Author Archive
Fredrik Fahlstad Plugins Vulnerable
The H-T Team made public some new exploits that affect the following plugins by Fredrik Fahlstad: fGallery 2.4.1 and WP-Cal 0.3. Both are vulnerable to remote SQL injection. It is likely that earlier versions are affected as well.
Within the WP-Cal plugin, the file editevent.php is vulnerable to this attack because of improper sanitisation of the id parameter. Within [...]
WP-Forum 1.7.4 SQL Injection
A critical vulnerability in Fredrik Fahlstad's WP-Forum plugin has been made public. Details are available on Secunia and milw0rm.
This hole may allow an unauthenticated attacker full access to your blog and potentially your web server/host.
Input passed to the “user” parameter in the WordPress installation’s index.php script (when “forumaction” is set to “showprofile” and “page_id” to a [...]
WP-Filemanager <=1.2 — Arbitrary File Upload
The H-T Team have reported a vulnerability in WP-Filemanager.
***No proof of concept available***
The vulnerability is supposed to affect version 1.2. It may also affect earlier versions (in fact, this is likely). It is possible for an attacker to upload arbitrary PHP code, which can afterwards be executed with web server rights.
Currently there’s no vendor fix available. BlogSecurity [...]
WPIDS – WordPress Intruder Detection System
WPIDS is the WordPress port of PHPIDS, an intrusion detection system for PHP. With PHPIDS it's possible to check all delivered user-generated content for malicious code, like SQL injection, XSS, CSRF, and so on. In short, it's a defense plugin for WordPress that BlogSec members have been working on for a few months now. I would say [...]
Whitepaper becomes Weißbuch
We received some great feedback after releasing our Secure WP Whitepaper, and it just got better for our German readers!
Sven Kubiak has translated our popular "Securing WordPress Whitepaper" into German. BlogSec does have a strong German userbase, and we hope our German readers enjoy it!
The Whitepaper was translated by Sven Kubiak, with some editing by [...]