Showing posts with label wordpress.
By Unknown | 0 comment


This plugin is hailed by some as one of the power tools of the "big boys" of net marketing, and according to its author it is installed on some 5,000 sites worldwide.



Unfortunately, the author is openly hostile at the suggestion that there are problems with his code: attempts to alert him to the problems with the plugin resulted in a flurry of insults, accusations, and nasty-grams to me and some others working on the project. He accused me of telling "blatant lies" and fabricating screenshots of the vulnerabilities (!!!). So here we are on the disclosure list. Developers would do well to err on the side of humility here and remember that the only acceptable response to a bug report you disagree with is "cannot reproduce," and it is my sincere hope that the author gets therapy, a security audit, or both: his customers deserve more than this incompetence and aggression.



VULNERABILITIES

* Disclosure of database credentials
* XSS vulnerabilities
* Arbitrary user deletion
* Arbitrary code execution

AFFECTED VERSIONS

v3.8.012 thru v3.9.001



PROOF OF CONCEPT

Dictionary-based URL scanning of a site where the plugin is installed revealed numerous $_GET parameters that trigger special functionality and that rarely seemed to be properly checked for permissions. The specific vulnerabilities include:



DATABASE CREDENTIALS DISCLOSED

?i4w_dbinfo=

Prior to version 3.9.001, setting this parameter on a site where the plugin is installed would cause the full database credentials to be printed, including the database name, user, password, and encoding.

After version 3.9.001, this exploit requires that the user request an admin URL (e.g. as a registered subscriber).



XSS VULNERABILITIES

?decrypt=
?encrypt=

If set, both of these parameters simply print whatever follows verbatim onto the page and exit: nothing else is printed. A phishing attack is quite simple here because the attacker does not have to camouflage anything: a remote JavaScript file can simply generate the *entire* page. As a reminder, some hosts filter the $_GET parameters (e.g. escaping quotes) and not all browsers interpret malformed tags the same way, but these parameters are vulnerable to XSS attacks. On setups with caching, this may become a persistent XSS attack when subsequent page views serve up the compromised page.



DELETE ARBITRARY USERS

?i4w_clearuser=&Email=

If these two parameters are defined, the named user will be *deleted* from the WordPress database (with one catch): the i4w_clearuser parameter must match the API key used by the plugin, but if the plugin has not yet had its license activated, the API key is null, so the attack succeeds. WordPress login names are printed in comments or can be guessed (e.g. the ubiquitous "admin").



ARBITRARY CODE EXECUTION

?i4w_trace=; #

The i4w_trace parameter passes unescaped values to the system shell when the page is requested by an admin (the user must be authenticated as an administrator for this to work). Anything placed between the ";" and the "#" is executed. This makes for a dangerous phishing attack if an admin can be convinced to click on a prepared link.
By Unknown | 0 comment

Every day on the Internet thousands of websites are hacked because of weak security. WordPress websites in particular are hacked every day because of WordPress's huge popularity throughout the world, so hackers automatically target WordPress blogs and websites. Part of the problem is the default WordPress admin URL: most bloggers and website owners keep the default URL that is set up when WordPress is installed. WordPress has already addressed this by recommending that you change the default username "admin" to another username, but that precaution alone does not stop your website from getting hacked.
So what can you do? Here is another approach that makes your WordPress blog/website security 10 times better than before.

How to Install and Configure Lockdown WP Admin Plug-in?

Here is the basic information about how to install and set up the Lockdown WP Admin plug-in on WordPress blogs/websites.
  • First, log in to your WordPress admin dashboard by entering your username and password.
  • To get the best results with this plug-in your site must have permalinks enabled.
  • Now navigate to Plugins from the sidebar menu and click on the Add New option to install a new plug-in.
  • Type Lockdown WP Admin in the search box and click on the Search button to get search results. Click on the Install Now button to install it on your WordPress blog.
  • Once the installation process completes, click on Activate Plug-in to activate the Lockdown WP Admin plug-in.
  • Now launch Lockdown WP Admin from the sidebar by clicking on Lockdown WP and selecting Lockdown WP.
  • First of all, tick the box "Yes, please hide WP Admin from the user" and change the admin URL in the WordPress Login URL section to a name that is not easy for anyone to guess.
  • Under HTTP Authentication leave the field as it is, that is, keep "Disable HTTP Auth" as the default option, and click on "Save Options" to save all these settings.
  • If you use HTTP Authentication then you need to create a secondary WordPress admin .htaccess password. This secondary password will be useful even if someone guesses your secret admin URL. If you use WordPress Login Credentials then you need to enter the primary username and password to gain access to the secondary username and password.
  • Alternatively you can also use "Private Usernames/Passwords" to set secondary usernames and passwords from the Lockdown WP > Private Users section.
  • To check whether it is working or not, just log out from the WordPress dashboard. Now enter the old WordPress admin URL and you will see a 404 Not Found error page. From now on you need to use the secret WordPress admin URL to log in to the WordPress dashboard.






Remove WordPress Meta Widget to Stop Exposing the Secret Login URL:
Professional bloggers usually do not keep this Meta widget on their blogs, but in case you forgot to remove it, follow the steps below to remove the Meta widget.

1. Click on Appearance and select Widgets from the menu. Now you will see all activated and deactivated widgets in one place.

2. In the Primary Sidebar you will have all active widgets; click on the Meta widget and delete it from the list.
You can check the screenshot below, which shows how the secret admin URL was exposed before the Meta widget was removed.
There is another method to remove the Meta widget by editing the WordPress files, but all those files are restored again when you update WordPress.

Now no one can hack your website by accessing the default WordPress admin URL. If you have any doubts while following this process, please leave a comment below.

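As an added example (not part of the original post), the following Python script mirrors the post's manual check offline: it takes an injected fetch function, so it runs against constructed responses rather than a live site, verifies that the default admin URL returns 404 and that the secret URL still serves the login form, and scans the homepage for Meta widget links that would leak the secret login URL. The secret path, the fetch interface and the sample HTML are assumptions for the demo.

```python
from html.parser import HTMLParser

class LinkCollector(HTMLParser):
    """Collect href values from a page; the Meta widget renders its login link as a plain <a>."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def login_links(html, secret_path):
    """Return links that point at a WordPress login entry point or at the secret admin path."""
    collector = LinkCollector()
    collector.feed(html)
    needles = ("wp-login.php", "/wp-admin", secret_path.strip("/"))
    return [h for h in collector.hrefs if any(n in h for n in needles)]

def audit_lockdown(fetch, secret_path):
    """fetch(path) -> (status, body). Mirrors the post's manual test: the default admin URL
    must 404, the secret URL must still serve the login form, and the homepage must not
    advertise the login URL (a leftover Meta widget would)."""
    status_old, _ = fetch("/wp-admin/")
    status_new, body_new = fetch("/" + secret_path.strip("/") + "/")
    _, body_home = fetch("/")
    return {
        "default_admin_hidden": status_old == 404,
        "secret_url_serves_login": status_new == 200 and "loginform" in body_new,
        "homepage_leaks_login_url": bool(login_links(body_home, secret_path)),
    }

# Constructed responses (assumption for the demo): lockdown is on, but the Meta widget is still active.
SECRET = "my-hidden-door"
FAKE_SITE = {
    "/wp-admin/": (404, "<h1>Not Found</h1>"),
    f"/{SECRET}/": (200, '<form id="loginform" action="/my-hidden-door/"></form>'),
    "/": (200, '<aside id="meta-2"><ul><li><a href="/my-hidden-door/">Log in</a></li>'
               '<li><a href="/feed/">Entries RSS</a></li></ul></aside>'),
}

def fake_fetch(path):
    """Stand-in for an HTTP client; returns (status, body) for the constructed site."""
    return FAKE_SITE.get(path, (404, ""))

if __name__ == "__main__":
    for check, result in audit_lockdown(fake_fetch, SECRET).items():
        print(f"{check}: {result}")
```

A `homepage_leaks_login_url` of True is the failure case: the Meta widget is still publishing the secret URL the plugin was meant to hide.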
By Unknown | 0 comment

Whether you pursue online writing casually or professionally, you cannot call yourself a blogger until you are familiar with a powerful CMS like WordPress. What makes a blogger different from others is that instead of using it just for a casual piece of writing and clicking the Publish option, a blogger knows how to use a CMS the right way: the way in which the site content pleases both bots and real visitors.
The following is a list of the most reliable plugins for WordPress in 2012 that every blogger should adopt in order to get effective results that quite simply define a job well done.

Top 20 WordPress Plugins:

1) Smart 404
Research is always the most time-consuming aspect of any blog's composition when the desired information cannot be found. Smart 404 makes a "smart" move here: using the current URL, it manages to find the desired results.

2) Akismet
Hate spam? Fret not, as Akismet is a helpful tool that protects your blog from unwanted spam comments quite effectively!

3) All In One SEO Pack
With this powerful plugin, a WordPress site quickly becomes a search engine's favorite pal, which saves the immense time of doing on-page SEO manually.

4) FeedBurner FeedSmith
Are you curious about your subscribers? FeedBurner FeedSmith can help you with that, as it keeps you informed about the subscribers to your FeedBurner feed.

5) Google XML Sitemaps
As the name suggests, it makes an XML sitemap for your site which you can submit to search engines to improve the crawl rate. If you are searching for an efficient sitemap plugin then the powerful Google XML Sitemaps is definitely the thing you have been looking for.

6) Popularity Contest
By displaying the number of your blog visitors and comments, the Popularity Contest plugin lets you know how well your blog is being followed by visitors.

7) After the Deadline
It informs you about grammatical and spelling mistakes in your articles quite efficiently. Since the Panda update, typos can damage a page's reputation, so the After the Deadline plugin is no less than a savior, as it makes sure your blog is mistake-free.

8) Category Order
With an ordinary drag-and-drop feature, you will be able to categorize your blog the way your heart desires, quickly.

9) Google Integration Toolkit
This powerful plugin connects your blog with Google's top-notch services such as Webmaster Tools, AdWords, Keyword Tools etc.

10) Article2pdf
The title says it all. With this plugin your visitors have the option of saving your blog content as a PDF file.

11) Redirection
Worried about 301 redirects or 404 errors? The Redirection plugin will take care of all 301-related issues.

12) WP-DB Manager
WP-DB Manager is a very handy database plugin when it comes to deleting, repairing or even recovering a database.

13) Captcha
To make sure that the visitor is a human being and not some online spam bot attempting to comment on your blog, a simple mathematical question is asked before logging in or commenting on your blog.

14) Do Follow
Tired of the annoying "nofollow" attribute added to the comment section of a WordPress blog by default? The Do-Follow plugin will remove it and let you pass your link juice to your commenters.

15) WP Smush.it
When it comes to images, WP Smush.it helps to optimize, resize and even convert images from one format to another in the very best way possible today.

16) Permalink Finder
Say goodbye to all those endless 404 pages on your restructured or migrated blog, as this plugin does all the work.

17) Liveblog
If a blog post demands real-time updates during live coverage of an event (e.g. an iPhone launch), then Liveblog is the thing for you, as it lets the blog post be updated quickly without ever visiting the wp-admin area!

18) W3 Total Cache
Loading can be a real pain if it takes too much time. With W3 Total Cache, a decent amount of time is saved through efficient caching and the second loading time of your blog is greatly reduced.

19) Subscribe to Comments
In order to maintain, if not increase, the viewership of your blog, the Subscribe to Comments plugin is an excellent tool to keep readers in touch with your blog posts by putting an email notification system into action on your blog.

20) WP-Polls
Adding a poll with the WP-Polls plugin is a perfect way to increase visitor interaction on your blog!
By Unknown | 0 comment

There are multiple vulnerabilities in the Js-Multi-Hotel plugin for WordPress.
Earlier I wrote about two other vulnerabilities.

These are Abuse of Functionality, Denial of Service, Cross-Site Scripting and Full path disclosure vulnerabilities in the Js-Multi-Hotel plugin for WordPress. There are many more vulnerabilities in this plugin (including dangerous holes), so after these two advisories I'll write new advisories.


Affected products:

Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.

Affected vendors:

Joomlaskin
http://www.joomlaskin.it

Details:


Abuse of Functionality (WASC-42):

http://site/wp-content/plugins/js-multihotel/includes/show_image.php?file=http://site&w=1&h=1

DoS (WASC-10):

http://site/wp-content/plugins/js-multihotel/includes/show_image.php?file=http://site/big_file&h=1&w=1

Besides conducting a DoS attack manually, it is also possible to conduct automated DoS and DDoS attacks using DAVOSET (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).

DDoS attacks via other sites execution tool:
http://websecurity.com.ua/davoset/


Cross-Site Scripting (WASC-08):

Other [added by khalil shreateh]:

Full path disclosure (WASC-13):

http://site/wp-content/plugins/js-multihotel/includes/functions.php
http://site/wp-content/plugins/js-multihotel/includes/myCalendar.php
http://site/wp-content/plugins/js-multihotel/includes/refreshDate.php?d=
http://site/wp-content/plugins/js-multihotel/includes/show_image.php
http://site/wp-content/plugins/js-multihotel/includes/widget.php
http://site/wp-content/plugins/js-multihotel/includes/phpthumb/GdThumb.inc.php
http://site/wp-content/plugins/js-multihotel/includes/phpthumb/thumb_plugins/gd_reflection.inc.php
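As an added example that is not from either advisory, the following Python script turns the request patterns described in the i4w plugin advisory earlier on this page and in this Js-Multi-Hotel advisory into a detection pass over web server access logs: it flags the i4w_dbinfo, i4w_clearuser, i4w_trace, decrypt and encrypt query parameters, and show_image.php requests whose file parameter points at a remote URL. The log lines and IP addresses are constructed, and the parser assumes the standard combined-log request field.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters named in the i4w advisory, keyed to the issue each one triggers.
PARAM_RULES = {
    "i4w_dbinfo": "i4w: database credential disclosure",
    "i4w_clearuser": "i4w: arbitrary user deletion",
    "i4w_trace": "i4w: shell command injection (needs admin session)",
    "decrypt": "i4w: reflected XSS sink",
    "encrypt": "i4w: reflected XSS sink",
}
# Request field of a combined-format access log: "METHOD /path?query HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return the findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # "?i4w_dbinfo=" has an empty value
    findings = [label for name, label in PARAM_RULES.items() if name in query]
    if parts.path.endswith("/js-multihotel/includes/show_image.php"):
        for value in query.get("file", []):
            if value.lower().startswith(("http://", "https://")):
                findings.append("js-multihotel: remote fetch via show_image.php (abuse/DoS)")
    return findings

def scan_log(lines):
    """Yield (line_no, target, findings) for every log line that matches a rule."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            findings = classify_request(m.group("target"))
            if findings:
                yield n, m.group("target"), findings

# Constructed sample log lines (not taken from either advisory); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2013:10:00:01 +0000] "GET /?i4w_dbinfo= HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jul/2013:10:00:02 +0000] "GET /blog/?decrypt=%3Cscript%3E HTTP/1.1" 200 40',
    '203.0.113.9 - - [01/Jul/2013:10:00:03 +0000] "GET /?i4w_clearuser=&Email=admin HTTP/1.1" 200 10',
    '203.0.113.9 - - [01/Jul/2013:10:00:04 +0000] "GET /wp-content/plugins/js-multihotel/includes/show_image.php?file=http://203.0.113.9/big&w=1&h=1 HTTP/1.1" 200 1',
    '203.0.113.7 - - [01/Jul/2013:10:00:05 +0000] "GET /wp-content/plugins/js-multihotel/includes/show_image.php?file=images/room1.jpg&w=100&h=100 HTTP/1.1" 200 9000',
    '203.0.113.7 - - [01/Jul/2013:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for n, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {target} -> {'; '.join(findings)}")
```

A local image path passed to show_image.php is left alone; only the remote-URL form the advisory describes is flagged.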