Weekly Cyber and PHP Security News

For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.

A selection of this week’s more interesting vulnerability disclosures and cyber security news.

• ‘Geo-inference’ can reveal your location in all mainstream browsers (Reddit)

• Colombian hacker who spied on gov-rebel peace talks jailed for 10 years (The Register)

• Googles April Fools prank inadvertently broke their security Netcraft (Reddit)

• HSBC mortgage customer info was publicly accessible on the internet (SC Magazine)

• Just passed my OSCP! My Journey Through the Offensive Security Certified Professional (OSCP) (Reddit)

• Kaspersky Ransomware Decryptor (Reddit)

• Microsoft Zero-Day Bug Being Exploited In The Wild (Dark Reading)

• Mojang Updates Minecraft to Patch Server Crash Vulnerability (SecurityWeek)

• Teenagers Suspected of Hacking Belgian and French Websites (SecurityWeek)

• Test your Magento shop for the Shoplift bug (SUPEE-5344) (Reddit)

• This New Online Interactive Film Shows Who’s Watching You Online — And It’s Downright Scary (Forbes)

• Watch Out Google, DARPA Just Open Sourced All This Swish ‘Dark Web’ Search Tech (Forbes)

Drupal

• CVE-2015-3342 – Open redirect vulnerability in the Ubercart Currency Conversion module before 6.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination query parameter.

• CVE-2015-3343 – Cross-site request forgery (CSRF) vulnerability in the OPAC module before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of unspecified victims for requests that remove a mapping via unknown vectors.

• CVE-2015-3344 – Cross-site scripting (XSS) vulnerability in the Course module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3345 – SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the _phpList database._

• CVE-2015-3346 – SQL injection vulnerability in the WikiWiki module before 6.x-1.2 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

• CVE-2015-3347 – Cross-site request forgery (CSRF) vulnerability in the Cloudwords for Multilingual Drupal module before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of unspecified victims via an unknown menu callback.

• CVE-2015-3348 – Cross-site scripting (XSS) vulnerability in the Cloudwords for Multilingual Drupal module before 7.x-2.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3349 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Htaccess module before 7.x-2.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) deploy or (2) delete an .htaccess file via unspecified vectors.

• CVE-2015-3350 – Cross-site request forgery (CSRF) vulnerability in the Todo Filter module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that toggle a task via unspecified vectors.

• CVE-2015-3351 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Log Watcher module before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable, (2) disable, or (3) delete a report via unspecified vectors.

• CVE-2015-3352 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to _report administration._

• CVE-2015-3353 – Cross-site scripting (XSS) vulnerability in the Field Display Label module before 7.x-1.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the alternate field label in content types settings.

• CVE-2015-3354 – Cross-site request forgery (CSRF) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete wishlist purchase intentions via unspecified vectors.

• CVE-2015-3355 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Batch Jobs module before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of certain users for requests that (1) delete a batch job record or (2) execute a task via unspecified vectors.

• CVE-2015-3356 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) enable or (2) disable modules or (3) change variables via unspecified vectors.

• CVE-2015-3357 – Cross-site scripting (XSS) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the _access wishlists_ permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a log message.

• CVE-2015-3358 – Multiple open redirect vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a destination parameter, related to callbacks that (1) enable and disable modules or (2) change variables.

• CVE-2015-3359 – Multiple cross-site scripting (XSS) vulnerabilities in the Room Reservations module before 7.x-1.1 for Drupal allow remote authenticated users with the _Administer the room reservations system_ permission to inject arbitrary web script or HTML via the (1) node title of a _Room Reservations Category_ or (2) body of a _Room Reservations Room_ node.

• CVE-2015-3360 – Cross-site scripting (XSS) vulnerability in the Term Merge module before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

• CVE-2015-3361 – Cross-site scripting (XSS) vulnerability in the Linkit module before 7.x-2.7 and 7.x-3.x before 7.x-3.3 for Drupal, when the node search plugin is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3362 – Cross-site scripting (XSS) vulnerability in the Video module before 7.x-2.11 for Drupal, when using the video WYSIWYG plugin, allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3363 – Cross-site request forgery (CSRF) vulnerability in the Contact Form Fields module before 6.x-2.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete fields via unspecified vectors.

• CVE-2015-3364 – Cross-site scripting (XSS) vulnerability in the Content Analysis module before 6.x-1.7 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a log message.

• CVE-2015-3365 – Cross-site scripting (XSS) vulnerability in the nodeauthor module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a Profile2 field in a provided block.

• CVE-2015-3366 – Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors.

• CVE-2015-3367 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Patterns module before 7.x-2.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) restore, (2) publish, or (3) unpublish a pattern via unspecified vectors.

• CVE-2015-3368 – Cross-site scripting (XSS) vulnerability in the administration user interface in the Classified Ads module before 6.x-3.1 and 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the _administer taxonomy_ permission to inject arbitrary web script or HTML via a category name.

• CVE-2015-3369 – Cross-site scripting (XSS) vulnerability in the Taxonews module before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the _administer taxonomy_ permission to inject arbitrary web script or HTML via a term name in a block.

• CVE-2015-3370 – Cross-site request forgery (CSRF) vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to hijack the authentication of users with the _node_invite_can_manage_invite_ permission for requests that re-enable node invitations via unspecified vectors.

• CVE-2015-3371 – Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter.

• CVE-2015-3372 – Cross-site scripting (XSS) vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3373 – The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL.

• CVE-2015-3374 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Corner module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable corners via unspecified vectors.

• CVE-2015-3375 – Cross-site request forgery (CSRF) vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete user role matching rules via unspecified vectors.

