[Sunnet Alert] Advisory #214 - Wordpress, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Mon Mar 26 01:08:32 EST 2007


Sûnnet Beskerming Alert List Advisory #214

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Wordpress
	- Remote Hacker Automatic Data Theft
	- Time Since Discovery - 5 Days
=======================================

/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.	NEWS
--------------------------------------------------------------------
2.1	First Real Major Issue For Vista
2.2	You're Not As Safe As You Think You Are
=====================================

1.	SECURITY

1.1	Wordpress - Remote Hacker Automatic Data Theft

	-- Products Affected --
	All versions of Wordpress

	-- Technical Description --
	The login page's 'redirect_to' GET parameter can be set to any  
site, and a valid user who logs in is sent there afterwards.  This  
will pass the authentication details to the new site, allowing an  
attacker to impersonate the victim and gain access to their  
Wordpress account.  A successful attack can be launched by getting  
the victim to click on a malicious link that takes them to their  
real Wordpress login page (but with a malicious 'redirect_to'  
setting).

	-- Description --
	A flaw has been discovered with the popular blogging tool,  
Wordpress, that allows an attacker to redirect their victim to any  
site of the attacker's choosing from the victim's Wordpress login  
page.  The compromise will pass authentication details to the  
attacker's site, effectively allowing the attacker to impersonate  
their victim and gain complete control of their Wordpress sites.  In  
order to be successful, the attacker needs to convince the victim to  
click on a malicious link that will take them to their real login  
site (but with a malicious redirect after logging in).

	-- Recommended Action --
	Only log into Wordpress accounts from known good links, and apply  
the latest patches from Wordpress when they become available.
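	The fix on the site operator's side is to stop trusting the  
'redirect_to' value and only follow it when it points back at the  
blog's own host.  The following Python is an added illustration of  
that check, written for this advisory; it is not Wordpress code and  
does not reproduce the vendor's patch.  The host name 'blog.example',  
the fallback path and the function names are assumptions made up for  
the example.

```python
from urllib.parse import urlsplit

# Constructed for the example: the blog's own host name and the page to
# land on when a redirect target is rejected. A real deployment would take
# the host from its configured site URL instead of a constant.
SITE_HOST = "blog.example"
FALLBACK = "/wp-admin/"


def unsafe_redirect_target(redirect_to: str) -> str:
    """The vulnerable pattern: whatever the query string says is where the
    user goes after login, including a third-party site."""
    return redirect_to


def safe_redirect_target(redirect_to: str,
                         site_host: str = SITE_HOST,
                         fallback: str = FALLBACK) -> str:
    """Return redirect_to only if it stays on site_host; otherwise fallback.

    Handles the usual ways an off-site target is smuggled past a naive
    check: absolute URLs on another host, scheme-relative '//host' values,
    backslash variants, userinfo tricks ('site@evil'), non-http schemes and
    embedded whitespace or control characters.
    """
    if not redirect_to:
        return fallback
    candidate = redirect_to.strip()

    # Whitespace or control characters inside the value are never a
    # legitimate redirect and can be used to split the response header.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return fallback

    # Some browsers treat '/\evil' like '//evil', so refuse backslashes.
    if "\\" in candidate:
        return fallback

    parts = urlsplit(candidate)

    # Only http(s) or a scheme-less (site-relative) target is acceptable.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback

    # 'http:///evil' parses with an empty host but browsers repair it to
    # 'http://evil', so an absolute scheme must come with a host.
    if parts.scheme and not parts.netloc:
        return fallback

    if parts.netloc:
        # Absolute URL: compare the parsed host, which strips any
        # 'user@' prefix and port, case-insensitively against our own host.
        host = parts.hostname or ""
        if host.lower() != site_host.lower():
            return fallback
        return candidate

    # No host at all: it must be a site-relative path starting with exactly
    # one slash ('//host' would have been parsed as a netloc above, but a
    # path beginning with two slashes is refused as well).
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    # Constructed sample values a login page might receive.
    for value in ("/wp-admin/", "https://blog.example/wp-admin/",
                  "http://evil.example/", "//evil.example/",
                  "http://blog.example@evil.example/", "javascript:alert(1)"):
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

The check compares the parsed host rather than doing a string prefix  
test, because 'http://blog.example.evil.example/' and  
'http://blog.example@evil.example/' both start with the site's name  
but land elsewhere; anything that fails the comparison falls back to a  
fixed on-site page instead of being echoed back to the user.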

	-- Source --
	http://www.metaeye.org

	-- Threat Matrix --
			U	O
	Home User	5	5 (Moderate)
	Corporate	5	5 (Moderate)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	First Real Major Issue For Vista?

It appears that the first major issue for Microsoft's new Operating  
System, Vista, has been discovered with the Windows Mail application  
(the previous WMF issues were fixed by the time of public release for  
Vista).  Scanty reporting at this stage means that the full nature of  
the vulnerability has not been completely disclosed but it appears to  
be an issue with the way that Mail handles links in messages that  
have been received.  Apparently it is possible for Mail to  
automatically open local and networked applications if the link is  
appropriately formatted.  Original reporting suggested that the issue  
could not lead to arbitrary remote code execution, though it has now  
been shown that it is possible for an attacker to run code of their  
choice on a victim's system.

While this issue is significant, it does require victim interaction  
(i.e. the victim has to click on a malicious link for the  
vulnerability to work) and the nature of the interaction required  
would suggest that this is a misguided feature.  While it shouldn't  
be possible for someone to open another application by clicking a  
link from within an email (i.e. the application is the target and not  
just used to display the link), they should still be able to follow  
links to networked resources.

This may not be the only issue that Vista is facing at the moment.   
Claims are being made on some websites that a 'bootkit' has been  
created that specifically targets Vista, which allows the attacker to  
intercept and control the Vista boot process and the system as a  
result.  This tool, dubbed 'Vbootkit' is expected to be made public  
in a matter of weeks.


2.2	You're Not As Safe As You Think You Are

Increasingly, Internet users are becoming aware of the risks posed by  
JavaScript when visiting untrusted websites (and even on some trusted  
sites).  Even if they are not directly aware of it, their antivirus /  
antimalware / defensive software choices are more than likely  
beginning to protect against some of the more obvious attack /  
probing attempts launched by problematic sites.  For site developers,  
awareness of these risks is now an essential component of their  
skillset.  They need to be aware of the different ways that an  
attacker can subvert the various parts of their site in order to take  
control of the site, deliver malicious software to victims, or  
otherwise cause problems through XSS or similar vulnerabilities.

Because of its widespread and fairly consistent implementation across  
browsers and platforms, JavaScript has been the target of choice for  
researchers and attackers alike, but more researchers are becoming  
aware of the fact that there are plenty of other means to achieve the  
same end.  Recent weeks have seen discussion on the use of VBScript  
instead of JavaScript when targeting Internet Explorer users, and  
there have also been demonstrations of using XUL to target the  
Mozilla / Firefox family of browsers.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
