WPML vulnerabilities

Original Article

Overview

WPML is the industry standard for creating multi-lingual WordPress sites. Several vulnerabilities were found in the plug-in. The most serious of them, an SQL injection problem, allows anyone to read the contents of the WordPress database, including user details and password hashes, without authentication.

System administrators should update to version 3.1.9 released earlier this week to resolve the issues.

Details

1. SQL injection

When WPML processes an HTTP POST request containing the parameter "action=wp-link-ajax", it determines the current language by parsing the HTTP Referer header. The parsed language code is neither checked for validity nor SQL-escaped. The user doesn't need to be logged in.

By sending a carefully crafted referer value with the mentioned POST request parameter, an attacker can perform SQL queries on arbitrary tables and retrieve their results. In addition to the standard WordPress database and tables, the attacker may query all other databases and tables accessible to the web backend.

The following HTML snippet demonstrates the vulnerability:

The results of the SQL query are shown, XML-formatted, in the comments feed.

2. Page/post/menu deletion

WPML contains a ”menu sync” function which helps site administrators to keep WordPress menus consistent across different languages. This functionality lacked any access control, allowing anyone to delete practically all content of the website – posts, pages, and menus.

Example:

Submitting the above form would delete the row with the ID 12345 in the wp_posts database. Several items can be deleted with the same request.

3. Reflected XSS

The "reminder popup" code intended for administrators in WPML didn't check for login status or a nonce. An attacker can direct target users to a URL like:

https://YOUR.WORDPRESS.BLOG/?icl_action=reminder_popup&target=javascript%3aalert%28%2fhello+world%2f%29%3b%2f%2f

to execute JavaScript in their browser. This example bypasses the Chrome XSS Auditor.

In the case of WordPress, XSS triggered by an administrator can lead to server-side compromise via the plugin and theme editors.

4. Unauthenticated administrative functions

An unauthenticated attacker may bypass WPML’s nonce check and perform administrative functions.

The administrative ajax functions are protected with nonces to prevent unauthorized use. If the nonce check failed with $_REQUEST values, there was a secondary check that also had to fail before the request was denied:

if (!( isset( $_GET[ 'icl_ajx_action' ] ) && $_GET[ 'nonce' ] == wp_create_nonce( $_GET[ 'icl_ajx_action' ] ) )) {
        die('Invalid nonce');
}

The problem is the mixed use of $_REQUEST and $_GET. If the above check succeeds, subsequent code again uses $_REQUEST instead of $_GET to determine the ajax action to perform.

If the attacker has a valid nonce generated by the target WordPress site – any plug-in or the core system – then they can pass the above check. They can then define a different ajax action in POST parameters to perform administrative functions without authentication.

An unauthenticated attacker could then execute any of the roughly 50 WPML ajax actions intended for administrators only. There is a lot of choice for manipulating or destroying data. For instance, it's possible to define a root html file which is evaluated as

include $html_file;

This would allow reading server-side files or evaluating PHP code hosted on remote sites (if allowed by PHP settings).

A default WordPress installation with only WPML installed apparently doesn't generate nonces for unauthenticated users, so this is probably not exploitable unless other plug-ins are installed or the user can log in. For example, bbPress generates nonces for unauthenticated users.

Proof of concept:

In the above example, a toggle-subscription nonce generated by bbpress is used. It can be retrieved by unauthenticated users (go to a forum page, view source). On submitting the form, WPML will pass the ajax action because the bbpress nonce is valid.

The ajax action is determined from the POST parameters. In this example, the settings would be changed so that contents of /etc/passwd would be shown as the default page on the website.

This PoC was successfully tested with WPML 3.1.7.2.
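To make the root cause of issue 4 concrete, here is an added Python model (not WPML's or the advisory's code) of the check-one-source, dispatch-from-another pattern, beside a hardened dispatcher that reads the action once, verifies the nonce against that same value and requires an administrative capability. The nonce construction, the action names and the POST-overrides-GET merge order are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed stand-ins; none of these values come from WPML or WordPress.
SITE_SECRET = b"example-site-secret"
ADMIN_ACTIONS = {"example_admin_action"}        # placeholder name for an admin-only ajax action
# "toggle-subscription" is the action the advisory names as one any visitor can get a nonce for.


def create_nonce(action: str, secret: bytes = SITE_SECRET) -> str:
    """Simplified model of an action-bound nonce: a truncated HMAC over the action name."""
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, action: str, secret: bytes = SITE_SECRET) -> bool:
    return hmac.compare_digest(nonce, create_nonce(action, secret))


def merged_request(get: dict, post: dict) -> dict:
    """Model of PHP's $_REQUEST under the default request_order "GP":
    POST values override GET values (assumption about the PHP configuration)."""
    return {**get, **post}


def dispatch_vulnerable(get: dict, post: dict) -> str:
    """The pattern the advisory describes: the nonce is compared against
    $_GET['icl_ajx_action'], but the action that actually runs is read from $_REQUEST."""
    claimed = get.get("icl_ajx_action")
    if not (claimed and verify_nonce(get.get("nonce", ""), claimed)):
        return "denied: invalid nonce"
    action = merged_request(get, post)["icl_ajx_action"]    # may differ from `claimed`
    return f"ran {action}"


def dispatch_fixed(get: dict, post: dict, user_is_admin: bool) -> str:
    """Hardened form: take the action from one place, verify the nonce against that same
    value, and require an administrative capability (the analogue of a capability check
    such as current_user_can) before anything runs."""
    request = merged_request(get, post)
    action = request.get("icl_ajx_action", "")
    if action not in ADMIN_ACTIONS:
        return "denied: unknown action"
    if not verify_nonce(request.get("nonce", ""), action):
        return "denied: invalid nonce"
    if not user_is_admin:
        return "denied: insufficient privileges"
    return f"ran {action}"
```

A nonce valid for the public action passes the original check, and the action executed is then taken from the POST body; the fixed version rejects the same request because the nonce is verified against the action that would actually run.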

Credits

The vulnerabilities were found by Jouko Pynnonen of Klikki Oy while researching WordPress plugins falling in the scope of the Facebook bug bounty program.

The vendor was notified on March 2, 2015 and the patch was released on March 10.

Zero Day SQL Injection Vulnerability in WordPress Video Gallery

Original Article

Looks like they have now yanked the affected plugin until the vulnerability is fixed, so the link below to the plugin will be a dead link until the author fixes the issue.

There is currently a zero day SQL injection vulnerability in the WordPress Video Gallery plugin. Our researchers are seeing exploits in the wild for this and the exploits claim the vendor has been notified on the 9th of February.

The plugin still has not been updated by the vendor. Because this is being exploited actively and the vendor has been notified, we are now publicly disclosing the existence of this vulnerability.

The vulnerability allows an attacker to download all databases that your WordPress system has access to. We have verified this in our lab by exploiting one of our internal systems with the newest version of this plugin installed.

At this time we recommend you disable and remove the plugin code immediately to close the security hole. When the vendor releases a security fix you can consider reinstalling this plugin.

Note: In our testing, disabling this plugin does appear to remove the ability to exploit this vulnerability. However we recommend that just to be safe, you also delete this plugin’s code.

A ‘googledork’ is also available in the exploit which allows attackers to use Google to find sites which suffer from this vulnerability in order to exploit them.

Please share/tweet/mail this to your fellow WordPress administrators to help create awareness about this serious issue.

Brute Force Attacks Explained

Brute-Force Attacks Explained: How All Encryption is Vulnerable

Original Article

Brute-force attacks are fairly simple to understand, but difficult to protect against. Encryption is math, and as computers become faster at math, they become faster at trying all the solutions and seeing which one fits.

These attacks can be used against any type of encryption, with varying degrees of success. Brute-force attacks become faster and more effective with each passing day as newer, faster computer hardware is released.

Brute-Force Basics

Brute-force attacks are simple to understand. An attacker has an encrypted file — say, your LastPass or KeePass password database. They know that this file contains data they want to see, and they know that there’s an encryption key that unlocks it. To decrypt it, they can begin to try every single possible password and see if that results in a decrypted file.

They do this automatically with a computer program, so the speed at which someone can brute-force encryption increases as available computer hardware becomes faster and faster, capable of doing more calculations per second. The brute-force attack would likely start at one-digit passwords before moving to two-digit passwords and so on, trying all possible combinations until one works.

A “dictionary attack” is similar and tries words in a dictionary — or a list of common passwords — instead of all possible passwords. This can be very effective, as many people use such weak and common passwords.

Why Attackers Can't Brute-Force Web Services

There's a difference between online and offline brute-force attacks. For example, if an attacker wants to brute-force their way into your Gmail account, they can begin to try every single possible password — but Google will quickly cut them off. Services that provide access to such accounts throttle access attempts and ban IP addresses that attempt to log in too many times. Thus, an attack against an online service wouldn't work too well, because very few attempts can be made before the attack is halted.

For example, after a few failed login attempts, Gmail will show you a CAPTCHA image to verify you aren't a computer automatically trying passwords. They'll likely stop your login attempts completely if you manage to continue for long enough.

On the other hand, let’s say an attacker snagged an encrypted file from your computer or managed to compromise an online service and download such encrypted files. The attacker now has the encrypted data on their own hardware and can try as many passwords as they want at their leisure. If they have access to the encrypted data, there’s no way to prevent them from trying a large number of passwords in a short period of time. Even if you’re using strong encryption, it’s to your benefit to keep your data safe and ensure others can’t access it.

Hashing

Strong hashing algorithms can slow down brute-force attacks. Essentially, hashing algorithms perform additional mathematical work on a password before storing a value derived from the password on disk. If a slower hashing algorithm is used, it will require thousands of times as much mathematical work to try each password and dramatically slow down brute-force attacks. However, the more work required, the more work a server or other computer has to do each time a user logs in with their password. Software must balance resilience against brute-force attacks with resource usage.

Brute-Force Speed

Speed all depends on hardware. Intelligence agencies may build specialized hardware just for brute-force attacks, just as Bitcoin miners build their own specialized hardware optimized for Bitcoin mining. When it comes to consumer hardware, the most effective type of hardware for brute-force attacks is a graphics card (GPU). As it’s easy to try many different encryption keys at once, many graphics cards running in parallel are ideal.

At the end of 2012, Ars Technica reported that a 25-GPU cluster could crack every Windows password under 8 characters in less than six hours. The NTLM algorithm Microsoft used just wasn’t resilient enough. However, when NTLM was created, it would have taken much longer to try all these passwords. This wasn’t considered enough of a threat for Microsoft to make the encryption stronger.

Speed is increasing, and in a few decades we may discover that even the strongest cryptographic algorithms and encryption keys we use today can be quickly cracked by quantum computers or whatever other hardware we’re using in the future.

Protecting Your Data From Brute-Force Attacks

There’s no way to protect yourself completely. It’s impossible to say just how fast computer hardware will get and whether any of the encryption algorithms we use today have weaknesses that will be discovered and exploited in the future. However, here are the basics:

  • Keep your encrypted data safe where attackers can't get access to it. Once they have your data copied to their hardware, they can try brute-force attacks against it at their leisure.
  • If you run any service that accepts logins over the Internet, ensure that it limits login attempts and blocks people who attempt to log in with many different passwords in a short period of time. Server software is generally set to do this out of the box, as it's a good security practice.
  • Use strong encryption algorithms, such as SHA-512. Ensure you're not using old encryption algorithms with known weaknesses that are easy to crack.
  • Use long, secure passwords. All the encryption technology in the world isn't going to help if you're using "password" or the ever-popular "hunter2".

Brute-force attacks are something to be concerned about when protecting your data, choosing encryption algorithms, and selecting passwords. They’re also a reason to keep developing stronger cryptographic algorithms — encryption has to keep up with how fast it’s being rendered ineffective by new hardware.
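The throttling that the Gmail paragraph and the second bullet above describe, as an added Python example that is not part of the original article: a per-source sliding-window limiter that allows a few failures, then demands a CAPTCHA, then refuses the source for a cooling-off period. The thresholds, the documentation-range IP addresses and the attempt log are constructed.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter for an online login endpoint.

    Decisions follow the behaviour described in the text: a few failures in the
    window trigger a CAPTCHA, many failures block the source for `block_for` seconds.
    Thresholds are illustrative, not taken from any real service."""

    def __init__(self, captcha_after=3, block_after=10, window=600, block_for=3600):
        self.captcha_after = captcha_after
        self.block_after = block_after
        self.window = window                 # seconds over which failures are counted
        self.block_for = block_for           # seconds a blocked source stays blocked
        self.failures = defaultdict(deque)   # source -> timestamps of recent failures
        self.blocked_until = {}              # source -> time the block expires

    def _prune(self, source, now):
        """Drop failures that fell out of the window; return the remaining queue."""
        q = self.failures[source]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, source, now):
        """Decision to take before processing an attempt: 'allow', 'captcha' or 'block'."""
        if self.blocked_until.get(source, 0) > now:
            return "block"
        recent = len(self._prune(source, now))
        return "captcha" if recent >= self.captcha_after else "allow"

    def record_failure(self, source, now):
        q = self._prune(source, now)
        q.append(now)
        if len(q) >= self.block_after:
            self.blocked_until[source] = now + self.block_for
            q.clear()                        # the block, not the counter, now governs

    def record_success(self, source):
        """A correct login resets the failure count for that source only."""
        self.failures.pop(source, None)


def simulate(attempts, throttle=None):
    """Feed (source, timestamp, password_ok) attempts through a throttle and return the
    decision taken for each; attempts that hit 'block' are not processed at all.
    `source` is whatever the service keys on, for example the client IP address."""
    t = throttle or LoginThrottle()
    decisions = []
    for source, now, ok in attempts:
        decision = t.check(source, now)
        decisions.append(decision)
        if decision == "block":
            continue
        if ok:
            t.record_success(source)
        else:
            t.record_failure(source, now)
    return decisions
```

Run against a single source failing once per second, the limiter allows three attempts, demands a CAPTCHA for the next seven and then blocks the source, while other sources are unaffected.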


Creating Your Back Up Plan: Backing Up 101

Because data is the heart of the enterprise, it’s crucial for you to protect it. And to protect your organization’s data, you need to implement a data backup and recovery plan. Backing up files can protect against accidental loss of user data, database corruption, hardware failures, and even natural disasters. It’s your job as an administrator to make sure that backups are performed and that backup tapes are stored in a secure location.

Creating a Backup and Recovery Plan:

Data backup is an insurance plan. Important files are accidentally deleted all the time. Mission-critical data can become corrupt. Natural disasters can leave your office in ruin. With a solid backup and recovery plan, you can recover from any of these. Without one, you’re left with nothing to fall back on.

Figuring Out a Backup Plan

It takes time to create and implement a backup and recovery plan. You’ll need to figure out what data needs to be backed up, how often the data should be backed up, and more. To help you create a plan, consider the following:

  • How important is the data on your systems? The importance of data can go a long way in helping you determine if you need to back it up—as well as when and how it should be backed up. For critical data, such as a database, you’ll want to have redundant backup sets that extend back for several backup periods. For less important data, such as daily user files, you won’t need such an elaborate backup plan, but you’ll need to back up the data regularly and ensure that the data can be recovered easily.
  • What type of information does the data contain? Data that doesn’t seem important to you may be very important to someone else. Thus, the type of information the data contains can help you determine if you need to back up the data—as well as when and how the data should be backed up.
  • How often does the data change? The frequency of change can affect your decision on how often the data should be backed up. For example, data that changes daily should be backed up daily.
  • How quickly do you need to recover the data? Time is an important factor in creating a backup plan. For critical systems, you may need to get back online swiftly. To do this, you may need to alter your backup plan.
  • Do you have the equipment to perform backups? You must have backup hardware to perform backups. To perform timely backups, you may need several backup devices and several sets of backup media. Backup hardware includes tape drives, optical drives, and removable disk drives. Generally, tape drives are less expensive but slower than other types of drives.
  • Who will be responsible for the backup and recovery plan? Ideally, someone should be a primary contact for the organization’s backup and recovery plan. This person may also be responsible for performing the actual backup and recovery of data.
  • What is the best time to schedule backups? Scheduling backups when system use is as low as possible will speed the backup process. However, you can’t always schedule backups for off-peak hours. So you’ll need to carefully plan when key system data is backed up.
  • Do you need to store backups off-site? Storing copies of backup tapes off-site is essential to recovering your systems in the case of a natural disaster. In your off-site storage location, you should also include copies of the software you may need to install to reestablish operational systems.

The Basic Types of Backup

There are many techniques for backing up files. The techniques you use will depend on the type of data you’re backing up, how convenient you want the recovery process to be, and more.

If you view the properties of a file or directory in Windows Explorer, you’ll note an attribute called Archive. This attribute often is used to determine whether a file or directory should be backed up. If the attribute is on, the file or directory may need to be backed up. The basic types of backups you can perform include

  • Normal/full backups – All files that have been selected are backed up, regardless of the setting of the archive attribute. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up.
  • Copy backups – All files that have been selected are backed up, regardless of the setting of the archive attribute. Unlike a normal backup, the archive attribute on files isn't modified. This allows you to perform other types of backups on the files at a later date.
  • Differential backups – Designed to create backup copies of files that have changed since the last normal backup. The presence of the archive attribute indicates that the file has been modified, and only files with this attribute are backed up. However, the archive attribute on files isn't modified. This allows you to perform other types of backups on the files at a later date.
  • Incremental backups – Designed to create backups of files that have changed since the most recent normal or incremental backup. The presence of the archive attribute indicates that the file has been modified, and only files with this attribute are backed up. When a file is backed up, the archive attribute is cleared. If the file is later modified, this attribute is set, which indicates that the file needs to be backed up.
  • Daily backups – Designed to back up files using the modification date on the file itself. If a file has been modified on the same day as the backup, the file will be backed up. This technique doesn't change the archive attributes of files.

In your backup plan you’ll probably want to perform full backups on a weekly basis and supplement this with daily, differential, or incremental backups. You may also want to create an extended backup set for monthly and quarterly backups that includes additional files that aren’t being backed up regularly.

Tip: You'll often find that weeks or months can go by before anyone notices that a file or data source is missing. This doesn't mean the file isn't important. Although some types of data aren't used often, they're still needed. So don't forget that you may also want to create extra sets of backups for monthly or quarterly periods, or both, to ensure that you can recover historical data over time.

Differential and Incremental Backups

The difference between differential and incremental backups is extremely important. To understand the distinction between them, examine the table below. As it shows, with differential backups you back up all the files that have changed since the last full backup (which means that the size of the differential backup grows over time). With incremental backups, you only back up files that have changed since the most recent full or incremental backup (which means the size of the incremental backup is usually much smaller than a full backup).

Incremental and Differential Backup Techniques:

Day of Week   Weekly Full Backup with Daily Differential Backup            Weekly Full Backup with Daily Incremental Backup
Sunday        A full backup is performed.                                  A full backup is performed.
Monday        A differential backup contains all changes since Sunday.     An incremental backup contains changes since Sunday.
Tuesday       A differential backup contains all changes since Sunday.     An incremental backup contains changes since Monday.
Wednesday     A differential backup contains all changes since Sunday.     An incremental backup contains changes since Tuesday.
Thursday      A differential backup contains all changes since Sunday.     An incremental backup contains changes since Wednesday.
Friday        A differential backup contains all changes since Sunday.     An incremental backup contains changes since Thursday.
Saturday      A differential backup contains all changes since Sunday.     An incremental backup contains changes since Friday.
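The five backup types and the table above, as an added Python simulation (not from the original article) of how each type selects files and handles the archive attribute across one week, together with the chain of backup sets each strategy needs for a restore. The file names and the change schedule are constructed sample data.

```python
from datetime import date, timedelta

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


class File:
    """A file carrying the archive attribute described in the text."""

    def __init__(self, name: str, modified: date):
        self.name = name
        self.modified = modified
        self.archive = True      # set: changed since the last normal/incremental backup

    def touch(self, day: date) -> None:
        self.modified = day
        self.archive = True      # any modification sets the attribute again


def run_backup(kind: str, files: list, today: date) -> list:
    """Select files the way each backup type does and update the archive attribute
    the way each type does. Returns the names written to this backup set."""
    if kind in ("normal", "copy"):
        selected = list(files)                              # everything, attribute ignored
    elif kind in ("differential", "incremental"):
        selected = [f for f in files if f.archive]          # only files flagged as changed
    elif kind == "daily":
        selected = [f for f in files if f.modified == today]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):                   # only these two clear the flag
        for f in selected:
            f.archive = False
    return [f.name for f in selected]


def simulate_week(strategy: str, changes: dict, start: date = date(2015, 3, 1)) -> dict:
    """Full (normal) backup on Sunday, then `strategy` every day Monday..Saturday.
    `changes` maps a weekday name to the file names modified that day (constructed).
    Returns {weekday: [names in that day's backup set]}."""
    assert start.weekday() == 6, "start must be a Sunday"
    names = sorted({n for day in changes.values() for n in day} | {"db.mdb", "report.doc"})
    files = [File(n, start - timedelta(days=1)) for n in names]
    sets = {}
    for i, day in enumerate(DAYS):
        today = start + timedelta(days=i)
        for f in files:
            if f.name in changes.get(day, ()):
                f.touch(today)
        sets[day] = run_backup("normal" if i == 0 else strategy, files, today)
    return sets


def restore_chain(strategy: str, day: str) -> list:
    """Backup sets needed to restore to the end of `day`: a differential restore needs the
    full set plus the latest differential; an incremental restore needs the full set plus
    every incremental taken since."""
    if strategy not in ("differential", "incremental"):
        raise ValueError(f"no restore chain defined for: {strategy}")
    i = DAYS.index(day)
    chain = ["Sunday normal"]
    if i == 0:
        return chain
    if strategy == "differential":
        return chain + [f"{day} differential"]
    return chain + [f"{d} incremental" for d in DAYS[1:i + 1]]
```

With a file changed on Monday and another on Tuesday, every differential set from Tuesday on contains both files, while the incremental sets contain only the day's changes and the copy and daily types leave the archive attribute alone.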

Once you determine what data you’re going to back up and how often, you can select backup devices and media that support these choices. These are covered in the next section.

Selecting Backup Devices and Media

Many tools are available for backing up data. Some are fast and expensive. Others are slow but very reliable. The backup solution that’s right for your organization depends on many factors, including

  • Capacity – The amount of data that you need to back up on a routine basis. Can the backup hardware support the required load given your time and resource constraints?
  • Reliability – The reliability of the backup hardware and media. Can you afford to sacrifice reliability to meet budget or time needs?
  • Extensibility – The extensibility of the backup solution. Will this solution meet your needs as the organization grows?
  • Speed – The speed with which data can be backed up and recovered. Can you afford to sacrifice speed to reduce costs?
  • Cost – The cost of the backup solution. Does it fit into your budget?

Common Backup Solutions

Capacity, reliability, extensibility, speed, and cost are the issues driving your backup plan. If you understand how these issues affect your organization, you’ll be on track to select an appropriate backup solution. Some of the most commonly used backup solutions include

  • Tape drives – Tape drives are the most common backup devices. Tape drives use magnetic tape cartridges to store data. Magnetic tapes are relatively inexpensive but aren't highly reliable. Tapes can break or stretch. They can also lose information over time. The average capacity of tape cartridges ranges from 100 MB to 2 GB. Compared with other backup solutions, tape drives are fairly slow. Still, the selling point is the low cost.
  • Digital audio tape (DAT) drives – DAT drives are quickly replacing standard tape drives as the preferred backup devices. DAT drives use 4 mm and 8 mm tapes to store data. DAT drives and tapes are more expensive than standard tape drives and tapes, but they offer more speed and capacity. DAT drives that use 4 mm tapes can typically record over 30 MB per minute and have capacities of up to 16 GB. DAT drives that use 8 mm tapes can typically record more than 10 MB per minute and have capacities of up to 36 GB (with compression).
  • Auto-loader tape systems – Auto-loader tape systems use a magazine of tapes to create extended backup volumes capable of meeting the high-capacity needs of the enterprise. With an auto-loader system, tapes within the magazine are automatically changed as needed during the backup or recovery process. Most auto-loader tape systems use DAT tapes. The typical system uses magazines with between 4 and 12 tapes. The main drawback to these systems is the high cost.
  • Magnetic optical drives – Magnetic optical drives combine magnetic tape technology with optical lasers to create a more reliable backup solution than DAT. Magnetic optical drives use 3.5-inch and 5.25-inch disks that look similar to floppies but are much thicker. Typically, magnetic optical disks have capacities of between 1 GB and 4 GB.
  • Tape jukeboxes – Tape jukeboxes are similar to auto-loader tape systems. Jukeboxes use magnetic optical disks rather than DAT tapes to offer high-capacity solutions. These systems load and unload disks stored internally for backup and recovery operations. Their key drawback is the high cost.
  • Removable disks – Removable disks, such as Iomega Jaz, are increasingly being used as backup devices. Removable disks offer good speed and ease of use for a single drive or single system backup. However, the disk drives and the removable disks tend to be more expensive than standard tape or DAT drive solutions.
  • Disk drives – Disk drives provide the fastest way to back up and restore files. With disk drives, you can often accomplish in minutes what takes a tape drive hours. So when business needs mandate a speedy recovery, nothing beats a disk drive. The drawbacks to disk drives, however, are relatively high costs and less extensibility.

Before you can use a backup device, you must install it. When you install backup devices other than standard tape and DAT drives, you need to tell the operating system about the controller card and drivers that the backup device uses. For detailed information on installing devices and drivers, see the section of Chapter 2 entitled “Managing Hardware Devices and Drivers.”

Buying and Using Tapes

Selecting a backup device is an important step toward implementing a backup and recovery plan. But you also need to purchase the tapes or disks, or both, that will allow you to implement your plan. The number of tapes you need depends on how much data you’ll be backing up, how often you’ll be backing up the data, and how long you’ll need to keep additional data sets.

The typical way to use backup tapes is to set up a rotation schedule whereby you rotate through two or more sets of tapes. The idea is that you can increase tape longevity by reducing tape usage and at the same time reduce the number of tapes you need to ensure that you have historic data on hand when necessary.

One of the most common tape rotation schedules is the 10-tape rotation. With this rotation schedule, you use 10 tapes divided into two sets of 5 (one for each weekday). As shown in the table below, the first set of tapes is used one week and the second set of tapes is used the next week. On Fridays, full backups are scheduled. On Mondays through Thursdays, incremental backups are scheduled. If you add a third set of tapes, you can rotate one of the tape sets to an off-site storage location on a weekly basis.

Using Incremental Backups:

Day of Week   Tape Set 1                      Tape Set 2
Friday        Full backup on Tape 5           Full backup on Tape 5
Monday        Incremental backup on Tape 1    Incremental backup on Tape 1
Tuesday       Incremental backup on Tape 2    Incremental backup on Tape 2
Wednesday     Incremental backup on Tape 3    Incremental backup on Tape 3
Thursday      Incremental backup on Tape 4    Incremental backup on Tape 4

Tip: The 10-tape rotation schedule is designed for the 9 to 5 workers of the world. If you're in a 24 x 7 environment, you'll definitely want extra tapes for Saturday and Sunday. In this case, use a 14-tape rotation with two sets of 7 tapes. On Sundays, schedule full backups. On Mondays through Saturdays, schedule incremental backups.


CSS Box Model

CSS Box Model Overview

The CSS Box Model

All HTML elements can be considered as boxes. In CSS, the term “box model” is used when talking about design and layout.

The CSS box model is essentially a box that wraps around HTML elements, and it consists of: margins, borders, padding, and the actual content.

The box model allows us to add a border around elements, and to define space between elements.

The image below illustrates the box model:

Explanation of the different parts:

  • Content – The content of the box, where text and images appear
  • Padding – Clears an area around the content. The padding is transparent
  • Border – A border that goes around the padding and content
  • Margin – Clears an area outside the border. The margin is transparent

div {
     width: 300px;
     padding: 25px;
     border: 25px solid navy;
     margin: 25px;
}

Width and Height of an Element

In order to set the width and height of an element correctly in all browsers, you need to know how the box model works.

Note: When you set the width and height properties of an element with CSS, you set only the width and height of the content area. To calculate the full size of an element, you must also add the padding, borders and margins.

Let’s make a div element with a total width of 350px:

div {
     width: 320px;
     padding: 10px;
     border: 5px solid gray;
     margin: 0;
}

Let’s do the math:
320px (width)
+ 20px (left + right padding)
+ 10px (left + right border)
+ 0px (left + right margin)
= 350px

The total width of an element should be calculated like this:

Total element width = width + left padding + right padding + left border + right border + left margin + right margin

The total height of an element should be calculated like this:

Total element height = height + top padding + bottom padding + top border + bottom border + top margin + bottom margin


Browser Compatibility Issue

Internet Explorer 8 and earlier versions include padding and border in the width property.

To fix this problem, add a <!DOCTYPE html> declaration to the HTML page.

