Results for category "Security Advisories"

WordPress WP-Super-Cache plugin XSS vulnerability

Millions of WordPress websites that use WP-Super-Cache are exposed to attack due to a critical vulnerability in the popular plugin. WP-Super-Cache is normally installed to improve the performance of a WordPress site: it generates static HTML files from the dynamic WordPress pages and serves those instead.

The critical persistent (stored) cross-site scripting vulnerability was reported by Sucuri. Researcher Marc-Alexandre Montpas explained that attackers can exploit the flaw to inject malicious code into WordPress-published pages on sites that use the plugin.

According to Montpas, administrators of WordPress sites that use the plugin are urged to upgrade to version 1.4.4, which fixes the bug.

“Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts into the plugin’s cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.

When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.,” Sucuri researcher Marc-Alexandre Montpas wrote in a blog post published on the company website.


“As you can see from the above, the $details['key'] is directly appended to the page’s content, without being sanitized first ($details['uri'] is sanitized somewhere else, before this snippet).”


“As the 'key' index of the $details variable contains the get_wp_cache_key() function’s return (which contains data coming straight from the user’s cookies), an attacker can insert malicious scripts on the page.”

In vulnerable versions, the expert explained, the value was appended to the page contents without any escaping or validation, so an attacker can inject arbitrary script into the page and have it run in the browser of the administrator who views the listing.

If you own a WordPress site with this plugin enabled, you are urged to upgrade to the latest version immediately!

Remote vulnerability in bash – patches available for CVE-2014-6271, CVE-2014-7169

Bash, the Bourne-again shell, is a Unix shell and perhaps one of the most widely installed utilities on any Linux system. Since its creation in 1989, bash has grown from a simple terminal-based command interpreter into a component that many other programs run behind the scenes.

In Linux, environment variables provide a way to influence the behaviour of software on the system. They typically consist of a name with a value assigned to it, and bash inherits and exports them like any other program. It is common for programs to run a bash shell in the background: bash is often used to provide a shell to a remote user (via ssh or telnet, for example), to run CGI scripts (Apache and other web servers), or to provide limited command execution (git, for example).

A remotely exploitable vulnerability was discovered and disclosed publicly today by Stephane Chazelas, and it is extremely unpleasant. The vulnerability has the CVE identifier CVE-2014-6271.

As you may know, bash supports exporting shell functions as well as shell variables to other bash instances. This is accomplished through the process environment: the function is passed to the child process as an environment variable whose value begins with "() {", and the child parses and imports that definition at startup.

The major attack vectors that have been identified in this case are:

  • HTTP requests and CGI scripts
  • OpenSSH, when a ForceCommand or an authorized_keys command= restriction is in use: the client's requested command is exported to the forced command in the SSH_ORIGINAL_COMMAND environment variable
  • Various daemons and SUID/privileged programs
  • Any other application using bash as the interpreter

Like “real” programming languages, bash has functions, though in a somewhat limited implementation, and it is possible to put these functions into environment variables. The flaw is triggered when extra code is appended after the closing brace of such a function definition (inside the environment variable): when bash imports the function it keeps parsing and executes whatever follows. On an unpatched bash the appended echo runs before the command given with -c:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

The patch for this flaw ensures that no code is accepted after the end of a bash function definition. If you run the above example with a patched bash, you should get output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
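The same probe as an added example in C (not the page's own one-liner, and not code from the bash project): it spawns bash with the crafted variable and reports whether the command appended after the function body ran. The variable name is a parameter because bash ignores it, which is exactly what makes the CGI vector work: Apache exports a User-Agent header as HTTP_USER_AGENT, and a bash CGI script imports it like any other variable. The marker strings and function names are ours; the code assumes env and bash are on PATH and discards the warning a patched bash prints on stderr.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Printed by the trailing command if bash executes it. */
static const char *MARKER = "SHELLSHOCK_TRAILING_COMMAND_RAN";

/* Spawn bash with one environment variable whose value looks like an
 * exported function ("() { :;}") followed by an extra command.  A bash
 * affected by CVE-2014-6271 executes that extra command while importing
 * the function, before running the -c argument; a patched bash rejects
 * the definition (warning on stderr, discarded here) and runs only -c.
 *
 * Returns 1 if the trailing command ran (vulnerable), 0 if it did not,
 * and -1 if bash did not start at all (probe inconclusive).
 *
 * The variable name is a parameter because bash does not care what it
 * is: any name a CGI server exports from the request (HTTP_USER_AGENT,
 * HTTP_COOKIE, QUERY_STRING, ...) is an equally good carrier. */
static int bash_runs_trailing_command(const char *varname)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd,
                     "env '%s=() { :;}; echo %s' bash -c 'echo probe-ran' 2>/dev/null",
                     varname, MARKER);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;

    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;

    char line[256];
    int hit = 0, probe_ran = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, MARKER, strlen(MARKER)) == 0)
            hit = 1;
        if (strncmp(line, "probe-ran", 9) == 0)
            probe_ran = 1;
    }
    pclose(fp);

    if (!probe_ran)
        return -1;          /* no bash on PATH, or it failed to start */
    return hit;
}

/* The classic test from the advisory, using the variable name x. */
int shellshock_cve_2014_6271(void)
{
    return bash_runs_trailing_command("x");
}

/* Same payload delivered under the name Apache gives a User-Agent
 * header, i.e. the CGI attack vector listed above. */
int shellshock_via_cgi_header(void)
{
    return bash_runs_trailing_command("HTTP_USER_AGENT");
}

int main(void)
{
    static const char *verdict[] = { "inconclusive", "not vulnerable", "VULNERABLE" };
    int r1 = shellshock_cve_2014_6271();
    int r2 = shellshock_via_cgi_header();
    printf("CVE-2014-6271 via x:               %s\n", verdict[r1 + 1]);
    printf("CVE-2014-6271 via HTTP_USER_AGENT: %s\n", verdict[r2 + 1]);
    return 0;
}
```

Run it on every host that hands untrusted input to bash, not only on web servers. The probe covers CVE-2014-6271 only; the incomplete-patch follow-up CVE-2014-7169 needs a separate check with its own payload.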

We will continue to monitor the situation very closely. We expect proof of concept (PoC) exploits to be authored and distributed over the next few days. There is also the potential for variants of the original vulnerability, which may require further patching if other attack vectors or methods are found.

If you have any servers connected to the internet with bash installed, it is strongly recommended that you update bash. Many Linux distributions have already released a patched bash package into their repositories.


Update: 9/25/2014 4:00PM EDT

We have become aware that the patch for CVE-2014-6271 is incomplete. An attacker can still provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. See also Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271) in Red Hat Enterprise Linux. Red Hat and CentOS are working on patches in conjunction with the upstream developers as a critical priority.

Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271, and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches for it are being worked on.

Update: 9/26/2014 10:00AM EDT

We have obtained patches for CVE-2014-7169 and we strongly advise everyone update their systems immediately!

Download patches

SimFS (VZ / OpenVZ) Security Vulnerability #PSBM-27641, #CVE-2014-3519

***UPDATE IMMEDIATELY – Vulnerability in simfs virtual filesystem***

A critical vulnerability in the legacy simfs Container filesystem was fixed. This affects OpenVZ and Parallels Virtuozzo Containers based on vzfs.

Note: ploop filesystems were not affected.


CVE-2013-4969: Puppet Vulnerability


Puppet uses temp files unsafely by looking for a name it can use in a
directory, and then later writing to that file, creating a
vulnerability in which an attacker could make the name a symlink to
another file and thereby cause the puppet agent to overwrite something
that it did not intend to.
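The pattern the advisory describes, as an added C illustration that is not Puppet's code: the program checks that a name is free, an attacker who can write to the directory plants a symlink at that name, and the later open() follows the link and overwrites the attacker's chosen target. The hardened version creates the file with O_CREAT|O_EXCL|O_NOFOLLOW in a single step, which makes the "is it free?" check unnecessary and turns a planted symlink into an EEXIST error. File and directory names are made up for the demo; it needs a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Step 1 of the unsafe pattern: "is this name currently unused?"
 * The answer is stale the moment it is returned. */
static int name_is_free(const char *path)
{
    return access(path, F_OK) != 0;
}

/* Step 2, the unsafe way: a plain O_CREAT open follows symlinks, so if
 * a link was planted at `path` after step 1, the file it points to is
 * truncated and overwritten instead. */
static int write_following_symlinks(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w < 0 ? -1 : 0;
}

/* Step 2, the safe way: O_EXCL makes creation atomic and fails with
 * EEXIST if anything, symlink included, already sits at the name;
 * O_NOFOLLOW additionally refuses to traverse a symlink at the final
 * component.  No separate "is it free?" check is needed at all. */
static int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;      /* errno is EEXIST (or ELOOP): someone got there first */
    ssize_t w = write(fd, data, strlen(data));
    close(fd);
    return w < 0 ? -1 : 0;
}

/* First line of a file into buf; empty string if it cannot be read. */
static void first_line(const char *path, char *buf, size_t len)
{
    buf[0] = '\0';
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return;
    if (fgets(buf, (int)len, f) == NULL)
        buf[0] = '\0';
    fclose(f);
}

/* Plays both sides of the race in a scratch directory under /tmp.
 * Returns 1 when the symlink-following write clobbered the victim file
 * and the exclusive write refused, 0 if either half behaved otherwise,
 * -1 on setup failure. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/cve-2013-4969-demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], tmpname[256], buf[64];
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(tmpname, sizeof tmpname, "%s/puppet-tmp.1234", dir); /* predictable name */

    int result = -1;
    FILE *vf = fopen(victim, "w");
    if (vf != NULL) {
        fputs("original\n", vf);            /* contents the attacker wants replaced */
        fclose(vf);
        result = 0;

        /* program: the name looks unused; attacker: plant a link there */
        if (name_is_free(tmpname) && symlink(victim, tmpname) == 0) {
            int unsafe_rc = write_following_symlinks(tmpname, "clobbered\n");
            first_line(victim, buf, sizeof buf);
            int clobbered = unsafe_rc == 0 && strcmp(buf, "clobbered\n") == 0;

            int safe_rc = write_exclusive(tmpname, "safe\n");
            int refused = safe_rc == -1 && (errno == EEXIST || errno == ELOOP);

            result = (clobbered && refused) ? 1 : 0;
        }
    }
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("symlink race demo: %s\n",
           r == 1 ? "unsafe write clobbered the victim, O_EXCL|O_NOFOLLOW refused"
           : r == 0 ? "unexpected behaviour" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

The same fix applies to any language: Ruby's Tempfile and C's mkstemp() both open with O_EXCL, which is why "pick a name, then write it later" is the bug and not the directory permissions.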


CVE-2012-3480: glibc overflow vulnerability

This issue affects the glibc packages shipped with RHEL 5 and 6 and with Fedora 16 and 17.

Note: this was just reported and an official patch from RHEL is not yet available.

Vulnerability details

Multiple integer overflows, leading to stack-based buffer overflows, were found in various stdlib functions of GNU libc (strtod, strtof, strtold, strtod_l and related routines). If an application using the affected stdlib functions did not perform its own sanitization of the inputs it passes to them, a local attacker could use this flaw to cause the application to crash or, potentially, to execute arbitrary code with the privileges of the user running the application.

* Upstream bug report:

* Upstream patch (might not be the final one):

* References:

Sample reproducer from the upstream bug, completed so that it compiles (includes, braces and an exit after a failed malloc added; the strtod input is unchanged). It builds a string of "1" followed by 214,748,364 zeros and an exponent below INT_MIN, so the exponent arithmetic inside strtod overflows; an affected glibc crashes, a fixed one underflows the value to zero.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPONENT "e-2147483649"
#define SIZE 214748364

int
main (void)
{
  /* "1", then SIZE zeros, then an exponent smaller than INT_MIN. */
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      return 1;
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));  /* copies the NUL too */
  double d = strtod (p, NULL);
  printf ("%a\n", d);
  free (p);
  return 0;
}


MySQL / MariaDB authentication bypass (CVE-2012-2122): versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22

On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (a signed char). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, and the code that compares the hashed password then sometimes reports a match even when the wrong password was supplied. Since the authentication protocol generates a different hash each time this comparison is done, there is roughly a 1 in 256 chance per attempt that ANY password will be accepted.

Proof of Concept

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root account without knowing the password, provided root is permitted to connect from the client's address. Each rejected attempt exits silently; the first accepted one drops you into an interactive mysql shell. The page's copy of the command lost the host argument after -h; 127.0.0.1 is assumed here, substitute the target.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

Vulnerability Outline

  • All MariaDB/MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
  • MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
  • MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.
  • This issue got assigned an id CVE-2012-2122.

Vulnerability Details

Here’s the issue. When a user connects to MariaDB/MySQL, a token (SHA
over a password and a random scramble string) is calculated and compared
with the expected value. Because of incorrect casting, it might’ve
happened that the token and the expected value were considered equal,
even if the memcmp() returned a non-zero value. In this case
MySQL/MariaDB would think that the password is correct, even while it is
not. Because the protocol uses random strings, the probability of
hitting this bug is about 1/256.

Which means, if one knows a user name to connect (and “root” almost
always exists), she can connect using *any* password by repeating
connection attempts. ~300 attempts take only a fraction of a second, so
basically account password protection is as good as nonexistent.
Any client will do, there’s no need for a special libmysqlclient library.

But practically it’s better than it looks – many MySQL/MariaDB builds
are not affected by this bug.

Whether a particular build of MySQL or MariaDB is vulnerable, depends on
how and where it was built. A prerequisite is a memcmp() that can return
an arbitrary integer (outside of -128..127 range). To my knowledge gcc
builtin memcmp is safe, BSD libc memcmp is safe. Linux glibc
sse-optimized memcmp is not safe, but gcc usually uses the inlined
builtin version.

Patch Details

The password.c source can be patched against this vulnerability by replacing line 534 with:

return test(memcmp(hash_stage2, hash_stage2_reassured, SHA1_HASH_SIZE));
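What the casting bug looks like in code, and why wrapping memcmp() in test() fixes it, as an added C example that is not MySQL's source: my_bool and the test() macro follow MySQL's definitions, but word_memcmp is a constructed comparator that returns a difference outside -128..127 (standing in for the optimized libc memcmp the post blames), and the hash inputs come from a fixed PRNG rather than SHA-1 over a real scramble.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef char my_bool;            /* MySQL's my_bool: a plain char, as in the real tree */
#define SHA1_HASH_SIZE 20
#define test(a) ((a) ? 1 : 0)    /* the test() macro the fix wraps around memcmp */

/* Constructed comparator: compares 32-bit words and returns the difference
 * of the first mismatching pair.  Any non-zero value is a valid memcmp
 * result, but the low byte of that difference depends on only one byte of
 * each word, so it is 0 about one time in 256 even though the inputs differ.
 * It stands in for a libc memcmp whose result is not confined to -128..127. */
static int word_memcmp(const void *a, const void *b, size_t n)
{
    const unsigned char *p = a, *q = b;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, p + i, 4);
        memcpy(&wb, q + i, 4);
        if (wa != wb)
            return (int)(int32_t)(wa - wb);
    }
    for (; i < n; i++)
        if (p[i] != q[i])
            return (int)p[i] - (int)q[i];
    return 0;
}

/* Pre-fix shape of check_scramble(): the int from memcmp is returned
 * through a char, so 256, 512, -256, ... all collapse to 0, which the
 * caller reads as "password matches". */
static my_bool check_scramble_vuln(const uint8_t *got, const uint8_t *expected)
{
    return (my_bool) word_memcmp(got, expected, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse to 0/1 first, then the narrowing loses nothing. */
static my_bool check_scramble_fixed(const uint8_t *got, const uint8_t *expected)
{
    return (my_bool) test(word_memcmp(got, expected, SHA1_HASH_SIZE));
}

/* 1 if this memcmp result survives conversion to my_bool as "equal". */
int truncates_to_match(int memcmp_result)
{
    my_bool r = (my_bool) memcmp_result;
    return r == 0;
}

/* Feed `attempts` wrong hashes to the check and count how many are
 * accepted.  The hashes come from a fixed xorshift32 generator standing
 * in for the per-connection random scramble; no SHA-1 is computed. */
unsigned count_accepted(unsigned attempts, int use_fixed_check)
{
    uint8_t expected[SHA1_HASH_SIZE], got[SHA1_HASH_SIZE];
    uint32_t s = 0x2545F491u;
    unsigned accepted = 0;

    for (int i = 0; i < SHA1_HASH_SIZE; i++)
        expected[i] = (uint8_t)(i * 37 + 11);

    for (unsigned a = 0; a < attempts; a++) {
        for (int i = 0; i < SHA1_HASH_SIZE; i++) {
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            got[i] = (uint8_t) s;
        }
        if (memcmp(got, expected, SHA1_HASH_SIZE) == 0)
            continue;                        /* a genuinely right guess is not the bug */
        my_bool verdict = use_fixed_check ? check_scramble_fixed(got, expected)
                                          : check_scramble_vuln(got, expected);
        if (verdict == 0)                    /* 0 means "match" to the caller */
            accepted++;
    }
    return accepted;
}

#undef test   /* keep the MySQL-style macro from leaking past this example */

int main(void)
{
    printf("memcmp result 256 read as match: %d (vulnerable shape)\n", truncates_to_match(256));
    printf("wrong passwords accepted, vulnerable: %u of 25600\n", count_accepted(25600, 0));
    printf("wrong passwords accepted, fixed:      %u of 25600\n", count_accepted(25600, 1));
    return 0;
}
```

Running it shows roughly one wrong hash in 256 accepted by the pre-fix shape and none by the fixed one. The libc kept its side of the memcmp contract (zero means equal, anything else means different); the bit was lost in the implicit narrowing to char, which is why the one-line change to test() is the whole fix.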

Vendor Patches

Please check with your current OS vendor to see if patched binaries are available for updating.


OpenSSL Still vulnerable, fix CVE-2012-2110 not sufficient!

It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012, and referenced in this post on unhackable, was not sufficient to correct the issue for OpenSSL 0.9.8.

Please see for details of that vulnerability.

This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110.

Thanks to Red Hat for discovering and fixing this issue.

Affected users should upgrade to 0.9.8w.

OpenSSL Vulnerabilities – CVE-2012-2110, CVE-2006-7250, CVE-2012-1165


An application using OpenSSL could be made to crash or run programs if it
opened a specially crafted file.

Software Description:
– openssl: Secure Socket Layer (SSL) cryptographic library and tools


It was discovered that OpenSSL could be made to dereference a NULL pointer
when processing S/MIME messages. A remote attacker could use this to cause
a denial of service. These issues did not affect Ubuntu 8.04 LTS.
(CVE-2006-7250, CVE-2012-1165)

Tavis Ormandy discovered that OpenSSL did not properly perform bounds
checking when processing DER data via BIO or FILE functions. A remote
attacker could trigger this flaw in services that used SSL to cause a
denial of service or possibly execute arbitrary code with application
privileges. (CVE-2012-2110)

Ubuntu Security Advisory USN-1361-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-1361-1

13th February, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10


Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel


Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user
who can mount a FUSE file system could cause a denial of service.

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual
interrupt control is not available a local user could use this to cause a
denial of service by starting a timer. (CVE-2011-4622)

A flaw was discovered in the XFS filesystem. If a local user mounts a
specially crafted XFS image it could potentially execute arbitrary code on
the system. (CVE-2012-0038)

Chen Haogang discovered an integer overflow that could result in memory
corruption. A local unprivileged user could use this to crash the system.

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.10:

To update your system, please follow these instructions:

After a standard system update you need to reboot your computer to make
all the necessary changes.

Ubuntu Security Advisory: PHP / Upgrades available

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 11.10
– Ubuntu 11.04
– Ubuntu 10.10
– Ubuntu 10.04 LTS
– Ubuntu 8.04 LTS


USN 1358-1 introduced a regression in PHP.

Software Description:
– php5: HTML-embedded scripting language interpreter


USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for
CVE-2012-0831 introduced a regression where the state of the
magic_quotes_gpc setting was not correctly reflected when calling
the ini_get() function.

Original advisory details:

It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)

ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a “max_input_vars”
directive to the php.ini configuration file. See
for more information.

Stefan Esser discovered that the fix to address the predictable hash
collision issue, CVE-2011-4885, did not properly handle the situation
where the limit was reached. This could allow a remote attacker to
cause a denial of service or execute arbitrary code via a request
containing a large number of variables. (CVE-2012-0830)

It was discovered that PHP did not always check the return value of
the zend_strndup function. This could allow a remote attacker to
cause a denial of service. (CVE-2011-4153)

It was discovered that PHP did not properly enforce libxslt security
settings. This could allow a remote attacker to create arbitrary
files via a crafted XSLT stylesheet that uses the libxslt output
extension. (CVE-2012-0057)

It was discovered that PHP did not properly enforce that PDORow
objects could not be serialized and not be saved in a session. A
remote attacker could use this to cause a denial of service via an
application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc setting to
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection. (CVE-2012-0831)

USN 1126-1 addressed an issue where the /etc/cron.d/php5 cron job
for PHP allowed local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. Emese Revfy discovered
that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This
update corrects the issue. We apologize for the error. (CVE-2011-0441)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libapache2-mod-php5 5.3.6-13ubuntu3.6
php5 5.3.6-13ubuntu3.6
php5-cgi 5.3.6-13ubuntu3.6
php5-cli 5.3.6-13ubuntu3.6

Ubuntu 11.04:
libapache2-mod-php5 5.3.5-1ubuntu7.7
php5 5.3.5-1ubuntu7.7
php5-cgi 5.3.5-1ubuntu7.7
php5-cli 5.3.5-1ubuntu7.7

Ubuntu 10.10:
libapache2-mod-php5 5.3.3-1ubuntu9.10
php5 5.3.3-1ubuntu9.10
php5-cgi 5.3.3-1ubuntu9.10
php5-cli 5.3.3-1ubuntu9.10

Ubuntu 10.04 LTS:
libapache2-mod-php5 5.3.2-1ubuntu4.14
php5 5.3.2-1ubuntu4.14
php5-cgi 5.3.2-1ubuntu4.14
php5-cli 5.3.2-1ubuntu4.14

Ubuntu 8.04 LTS:
libapache2-mod-php5 5.2.4-2ubuntu5.23
php5 5.2.4-2ubuntu5.23
php5-cgi 5.2.4-2ubuntu5.23
php5-cli 5.2.4-2ubuntu5.23

In general, a standard system update will make all the necessary changes.