Tag Archives: Security

WordPress still insecure by design

Some major WordPress design flaws have led to widespread attacks on our and your servers. The only hope is reasonably long and strong passwords or WordPress security plugins.

The first flaw. By default WordPress has a “feature” enabled: when you visit your blog with the author query string appended, it nicely reveals your usernames. For example, if you have:

http://blog.example.com

just add

http://blog.example.com/?author=1

and a default WordPress installation redirects you to:

http://blog.example.com/author/admin/

If you need the next valid username, change 1 to 2:

http://blog.example.com/?author=2

The second flaw. WordPress has two separate login error messages:

ERROR: Invalid username

and

ERROR: The password you entered for the username admin is incorrect.

So basically, you can check whether a particular username is valid.

The third flaw. Many users use .htaccess to secure the wp-admin directory, but the WordPress developers decided to include a publicly accessible script in the admin folder, so securing the admin folder breaks your site in many ways. Of course you can write more advanced .htaccess rules, but that is no excuse for putting a public script in the admin folder.

Both front-end and back-end Ajax requests use admin-ajax.php

The fourth flaw. xmlrpc.php allows attackers to try hundreds of username/password combinations in a single web request (system.multicall), and to do it via a publicly accessible script that is not hidden behind the wp-admin folder. Just brilliant! By the way, the flaw is still not fixed, and even if your site is not very popular, you will still see your log files full of password-guessing requests from different IP addresses:

10.20.30.40 - - [13/Oct/2015:17:26:55 -0400] "POST /xmlrpc.php HTTP/1.0" 200 561 "-" "-"

Note that the IP 10.20.30.40 is given as an example.

Read more about system.multicall here: Brute Force Amplification Attacks Against WordPress XMLRPC
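As an added defender-side example (not from the original post), the following Python script scans access-log lines in the format quoted above and flags two of the patterns described here: repeated POSTs to xmlrpc.php (fourth flaw) and a single IP walking ?author=1, 2, 3… (first flaw). The thresholds, the IPs other than 10.20.30.40 and the sample lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Combined-style access log line, the format of the xmlrpc.php line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The author-enumeration probe from the first flaw: GET /?author=N
AUTHOR_RE = re.compile(r'^/\?author=(\d+)$')

def parse_line(line):
    """Return (ip, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group('ip'), m.group('method'), m.group('path'), int(m.group('status'))

def analyse(lines, xmlrpc_threshold=5, author_threshold=3):
    """Flag IPs that POST to xmlrpc.php repeatedly and IPs that walk ?author=N ids."""
    xmlrpc_posts = Counter()          # ip -> number of POST /xmlrpc.php
    author_ids = defaultdict(set)     # ip -> distinct author ids probed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip malformed lines instead of crashing
        ip, method, path, _status = parsed
        if method == 'POST' and path.startswith('/xmlrpc.php'):
            xmlrpc_posts[ip] += 1
        probe = AUTHOR_RE.match(path)
        if probe:
            author_ids[ip].add(int(probe.group(1)))
    return {
        'xmlrpc_bruteforce': sorted(ip for ip, n in xmlrpc_posts.items() if n >= xmlrpc_threshold),
        'author_enumeration': sorted(ip for ip, ids in author_ids.items() if len(ids) >= author_threshold),
    }

# Constructed sample log; the 10.20.30.40 line is the one quoted in the post, the rest are made up.
SAMPLE_LOG = [
    '10.20.30.40 - - [13/Oct/2015:17:26:55 -0400] "POST /xmlrpc.php HTTP/1.0" 200 561 "-" "-"',
] * 6 + [
    '192.0.2.7 - - [13/Oct/2015:17:30:01 -0400] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [13/Oct/2015:17:30:02 -0400] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [13/Oct/2015:17:30:03 -0400] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Oct/2015:17:31:00 -0400] "GET /2015/10/post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
if __name__ == '__main__':
    print(analyse(SAMPLE_LOG))
```

Feed it your real access log (one line per list entry) and tune the thresholds to your traffic; the flagged IPs are candidates for rate limiting or blocking at the web server or firewall.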

The fifth flaw (and not the last). If you know of other flaws / vulnerabilities, please share them in the comments. Of course only publicly known ones. If you have a newly discovered flaw, use proper disclosure channels.

Windows Update leads to spam site (hus.parkingspa.com/hc3.asp) today

Today, when trying to update one of my Microsoft Windows machines (Windows 7 Ultimate 64-bit) and clicking the More Information link, it led my browser to a SPAM site (DO NOT VISIT IT!):
http://hus.parkingspa.com/hc3.asp - DO NOT VISIT IT!

Windows update KB2505438

It happens only for one update, Update for Windows 7 for KB2505438, when you click the more info link; see the screenshot.

Here is a screenshot for that SPAM / domain squatter site:

Spam site from Windows Update


Why and how did this happen?

It seems that someone responsible for update links at Microsoft failed to enter the correct Microsoft KB article address:
http://support.micrososft.com/kb/2505438 - DO NOT VISIT IT!

Correct address is:
http://support.microsoft.com/kb/2505438

At first it seemed like the computer was infected by some virus / spyware, but that is not the case.

UPDATE:
While I was writing this, Microsoft had already fixed it.

UPDATE 2:
Other people noticed this too:

FireWire port is a big security hole

Today, reading Larry Osterman’s blog, I learned something new. I always knew that physical access to a computer / server almost always means that it may be compromised in one way or another, e.g. cryogenically frozen RAM bypasses all disk encryption methods. More here.

One thing I didn’t know about is the FireWire (IEEE 1394 interface) security issues.

From Uwe Hermann’s blog:

… if you gain physical access to a PC or laptop which has Firewire ports … you can read arbitrary RAM contents from the victim’s system, overwrite arbitrary RAM contents with whatever you want …

Read more: Physical memory attacks via Firewire/DMA – Part 1: Overview and Mitigation

P.S. Rebooting my computer into BIOS to disable FireWire.