Weekly Cyber and PHP Security News

In this week’s post we have continued to look at web vulnerabilities and PHP Security, paying close attention to those which ionCube24 could have protected against. Look out for upcoming posts where we look back at all the vulnerabilities we have read about and let you know the most common areas they are found.

Be sure to follow @ioncube and @ioncube24 on Twitter for blog updates and other announcements about everything ionCube.

 

Drupal

• Pre-auth XXE in Drupal Services module, neat tricks to bypass restrictions inside (Reddit)

General

Another interesting experiment – if you don’t like needles you might want to miss this one!

• Hacker Implants NFC Chip In His Hand To Bypass Security Scans And Exploit Android Phones (Forbes)

An example for the lengths attackers can go

• Anatomy of a Hack: Paypal (IT Toolbox Blogs)
• Anatomy of a Hack: Starbucks (IT Toolbox Blogs)
• Attacker, posing as Tesla employee, gained access to car co.’s Twitter (SC Magazine)
• Bartalex Malware Used to Deliver Dyre Banking Trojan to Enterprises (SecurityWeek)
• eBay year-long patch stall a little XSSive, researcher says (The Register)
• Hackers steal nearly $5M from Ryanair’s accounts (SC Magazine)
• How Tesla’s Site, App And Twitter Feeds Were Attacked Via ATT (Forbes)
• Observations on the Tesla Motors Twitter Hack and Website Defacement: More Than Just a Domain Hijack (Reddit)
• Tesla Motors Website Got Zapped (Forbes)
• Websense Employees Targeted With Fake Raytheon Acquisition Emails

Sounds scary!

• Researchers Plan to Demonstrate a Wireless Car Hack This Summer (WIRED)

An interesting method of detection

• US hospitals to treat medical device malware with AC power probes (The Register)

IC24

• Bugtraq: Avsarsoft Matbaa Script – Multiple Vulnerabilities – Avsarsoft Matbaa Script – Multiple Vulnerabilities

• CVE-2015-0911 – Directory traversal vulnerability in TAGAWA Takao TransmitMail 1.0.11 through 1.5.8 allows remote attackers to read arbitrary files via vectors related to attachment handling.

• CVE-2015-0968 – Unrestricted file upload vulnerability in admin/uploadImage.html in SearchBlox before 8.2 allows remote attackers to execute arbitrary code by uploading a file with an executable extension and the image/jpeg content type, a different vulnerability than CVE-2013-3590.

Infrastructure

And once again back to router issues…

• Command injection vuln in huge number of SOHO routers based on RealTek chipset SDK (Reddit) 

A possibly useful tool

• Lynis Security auditing tool for Unix/Linux systems (Reddit) 

Routers – at least its not the same faces

• XSS and CSRF vulnerabilities in ASUS RT-G32

This once wonderful product appears to be on a slide downwards

• [Additional vectors] Multiple vulnerabilities in Untangle NGFW 9-11

Magento

Analyzing the Magento Vulnerability

• A detailed explanation

• CVE-2015-1397 – SQL injection vulnerability in the getCsvFile function

• CVE-2015-1398 – Multiple directory traversal vulnerabilities in Magento Community Edition

• CVE-2015-1399 – PHP remote file inclusion vulnerability in the fetchView function

• CVE-2015-3457 – Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote attackers to bypass authentication via the forwarded parameter.

• CVE-2015-3458 – The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition

Didn’t take them long

• Magento Flaw Exploited in the Wild Within 24 Hours After Disclosure (SecurityWeek) –

PHP Security

• CVE-2011-4403 (zen_cart) – Multiple cross-site request forgery

• CVE-2012-2930 (tinywebgallery) – Multiple cross-site request forgery

• CVE-2012-2932 (tinywebgallery) – Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery

Many points raised here

• When automation does not help,

User Space

Still weak? Crazy…

• Barclays, Halifax and Tesco still being gnawed by POODLE (The Register) –

What! Totally careless security!

• Confidential information exposed over 300 times in ICANN security snafu (The Register) –

Google issue here

• CVE-2015-1248 – The FileSystem API in Google Chrome before 40.0.2214.91 allows remote attackers to bypass the SafeBrowsing for Executable Files protection mechanism by creating a .exe file in a temporary filesystem and then referencing this file with a filesystem:http: URL.

Simple password security fault….. How?

• Gambling with your data: Betfair fixes HUGE account reset email vuln (The Register)

Interesting idea

• Generate memorable and secure passwords in your browser (Reddit)

The 90’s were great…. Back we go to a time of macro viruses! Yay!

• Macroviruses are BACK and are the future of malware, says Microsoft (The Register)

• Malicious docs submitted to CareerBuilder job listings distribute malware (SC Magazine)

• Social Engineering: Attackers’ Reliable Weapon

Do you feel safe now?

• WhatsApp’s end-to-end encryption analysed: It’s pretty good, yet still useless. (Reddit) –

A good reason to ensure wifi and bluetooth are switched off when you don’t need them

• You Are Being Physically Tracked When You Shop, The FTC Reveals — Here’s What You Need To Know (Forbes)

Web Server

One for the Linux users

• Malware Discovered Targeting Web Servers Running Linux, FreeBSD (SecurityWeek)

WordPress

No fix for this, in fact the plugin is going to be discontinued!

• Bugtraq: Multiple Vulnerabilities in TheCartPress WordPress plugin – Multiple Vulnerabilities in TheCartPress WordPress plugin
• Multiple Vulnerabilities in TheCartPress WordPress plugin
• Several vulnerabilities identified in TheCartPress WordPress plugin (SC Magazine) –

A huge vulnerability revealed. Patch, upgrade and keep on top of it!

• Comments considered harmful: WordPress web hijack bug revealed (The Register)
• Flaws in WordPress eCommerce Plugin Expose Over 5,000 Websites (SecurityWeek)
• Just-released WordPress 0day makes it easy to hijack millions of websites (ArsTechnica)
• Millions of WordPress sites at risk of hijack after zero-day released (ZDNet)
• Stored XSS bug in WordPress, researchers advise to disable comments (SC Magazine)
• WordPress Under Attack As Double Zero-Day Trouble Lands (Forbes)

No fix for this, in fact the plugin is going to be discontinued!

• Re: WordPress 4.2 stored XSS