For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 20 September.
Information disclosure with Jolokia
Jolokia is software that is used internally to set up an API for querying information about the system.
Until recently, its default configuration allowed anyone to use it, since it was not meant to be publicly accessible. It was possible to set a username and password, but that required a more complex setup, so in many instances people went with the default. Combined with the API being exposed on the internet, this means that malicious actors can query information about the system, information that should not be publicly available.
The original research can be found here.
Stored XSS in Loginizer
Two versions of the WordPress plugin Loginizer have a stored XSS vulnerability: an unauthenticated attacker can attempt to log in via a URL that contains an XSS payload. The attempt is then logged, and the payload executes when a logged-in administrator reviews the log.
More information can be found here.
Stored XSS in iThemes Security WordPress Plugin
Similar to the vulnerability above, iThemes Security logged every non-existent URL that someone had tried to access. A request for a non-existent URL containing an XSS payload would therefore show up in the logs and execute when a logged-in administrator later reviewed them.
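Both the Loginizer and the iThemes Security issues above share one root cause: a request URL chosen by an unauthenticated visitor is written into a log and later rendered, unescaped, inside an administrator's HTML page. The following is an added example (not code from either plugin or from Detectify) that contrasts the vulnerable rendering pattern with the hardened one over a constructed log sample; the entry layout and the `render_log_*` names are assumptions for illustration.

```python
import html
from typing import Dict, List

# Constructed sample of a plugin-style request log. The second and third
# entries carry harmless test strings of the kind described in the post;
# they are not real attack records.
SAMPLE_LOG: List[Dict[str, str]] = [
    {"ip": "203.0.113.10", "url": "/wp-login.php?redirect_to=/wp-admin/"},
    {"ip": "203.0.113.11", "url": "/wp-login.php?redirect_to=<script>alert(1)</script>"},
    {"ip": "203.0.113.12", "url": '/missing-page?q="><img src=x onerror=alert(1)>'},
]


def render_log_unsafe(entries: List[Dict[str, str]]) -> str:
    """Vulnerable pattern: the attacker-controlled URL is concatenated straight
    into the admin page's HTML, so any markup in it becomes live."""
    rows = "".join(
        f"<tr><td>{e['ip']}</td><td>{e['url']}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_safe(entries: List[Dict[str, str]]) -> str:
    """Hardened pattern: every untrusted field is HTML-escaped at output time
    (quote=True also escapes the quote characters used to break out of attributes)."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["ip"], quote=True), html.escape(e["url"], quote=True)
        )
        for e in entries
    )
    return f"<table>{rows}</table>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check for the demonstration: is an unescaped tag start from the
    sample payloads still present in the rendered output?"""
    return "<script" in rendered or "<img" in rendered
```

Escaping at the point where the log is rendered, rather than trying to sanitise the URL before storing it, is the design choice that matters: the log should keep the exact request that was seen, and it is the HTML context that requires the encoding.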
XSS in Atmosphere Framework
Atmosphere is a popular framework for asynchronous applications written in Java. It is made for building applications that use WebSocket, Server-Sent Events and traditional Ajax techniques, among other transports.
The issue was in the JSONP endpoint. It had a callback parameter whose value was reflected into the page. Because the response did not specify a content type, the browser could treat it as HTML, which made XSS possible.
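The two defects the advisory describes, an unrestricted callback name and a missing content type, each have a standard fix. The example below is added here and is not Atmosphere's code; it builds a JSONP reply as a plain `(status, headers, body)` tuple so the hardening can be checked without a web server, and the function names and the `CALLBACK_RE` pattern are assumptions for illustration.

```python
import json
import re
from typing import Any, Dict, Optional, Tuple

# Only a plain JavaScript identifier, optionally dotted (e.g. "window.cb"),
# is accepted as a callback name; anything else is rejected rather than reflected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

Response = Tuple[int, Dict[str, str], str]


def jsonp_response_vulnerable(callback: str, data: Any) -> Response:
    """The pattern described above: callback reflected verbatim, no content type,
    so a browser is free to sniff the body as HTML."""
    return 200, {}, callback + "(" + json.dumps(data) + ");"


def jsonp_response(callback: Optional[str], data: Any) -> Response:
    """Hardened JSONP reply:
    1. the callback must match CALLBACK_RE, otherwise the request is refused;
    2. the response declares an explicit JavaScript content type;
    3. X-Content-Type-Options: nosniff stops the browser from overriding it;
    4. the body starts with a fixed comment so its first bytes are never
       attacker-chosen, and angle brackets inside the JSON are escaped so a
       closing tag can never appear in the body even if the type were ignored.
    """
    if callback is None or not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain; charset=utf-8"}, "invalid callback"
    payload = json.dumps(data).replace("<", "\\u003c").replace(">", "\\u003e")
    body = "/**/" + callback + "(" + payload + ");"
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body
```

The allow-list on the callback name is the primary control; the content type and `nosniff` header are defence in depth, and they are the part that was absent in the advisory's case.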
The full advisory can be found here.
RCE in WordPress Duplicator
A remote code execution vulnerability in the WordPress plugin Duplicator was recently published online. It would allow an attacker to execute code on the server. Read the original research here.
While looking into this Crowdsource submission we also realised that it is a big problem if directory listing is enabled when running this plugin, as that would expose database backups. A test for this, covering this plugin as well as related ones, was added at the same time.
Questions or comments on our latest security updates? Let us know in the section below.
Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!
Already have an account? Log in to check your assets.
Detectify is a continuous web scanning and monitoring service that can be set up for automated scanning for 1000+ known vulnerabilities, including the OWASP Top 10. Check for the latest vulnerabilities!