SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
5 May 2015

Just-released WordPress 0day makes it easy to hijack millions of websites

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server.

Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow a hacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appear by default at the bottom of a WordPress article post or blog. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.

The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text—about 66,000 characters or more than 64 kilobytes worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn't automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.

"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors," Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote. "Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."

Klikki Oy has published a proof-of-concept attack code that looks like this: <a title='x onmouseover=alert(unescape(/hello%20world/.source))  style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA [64 kb] ...'>

Here's a video of the proof-of-concept attack in progress:

The attack is similar to one disclosed last week by security researcher Cedric Van Bockhaven. That attack also embedded malicious comments into comments that were executed when viewed by admins. The underlying vulnerability was fixed with last week's release of WordPress 4.2. A swarm of WordPress plugins were also recently updated to kill XSS vulnerabilities.

At the moment, there's no fix for the most recently disclosed bug. Once a patch is available, WordPress admins should install it right away. In the meantime, they should consider disabling comments or installing a comment plugin such as Akismet to mitigate exploits. Earlier this year, the US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities.

Tags:
WordPress information leaks
Source:
Ars Technica
Author:
Dan Goodin
1978
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015