Wednesday, 8 April 2015
FBI to WordPress users: patch now before ISIL defaces you
The United States Federal Bureau of Investigation (FBI) has issued a warning to WordPress users: hurry up and patch your content management system before web site is defaced by ISIL sympathisers.
The Bureau has issued a notice titled "ISIL defacements exploiting WordPress vulnerabilities" in which it warns that "Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS)."
"The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites," the notice says. "Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems."
The good news is that the Bureau thinks the perps are not ISIL members, but sympathisers. It nonetheless advises WordPress users to get their heads around security and patch plugins ASAP.
It's sound advice: Sucuri researcher Alexandre Montpas is warning of a persistent cross-site scripting vulnerability in the WordPress Super Cache plugin that allows up to a million sites to be hijacked.
Montpas reveals the bug affecting versions below 1.4.3 which have been downloaded more than a million times according to WordPress statistics.
Montpas says attackers could have malcode executed if administrators peered into the plugin's listing page.
"Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page," Montpas says.
"As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site’s administrator to have a look at that particular section, manually.
"When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, and injecting backdoors by using WordPress theme edition tools"
The since-patched bug resides in the displaying of data within WP-Super-Cache's cache file key that picks the cache file to be loaded.
It is the latest in a laundry list of WordPress plugin vulnerabilities to be disclosed recently.
The problem with un-patched plugins, as distinct from the WordPress platform itself,
WordPress hacking is a favourite pastime of lazy hackers and exploit kit -slingers who seek to achieve maximum carnage for minimum effort.