• CVE-2015-3376 – Cross-site scripting (XSS) vulnerability in the Quizzler module before 7-x.1.16 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3378 – Open redirect vulnerability in the Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.10 for Drupal, when the Views UI submodule is enabled, allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to the break lock page for edited views.

• CVE-2015-3379 – The Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to the default views configurations, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

• CVE-2015-3380 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrator for requests that (1) enable or (2) disable a module via unspecified vectors.

• CVE-2015-3381 – Cross-site scripting (XSS) vulnerability in the Node basket module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

• CVE-2015-3382 – Multiple cross-site request forgery (CSRF) vulnerabilities in the Node basket module for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add or (2) remove nodes from a basket via unspecified vectors.

• CVE-2015-3383 – Open redirect vulnerability in the Node basket module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

• CVE-2015-3384 – Cross-site scripting (XSS) vulnerability in the Bank Account Listing Page in the Commerce Balanced Payments module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

• CVE-2015-3385 – Cross-site scripting (XSS) vulnerability in the Taxonomy Path module before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the _Link to path_ field formatter.

• CVE-2015-3386 – Cross-site scripting (XSS) vulnerability in the Node Access Product module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3387 – Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Tools module before 7.x-1.4 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via a (1) node or (2) taxonomy term title.

• CVE-2015-3388 – Cross-site request forgery (CSRF) vulnerability in the Commerce Balanced Payments module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete the user’s configured bank accounts via unspecified vectors.

• CVE-2015-3389 – Cross-site scripting (XSS) vulnerability in the Download counts report page in the Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal allows remote authnticated users to inject arbitrary web script or HTML via unspecified vectors.

• CVE-2015-3390 – Cross-site scripting (XSS) vulnerability in the Facebook Album Fetcher module for Drupal allows remote authenticated users with the _access administration pages_ permission to inject arbitrary web script or HTML via unspecified vectors.

• CVE-2015-3391 – The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtaining sensitive node titles by reading a 403 Not Found page.

• CVE-2015-3392 – Cross-site scripting (XSS) vulnerability in the Ajax Timeline module before 7.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.

• CVE-2015-3393 – Open redirect vulnerability in the Commerce WeDeal module before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.

• CVE-2015-3404 – The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to _showing (and creating) the PDF certificates._

General

Grim reading really. Will we lose?

• Feeling safe? Try attending Internet security conference (Yahoo Security) –

• Flash EK leveraged in potentially widespread malvertising attack (SC Magazine) –

Sounds like a movie script

• Lawyer: Cops dropped robbery case rather than detail FBI’s StingRay phone snoop gizmo (The Register) –

Infrastructure

Another Netgear router issue

• Bugtraq: Netgear WNR2000v4 Multiple Vulnerabilities – Netgear WNR2000v4 Multiple Vulnerabilities

Another TP-LINK issue

• CVE-2015-3035 – Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317

At last D-Link. Good one.

• D-Link: sorry we’re SOHOpeless (The Register) –

Don’t want to cause alarm or anything….

• Feds Warn Airlines to Look Out for Passengers Hacking Jets (WIRED) –
• Hacker In Trouble With Feds After Tweeting About ‘Playing’ With Plane Comms Mid-Flight (Forbes)
• Report on how hackers could take over planes – Report of the U.S. Government Accountability Office (GAO) (Reddit)
• Researcher denied airline flight after tweet about hacking (Yahoo Security)
• Researcher denied flight after tweet poking United security (Yahoo Security) –
• Researcher who joked about hacking a jet plane barred from United flight (ArsTechnica) –

Really?

• Fukushima nuke plant owner told to upgrade from Windows XP (The Register) –

IP Phones vulnerable to a persistent issue

• Infosec bod’s brag: Text editor pops Avaya phones FOREVER (The Register) –

Gosh! No way, are they mad?

• POS vendor uses same password – 166816 – non-stop since 1990 (The Register) –

Keep tabs on those IoT devices!

• Security of Internet of Things in Spotlight at RSA Conference –

Laravel

• Laravel – PHP Object Injection – 4.1, 4.2, 5.0, master

Magento

• Critical Flaw in Magento eCommerce Platform Exposes Online Shops

PHP Security

• Implementing Secure User Authentication in PHP Applications with Long-Term Persistence

User Space

Move away from those wi-fi hotspots. Nothing to see here…

• ‘No iOS Zone’ Wi-Fi zero-day bug forces iPhones, iPads to crash and burn (The Register) –

Fancy a coffee?

• Costa Coffee Club members wake up and smell the data breach (The Register) –

A small issue here…

• CVE-2015-1701 (windows_7) – Unspecified vulnerability in Microsoft Windows before 8 allows local users to gain privileges via unknown vectors, as exploited in the wild in April 2015.

Whatever you call it, its still a problem…

• Google guru: Android doesn’t have malware, it has Potentially Harmful Applications instead (The Register) –

Programmers…

• Poor guy having the surname of Null

SSID is vulnerable to buffer overflow apparently…. Opps.

• Wi-Fi software security bug could leave Android, Windows, Linux open to attack (ArsTechnica) –

Under our noses eh?

• Zero-Day Malvertising Attack Went Undetected For Two Months (Dark Reading) –

WordPress

• Bugtraq: Google Analytics by Yoast stored XSS #2 – Google Analytics by Yoast stored XSS #2

• Bugtraq: Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin – Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin

• CVE-2015-2825 – Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the path parameter.

• Google Analytics by Yoast stored XSS #2

• Multiple WordPress plugins vulnerable to cross-site scripting (SC Magazine) –

• Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin

• Swarm of WordPress plugins susceptible to potentially dangerous exploits (ArsTechnica) –

• WordPress 4.1.2 critical security release (Reddit) –