WordPress 4.5.3 Fixes Bug That Allowed Password Change via Stolen Cookies
A recent WordPress update addresses a critical security flaw that allowed attackers to change a user's password by leveraging stolen cookies. The WordPress security team's Michael Adams discovered this issue internally.
Browser cookies are easy to steal: plenty of publicly available exploit code can be packaged as a simple XSS payload that exfiltrates a user's cookies, either for a specific site or for all sites. The WordPress core team also fixed a redirect bypass in the theme customizer, reported by Yassine Aboukir, and an information disclosure issue in the page/post revision history feature, reported by Dan Moen and John Blackbourn.
Over 176,000 Unique Hacked Servers Sold on xDedic Marketplace
While that figure alone is impressive, it seems that it is only the tip of the iceberg. The real number of hacked servers that have been traded on xDedic since October 2014, when it first appeared, is around three times larger, the researchers have recently discovered…
According to a new blog post, a whopping 176,000 unique hacked servers were traded on xDedic between October 2014 and February 2016. The data set they received shows all entries until the end of the day February 29, 2016, and supposedly comes from a person who had access to detailed information on the servers traded on the marketplace…
The most expensive server on xDedic was $6,000, researchers reveal, while adding that only around 50 servers cost more than $50 and that all of them were in the United States.
These two news stories are connected. WordPress is the world's most popular CMS. Along with Drupal and Joomla, it accounts for about 70% of the CMSs in use on web applications, and all of them are very popular targets, with good reason. As the first story shows, WordPress has a number of critical vulnerabilities that are exploitable by hackers. In most cases they are found by white hats, reported to the respective organisations and fixed in time. But even when the fixed software is released, the patch may not be applied quickly due to various considerations. This leaves many sites vulnerable to attacks.
The second story is tangentially related to the first. Many of the servers that were compromised would likely have been running a popular CMS such as WordPress. Once they are compromised, access is sold in darknet marketplaces for use by malicious actors. This is borne out by Cisco's latest Annual Security Report, which records a 221% increase in the number of WordPress domains compromised by hackers. Many of these servers are then used to serve malware.
Securing your web applications requires significant work. You need to keep on top of the latest software defects, both in the underlying OS and in the web application software. When updates are released, they need to be tested and deployed quickly. If an update breaks the site, you need to revert it and keep a continual watch on the site to ensure no one breaks in until you can fix the problem and update.
Securing your web application need not be difficult. The Barracuda Web Application Firewall exists to secure your web applications easily and provide you with peace of mind. Once you deploy the Barracuda Web Application Firewall in front of your web application, it is trivially easy to set up an HTTPS front end and enable complete application security. The Barracuda Web Application Firewall provides complete security against all web attacks, including DDoS and web scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.