BlogSecurity

WordPress Plugin DM Albums 1.9.2 vulnerabilities

DK — Wed, 01 Jul 2009 13:33:37 +0000

DM Albums™ is an inline photo album/gallery plugin that displays high quality images and thumbnails perfectly sized to your blog. Two vulnerabilities have been made public: 1. Stack released a “remote file disclosure vulnerability” (Low-Medium Risk Level) 2. Septemb0x released a “remote file include vulnerability” (Critical Risk Level) An attacker could use these vulnerabilities to potentially gain full access [...]

WordPress Plugin Related Sites 2.1 Blind SQL Injection Vulnerability

DK — Wed, 01 Jul 2009 13:26:07 +0000

A critical vulnerability has been discovered in the WordPress Plugin Related Sites plugin. An exploit is available in the wild and available on Milw0rm, making this attack easier to exploit. Although, the vulnerability says that version 2.1 is vulnerable. You should assume previous versions are vulnerable as well. BlogSec have confirmed that the current version (at the [...]

Critical phpMyAdmin Vulnerabilities Discovered

DK — Wed, 10 Jun 2009 20:49:48 +0000

A number of bloggers and web site owners use phpMyAdmin for easy database administration. Two critical vulnerabilities have been discovered that could be used to gain full access to the affected server. Exploits have already been made publicly available, see GNUCITIZEN for an example: http://172.16.211.10/phpMyAdmin-3.0.1.1//config/ config.inc.php?p=phpinfo(); Description Setup script used to generate configuration can be fooled using a crafted POST [...]

Blogs and tweets in a moving business trend part1

DK — Wed, 10 Jun 2009 13:13:39 +0000

Avoid popularity if you would have peace – Abraham Lincoln Mozilla started a blog back in 2008, after breaking the guiness world records for the most downloads in 24 hours. Can anyone guess what blogging platform they are using? Yes you probably guessed it if you read the title of this post. Mozilla stands out with a few [...]

Tiananmen Square continues to bleed hope for freedom of speech

DK — Fri, 05 Jun 2009 20:13:12 +0000

“internet interprets censorship as damage and routes around it.” - EFF co-founder John Gilmore 2005, Yahoo provides information that helped Chinese officials convict a journalist accused of leaking state secrets. Apparently, Shi Tao, a 37-year-old writer for the Dangdai Shang Bao, released a “state secret” which contained a message to Shi’s newspaper warning journalists of the [...]

WordPress Install Files Security Risk

DK — Fri, 08 May 2009 13:35:32 +0000

Jeff Starr over at Perishable Press has discovered a way to hack a WordPress blog in rare cases where the installation files have been left behind and the database is in accessible: The other day, my server crashed and Perishable Press was unable to connect to the MySQL database. Normally, when WordPress encounters a database error… The [...]

Twitter Web Worm Causes Havoc

DK — Tue, 14 Apr 2009 15:33:20 +0000

Update: Apparently a bunch of variant worms are doing the rounds that circumvent Twitter’s recent patch to fix the problem. I’d be cautious using Twitter over the next couple weeks, see protection guidelines below or at this link. Teen exploits Twitter A 17 year-old has claimed credit for releasing a Cross Site Scripting worm that infected hundreds [...]

Facebook Faces Big Brother Monitoring

DK — Wed, 25 Mar 2009 09:02:04 +0000

Millions of Britons who use social networking sites could be having their accounts “secretly” monitored in the near future. Kelly was responding to a speech made by Home Office security minister Vernon Coaker on 18 March at a meeting of the House of Commons Fourth Delegated Legislation Committee. Coaker said the EU Data Retention Directive, which [...]

WordPress MU < 2.7 Cross Site Scripting Vulnerability

DK — Thu, 19 Mar 2009 08:32:08 +0000

Cross Site Scripting Vulnerability Juan Galiana Lara has released details regarding a vulnerability that affects WordPress MU versions < 2.7. Version 2.7 is NOT affected according to the advisory. So if you have upgraded to 2.7 you can ignore this advisory. Vulnerability Details WordPress MU prior to version 2.7 fails to sanitize the Host header correctly in choose_primary_blog function [...]

How to Firewall Your WordPress Blog

DK — Thu, 05 Mar 2009 10:22:56 +0000

You already know to use a decent password for your blog, but brute-force or dictionary attacks aren’t the only attacks used against bloggers. It’s much cheaper and faster to exploit software flaws, and that the hackers do. A programmer’s oversight may allow a hacker to gain access to your blog to insert spyware, [...]