What every WordPress user must know about File Permissions

File permissions grid

File permissions play a vital role in security and functionality of a web site. Here is an excellent article by Shylaja Sreedharan that provides a good overview of file (and directory) permissions. Understanding this is fundamental to managing many web sites, including WordPress sites.

Read the full article here: https://blogvault.net/wordpress-file-permissions/

Apple Releases OS X Bash Update 1.0

Apple has released security update OS X Bash Update 1.0.

The  patch is available as three separate downloads for OS X Mavericks 10.9.5, OS X Mountain Lion, and OS X Lion. A  patch for OS X Yosemite Public Beta and Developer Preview releases are not yet available.

The download is very small, around 3.5MB.

More information at OS X Daily: http://osxdaily.com/2014/09/29/os-x-bash-update-1-0-shellshock-patch/

 

Vulnerabilities in WordPress older than 3.8.2, Twitget Plugin and Quick Page Post Redirect Plugin.

WordPress vulnerabilities as reported from WordFence on April 14, 2014.

WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165

WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166

What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.

Plugin Vulnerability: CSRF/XSS vulnerability in Twitget 3.3.1. If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). Vulnerability ID: CVE-2014-2559 (not yet published)

What to do: Upgrade to Twitget 3.3.3 or later which contains a fix. Author is aware of the vulnerability and has fixed it.

Plugin Vulnerability: Quick Page/Post Redirect Plugin contains a CSRF and stored XSS vulnerability. Vulnerability ID is: CVE-2014-2598 (not yet published)

What to do: Upgrade to version 5.0.5 or later. Author is aware of vulnerability and has fixed it.

These reports courtesy of

Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.

Three new WordPress plugin vulnerabilities and what to do about them

WordFence reports three new WordPress plugin vulnerabilities. These security related issues should be resolved as soon as possible.

The plugin Complete Gallery Manager 3.3.3 contains a remotely exploitable file upload vulnerability. Code Canyon, the vendor, recently released a fix. Immediately upgrade to 3.3.4 which contains a fix for this serious vulnerability.

A shell upload vulnerability has emerged in an older version of Lazy SEO version 1.1.9. Make sure you’re running the newest version of this plugin which is 1.4.1.

An SQL injection vulnerability has emerged in the NoSpamPTI plugin. This plugin is deprecated and is no longer maintained by the developer so we recommend you uninstall it and find an alternative.

Wordfence is a CyberSecurity solution for WordPress providing anti-virus and firewall protection for WordPress installed web sites.

Just Released: WordPress 3.5.2, for Maintenance and Security

The second maintenance release of WordPress 3.5, fixing 12 bugs is now available. This is a security release for all previous versions. Web site owners are encouraged to update their installations immediately.

The security fixes include:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts or reassigning the post’s authorship.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability.
  • Multiple fixes for cross-site scripting.
  • Avoid disclosing a full file path when a upload fails.

More information and download at: http://wordpress.org/news/2013/06/wordpress-3-5-2/