in the plugin’s source code that handles file uploads to PHP servers and has been estimated that hackers have abused a zero-day in jQuery plugin for at least 3 years, since 2016.
3.WordPress Denial of Service
4. Drupalgeddon 2
When the Drupal security team released a highly critical vulnerability nicknamed drupalgeddon2, hackers wasted no time. They infected servers with backdoors leaving over 100 000 Drupal websites vulnerable. The exploit worked by manipulating the functionality to inject a render array containing executable code and then trick the application into rendering the injection, the security team released a patch but it did not resolve the problem, it only mitigated it and opened a new vulnerability – drupalgeddon 3.
5. Drupalgeddon 3
After the first attempt to patch the issue with drupalgeddon 2 a group of hackers was able to uncover another RCE exploit in Drupal’s system opened up by the fix.
With the Drupalgeddon 3.0 RCE exploit, hackers were able to breach websites and inject them with malware or spam. Also, websites were undergoing extortion attempts as well as lots of interruptions.
Upgrading to the most recent version of Drupal 7 or 8 core mitigates the Drupalgeddon 2 and Drupalgeddon3 vulnerability but there is a great possibility that it will be further exploited.
6. Telerik’s RadAsyncUpload
Telerik AD is a company offering software tools for web, mobile, desktop application development, tools and subscription services for cross-platform application development. Telerik sells a platform for web, hybrid, and native app development. They make a custom control for the .net framework.
Telerik’s RadAsyncUpload feature is configured with a default, hard-coded encryption key. Default key allows decryption of parameter, which enables a malicious actor to change the file upload location. If this key is not changed, a malicious actor can capture the file upload request and use a key to decrypt the data then modify and re-encrypt the file upload location. This allows the attacker to upload an arbitrary file to any location on the server.
7. Spring Data Commons
The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java Enterprise Edition platform. Spring Framework has become popular in the Java community and it is open source.
Within the Spring Framework, Spring Data Commonsprovides a common API for accessing NoSQL and relational databases, basic implementation, and interfaces to the other SpringData projects. Versions prior to 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions contain a property binder vulnerability which allows an attacker to perform a remote code execution attack. The MapDataBinder class in Spring data Commons was unsafely parsing and evaluating a Spring Expression Language. Because of this unsafe evaluation, an attacker can send a “specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data’s projection-based request payload binding.”
8. MathJax XSS (CVE-2018-1999024)
9. Flash Player Hack (CVE-2018-4878)
South Korea’s CERT identified a use-after-free exploit that impacted Adobe Flash versions 126.96.36.199 and earlier and could allow for remote code execution across Windows, macOS, Linux, and Chrome OS. North Korean hackers exploited this critical flaw in Flash Player trough delivering maliciously crafted Excel documents. Hackers known as Group 123 were using the zero-day Flash flaw and Excel sheets to deliver the ROKRAT remote-administration tool. Although this vulnerability was patched, security researchers at Morphisec have uncovered a massive hacking campaign that is exploiting this Adobe Flash Player vulnerability.
10. Spring OAuth Approval (CVE-2018-1260)
Spring Security OAuth provides support for using Spring Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security programming models and configuration idioms. The default approval endpoint for Spring Security OAuth is vulnerable to remote code execution through a Spring Expression Language Injection. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to a remote code execution when the resource owner is forwarded to the approval endpoint.
Although these vulnerabilities were active in the past year there is a great chance that they are still being used by malicious actors.