ZERO DAY VULNERABILITY

Two Facebook WordPress Plugins Infected Zero-Day Vulnerabilities

Two Facebook WordPress Plugins Infected Zero-Day Vulnerabilities

A security firm has pointed out some zero-day vulnerabilities in Facebook WordPress Plugins. The vulnerabilities precisely exist in plugins ‘Facebook for WooCommerce’ and ‘Messenger Customer Chat’. Both the plugins have hundreds of thousands of active installations, and thus, pose a threat to a large number of users. Since the researchers have dropped the respective PoC as well with their reports, the vulnerabilities need an urgent fix.

About ‘Plugin Vulnerabilities’ And The Facebook WordPress Plugins In Question

Researchers from the security firm ‘Plugin Vulnerabilities’ have discovered a few zero-day bugs in two Facebook WordPress plugins. Continuing their practice of disclosing WordPress plugin bugs publicly, the firm has shared details once again with the public. They have even explained in a separate blog post, that they disclose the vulnerabilities publicly for customers’ security. The requirement of having a Facebook account to report a bug to Facebook is another hindrance.

They also point out the possible negligence in reviewing WordPress plugins and question the scope of these bugs under their bug bounty program.

SINCE THEY ARE BOTH VULNERABILITIES IN THE TYPE OF CODE THAT IS OFTEN INVOLVED IN DISCLOSED WORDPRESS PLUGIN VULNERABILITIES, THOSE VULNERABILITIES SHOULD NOT HAVE BEEN MISSED IF SECURITY REVIEWS OF THE PLUGINS WERE DONE… SO, IT SEEMS HIGHLY UNLIKELY THAT FACEBOOK GOT THAT DONE WITH THE PLUGINS. INSTEAD… FACEBOOK HAS A BUG BOUNTY PROGRAM. IT ISN’T CLEAR IF THESE PLUGINS WOULD FALL UNDER THAT OR WHAT THEY WOULD EVEN PAY OUT ANY BOUNTY.

Well, we are not really delving into the debate of whether they are right or wrong in their practice. So, let us quickly review the vulnerabilities they discovered.

Specifically, the security firm found bugs in the ‘Facebook for WooCommerce’ plugin and ‘Messenger Customer Chat’ plugin. The former plugin currently has over 200,000 active installations. Whereas, the later has more than 20,000.

Proof of Concept

The following proof of concept will cause the message “Proof of Concept” to be added to the bottom of web pages, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=update_options" method="POST">
<input type="hidden" name="fbmcc_generatedCode" value="Proof of Concept">
<input type="submit" value="Submit" />
</form>
</body>
</html>

CSRF Zero-Day Vulnerabilities Discovered

As stated in their vulnerability report, ‘Facebook for WooCommerce’ is one of the popular plugins for WooCommerce. The plugin page shows that it remains untested for the last three releases of WordPress. Thus, it may be prone to compatibility issues with recent versions.

Out of curiosity, the researchers began analyzing the plugin and came up with a cross-site request forgery (CSRF) vulnerability. They found a lacking of a nonce to prevent CSRF with the AJAX function ajax_update_fb_option(). They have shared a proof of concept in their report.

Following this discovery, the researchers quickly analyzed another plugin and found a similar problem with ‘Messenger Customer Chat’ too. As stated in their reports, they found another CSRF vulnerability, for which they have shared the PoC as well.

Both the vulnerabilities, upon exploit, can allow a potential attacker to alter WordPress site options. While they may not be as dangerous as other web application vulnerabilities, their public disclosures demand an immediate fix to avoid potential threats to the users of the respective plugins.

Contact Us
CRAW SECURITY
1st Floor, Plot no. 4, Lane no. 2,Kehar Singh Estate,Westend Marg,Behind Saket Metro Station, New Delhi – 110030
Call Us : 011-40394315 | +91-9650202445 | +91-9650677445
Mails Us : training@craw.in
Visit Us : www.crawsecurity.com | www.craw.in

Tor Browser 8.5.2 Update With Fixed Critical Zero-day

Tor Browser 8.5.2 Update With Fixed Critical Zero-day

This latest critical zero-day vulnerability recently reported to Mozilla by a member of Google Project Zero -Samuel Grob.

Attackers actively targeted the discovered JavaScript type confusion vulnerability that leads to an exploitable crash. Users are requested to update the new version immediately to protect themselves from this zero-day vulnerability.

The bug doesn’t affect the Tor users who were running under safest security levels. Unfortunately, the release is not available for Android version as the development team unable to access the Android signing token.

Android users are recommended using Tor with safer or safest security levels. You can change the security level under Security Settings.

Changelog For Tor Browser 8.5.2

  • Pick up a fix for Mozilla’s bug 1544386
  • Update NoScript to 10.6.3
  • TOR Browser 8.5.1 released for Windows, Linux and Mac and Android earlier this month. It is the first bug fix release in the 8.5 series.

Download Tor Browser 8.5.2 from Here Tor Browser and distribution directory

The Android version is available from Google Play

Contact Us

CRAW SECURITY
1st Floor, Plot no. 4, Lane no. 2,Kehar Singh Estate,Westend Marg,Behind Saket Metro Station, New Delhi – 110030

Call Us : 011-40394315 | +91-9650202445 | +91-9650677445

Mails Us : training@craw.in
Visit Us : www.crawsecurity.com | www.craw.in

FIREFOX Zero-day BUG Let Hackers Take Full Control of Your System – Update Your FireFox Now

FIREFOX Zero-day BUG Let Hackers Take Full Control of Your System – Update Your FireFox Now

If you are using Firefox web browser, you need to update it as soon as possible.

Mozilla released a security update for Critical Zero-day vulnerability that is being fixed in a new version of Firefox ESR 60.7 and Firefox 67.0.3

Discovered and reported by Samuel Grob , a cybersecurity researcher at Google Project Zero, the vulnerability allow attackers to remotely execute arbitrary code on machines running unpatched old Firefox versions and take full control of the system.

There are various exploit attempts identified, and the attackers targeting the vulnerable old version of Firefox and exploit this critical zero-day vulnerability.

The flaw has been labeled as a type confusion vulnerability in Firefox that can result in an exploitable crash due to issues in Array.pop which can occur when manipulating JavaScript objects.

CVE-2019-11707

The vulnerability, identified as CVE-2019-11707 can affects any of those users who uses Firefox on desktop (Windows, macOS, and Linux) — whereas, Firefox for Android, iOS, and Amazon Fire TV are not affected by this vulnerability.

UPDATE YOUR FIREFOX VIA FOLLOWING LINKS:

All the FireFox user are urged to update the new version immediately to protect themselves from this zero-day exploit and keep your system safe and secure from hackers.

Contact Us

CRAW SECURITY
1st Floor, Plot no. 4, Lane no. 2,Kehar Singh Estate,Westend Marg,Behind Saket Metro Station, New Delhi – 110030

Call Us : 011-40394315 | +91-9650202445 | +91-9650677445

Mails Us : training@craw.in
Visit Us : www.crawsecurity.com | www.craw.in

现在我的胸部比没生孩子之前还要漂亮丰胸食物,就像怀孕时候那样饱满,对着老公再也没有自卑感了,一家三口好幸福丰胸方法,这都是用粉嫩公主酒酿蛋后的收获丰胸产品,真是太感谢这个粉嫩公主酒酿蛋了!添加WeChat获取免费一对一丰胸指导丰胸产品粉嫩公主