WPScan Intro: How to Scan for WordPress Vulnerabilities

In this post, we look at how to use WPScan. The tool gives you a better understanding of your WordPress website and its vulnerabilities. Be sure to check out our post on installing WPScan to get started with the software.

Big Threats Come from Unexpected Places

Imagine for a second that you’re a survivor in a zombie apocalypse.

You’ve holed up in a grocery store, barricading windows and checking door locks.

Continue reading WPScan Intro: How to Scan for WordPress Vulnerabilities at Sucuri Blog.

Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress

A vulnerability discovered in Packagist, which is used by Composer to manage PHP package requests, could have allowed attackers to trick Composer into downloading backdoored source code, potentially affecting all WordPress sites. Packagist reports that it’s not aware of any exploits. A SQL injection vulnerability was patched in the CleanTalk AntiSpam plugin installed on over 100k sites. Vulnerabilities were discovered in Exim mail server, including 3 RCE vulnerabilities. We’re seeing some of the first trickle-down attacks from the Codecov supply chain attack, first from HashiCorp and then from Twilio. Apple releases iOS 14.5.1 to patch vulnerabilities in WebKit that are being exploited in the wild, a DDoS takes down Belgium, Peloton exposes customer information, and Signal taunts Facebook with a rejected advertising campaign.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
00:37 PHP Package Manager Flaw Left Millions of Web Apps Open to Abuse
03:22 SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin
06:11 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server
09:01 Twilio discloses impact from Codecov supply-chain attack
12:40 Apple Is Having a Really Bad Time With iPhone Security Bugs This Year
15:04 Massive DDOS Attack Took Down Large Sections of a Country’s Internet
17:04 Data leak makes Peloton’s Horrible, No-Good, Really Bad Day even worse
18:27 Signal Wanted to Use Facebook’s targeted ads against it on Instagram
23:05 Wordfence K-12 Site Security Audit and Site Cleaning Program
23:30 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 116 Transcript

Ram Gall:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Given the news stories today, I think the appropriate response is a nonstop drawn-out scream but we’ll get to that.

Kathy Zant:
Ahhh

Kathy Zant:
Is that right?

Ram Gall:
Ahhhhhhh

Ram Gall:
Yeah, kind of like that.

Kathy Zant:
Our transcriptionist is going to love that.

Ram Gall:
I am sure they will.

Kathy Zant:
Yeah, there’s a lot going on this week. When I first started looking at all of the stories that are happening out there, I was like, “Oh, wow, yeah, there’s … Oh my … Oh, oh my, there is a lot going on.” This first story about this PHP package manager flaw left millions of web apps open to abuse. Now it wasn’t abused, this wasn’t something that was under attack in the wild, but the potential of what it could do was pretty significant. Ram, can you tell me a little bit more about what this was?

Ram Gall:
So. I feel like everyone pretty much collectively dodged a bullet here. So basically, everyone who does PHP development uses Composer. It’s a dependency manager for PHP. Basically what that means is that, you’re a developer, you want to include a library to do some cool stuff so you don’t have to write it yourself, but someone else on the same site might be using that same library. So this is a way to stop you from treading on each other’s toes.

Kathy Zant:
Okay. It uses something called Packagist, what’s this?

Ram Gall:
Yeah, so Packagist basically figures out the correct supply chain for package downloads, where to get what. Basically the Packagist infrastructure serves about 1.4 billion download requests a month.

Kathy Zant:
And it looks like SonarSource was the one that discovered a vulnerability that would allow attackers to execute arbitrary system commands on the Packagist server. How would this affect anyone using PHP and using Composer?

Ram Gall:
It is really fortunate that they caught it and patched it within 12 hours of disclosure, because an attacker actually using this kind of thing maliciously, they could have redirected package downloads to third-party servers, delivering dependencies using backdoors, or steal credentials. You remember that WordPress supply chain vulnerability that Matt Barry found and had Core patch?

Kathy Zant:
Yes. Yeah. That was quite a few years ago.

Ram Gall:
This would have been pretty much the same kind of issue, only instead of impacting just WordPress, it would have impacted most people with PHP, but also WordPress, because Core uses Composer. A lot of plugins that offer more than basic functionality use composer, this would have been like SolarWinds plus the Codecov thing, times a thousand, yeah.

Kathy Zant:
Wow, yeah. So some of the statistics in this article that was on The Daily Swig say that PHP is running 80% of websites. And SonarSource estimated that about two thirds of these PHP projects use Composer. So this would affect all of WordPress, it would affect probably a number of other PHP-based content management systems. It could have had really dramatic effects for us in the web development world, that’s for sure. So we dodged a bullet, eh?

Ram Gall:
Yeah, we really dodged a bullet with that one. Speaking of which, I did find a pretty cool SQL injection vulnerability in the CleanTalk anti-spam plugin a little while back.

Kathy Zant:
You did. So, the CleanTalk anti-spam plugin is on over 100,000 WordPress sites. Tell me a little bit more about how you found this vulnerability and how it could have been exploited.

Ram Gall:
Okay. So basically CleanTalk records what IP addresses do, almost how we do, only they have more of a focus on spam comments and stuff like that. Anyways, whenever you visit a website, your browser sends a special string in the headers called the user agent. Basically it tells the website, “Hey, I’m running Firefox. Hey, I’m running Chrome. Hey, I’m running Chrome on mobile.” So, CleanTalk records that string. Problem is, it did so in a way that wasn’t super secure. So I found a way to inject SQL commands into that user agent string. Now, Chloe actually helped a lot with this. It took some doing to get an initial proof of concept to where I could just get basic commands run, but Chloe really filled that out and got the proof of concept, to a point where I could actually extract information from the database and stuff. It was amazing.

Kathy Zant:
Wow. So we put out a special firewall rule for this. Now we have, in Wordfence, the firewall does block SQL injection attacks, but this one had a specific way that could have caused an issue. So we had a special rule put in place in order to ensure anyone running this particular plugin, with this particular vulnerability was protected. We put that out, what, on March 4th?

Ram Gall:
Correct. Yeah, it turns out that their initial clumsy attempts to sanitize the input actually made it so we needed an extra rule for it.

Kathy Zant:
Gotcha, okay. Then all of the customers who are using Wordfence, the free version, they have had this protection since April 3rd, so for about a month. So this is an older vulnerability, but some time has passed to ensure that it couldn’t be widely exploited. So we did publish some details about how this works and we do that, why? So that we can educate other people who develop plugins for WordPress, so we can show them what types of vulnerabilities could be exploited. This is done so that we could elevate secure coding practices in the WordPress world, right?

Ram Gall:
Yeah and I mean, to be fair, this was not an easy vulnerability to exploit. There were a number of obstacles in place that made it more difficult to exploit, but that just goes to show that anything short of using prepared statements can often be bypassed when it comes to sending SQL queries.

Kathy Zant:
Interesting. So you can take a look at that post on our website. Now this next story is on Qualys website, on their blog, their research, and what did they find in the Exim mail server?

Ram Gall:
So a little bit of background, Exim is basically a mail server that runs on Linux computers. According to a recent survey, it’s installed on about 60% of all the servers on the internet.

Kathy Zant:
Oh wow. That’s a lot.

Ram Gall:
Yeah. Yeah, it is. It’s basically the default mail server on a lot of Linux machines. So Qualys found 21 vulnerabilities, including three remote code executions, and some privilege escalation attacks. So far they haven’t seen anything exploited in the wild, which is really good, but this is again, installed on 60% of the internet and that means that some of these servers are not going to be updated for a long time or ever. So I do think that we’re going to start seeing some knock-on effects from unmaintained servers being exploited for this vulnerability.

Kathy Zant:
Gotcha, okay. So let me ask you a question about a remote code execution and Exim. If this was possibly exploited, that would actually give the attacker control over just the mail server or the whole server?

Ram Gall:
So the mail server, when I say mail server, I basically mean just the thing that serves up mail running on the actual server. So in this case, by combining some of these vulnerabilities, someone could attack any server that happened to be running this mail server program and take it over. 60% of all the servers on the internet are running this mail server program.

Kathy Zant:
Okay. So, I bet you some malicious attackers are reading this blog post and figuring out how they’re going to do this, because this seems like it could have some major impact in the future. Something like what happened with the Exchange Servers, Microsoft Exchange Servers recently, where these became actively attacked and ruined a lot of weekends, I think for ops people.

Ram Gall:
Yeah, yeah. I think the main difference is that with the Exchange Servers, it wasn’t installed on nearly as many networks, but they were much higher value networks. They were largely corporate networks, whereas Exim is basically just installed on almost everything else. But on the other hand, that’s still millions maybe even … Yeah well, a Shodan survey showed that only like four million Exim servers were obviously exposed to the internet, but there’s got to be tens of millions more given that 60% number.

Kathy Zant:
Right, right. So if you are managing a server, just log in and see if anything needs to be updated. If Exim is there, definitely make sure that you’re updating because this is going to be attacked. These are going to be researched and we’re going to start seeing things probably in the not so distant future. Just kind of like what happened with Codecov, huh?

Ram Gall:
Yeah, yeah. So we were worried about this and apparently Twilio’s repository got cloned and the attackers were able to at least breach customer emails. I guess the good news is that Twilio only used Codecov in a few of their systems, which meant that the attackers had limited access, but they were still able to use that access.

Kathy Zant:
Right, right. Just for some background, Codecov is a tool that people use to examine their code. It had an attack that started, what, in January? And they didn’t discover it until April. So someone was in those systems compromising over 29,000 customers’ code and their keys and credentials and whatnot. So we knew we would start seeing some trickle down effects from this. So we’ve got Twilio. Then you said there was actually another disclosure that happened with HashiCorp?

Ram Gall:
Yeah. HashiCorp, the company that makes Vagrant. I actually use it to manage virtual machines for test environments. But I guess their private key that they use to sign their software got compromised in the attack. So they had to cycle that out, which is really scary though, because if an attacker has that, they can sign a package and it’ll look legitimate. That was actually like the thing that made SolarWinds undetected for so long, is the attackers managed to sign the malicious SolarWinds programs, or the malicious Orion package, that’s why it didn’t get found for forever.

Kathy Zant:
Right, and a signed package, for the uninitiated, that basically means that it’s been digitally signed. There are secure markers there that say, “Yes, this is actually the software,” but because of the supply chain attack effect of this, there’s someone behind that who’s actually doing that signing with the keys that make it look legitimate and it’s not. Did I describe that?

Ram Gall:
You described that perfectly, and we actually did a Wordfence Live stream about this topic a few weeks ago if any of you listeners want to go check it out. But what this does show is that the attackers behind Codecov are definitely using the information to pivot into some of the impacted systems and taking it further, which is what we are afraid of. So, this is probably not the last we’re going to hear of this.

Kathy Zant:
Right, and when we first did that live stream, it was kind of like, “Well, are people really going to understand how big this really is?” Because, I mean, you’re developing WordPress sites and your Wordfence is there protecting your site and everything and, “What is this Codecov? What does this have to do with me?” It has everything to do with so many of us, even if you think it doesn’t, because of the trickle down effects … and we’re seeing that happen now. So you might want to go back as Ram suggested and take a look at that episode and really understand what happened. Basically, what I take from that is that we need to start thinking about our security, not in terms of what we’re going to do if we get hacked, but when we get hacked, or when we have a security issue, and plan for that security issue like it actually is going to happen, so that you have some kind of plans in place for continuity of your business. Plans in place to restore from a backup and being able to determine when the actual last good backup of what you want to restore is. Having all of those plans in place for your business, whether it’s just for your WordPress site or for all of your systems, really, we just need to start thinking about security in a different way.

Ram Gall:
Yeah. I mean, we really do. I mean, this year is the year of all the security issues impacting everyone. Even Apple’s having a bad time, they just released a new emergency patch to fix two vulnerabilities that were being exploited in the wild for iOS. I think it was in WebKit, or specifically the version of WebKit that gets used in Safari. But again, these were being actively exploited. I mean, there are a number of vulnerabilities in mobile operating systems that might be known of by governments and private vulnerability brokers. But at this point, once they’re being actively exploited in the wild, that means that someone else has gotten a hold of them and started actually attacking them without being worried about burning them. So in a way, that’s really bad, but in a way that’s also really good because it means they’re getting patched because those vulnerabilities were there the whole time. It’s just that now we know, and now they’re fixed.

Kathy Zant:
Yes, yeah. So I mean, security, it’s become one of those things that it’s not just for security professionals. Security is not just for Ram and Chloe to go find vulnerabilities. Security is for everyone. That’s one of the reasons why we do Wordfence Live, why we do the podcast, why we do put such an emphasis on education and information as a part of security, because in order for these types of things to be addressed, you have to be armed. You with an iPhone in your hand, you need to know that iOS 14.5.1 is out and you should apply that as soon as possible. That’s not something to wait on because these are being actively exploited and security is part of your job, whether you like it or not these days, huh?

Ram Gall:
Yeah. I mean, I understand that doing vulnerability research and reading through lines of code is not going to be everyone’s cup of tea ever, and that’s okay. But I don’t think it’s unreasonable to yet be able to say, “Oh hey, there’s an update. I should make sure that my auto updates are turned on,” and hope that there’s no supply chain attacks in the auto updates. Anyways, yeah, there’s no real winning, but there’s still better and worse.

Kathy Zant:
It’s part of your job, whether or not you are fabulously rich and famous and you don’t really have job. You still, if you have a device in your hand that you’re using to connect to the internet in any way, shape or form, security is part of your job. It’s not something you can just like kick down the road. It’s something you have to stay on top of.

Ram Gall:
Yeah, speaking of staying on top of it, it looks like Belgium had a bit of a problem with staying on top of keeping their internet up.

Kathy Zant:
Oh no, not Belgium. I like Belgium. They make good waffles.

Ram Gall:
And fries.

Kathy Zant:
And fries. Yeah, I’m all about the food, although it is lunch hour here. So what exactly happened? It looks like a distributed denial of service attack took down 200 organizations across Belgium, all of their websites?

Ram Gall:
Yeah. So I guess it targeted Belnet, which is their government-funded ISP, which basically provides internet access to their educational institutions, research centers, scientific institutes, government services. The good news is that it looks like the attackers were purely going for disruption. I guess they didn’t use it as a distraction for doing a data breach, or stealing any information, or changing anything, or infiltrating the network. They just took down the network.

Kathy Zant:
So they could say that they took down the network. Are we back to that again?

Ram Gall:
It’s unclear who was behind it, but it’s not uncommon for attackers providing these kind of services to do a proof of concept to show, “Hey, you want to hire us? We’re the people who were able to take down all of Belgium’s ISP.”

Kathy Zant:
Right, that is a service that exists. I don’t know if it’s on the dark web, or where people buy DDOS but-

Ram Gall:
Yeah, dark web.

Kathy Zant:
Is that where people buy it?

Ram Gall:
Yeah, DDOS as a service and you use it to distract people while you’re going in to infiltrate or steal other information.

Kathy Zant:
Because you know all of the security personnel are being hollered at by someone to get the network back up and so then all of their attention goes there. So it’s one of those look here, not there type of situations?

Ram Gall:
Yeah but I do want to say that even if the motive seems to be reputation, that reputation is still going to be in the service of making money these days.

Kathy Zant:
Sure, it all comes down to the money, it does.

Ram Gall:
It’s a marketing exercise for whoever did this.

Kathy Zant:
Speaking of exercise marketing, hey, let’s talk about Peloton. I love that transition.

Ram Gall:
Oh, I see what you did there. So apparently Peloton’s API, basically their web interface exposed all kinds of user data, like user age, gender, how fit they were, how much they weighed, and apparently another piece of data that they’re not telling us about because it still hasn’t been fixed. But yeah, researchers apparently disclosed this to Peloton three months ago and they still haven’t fixed all of it. So yeah, great.

Kathy Zant:
Oh boy, they’ve had recalls with treadmills and all sorts of things. This is a company that has had a lot of issues and it looks like the fact that they’re taking three months to fix flaws that are exposing actual personally identifiable information of their customers is frightening. Maybe I’ll just go for walks or exercise instead of-

Ram Gall:
Yeah and maybe skip the Fitbit. You never know who’s … Oh yeah, you remember at that thing a few years ago where they discovered secret military bases based on the GPS activity of Fitbits?

Kathy Zant:
Yes, yes.

Ram Gall:
So fitness trackers are just generally a privacy nightmare. Speaking of privacy nightmares.

Kathy Zant:
Facebook. Let’s talk about Facebook. Facebook is the ultimate. They’re like the king of privacy nightmares. So it looks like Signal, which is basically a messaging app that is known in the security community as being the most secure way to communicate. Although, it’s still a system that’s-

Ram Gall:
Apart from the fact that they tell everyone you know, when you sign on for the first time, it’s like, “Hey, guess what? Ram, just got on Signal.” It’s like, “Thanks Signal. I’m glad I’m not a dissident.”

Kathy Zant:
The worst is when they tell … It’s like you sign on and it’s like, they tell everyone that you might be in their contacts list from years ago. It’s like, I don’t want some parent of my children that I haven’t talked to in five years to necessarily know I’m on Signal. They don’t need to know. But yeah, that’s always a little uncomfortable, but they decided to make things a little uncomfortable for Facebook. So, Facebook-

Ram Gall:
Yeah, they bought some Instagram ads, right?

Kathy Zant:
They did, they bought some Instagram ads. If you look at these Instagram ads, this article came from Engadget that we were looking at, these Instagram ads were hilarious because they basically exposed how much information Facebook and Instagram, which is part of Facebook, has about individual users. So one of the ads is, “You got this ad because you’re a newlywed, Pilates instructor and you are cartoon crazy. This ad used your location to see you’re in La Jolla. You’re into parenting blogs and you think about LGBTQ adoption.” It’s like, “How do you know this?” Well, they know it because that’s what Facebook and Instagram know about you as you use their platforms. Now, Facebook-

Ram Gall:
Remember, if it’s free, you are the product.

Kathy Zant:
Exactly.

Ram Gall:
Wait, Signal is also free. What does that mean?

Kathy Zant:
(Singing), we may have uncovered something.

Ram Gall:
(Singing).

Kathy Zant:
Anything that’s free. Yeah, definitely, you are the product. Your information in this case is the product and Signal is … These ads were disallowed by Facebook. Now, they would have been disallowed, I think on Instagram anyway, me being in marketing, I know that verbose text ads just don’t work on Instagram. We as a company, don’t do Instagram ads, but I have in the past and they want something visually appealing and big text ads are rejected by Instagram anyway, but everything got very spicy and dramatic with Signal and Facebook because-

Ram Gall:
Well, Moxie Marlinspike does like stirring the pot. That’s the guy behind Signal. Did you hear about that thing the other day, where he decided to announce that he was putting malware binaries in case law enforcement tries to decrypt your phone and crack Signal? One of the, okay, this was not actually a planned thing, there’s a company that makes hardware that law enforcement uses to crack open locked iPhones and locked Android devices. He found a couple of exploits in this hardware and …

Kathy Zant:
Nice.

Ram Gall:
Yeah, it was a whole thing.

Kathy Zant:
I love these kinds of stories because it shows just the dynamic nature of the internet and how information desires to be free and how there needs to be this free flow. It exposes privacy concerns. It exposes control and surveillance kinds of concerns and just brings it all out in the open because the thing is, as our privacy is diminished in this open world, so is the privacy of surveillance states. So is the privacy of the CIA, the FBI, all these three letter organizations that are doing spy types of things and are looking-

Ram Gall:
Information wants to be free and that is a wonderful and a terrible thing because it also means that all of your private information wants to be free too.

Kathy Zant:
Yes, but it means all of the people who want to do bad things, their information is free too and everything kind of comes to light. If you look around, you can see that, there’s a leveling of the playing field of information and it opens up interesting opportunities and I’ll leave it at that. I’m off my soap box.

Ram Gall:
Indeed. Well, we did spend a little bit of time on soap boxes because it’s Facebook and Instagram. That’s the best of soapboxes.

Kathy Zant:
Yeah, that’s why we couldn’t pass up the story. But I think that’s it. We do want to mention that we are still offering free site cleaning and site auditing services for K-12 schools worldwide. If you know of a school that could use that service, please let them know. We will have a link in the show notes so you can send that to them. Anybody having issues with WordPress security, we are there to support them. For the K-12 public schools especially, we do this for free. We would also like to mention that we’re hiring. Earlier this week, Mark did a great Wordfence Live episode, where he talked about the truly remote philosophy that he and Kerry, his wife and co-founder, have, and how Wordfence and Defiant is such an amazing place to work. So we have a number of roles available, security operations, PHP developers, QA, quality assurance, as well as a senior researcher for website performance. So go take a look there, defiant.com/employment, and you can see all of our amazing benefits there as well. How’s that coffee maker working for you?

Ram Gall:
It is pretty amazing. I make two pots of coffee a day now, instead of just one, which is, well …

Kathy Zant:
Highly caffeinated Ram is a fun thing in my mind.

Ram Gall:
I’m a menace. I’m a menace now.

Kathy Zant:
You’re an entertaining menace to me, but you’re amazing at the work you do. And to keep you caffeinated and happy is amazing as well. So if you want to come work with Ram, me, Chloe, Scott, Tim, Adam, there’s about 40 of us now, including all of the contractors, we’re having a great time and we’re keeping the world safer in the WordPress space, and we’d love to work with you. I guess that’s it, you want to talk again next week?

Ram Gall:
Yeah, yeah. We’ll see you all next week and bye for now.

Kathy Zant:
Bye-bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 116: Packagist Patch Shows How Supply Chain Threats Could Impact WordPress appeared first on Wordfence.

SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site’s database, including user emails and password hashes, all without logging into the site.

We initially reached out to the plugin’s developer on March 4, 2021 and sent over the full disclosure on March 5, 2021. A patched version of the plugin, 5.153.4, was released on March 10, 2021.

Wordfence Premium users received firewall rules protecting against this vulnerability on March 4, 2021. Sites still running the free version of Wordfence received the same protection on April 3, 2021.


Description: Unauthenticated Time-Based Blind SQL Injection
Affected Plugin: Spam protection, AntiSpam, FireWall by CleanTalk
Plugin Slug: cleantalk-spam-protect
Affected Versions: < 5.153.4
CVE ID: CVE-2021-24295
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 5.153.4

The CleanTalk WordPress plugin has a number of uses, but one of its primary purposes is to protect sites against spam comments. Part of how it does this is by maintaining a blocklist and tracking the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.

Unfortunately, the update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php, which was used to insert records of these requests into the database, built its query by concatenating values straight into the SQL string instead of using a prepared statement.

	public function update_log( $ip, $status ) {

		$id   = md5( $ip . $this->module_name );
		$time = time();
		
		// Every value below is interpolated directly into the SQL text.
		// sanitize_text_field() strips tags and whitespace but does not
		// escape SQL quote characters, so the User-Agent header can close
		// the single-quoted ua_name literal and append its own SQL.
		$query = "INSERT INTO " . $this->db__table__logs . "
		SET
			id = '$id',
			ip = '$ip',
			status = '$status',
			all_entries = 1,
			blocked_entries = " . ( strpos( $status, 'DENY' ) !== false ? 1 : 0 ) . ",
			entries_timestamp = '" . $time . "',
			ua_name = '" . sanitize_text_field( Server::get('HTTP_USER_AGENT') ) . "'
		ON DUPLICATE KEY
		UPDATE
			status = '$status',
			all_entries = all_entries + 1,
			blocked_entries = blocked_entries" . ( strpos( $status, 'DENY' ) !== false ? ' + 1' : '' ) . ",
			entries_timestamp = '" . intval( $time ) . "',
			ua_name = '" . sanitize_text_field( Server::get('HTTP_USER_AGENT') ) . "'";
		
		// The assembled string is sent as-is; nothing downstream escapes it.
		$this->db->execute( $query );
	}

There were a number of features of the plugin code that made it more difficult to successfully perform a SQL injection attack.

By design, the update_log function should only have been executed a single time for each visitor IP address. However, it was possible to manipulate the cookies set by the plugin, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset.

Additionally, the vulnerable query was an INSERT rather than a SELECT. Since records were only being written to the plugin’s own log table, the query could not be used by an attacker to change sensitive values elsewhere in the database, and because an INSERT returns no rows to the visitor, there was no query output to read data back from, which made retrieving sensitive information difficult.

Finally, the User-Agent was passed through the sanitize_text_field function in an attempt to prevent SQL injection, and it was included in the query within single quotes. sanitize_text_field strips HTML tags, line breaks and percent-encoded octets, but it is not an SQL escaping function and leaves quote characters untouched.

Despite these obstacles, we were able to craft a Proof of Concept capable of extracting data from anywhere in the database by sending requests containing SQL commands in the User-Agent request header. This exploit could be used by unauthenticated visitors to steal user email addresses, password hashes, and other sensitive information.

Prepared Statements are Crucial

We were able to successfully exploit the vulnerability in CleanTalk via the Time-Based Blind SQL Injection technique, which sends requests that “guess” at the content of a database table and instructs the database to delay the response or “sleep” if the guess is correct. For example, a request might ask the database if the first letter of the admin user’s email address starts with the letter “c”, and instruct it to delay the response by 5 seconds if this is true, and then try guessing the next letters in sequence. There are a number of other SQL injection techniques that can work around many forms of traditional input sanitization depending on the exact construction of the vulnerable query.

This is why it is essential to “prepare” any database query before sending it to the database. A prepared statement keeps each parameter separate from the SQL itself, so a value is only ever treated as data, and it is by far the most effective defense against SQL Injection. WordPress makes this easy with the $wpdb->prepare() function: write the query with %s, %d or %f placeholders and pass the values as arguments, and $wpdb escapes and quotes each one for you. Note that $wpdb->prepare() emulates parameter binding by escaping client-side rather than using server-side prepared statements, so it is only safe when every request-derived value goes through a placeholder and none is concatenated into the query string alongside them. If you develop WordPress plugins, themes, or any other software that interacts with a database, consistently using prepared statements will make your software far more secure.
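The same upsert that update_log builds, rewritten with $wpdb->prepare(), as an added example that is not CleanTalk’s patched code. It assumes it runs inside WordPress (global $wpdb) against a log table the plugin itself created; the function name, table name and module name are made up for the example.

```php
<?php
// Added example, not CleanTalk's code: the update_log() upsert rebuilt with
// $wpdb->prepare(). Assumes a WordPress context (global $wpdb) and a log table
// the plugin created; table, module and function names are invented.

function example_sfw_update_log( string $ip, string $status ): bool {
	global $wpdb;

	$table   = $wpdb->prefix . 'example_sfw_logs';   // plugin-controlled, never user input
	$id      = md5( $ip . 'example_module' );
	$time    = time();
	$blocked = ( false !== strpos( $status, 'DENY' ) ) ? 1 : 0;

	// WordPress adds slashes to $_SERVER at load time, so unslash once here;
	// prepare() does its own escaping and double escaping would corrupt the data.
	$ua = isset( $_SERVER['HTTP_USER_AGENT'] )
		? wp_unslash( $_SERVER['HTTP_USER_AGENT'] )
		: '';

	// Every request-derived value (the IP, the status, the User-Agent) goes
	// through a placeholder: %s is escaped and quoted by $wpdb, %d is cast to an
	// integer. Nothing from the request is concatenated into the SQL text, so a
	// quote in the User-Agent is stored as a quote instead of ending the literal.
	$sql = $wpdb->prepare(
		"INSERT INTO {$table}
			(id, ip, status, all_entries, blocked_entries, entries_timestamp, ua_name)
		VALUES (%s, %s, %s, 1, %d, %d, %s)
		ON DUPLICATE KEY UPDATE
			status            = %s,
			all_entries       = all_entries + 1,
			blocked_entries   = blocked_entries + %d,
			entries_timestamp = %d,
			ua_name           = %s",
		$id, $ip, $status, $blocked, $time, $ua,
		$status, $blocked, $time, $ua
	);

	return false !== $wpdb->query( $sql );
}
```

Two things to check when reviewing code like this: that no request-derived value, including the client IP, which often comes from a proxy header, is ever concatenated into the query string, and that values are unslashed exactly once before $wpdb->prepare() escapes them. Because prepare() is sprintf-style, a table name cannot be passed as %s (it would be quoted as a string); keep identifiers plugin-controlled, or use the %i identifier placeholder available in WordPress 6.2 and later.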

Timeline

March 4, 2021 – Wordfence Threat Intelligence finishes researching a vulnerability in the CleanTalk plugin. We release firewall rules to Wordfence Premium customers and initiate contact with the plugin developers.
March 5, 2021 – We send over the full disclosure to the plugin developers.
March 10, 2021 – A patched version of the plugin is released.
April 3, 2021 – Sites still using the free version of Wordfence receive protection against this vulnerability.

Conclusion

In today’s post, we covered a SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk plugin which could be used to extract sensitive information from a site’s database and explained why using prepared statements is a critical best practice for plugin developers.

This vulnerability was patched in version 5.153.4, and we strongly recommend updating to the latest version of the plugin, 5.156 as of this writing, immediately.

Wordfence Premium users received a firewall rule protecting against this vulnerability on March 4, 2021, while those still using the free version of Wordfence received the same protection on April 3, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this vulnerability allows a breach of any confidential data stored in a site’s database.

Special Thanks to Threat Analyst Chloe Chamberland for her instrumental role in developing the Proof of Concept exploit for this vulnerability.

The post SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin appeared first on Wordfence.

Episode 115: Update Your Mac: Gatekeeper Bypass Vulnerability Exploited in the Wild

Apple patches a Gatekeeper bypass vulnerability that has been exploited in the wild on macOS. Though this vulnerability requires some social engineering to exploit, it is believed to have been actively exploited since January 9, 2021. Some Digital Ocean customers were affected by a data breach exposing personally identifiable information. A WordPress Trac conversation considers blocking Federated Learning of Cohorts as a security release, and Creative Commons Search is coming to WordPress.org in a few weeks. Google Chrome has yet another remote code execution bug requiring an update to patch. Celebrated security researcher Dan Kaminsky passes away.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:10 FLoC Blocking Discussion Continues on WordPress Trac
5:25 Creative Commons Search Relaunching on WordPress.org
7:28 Digital Ocean Data Breach Exposes Customer Billing Information
9:06 Apple Patches macOS Gatekeeper Bypass Vulnerability Exploited in the Wild
10:22 Prominent Security Expert Dan Kaminsky Passes Away at 42
11:09 Google Chrome Bug Allows Remote Code Execution
13:07 Wordfence K-12 Site Security Audit and Site Cleaning Program
14:36 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 115 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, with me is Director of Marketing Kathy Zant. So Kathy, what’s with this FLoC blocking discussion and WordPress.

Kathy:
FLoC blocking, yeah, that sounds interesting, doesn’t it?

Ram:
Yes, I love that you came up with that.

Kathy:
FLoC blocking. Well, actually I didn’t come up with it. This is from an article on WP Tavern, so I guess we can blame our friends over there for this. Federated Learning of Cohorts, this is something that Google’s adding into Chrome. What is it exactly, Ram?

Ram:
For the longest time Google, and other advertising providers, have sort of tracked site visitor behavior across the internet using third-party cookies. And this is Google’s attempt to completely get rid of those.

Ram:
The replacement is basically kind of a way of pigeonholing site visitors, otherwise known as literally everyone who uses the internet, into niche categories based on their interests without officially de-anonymizing them. A person who happens to be shopping for large appliances and also likes TV thrillers, and has shown interest in the Chicago Bulls.

Kathy:
Who lives in… Your zip code.

Ram:
Yes, yeah.

Kathy:
Wow, I wonder how many people would fit that?

Ram:
Yeah, and that’s the thing. If you get these cohorts into useful sizes of maybe a few thousand people each, it becomes pretty easy to figure out who’s who from other metadata.

Kathy:
Sure, exactly. I mean, once you start pigeonholing people into certain niche categories, eventually you’re going to run into a situation when there’re only just so many people who would fit this particular profile. So it’s not really anonymized the way they say it is. So the WordPress core team started a discussion, I want to say last week, where they wanted to basically block FLoC, Federated Learning of Cohorts.

Ram:
They were on a clock, okay?

Kathy:
They were at a clock to block the FLoC. Exactly.

Ram:
Don’t mock.

Kathy:
There we go. And so they wanted to get this into WordPress core as a security release, which would basically put it into a dot release and basically patch everyone so-

Ram:
And auto-update people automatically, right.

Kathy:
Right, exactly. And so this discussion ensued, and we had a discussion ourselves of what we thought about this. And I thought that was pretty interesting because we’re obviously a security company and they’re talking about doing something with basically privacy and taking a stand against what Google was doing, but doing so under the umbrella of security. And Ram, you had an interesting observation about this. And I wanted to ask you a little bit more about why it’s really important to have a distinction between security and privacy.

Ram:
Okay, so here’s the thing. Insufficient security can be a privacy issue. If your security is not strong enough, your private information can get leaked. And threats to privacy can diminish your security. Once that leaked information is out there in the wild, an attacker could use OSINT techniques to make it way easier to socially engineer you. But I do think it’s important to recognize that they’re fundamentally different things, and it can be dangerous to conflate them because you could sacrifice one in the pursuit of the other really easily. And we kind of want as much of both as possible.

Kathy:
Yeah, and it’s really important. Security is one thing, and it has a different sort of level of importance. So if there’s a privacy issue, say for one of your customers who’s visiting a WordPress website, that’s a different thing altogether than your site’s hacked and there’s malware everywhere. But, you know, the malware could be stealing information about your customers, but it’s a completely different issue. So it might have a privacy component to it, but a hacked site is way different than a site that might be sharing information about IP addresses with Google.

Ram:
Exactly. And I honestly think a lot of it comes down to generally the best way to deal with privacy issues is through legal and policy whereas security issues often require a more tactical response.

Kathy:
Yeah. So different tactics for privacy, different tactics for security, and reserving security releases for true security issues that could have a cascading effect that may affect privacy, but it’s a security issue, right?

Ram:
Exactly.

Kathy:
Okay, all right. So it looks like they are not doing this as a security release, but it is coming into WordPress eventually.

Ram:
That’s what it looks like, yes. It looks like there is still an ongoing discussion as to how it should be implemented, but it looks like it’s not coming as an emergency point release.

Kathy:
Yeah, okay, great. And I agree that’s the way that it should happen. I think it’s great that the WordPress community is coming together to kind of take a stand about this and that so many people in the community are aware of privacy issues. So I think that’s great. And I think it’s great that they’re also addressing this in the most appropriate way possible.

Ram:
Yeah. I hear that WordPress is doing some other cool stuff with relaunching Creative Commons search.

Kathy:
Isn’t this neat? Matt Mullenweg announced this earlier this week saying that he’s excited about giving a new home to Creative Commons search. Now this is basically the ability to find images that are licensed under Creative Commons, and this is happening within WordPress.org, right?

Ram:
Yeah. So I mean anytime you put an image on a blog or something, you want to make sure that you have a license to use that image. That can be really easy if you’re the one who took the picture, but it can be kind of hard to find the right image. And so that’s what’s so exciting about this is that it’s a way to add images to your site, your creative work, that other people have taken that they’re allowing you to use without paying them a licensing fee. And that’s-

Kathy:
Right, I’ve had a blog and I look for featured images or look for images that try to tell a story because I can’t always get out and take pictures of everything. And so I’ve been using services like Pexels and Unsplash, which is a really great, easy way to find high-quality images that I can use that have been licensed under Creative Commons. But it looks like in 2017, they changed that, and now they’ve been acquired by Getty Images. So it looks like that door may be closing. So it’s really exciting to see Creative Commons search now coming to WordPress.org so that we can start using fully Creative Commons licensed images within our blogs.

Ram:
Yeah. I think it’s really important, honestly, just because, a world where no sites have images is kind of an unpleasant idea.

Kathy:
Right, yeah, and videos, too. I mean-

Ram:
Because not everyone can afford to pay Getty the licensing fees for every single image on their site.

Kathy:
Yeah. They get kind of ridiculous sometimes and it’s like-

Ram:
And aggressive.

Kathy:
Yeah, exactly. Yeah. And do I really need this picture of these celebrities doing these things? Yeah. So this is good news for WordPress. Hey, did you get any emails from Digital Ocean lately?

Ram:
I did not. I do use Digital Ocean for a couple of personal sites, and you were mentioning that you did as well. So-

Kathy:
Yeah, I didn’t get any emails.

Ram:
I guess we should be relieved.

Kathy:
Yes, I am very relieved because it looks like Digital Ocean emailed a few customers telling them that they were a part of a data breach that exposed some of their personally identifiable information, their customer billing information. It looks like they exposed name, address, last four of the credit card, and expiration dates. And an unauthorized user was able to get these between April 9th and April 22nd. If you did not receive an email notifying you that you were affected by Digital Ocean, you’re probably okay, but-

Ram:
Check your inbox just in case it ended up in the spam folder.

Kathy:
Oh, of course, yeah. Attempt to do a search for Digital Ocean in your inbox and make sure. If these types of breaches happen, if you ever are in a breach like this, I mean, just change your billing information, change passwords.

Ram:
Maybe get a new credit card.

Kathy:
Maybe get a new credit card and be very aware of any charges to those cards. And also, you were mentioning that these types of breaches are really helpful to malicious attackers to use this kind of information for really targeted social engineering attacks.

Ram:
Yeah. The number of companies that still use the last four of a credit card for identity verification over the phone, it’s getting smaller, but you know, I’ve still called a couple in the past year where that was all I needed to verify my identity, so-

Kathy:
Yeah, Yep. So definitely something to watch for. So did you have to update your Mac this week?

Ram:
I did. Did you?

Kathy:
It took forever, yes. How could I forget? It looks like we had to do so because of a macOS Gatekeeper bypass vulnerability that was being exploited in the wild. What do you know about this, Ram?

Ram:
So apparently there’s a vulnerability that allows malware to bypass some of the built-in protections on executing on signed code on macOS and apparently this has been used by the Shlayer adware.

Kathy:
Ew.

Ram:
Yeah, which basically would pop up advertisements on your computer or open up your browser and take you to sketchy websites. And I guess this has been exploited in the wild since January 9th of this year. So, it took them a while to catch it.

Kathy:
But it looks like social engineering was still required in order for them to exploit this vulnerability.

Ram:
Yeah, as far as we know, you would still have had to click on a link in a phishing email or something like that in order to actually fall victim to this. Still, it’s not a great thing, but I’m glad they patched it.

Kathy:
Yeah. I am glad too, even though that update took forever and a day it seemed like, but yeah. Good to have it patched and yes, even Macs can fall victim to hackers.

Kathy:
Looks like we have a sad story next. It looks like Dan Kaminsky passed away. This is the guy who found out that DNS cache poisoning could be effective.

Ram:
Yeah, back in 2008. I mean he was kind of something of a legend in the InfoSec community. Just one of those names you kind of grew up hearing about or at least kept on hearing about. I never had the honor of meeting him, but by literally all accounts, he was just a generally great human being and the entire InfoSec community is mourning him. And, I mean, it’s pretty rare for the entire community to come together and agree on almost anything really, so-

Kathy:
He was what, only 42?

Ram:
Yeah.

Kathy:
That’s so young, yeah, very sad news in the InfoSec community. And it looks like we’re updating Chrome again this week, huh?

Ram:
Yeah. At this point, I mean, think of this podcast as your weekly update Chrome reminder.

Kathy:
Exactly.

Ram:
At least this one wasn’t a zero-day, but it was a critical RCE in Chrome. It wasn’t a sandbox escape. So an attacker could only execute code within Chrome, but there’s still a potential for a lot of damage. So, again, if you’ve got like 9,000 tabs open and you just want to preserve them, just restart Chrome and restore your history.

Kathy:
Very good advice. I mean, it sounds like a very small kind of bug. It’s not a zero-day, but it is… And if you think about how you use Chrome, how you use a browser, this is your window into your digital life. This is how you log into your bank account. This is how you’re logging into your social media, how you are logging into your email, which has the capability for all of the password reset confirmations for all of your digital accounts. So if you are using Chrome as regularly as most people are, it seems to be the behemoth browser at the moment, it’s really important to ensure that you’re keeping Chrome safe, that you’re checking your extensions regularly and making sure that those are the extensions you really want to use and be very judicious in using them and making sure that you update Chrome when an update is available. Which I updated right before this podcast, so-

Ram:
I am very glad to hear that. And I mean a big part of why we’re seeing so many of these is just because there’s a lot of eyeballs on it because it’s the biggest browser in the world. Literally, everyone uses it for everything. There’s a lot of good guys and there’s a lot of bad guys looking for vulnerabilities in it. And it’s sort of a toss-up who finds them first. But there’s still, there’ve been just a huge number of critical vulnerabilities in Chrome this year. So keep on updating, if you can get it to automatically update, please do.

Kathy:
Every week. All right. Well, that’s pretty much the security and WordPress news that we have this week. We did want to mention a couple of things. First of all, our K through 12 public school site cleaning initiative is still there. If you know of a school that could use some WordPress security assistance, whether it is an audit to make sure that their site is safe, or if they have, God forbid, an intrusion and needs some help cleaning up, we are here for them. Just head over to the show notes. There’s going to be a link there. And they basically just have to reach out and contact us, fill out a very small form and let us know.

Ram:
And this is any government-funded school, anywhere in the world, right?

Kathy:
Right. Anywhere in the world.

Ram:
Not just the US. Pre-university basically, right?

Kathy:
Yeah. Basically, anybody who’s dealing with children. Dealing with the children. Yes, we want to keep them safe.

Ram:
We want to think of the children.

Kathy:
Yes, always think of the children. They’ve had a tough time. I’ve watched, I have a 12-year-old and I’ve watched how her schools have had to deal with remote learning. As a parent of a child, it has not been a pleasant experience. I can’t imagine what it is for teachers. They are using WordPress in a number of installations and-

Ram:
We found vulnerabilities in a number of e-learning solutions. I know Chloe’s found like at least, I want to say two, at least. And I know I found one last year, so yeah. There’s just a lot-

Kathy:
Yeah, yep. So we are here to support your schools and to support your kids. So if you have any questions about that, you can reach out to us at feedback@wordfence.com or you can hit the link in the show notes.

Kathy:
We also want to mention that we are still hiring. We are expanding a number of our initiatives. So we are looking for someone to support us with security operations. So if you like AWS and you like securing lots of systems, we would love to talk to you. If you like PHP development, not necessarily WordPress PHP. This is some more complex and challenging systems. So if you would like to be challenged in the PHP world, we’d love to talk to you. You’re hiring for a friend in QA it looks like Ram, huh?

Ram:
Yes, yes we are. We are hiring for a QA role. So if you like testing stuff and breaking stuff.

Kathy:
Yeah!

Ram:
If you like breaking other people’s software in ways that aren’t just security-related, then we’ve got the role for you.

Kathy:
Excellent, yeah. And our QA team is amazing. Very, very challenging, but very rewarding as well. We also are still looking for someone who loves website performance. We have some interesting initiatives happening there.

Ram:
If you actually know what the Core Web Vitals are and how they matter, then this might be the role for you.

Kathy:
Yeah, definitely. So all these job listings will be in the show notes. So head over there, we have amazing benefits. So if you like working for a fun team, it’s Ram, it’s me, it’s Chloe.

Ram:
And there’s not really micromanagement here. Honestly, it’s very much you do the thing that you’re good at and we judge you on your results.

Kathy:
Yeah. And there’s plenty of opportunities for growth. So, I mean, there’s a video on our employment page that is sort of a clip from one of the Wordfence Lives when Chloe kind of talked about how she started here at Defiant, working with the customer service team and how she’s evolved into one of the leading evolved. Well, it’s not like she’s evolved, that’s a bad-

Ram:
It’s not like she’s a Pokemon.

Kathy:
She hasn’t reached her final form yet, right? But she keeps rising to different challenges and basically amazing all of us. So go watch that video because Chloe is pretty amazing and she’s so much fun to work with, too. I just had a conversation with Mark earlier today and he was asking how things are going? And I’m like, I have laughed more this week than I have in quite some time. It’s been a good week. It’s a fun team. If you like to laugh, if you like to work hard, if you like to see an opportunity and make things happen, we’d love to talk to you. So head on over and look and see what might fit for you.

Ram:
Apply for the role even if this is just something you’re really passionate about and have some experience with.

Kathy:
We’d still love to talk to you. That’s fun, too. So thanks for listening to Think Like a Hacker. We will be back again next week with all the security news and all of the WordPress news and all of the news and-

Ram:
The Chrome zero-day updates.

Kathy:
Yeah, exactly. We’ll tell you what’s going on with Chrome again. It’s been kind of crazy. Thanks for talking again, Ram. We’ll talk to you again next week.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 115: Update Your Mac: Gatekeeper Bypass Vulnerability Exploited in the Wild appeared first on Wordfence.

How to Find & Fix Mixed Content Issues with SSL / HTTPS

Note: We’ve updated this post to reflect the evolving security standards around mixed content, SSLs, and server access as a whole.

With the web’s increased emphasis on security, all sites should operate over HTTPS. Installing an SSL/TLS certificate lets you make that transition with your website. But it can also have an unintended consequence for sites that previously operated over HTTP: mixed content warnings.

Today, let’s look at these common errors, what causes them, and how you can fix them.

Continue reading How to Find & Fix Mixed Content Issues with SSL / HTTPS at Sucuri Blog.

Severe Unpatched Vulnerabilities Lead to Closure of Store Locator Plus Plugin

On March 5, 2021, the Wordfence Threat Intelligence team wrapped up an investigation that led to the discovery of a privilege escalation vulnerability along with several additional vulnerabilities in Store Locator Plus, a WordPress plugin installed on over 9,000 sites.

We initially reached out to the plugin’s developer on March 5, 2021. We received no response for a week before we attempted to make contact again. After receiving no response for 20 days, and after two contact attempts, we escalated the issue to the WordPress Plugins team on March 25, 2021, providing the full details of the vulnerability at the time of reporting.

The WordPress Plugins team responded to us the same day informing us that they would notify the plugin’s developer of our findings. The developer released a patch on April 5, 2021, but the patch was insufficient, leading to the closure of the plugin on April 12, 2021.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on March 5, 2021, while those still using the free version of Wordfence received the same protection on April 4, 2021. Regardless, we strongly recommend deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.

Description: Authenticated Privilege Escalation
Affected Plugin: Store Locator Plus
Plugin Slug: store-locator-le
Affected Versions: <= 5.5.14
CVE ID: Pending.
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: Partially patched in version 5.5.15.

Store Locator Plus is a plugin that makes it very simple to add a store locator to a WordPress site. Unfortunately, the plugin contained functionality that made it possible for any authenticated user to update their own user metadata. Because WordPress stores a user’s role in user metadata, this allowed a low-privileged user to become an administrator on any site using the plugin, gain administrative access, and completely take over the site.

This vulnerability was partially patched in version 5.5.15. However, our analysis indicates that it is not sufficient and, therefore, should be treated as an unpatched vulnerability.

Description: Unauthenticated Stored Cross-Site Scripting
Affected Plugin: Store Locator Plus
Plugin Slug: store-locator-le
Affected Versions: <= 5.5.15
CVE ID: Pending.
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: CURRENTLY UNPATCHED.

In addition to the privilege escalation vulnerability, we found several endpoints in the plugin that could allow unauthenticated attackers to inject malicious JavaScript into pages. Executed in a logged-in administrator’s browser, such a script could be used to inject backdoors or add new administrative user accounts, ultimately leading to complete site compromise.

How can I protect my site?

We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, and you are running the Wordfence Web Application Firewall, then you can rest assured that your site will be protected against any exploits targeting this vulnerability while searching for a replacement store locator solution.

We are intentionally providing minimal details about these vulnerabilities to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.

The post Severe Unpatched Vulnerabilities Lead to Closure of Store Locator Plus Plugin appeared first on Wordfence.
