Our WordPress Plugin Security Checker Identified a Fairly Serious Vulnerability in a Plugin by MailChimp

https://www.pluginvulnerabilities.com/2017/11/22/our-wordpress-plugin-security-checker-identified-a-fairly-serious-vulnerability-in-a-plugin-by-mailchimp/

Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving that we have been logging any issues identified by the tool in plugins in the Plugin Directory (we don’t log the results for other plugins) and

Powered by WPeMatico

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

https://www.pluginvulnerabilities.com/2017/11/22/authenticated-local-file-inclusion-lfi-vulnerability-in-vmax-project-manager/

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that we were tracing back the code that would be involved in that and at first we couldn’t figure out how part of it would work. Then we figured that out and noticed that there is also an authenticated local


Authenticated Arbitrary File Upload Vulnerability in Vmax Project Manager

https://www.pluginvulnerabilities.com/2017/11/22/authenticated-arbitrary-file-upload-vulnerability-in-vmax-project-manager/

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that led to that post was the plugin Vmax Project Manager. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities, due to the possibility of


Arbitrary File Upload Vulnerability in Wallable

https://www.pluginvulnerabilities.com/2017/11/22/arbitrary-file-upload-vulnerability-in-wallable/

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that led to that post was the plugin Wallable. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. The possible vulnerability that had been


The 14-Step Apache Security Best Practices Checklist (PDF eBook included)

https://wpbuffs.com/apache-security-best-practices/

Apache currently remains the leading web server software in the world with a 45.8% market share. That ends up being about 80 million websites whose web servers are powered by Apache. Pretty impressive, right?

Apache is an open source web server software that has been around since 1995, so that alone speaks volumes to its reliability and longevity. Then there are the high-profile websites that run on Apache servers: Apple, Adobe, and Paypal are just a few of the major brands that entrust their websites to Apache.

Of course, that doesn’t make Apache 100% secure, as no software will ever be 100% safe from hackers, especially when it’s such a well-known and trusted platform (much like WordPress). But if you’re looking for an Apache security PDF eBook, module, guide, tutorial, framework or web server security checklist, you’ve come to the right place.

If you want to harden your Apache security, are having Apache security issues, or are trying to patch a vulnerability or two, the following checklist will provide you with 14 security best practices to add to your website’s security plan.

The Ultimate Apache Security Best Practices Checklist

For those of you who want to truly fortify your WordPress website, securing Apache as you would any of the other software that hooks into and powers your website is essential. Failing to do so can even affect your site’s speed. So, here’s how you will do it:

1. Update Apache

You know how WordPress and any plugins and themes you’ve installed need to be updated regularly? So too does your web server.

If you’re not sure whether your site is running on the most current version of Apache, you can check by running httpd -v on the command line. If the version reported doesn’t match the current release from Apache, you can update it with the following:

# yum update httpd
# apt-get install [add Apache version here]

2. Turn on Logs

If you’re working with a managed WordPress hosting provider, they’ll take care of monitoring your server and WordPress for vulnerabilities and other warning signs. That said, you should keep an eye on your server traffic as well.

With Apache, you can gain access to this activity log by configuring the mod_log_config module. Basically, it will record what users do whenever they touch your server.

3. Get an SSL Certificate

Because your web server handles all browser/server requests to your website, it’s important to secure it with an SSL certificate. The good news is that you can now get an SSL certificate for free. This is more important now than ever, so if you don’t have the technical ability to install this yourself, any quality hosting provider will be able to do it for you.

4. Add a Firewall

In addition to the added protection of the SSL’s encryption, your web server should be fortified with a firewall. For Apache, this means turning on ModSecurity.

To install it on your server, you can execute the following:

# yum install mod_security
# /etc/init.d/httpd restart

Once the firewall is live, it will block a number of common attack patterns before they reach your application, such as SQL injection, session hijacking, and cross-site scripting.

5. Install mod_evasive

Mod_evasive is the module that will protect your Apache server from brute force and DDoS attacks, so make sure this is enabled as well. It will blacklist concurrent and failed login attempts as well as monitor for malicious IPs.

6. Set HTTP Limits

Distributed denial of service (DDoS) attacks are pretty simple to block if you know what sort of actions to watch for. Since DDoS attacks tend to work by repeatedly hitting your server with large requests, your goal should be to set limits that prevent this from happening.

Here are some of the limits you’ll want to establish:

  • KeepAlive On
  • KeepAliveTimeout
  • LimitRequestBody
  • LimitRequestFields
  • LimitRequestFieldSize
  • LimitRequestLine
  • LimitXMLRequestBody
  • MaxClients
  • MaxKeepAliveRequests
  • MaxRequestWorkers
  • RequestReadTimeout
  • TimeOut

7. Delete Unused Modules

By leaving unused, unmaintained, or expired modules on your Apache server, you’re leaving your site open to hackers through a point of entry that doesn’t even need to be there.

The first thing you should do is find out which modules are actually active. You can do this by reviewing the LoadModule directives in your Apache configuration. Once you’ve sifted through the list and identified which modules you don’t need, simply add the “#” symbol in front of the LoadModule line for each module you want to deactivate and then restart Apache.

8. Change Default User and Group

Leaving default settings and default users in place on any software is, in general, a bad security practice. The reason for this is simple: if you’re using the Apache default user or group name, you can bet hackers are aware of what those default names are as well.

Rather than leave the defaults in place, you should create a new non-privileged account to run your Apache processes under. Using the # groupadd and # useradd commands, you can create the new group and user. Just remember to update your httpd.conf with the new user and group names you’ve created.

9. Block Directory Access

Here is another example of default settings that need to be changed. In this case, it’s the access granted to your directory’s files which allows anyone to explore wherever they’d like.

To put a total block in place, use the following directive:

Require all denied

If you want to enable access to certain users, you can do so with this:

Require all granted

If you want to enable access to certain folders within the directory, you can do so with this:

Require all granted

You may also want to peruse the Apache module repository for further tweaking of user access rights.

10. Don’t Publish the Directory

Did you know that if your server doesn’t have an index file, users will be able to see all the content you have stored in your root directory? That’s obviously not good, so you’ll need to disable this default setting with the following:

Options -Indexes

11. Hide Server Details

Because Apache is an open source software, details about the version used are readily available if these settings are not disabled server-side. Since hackers can use that sensitive information to figure out how to break into your server, you’ll want to block this information out.

There are two things you’ll want to disable:

  • ServerSignature – the footer line on server-generated pages, which reveals the version of Apache
  • ServerTokens – the Server response header, which includes the OS version, among other sensitive server details

This information can be found by other users simply by viewing an error page on your website, so it’s pretty important to block this from being shown. To do this, update the httpd.conf with the following:

ServerSignature Off
ServerTokens Prod

12. Hide the ETag

The ETag header in Apache, unfortunately, includes a number of sensitive details about your server. Obviously, anything that shares that sort of information with the outside world should be hidden. Additionally, if you’re running an e-commerce website, you’ll need to hide this in order to be PCI compliant.

To do this, add the following directive to your httpd.conf:

FileETag None

13. Disable .htaccess Override

The .htaccess is an important file for any WordPress website. This is why you need to lock it down and ensure that no one else can override your configuration settings.

To disable overrides, add the following to your httpd.conf for the root directory:

Options -Indexes
AllowOverride None

14. Disable SSI and CGI

Server Side Includes (SSI)-enabled files can open your site up to a number of security problems if left unchecked. Same goes for CGI scripts. In order to prevent either of these from empowering hackers to overload your server or inject malicious scripts into your code, remember to turn them off or restrict what they do through the Options directive.

Here are some Options values you can use:

  • Options All
  • Options IncludesNOEXEC
  • Options -Includes
  • Options -ExecCGI
  • Options -Includes -ExecCGI
  • Options MultiViews
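The directives from steps 6 and 8 through 14 combined into one hardened httpd.conf fragment, added here as an example and not taken from the original post. The document root /var/www/html and the unprivileged account apache:apache are assumptions; substitute the values from your own server.

```apache
# Added example: hardened httpd.conf fragment (not from the original post).
# Assumed values: /var/www/html as DocumentRoot, apache:apache as the
# unprivileged account created with groupadd/useradd (step 8).

# Step 8: run worker processes as an unprivileged account
User apache
Group apache

# Steps 11 and 12: do not advertise version, OS, module or inode details
ServerTokens Prod
ServerSignature Off
FileETag None

# Step 6: request limits that blunt slow or oversized-request floods
Timeout 60
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100
MaxRequestWorkers 150
LimitRequestBody 10485760
LimitRequestFields 50
LimitRequestFieldSize 4094
LimitRequestLine 4094
LimitXMLRequestBody 1048576
# Requires mod_reqtimeout: drop clients that send headers/body too slowly
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Steps 9 and 13: deny everything at the filesystem root and ignore .htaccess,
# then open only the document root (the weak default is "Require all granted"
# with "AllowOverride All" on the root directory)
<Directory />
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    # Steps 10 and 14: no directory listings, no SSI execution, no CGI
    Options -Indexes -Includes -ExecCGI
    # Step 13: with overrides disabled, WordPress permalink rewrite rules
    # must live in this block (or in the vhost) instead of .htaccess
    AllowOverride None
    Require all granted
</Directory>

# .htaccess and .htpasswd files are never served to clients
<Files ".ht*">
    Require all denied
</Files>
```

Run apachectl configtest after applying it and confirm with a HEAD request that the Server header no longer carries a version and that no ETag header is returned.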

Taking Care of Your Apache Server

In an effort to harden your website’s security, pay special attention to your Apache server. Issues like server misconfiguration and leaving default settings in place can put your site at risk just as much as an un-updated core or unsafe PHP coding practices can.


The post The 14-Step Apache Security Best Practices Checklist (PDF eBook included) appeared first on WP Buffs.


Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Simple Events Calendar

https://www.pluginvulnerabilities.com/2017/11/21/cross-site-request-forgery-csrf-cross-site-scripting-vulnerability-in-simple-events-calendar/

While looking into what turned out to be a false report of a vulnerability in the plugin Simple Events Calendar, we noticed there is a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin.

When the plugin’s admin page is requested, the function that generates that page checks if a new event has been submitted with the request using the
