It has been an interesting week for web security issues and we have been reading about a number of issues with PHP. Take a look at a selection of articles found this week and be sure to check out the final section if you are a WordPress user.

General

 

• Airline Chief Casts Doubt on Plane Hacking Claim (SecurityWeek)
• Airplane hacking panic! Why its a surely a storm in a teacup (The Register)
• Alleged Plane Hack Should Not Deter You From Flying (Forbes)
• Alleged plane hacker said he pierced Boeing jets firewall in 2012 (ArsTechnica)
• Factorable but invalid 4096 RSA PGP keys (Reddit)
• FBI Claims Banned Researcher Admitted Hacking Plane Controls… But Is Someone Lying? (Forbes)
• FBI claims infosec bod made plane FLY SIDEWAYS (The Register)
• FBI Says Researcher Admitted Hacking Airplane in Mid-Flight (SecurityWeek)
• FBI: researcher admitted to hacking plane in-flight, causing it to climb (ArsTechnica)
• Feds Say That Banned Researcher Commandeered a Plane (WIRED)
• Getting Snappy with Ubuntu (IT Toolbox Blogs)
• Hacker told F.B.I. he made plane fly sideways after cracking entertainment system (Reddit)
• Hacking Airplanes: No One Benefits When Lives Are Risked To Prove A Point (Dark Reading)
• High-level, state-sponsored Naikon hackers exposed (The Register)
• Manchester car park lock hack leads to horn-blare hoo-ha (The Register)
• Microsoft Stops Chinese Group from Using TechNet Site for Attacks (May 14, 2015) (SANS Newsbites)
• PANIC! RSA keys are compromised! (The Register)
• Questions Over Plane Hacking Report (InfoRiskToday)
• RadioShack sale of customers’ personal data may be unlawful, warns FTC (ZDNet)
• Transportation Department is crafting a plan to test whether the airwaves used by connected cars can be safely shared with other wireless devices (Reddit)

Cousin of FREAK is here

• Logjam security flaw leaves top HTTPS websites, mail servers vulnerable (ZDNet)
• Massive ‘Logjam’ Flaw Discovered (InfoRiskToday)
• HTTPS-crippling attack threatens tens of thousands of Web and mail servers (ArsTechnica)
• Logjam – vulnerabilities in Diffie-Hellman key exchange affect browsers and servers using TLS, (Wed, May 20th)
• Logjam: How Diffie-Hellman Fails in Practice (Reddit)

Infrastructure

• CVE-2015-2704 – realmd allows remote attackers to inject arbitrary configurations in to sssd.conf and smb.conf via a newline character in an LDAP response.
• CVE-2015-3627 – Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.
• CVE-2015-3629 – Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization (_mount namespace breakout_) and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.
• CVE-2015-3630 – Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.
• CVE-2015-3631 – Docker Engine before 1.6.1 allows local users to set arbitrary Linux Security Modules (LSM) and docker_t policies via an image that allows volumes to override files in /proc.

Interesting change from lan to the cloud

• Google Moves Its Corporate Applications to the Internet (Reddit)
• Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh (SecurityWeek)
• Logjam attack exposes data passed over TLS connections (SC Magazine)
• Logjam explained: how the DHE Key Exchange works, and how a client can be tricked into a DHEEXPORT one (Reddit)

 

• Oracle Issues VENOM Security Updates (SecurityWeek)
• Oracle patches buffer overflow bug VENOM (SC Magazine)
• Oracle releases antidote for VENOM vulnerability (The Register)

• Privacy-focused Skype alternative Ring shows promise (TechRepublic)
• SEC Consult SA-20150519-0 :: Critical buffer overflow vulnerability in KCodes NetUSB (VU#177092, CVE-2015-3036)
• Shockingly Simple Flaw Leaves ‘Millions Of Home Routers Open To Attack’ (Forbes)
• Telstra Discloses Breach of Pacnet Corporate Network
• VENOM – Does it live up to the hype?, (Sat, May 16th)
• Venom Vulnerability Affects Virtualization Software (May 13 14, 2015) (SANS Newsbites) –
• VENOM vulnerability details (Reddit) –
• Vuln: ProFTPD CVE-2015-3306 Information Disclosure Vulnerabilities – ProFTPD CVE-2015-3306 Information Disclosure Vulnerabilities
• When amateurs do the job of a professional, the result is smart grids secured by dumb crypto (Reddit) –

Magento

• CVE-2012-3243 – Cross-site scripting (XSS) vulnerability in the SEOgento plugin for Magento allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

Malware

• 3 ‘Old’ Attack Trends That Dominated Q1 (Dark Reading) 
• Attackers Use Trojanized Version of PuTTY to Steal SSH Credentials
• Every 4 Seconds New Malware Is Born (Dark Reading) –
• Hacker launches ransomware rescue kit (The Register) –
• More malicious extensions cause Google to tighten Chrome policy on Windows, Mac (ZDNet) –
• Ransomware rescue kit released to combat criminal enterprise (ZDNet) –
• Study: Employees acknowledge risky security behavior, continue to engage in it (SC Magazine) –
• TeslaCrypt used to extort over $76K in recent months (SC Magazine) –
• Trojanized version of PuTTY client discovered online (ZDNet) –
• Website observed serving 83 executable files, more than 50 percent malware (SC Magazine) –

PHP Security

• CVE-2012-1664 – Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in osCMax before 2.5.1

• CVE-2012-1665 – Multiple SQL injection vulnerabilities in the admin panel in osCMax before 2.5.1

• CVE-2012-6691 – Multiple cross-site request forgery (CSRF) vulnerabilities in the admin panel in osCMax before 2.5.1

• CVE-2015-3397 – Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7.

• CVE-2015-3397 – Cross-site scripting (XSS) vulnerability in Yii Framework before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to JSON, arrays, and Internet Explorer 6 or 7. (CVSS:0.0) (Last Update:2015-05-13)

• phpMyAdmin 4.4.6 Man-In-the-Middle API Github

• Vuln: Zend Framework Multiple Information Disclosure and Security Bypass Vulnerabilities – Zend Framework Multiple Information Disclosure and Security Bypass Vulnerabilities
• [SECURITY] [DSA 3265-1] zendframework security update – <p>Posted by David Pr?vot on May 20

WordPress

• Bugtraq: Stored XSS in WP Photo Album Plus WordPress Plugin – Stored XSS in WP Photo Album Plus WordPress Plugin
• CSRF & XSS vulnerabilities in Encrypted Contact Form WordPress Plugin v1.0.4
• CVE-2015-3325 – SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI.
• SQLi in FeedWordPress WordPress plugin
• Stored XSS in WP Photo Album Plus WordPress Plugin
• Vuln: WordPress Pro Quoter Plugin CVE-2014-4545 Multiple Cross Site Scripting Vulnerabilities – WordPress Pro Quoter Plugin CVE-2014-4545 Multiple Cross Site Scripting Vulnerabilities
• Vuln: WordPress TheCartPress Plugin Multiple Security Vulnerabilities – WordPress TheCartPress Plugin Multiple Security Vulnerabilities