
WooCommerce Plug-in Cross-Site Scripting Vulnerability

WooCommerce is an open source e-commerce plugin for WordPress. It is designed for small to large-sized online merchants using WordPress. According to WooCommerce, the plugin now powers over 30% of all online stores running WordPress with over one million downloads.

FortiGuard Labs discovered another Cross-Site Scripting (XSS) vulnerability in WooCommerce. FortiGuard disclosed a different XSS vulnerability in WooCommerce earlier this year, leading Fortinet’s Chris Dawson to ask if it was time to worry about WordPress. As he pointed out,

More often than not, though, plugins don’t get updated simply because WordPress lends itself to a “set it and forget it” mentality. Get everything working, install the extra bits you need, and go on about running your business, not worrying about your website. This ease of use and overall reliability is fantastic for WordPress users, but the false sense of security it creates is a recipe for disaster.

This new vulnerability is caused by insufficient sanitization of user-supplied input in the product sale price field. It could allow remote attackers to launch an XSS attack to gather a user’s sensitive information for further attacks, redirect a victim’s browser to a malicious website, etc.

When a product information update request is submitted, vulnerable versions of WooCommerce do not sanitize the value of the product sale price on the server side, so the injected code is included in the product web page as well. It can be exploited to attack innocent users visiting the tampered product page. Any user with edit or higher permission could exploit this vulnerability.

In our proof of concept, we were able to craft a request that, when sent to WordPress WooCommerce, generated a new page and sent it back to the browser. The new web page contains the injected code that can be automatically executed in the browser.

WooCommerce version 2.4.8 and before should upgrade to the latest version of WooCommerce. Networks and users who have deployed Fortinet IPS are automatically protected from this vulnerability by IPS Signature: WordPress.WooCommerce.Plugin.Product.Price.XSS.

Thanks to Fortinet’s FortiGuard Labs for discovering this vulnerability.

SSH With Two-Factor Authentication, Google Authenticator

To protect your SSH server with two-factor authentication, you can use the Google Authenticator PAM module. Each time you connect to your server via SSH with the Google Authenticator PAM module installed, you have to enter the code shown by the Google Authenticator app on your smartphone in addition to your password.

On Red Hat, CentOS and Fedora systems, install the pam-devel package together with the build tools needed to compile the module:

# yum install pam-devel make gcc-c++

Install wget if it is not already installed.

TOTP (time-based one-time password) security tokens are time sensitive. Hence, make sure that your system has ntpd running and that the service is configured to start at boot:

# service ntpd start
# chkconfig  ntpd on

Download, extract and build the Google Authenticator module as root, then copy the PAM module and the google-authenticator setup tool into place:

# cd /tmp
# wget http://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
# bunzip2 libpam-google-authenticator-1.0-source.tar.bz2
# tar xf libpam-google-authenticator-1.0-source.tar
# cd libpam-google-authenticator-1.0
# make
# make install
# cp pam_google_authenticator.so /lib64/security
# cp google-authenticator /usr/local/bin

Before configuring SSH, first set up Google Authenticator. Run “google-authenticator” as the user you wish to log in with via SSH. You will be prompted with a few questions.

Do you want me to update your "~/.google_authenticator" file (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DABCD12E3FGHIJKLMN
Your new secret key is: ABCD12E3FGHIJKLMN
Your verification code is 98765432
Your emergency scratch codes are:
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Next, add the following line at the top of /etc/pam.d/sshd, the PAM configuration used by the SSH daemon:

auth required pam_google_authenticator.so

This requires all users to use Google Authenticator for SSH authentication. To only require it for those users who have Google Authenticator configured for their account (the ~/.google_authenticator file exists), enter “auth required pam_google_authenticator.so nullok“ instead.

The order in which you place items in this file matters. Given this configuration, you will first be prompted for your Google Authenticator verification code, then for your system account password when you SSH into the system.

Modify /etc/ssh/sshd_config and verify these settings:

PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

Then restart the SSH daemon:

# service sshd restart

When you SSH into the system as a user configured for Google Authenticator, you will have to enter the verification code displayed in your Google Authenticator app, followed by your system password at the next prompt:

login as: root
Verification code: 01234567
Password: *******
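The setup prompts above describe the rules the PAM module applies to a code: a token is valid for 30 seconds, one extra token before and after the current one is accepted by default (the 1:30min window), and with reuse disallowed the same token cannot log in twice. The following added example (not part of the original post or of the Google Authenticator project) implements that verification logic in plain Python from RFC 4226/6238; the secret and timestamps are constructed test values.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # token lifetime, as stated in the google-authenticator prompts
DEFAULT_WINDOW = 1     # one extra token before and after "now": 3 x 30s = 1:30min


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for a base32 secret (the format google-authenticator prints)."""
    return hotp(base64.b32decode(secret_b32.upper()), at // STEP_SECONDS, digits)


class TotpVerifier:
    """Server-side check mirroring the PAM module's options: accept a code that
    matches any step within +/-window of the current step, and, when reuse is
    disallowed, refuse any step at or before the last accepted one (simplified
    replay protection; the real module records every used timestamp)."""

    def __init__(self, secret_b32: str, window: int = DEFAULT_WINDOW, disallow_reuse: bool = True):
        self.key = base64.b32decode(secret_b32.upper())
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.last_step = -1

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        # A wider window tolerates more clock skew but also enlarges the set of
        # codes that would be accepted at any moment.
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.key, step), code):
                if self.disallow_reuse and step <= self.last_step:
                    return False
                self.last_step = max(self.last_step, step)
                return True
        return False
```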

Popular WordPress Plugin ‘SEO by Yoast’ Vulnerable To Hackers

Yoast, a popular SEO plugin for WordPress, version and below, has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file: the orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.
Customers are advised to take immediate action and upgrade Yoast to the latest version, 1.7.4, or 1.5.3 for the Premium version.

How to find out if your computer is infected with the Superfish adware and remove it

LastPass has created a web tool that makes it easy to check whether your computer is infected. You can check by simply clicking on this link. To manually check for the Superfish adware and uninstall it, head to the Windows Control Panel, select Programs and click Uninstall a Program. Search the list for VisualDiscovery. If it is there, click the program and select Uninstall.
You’re not finished yet, though; there is one more step. You must also remove the Superfish certificates. Start by clicking the Windows Start button and typing certmgr.msc in the search box.
Launch the certmgr.msc program, click on Trusted Root Certification Authorities, followed by Certificates. Search through the certificates for anything mentioning Superfish Inc. Once you have found the certificates, right-click them and select Delete. To make sure you have fully removed the program, restart your browser and revisit the LastPass web tool.