Mass hacking of WordPress sites is in progress through two plugins, Yuzo Related Posts
(yuzo-related-post) and YellowPencil, putting thousands of sites at risk.
In the last few weeks, flaws were also discovered in other plugins. Here is the complete list:
- Yuzo Related Posts (yuzo-related-post)
- YellowPencil Visual CSS Style Editor (waspthemes-yellow-pencil)
Yuzo Related Posts enables WordPress websites to display "related posts" segments
and is installed on over 60,000 websites. According to experts, a vulnerability in
this popular plugin is being exploited by attackers to redirect users to malicious
sites. Users of the plugin are being urged to uninstall it after the flaw was
discovered being exploited in the wild. The XSS flaw allows attackers to inject
JavaScript into the affected sites that redirects visitors to websites displaying
scams, including tech support scams, and to sites promoting unwanted software.
“The vulnerability in Yuzo Related Posts stems from missing authentication checks
in the plugin routines responsible for storing settings in the database,” reads
the blog post published by WordFence.
The plugin author Lenin Zapata provided the following suggestions to halt the attack:
- Remove / uninstall the plugin immediately.
- Within your database, go to the wp_options table, look for the value
yuzo_related_post_options and delete that record.
- Do not delete the table of visits wp_yuzoviews; this does not influence the problem.
The Yuzo Related Posts plugin was removed from the WordPress
plugin store on March 30th, 2019.
Security experts discovered two software vulnerabilities in
another WordPress plugin, Yellow Pencil Visual Theme Customizer. This
visual-design plugin allows users to style their websites and has an active
install base of more than 30,000 websites.
The first flaw allows an unauthenticated user to perform site admin actions: it is
a privilege-escalation vulnerability in the yellow-pencil.php file. This file has
a function that checks whether a specific request parameter (yp_remote_get) has been
set, and if it has, the plugin promptly escalates the user's privileges to those of
an administrator.
Researchers said that the second flaw is “a
cross-site request forgery (CSRF) check is missing in the function below that
would have made it much more difficult to exploit”.
Yellow Pencil urged users to update to the latest version of
the plugin, 7.2.0, as soon as possible.
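Both plugin flaws described above come down to a settings-saving routine that trusts the request. As an added example (not code from Yuzo, YellowPencil or WordFence), here is how a hypothetical WordPress plugin's settings handler closes those gaps: a capability check so unauthenticated or low-privileged users cannot store settings, a nonce check against CSRF, no role decisions based on request parameters, and sanitization so stored values cannot carry script into the page. Hook names, option name and field names are assumptions.

```php
<?php
// Added example: hardened settings handler for a hypothetical plugin.
// Assumes the WordPress plugin API (admin_post_* hooks, current_user_can,
// check_admin_referer, wp_kses, update_option) is loaded.

add_action( 'admin_post_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. Authentication + authorization. admin_post_* (without the nopriv_
    //    variant) already requires a logged-in user, but the capability must
    //    still be checked explicitly; this is the check Yuzo was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. CSRF: the form must carry a nonce bound to this action and user;
    //    this is the check reported missing in YellowPencil.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Privileges come from the session, never from a request parameter
    //    (the yp_remote_get pattern). Nothing here inspects $_POST for roles.

    // 4. Sanitize before storing. Settings stored raw and later echoed into
    //    the page are how an injected redirect reaches every visitor.
    $allowed_html = array(
        'strong' => array(),
        'em'     => array(),
    );
    $settings = array(
        'title'      => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'intro_html' => wp_kses( wp_unslash( $_POST['intro_html'] ?? '' ), $allowed_html ),
        'max_posts'  => absint( $_POST['max_posts'] ?? 5 ),
    );
    update_option( 'example_related_post_options', $settings );

    // 5. Output must still be escaped (esc_html, esc_attr) when rendered;
    //    input sanitization is not a substitute for output escaping.
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// The matching settings form must emit the nonce the handler verifies:
//   wp_nonce_field( 'example_save_settings', 'example_nonce' );
```

A settings form without the nonce field, or a handler reached without the capability check, reproduces the conditions the post describes.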
If you are using any of these plugins, update them immediately, except for
Yuzo Related Posts, which needs to be uninstalled as soon as possible.
Here are the rest of the top 10 app security vulnerabilities
to watch out for in the current year.
1. jQuery File Upload (CVE-2018-9206)
jQuery File Upload is a file upload widget for jQuery with multiple file
selection, drag & drop support, progress bars, validation and preview of images,
audio and video. It supports cross-domain, chunked and resumable file uploads
and client-side image resizing, and works with any server-side platform
(PHP, Python, Ruby on Rails, Java, Node.js, Go, etc.) that supports standard
HTML form file uploads.
This extremely popular plugin has been integrated into countless web applications
and thousands of projects, such as CMSs, CRMs, intranet solutions, WordPress
plugins, Drupal add-ons, etc. Hackers discovered a vulnerability in this plugin
and used it to upload malicious files to servers, such as backdoors and web
shells, and take over web servers. The vulnerability is in the part of the
plugin's source code that handles file uploads to PHP servers, and it has been
estimated that hackers abused this zero-day in the jQuery plugin for at least
3 years, since 2016.
2. Magecart
Magecart is the name used to categorize the tactics of at least six different
hacker groups, and it is a leading web-based card-skimming threat. Magecart
techniques are simple but highly effective. The groups hack into retailer
websites and insert card payment "skimming code", replacing the JavaScript
that handles payments with malicious code. They are then able to read and
record the card numbers and security codes of shoppers using the website. Some
of their victims are British Airways, Ticketmaster, Newegg, etc. The name
Magecart is derived from the Magento e-commerce platform.
3. WordPress Denial of Service
A DoS attack is a method in which an attacker sends requests, often through
compromised networks and computers, to a single target. These requests make the
targeted system so busy that it stops responding to requests coming from
legitimate users. These techniques are being used by attackers to blackmail
specific sites and demand ransom. WordPress is among the best content management
system solutions. It holds almost 30 percent share of the entire web, but it is
prone to vulnerabilities, so it is not a big surprise that it is a popular target
for malicious actors. In WordPress, malicious actors perform a DoS attack by
abusing the functionality of the load-scripts.php file to request mass
quantities of JavaScript files in a single request. This overloads the server
and the DoS attack succeeds.
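The abuse described above leaves a clear trace in the web server's access log: requests to wp-admin/load-scripts.php whose load[] parameter lists far more script handles than any real admin page asks for. As an added example (not code from the original post or from WordPress), this PHP script flags such entries; the log lines are constructed samples in Apache combined format and the handle-count threshold is an assumption to tune per site.

```php
<?php
// Added example: flag access-log lines that request wp-admin/load-scripts.php
// with an unusually long load[] list. Threshold is an assumed value.
const MAX_HANDLES = 40;

function count_load_handles( string $request_path ): int {
    $query = (string) parse_url( $request_path, PHP_URL_QUERY );
    parse_str( $query, $params );           // also decodes load%5B%5D -> load[]
    $load = $params['load'] ?? null;
    if ( $load === null ) {
        return 0;
    }
    // WordPress accepts load[]=a,b,c as well as repeated load[] entries.
    $values = is_array( $load ) ? $load : array( $load );
    $count  = 0;
    foreach ( $values as $value ) {
        $count += count( array_filter( explode( ',', $value ) ) );
    }
    return $count;
}

function find_suspicious_requests( array $log_lines, int $max = MAX_HANDLES ): array {
    $hits = array();
    foreach ( $log_lines as $line ) {
        // Client IP and request path from a combined-format log line.
        if ( ! preg_match( '~^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/~', $line, $m ) ) {
            continue;
        }
        list( , $ip, $path ) = $m;
        if ( strpos( $path, '/wp-admin/load-scripts.php' ) !== 0 ) {
            continue;
        }
        $n = count_load_handles( $path );
        if ( $n > $max ) {
            $hits[] = array( 'ip' => $ip, 'handles' => $n );
        }
    }
    return $hits;
}

// Constructed sample lines: a normal admin request and an abusive one.
$sample = array(
    '203.0.113.5 - - [10/Apr/2019:12:00:01 +0000] "GET /wp-admin/load-scripts.php?c=0&load%5B%5D=jquery-core,jquery-migrate,utils&ver=5.1 HTTP/1.1" 200 12034 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2019:12:00:02 +0000] "GET /wp-admin/load-scripts.php?load%5B%5D=' . implode( ',', array_fill( 0, 180, 'jquery-ui-core' ) ) . ' HTTP/1.1" 200 900000 "-" "python-requests/2.21"',
);
foreach ( find_suspicious_requests( $sample ) as $hit ) {
    printf( "suspicious load-scripts.php request from %s (%d handles)\n", $hit['ip'], $hit['handles'] );
}
```

Repeated hits from one client are a candidate for rate limiting at the web server or WAF, since load-scripts.php is served before WordPress plugins load and cannot defend itself.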
4. Drupalgeddon 2
When the Drupal security team disclosed a highly critical vulnerability
nicknamed Drupalgeddon 2, hackers wasted no time: they infected servers with
backdoors, leaving over 100,000 Drupal websites vulnerable. The exploit worked
by manipulating the rendering functionality to inject a render array containing
executable code and then tricking the application into rendering the injection.
The security team released a patch, but it did not resolve the problem; it only
mitigated it and opened a new vulnerability, Drupalgeddon 3.
5. Drupalgeddon 3
After the first attempt to patch the Drupalgeddon 2 issue, a group of hackers
was able to uncover another RCE exploit in Drupal's system, opened up by the fix.
With the Drupalgeddon 3 RCE exploit, hackers were able to breach websites and
inject them with malware or spam. Websites also faced extortion attempts as well
as many interruptions.
Upgrading to the most recent version of Drupal 7 or 8 core mitigates the
Drupalgeddon 2 and Drupalgeddon 3 vulnerabilities, but there is a great
possibility that they will be further exploited.
6. Telerik's RadAsyncUpload
Telerik AD is a company offering software tools for web, mobile and desktop
application development, as well as tools and subscription services for
cross-platform application development. Telerik sells a platform for web,
hybrid, and native app development, and makes custom controls for the .NET
Framework.
Telerik's RadAsyncUpload feature is configured with a default, hard-coded
encryption key. The default key allows decryption of the upload configuration
parameter, which enables a malicious actor to change the file upload location.
If this key is not changed, a malicious actor can capture the file upload
request, use the key to decrypt the data, then modify and re-encrypt the file
upload location. This allows the attacker to upload an arbitrary file to any
location on the server.
7. Spring Data Commons
The Spring Framework's core features can be used by any Java application, but
there are extensions for building web applications on top of the Java Enterprise
Edition platform. Spring Framework has become popular in the Java community and
it is open source.
Within the Spring Framework, Spring Data Commons provides a common API for
accessing NoSQL and relational databases, a basic implementation, and interfaces
to the other Spring Data projects. Versions prior to 1.13 to 1.13.10, 2.0 to
2.0.5, and older unsupported versions contain a property binder vulnerability
which allows an attacker to perform a remote code execution attack. The
MapDataBinder class in Spring Data Commons was unsafely parsing and evaluating
Spring Expression Language (SpEL) expressions. Because of this unsafe
evaluation, an attacker can send “specially crafted request parameters against
Spring Data REST backed HTTP resources or using Spring Data's projection-based
request payload binding.”
8. MathJax XSS (CVE-2018-1999024)
MathJax versions prior to 2.7.4 contain a cross-site scripting (XSS)
vulnerability in the unicode{} macro that can result in potentially untrusted
JavaScript running within a web browser. This alters the appearance of the page
and makes it possible to initiate further attacks against site visitors. The
attack is exploitable when the victim views a page where untrusted content is
processed using MathJax.
9. Flash Player Hack (CVE-2018-4878)
South Korea's CERT identified a use-after-free exploit that impacted Adobe Flash
versions 28.0.0.137 and earlier and could allow for remote code execution across
Windows, macOS, Linux, and Chrome OS. North Korean hackers exploited this
critical flaw in Flash Player by delivering maliciously crafted Excel documents.
Hackers known as Group 123 were using the zero-day Flash flaw and Excel sheets to
deliver the ROKRAT remote-administration tool. Although this vulnerability was
patched, security researchers at Morphisec have uncovered a massive hacking
campaign that is exploiting this Adobe Flash Player vulnerability.
10. Spring OAuth Approval (CVE-2018-1260)
Spring Security OAuth provides support for using Spring
Security with OAuth (1a) and OAuth2 using standard Spring and Spring Security
programming models and configuration idioms. The default approval endpoint for
Spring Security OAuth is vulnerable to remote code execution through a Spring
Expression Language Injection. A malicious user or attacker can craft an
authorization request to the authorization endpoint that can lead to a remote
code execution when the resource owner is forwarded to the approval endpoint.
Although these vulnerabilities were active in the past year, there is a great
chance that they are still being used by malicious actors.
