There has never been a better time to look into the state of PHP Security, as our PHP Encoder Version 9 product and ionCube24 Intrusion Protection are now both officially available. If you are a regular reader of our blog, both will be of interest to you, and ionCube24 especially so if you come here for our PHP Security and web vulnerability news. So let’s crack on with this week’s entries…
General
- Majority of people unable to discern phishing emails from legitimate ones (SC Magazine)
- Oil & Gas Firms Hit By Cyberattacks That Forgo Malware (Dark Reading)
- Verizon Security Flaw Left Millions Of Home Internet Users Vulnerable To Attack (Reddit)
- Adobe to Patch Critical Vulnerabilities in Reader, Acrobat
- CoroNet Launches To Put A Stop To Commjacking (Forbes)
- CVE-2015-2219 – Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens
- CVE-2015-2233 – Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 does not properly validate CA chains during signature validation
- CVE-2015-2234 – Race condition in Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses world-writable permissions for the update files directory
- Enjoying the Spring? Microsoft has 13 ways to fix that (The Register)
- Firefox 38 fixes a number of vulnerabilities, several deemed critical (SC Magazine)
- Microsoft patches 30 bugs with 13 bulletins on Patch Tuesday (SC Magazine)
- Mozilla Patches 13 Vulnerabilities With Release of Firefox 38 (SecurityWeek)
- This month’s Patch Tuesday list includes three Critical security updates (ZDNet)
One to turn off and on again then
ionCube24
- CVE-2015-2842 – Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial
- CVE-2015-3013 – ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding
Infrastructure
- Docker 1.6.1 – Security Advisory [150507]
- Researchers uncover self-sustaining botnets of poorly secured routers (ArsTechnica)
Worse than HEARTBLEED they say, or not…
- Bigger than Heartbleed, ‘Venom’ security vulnerability threatens most datacenters (ZDNet)
- Decade-Old VENOM Bug Exposes Virtualized Environments to Attacks
- Major Vulnerability Discovered In Millions Of Business Computer Systems – Here’s What You Need To Do (Forbes)
- VENOM – A Major vulnerability in QEMU enables hypervisor breakouts for KVM and Xen – they power most of the world’s cloud infrastructure. (Reddit)
- VENOM Bug Poison to Virtual Environments, Not Bigger Than Heartbleed: Experts (SecurityWeek)
- VENOM Zero-Day May Affect Thousands Of Cloud, Virtualization Products (Dark Reading)
- XSA-133 – qemu-xen floppy driver privilege escalation (Reddit)
- Not Bigger Than Heartbleed But Venom Vulnerability Could Have Opened Door To Cloud Kingdoms (Forbes)
- VENOM virtual vuln proves less poisonous than first feared (The Register)
- Venom VM bug called perfect for NSA, or for stealing Bitcoin and passwords (ArsTechnica)
- Venom vulnerability bares its fangs: Protect your data center with these patches (TechRepublic)
- VENOM Vulnerability Poison to Virtual Environments, But Not Bigger Than Heartbleed, Some Say (SecurityWeek)
- Experts’ Opinions Mixed On VENOM Vulnerability (Dark Reading)
- Extremely serious virtual machine bug threatens cloud providers everywhere (ArsTechnica)
- For Venom security flaw, the fix is in: Patch your VM today (ZDNet)
Not a hugely popular web server now broken, but still the numbers could be quite high
The IoT exposes so many future problems
- SEC Consult SA-20150514-0 :: Multiple vulnerabilities in Loxone Smart Home (part 2)
- Smart grid security WORSE than we thought (The Register)
- ‘Home-brewed’ encryption scheme opens millions of smart meters to hacking, warn researchers (Reddit)
Malware
Even the real ads may deliver a malware infection
- Ad network compromised to redirect users to Nuclear EK, install Carberp (SC Magazine)
- Analysts believe Rombertik was used to conceal other malware attacks (SC Magazine)
Botnet C&C in plain sight. What will they think of next?
- Chinese Threat Group Uses Microsoft’s TechNet Portal to Host C&C IPs (SecurityWeek)
- Dyre malware does not want to play in traditional sandboxes (Reddit)
PHP Security
User Space
How much did you pay for that coffee?
- Hackers exploit Starbucks auto-reload feature to steal from customers (SC Magazine)
- Latest Starbucks card breach could stem from weak passwords (ZDNet)
Interesting password generator to play with
Web Server
- Bugtraq: Pimcore v3.0.5 CMS – Multiple Web Vulnerabilities
- CVE-2015-2843 – Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800
- CVE-2015-2844 – The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000
- CVE-2015-2845 – The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800
- Sqlbuddy Directory Traversal Read Arbitrary Files Vulnerability
- Vuln: phpBB ‘functions.php’ Open Redirection Vulnerability
WordPress
- CVE-2015-3300 – Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin)
- CVE-2015-3301 – Directory traversal vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin)
- Small WordPress sites leaking like sieves (The Register)
- WordPress Patches XSS Vulnerability Exploited in the Wild
- WordPress Roomcloud plugin v1.1 (rev @1115307) XSS vulnerability
- WordPress Twenty Fifteen Theme – DOM XSS Vulnerability – CVE-2015-3429
- WordPress: is it safe to use for my websites? (ZDNet)
Hit again
- Jamie Oliver’s ministry of malware served slops AGAIN (The Register)
- Compromised Jamie Oliver website serves up malware for third time (SC Magazine)