Tag Archive for: Bug

Drupal issues emergency fix for critical bug with known exploits

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions.

“According to the regular security release window schedule, November 25th would not typically be a core security window,” Drupal said.

“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

Right now, over 944,000 websites are using vulnerable Drupal versions out of a total of 1,120,941, according to official stats. “These statistics are incomplete; only Drupal websites using the Update Status module are included in the data,” Drupal says.

Drupal is also used by 2.5% of all websites with content management systems, making it the fourth most popular CMS on the Internet, after WordPress (63.8%), Shopify (5.1%), and Joomla (3.6%).

Security updates for all affected versions

According to Drupal’s security advisory, the vulnerability is caused by two bugs in the PEAR Archive_Tar library used by the content management system (CMS), tracked as CVE-2020-28948 and CVE-2020-28949.

The critical Drupal code execution vulnerability can be exploited if the CMS is configured to allow and process .tar, .tar.gz, .bz2, or .tlz file uploads.

Multiple Drupal security updates were issued to fix the bug and to allow admins to quickly patch their servers to protect them from potential attacks.

Drupal recommends installing the following updates on affected servers:

“Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage,” Drupal’s security team said.

Mitigation measures also available

Mitigation measures are also available for admins who cannot immediately update the Drupal installation on their servers.

To do that, site admins are advised to block untrusted users from uploading .tar, .tar.gz, .bz2, or .tlz files to temporarily mitigate the issue.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert today urging admins and users to upgrade to the patched Drupal versions.

Last week, Drupal patched another critical remote code…


Bug Allowed Hackers to Get Anyone’s Email Address on Xbox Live


Image: JUNG YEON-JE/AFP via Getty Images

A serious flaw in Xbox Live allowed hackers to easily find out the email address used to register any Xbox gamertag.

Last week, an anonymous hacker reached out to Motherboard claiming to be able to discover the email behind anybody’s Xbox gamertag. By default, email addresses linked to gamertags are private. Motherboard was able to verify the existence of the vulnerability by providing the hacker with two gamertags, including one created just a few minutes earlier for testing purposes. The hacker sent back the email address used to register the two accounts within seconds.

A second anonymous hacker said that the bug was in the Xbox Live enforcement portal, where gamers can contact the company’s team that polices the Xbox online community.

After Motherboard contacted Microsoft last week, the company patched the bug. Initially, the Microsoft Security Response Center, or MSRC, a part of the company that protects customers from being harmed by security vulnerabilities in Microsoft’s products and software, didn’t consider the bug to be a serious security risk.

“We received multiple reports regarding this and have informed the appropriate team about the issue and will let them address this as needed,” the MSRC said in an email on Monday, responding to Motherboard’s bug report. “An email may be considered sensitive information, however, since it provides nothing else to identify the issuer, is not something that meets MSRC bar for service. As such, MSRC is not tracking the issue and will leave it to the product group to determine a mitigation as needed.”

On Tuesday, a Microsoft spokesperson confirmed that the company “released an update to help protect customers.”

Do you, or did you used to, work at Microsoft? Do you know anything else about the company? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at [email protected], or email [email protected].

The hacker who alerted Motherboard of the bug asked us to publish this story only after a fix.

“If you publish the article before it’s patched it will get…


Drupal fixes bug that allows hackers to access vulnerable websites


Drupal, a leading content management service (CMS) platform, has fixed a critical bug that could allow hackers to gain access to vulnerable websites.

Drupal is currently the fourth most used content management service (CMS) platform on the Internet, after WordPress, Shopify and Joomla.

Drupal’s engineering team this week released security updates to patch the critical vulnerability, reports ZDNet.

Tracked as CVE-2020-13671, the vulnerability is easy to exploit and relies on a double-extension trick.

Attackers can add a second extension to a malicious file, upload it to a Drupal site through open upload fields, and have the malicious file executed.

The Drupal team said the vulnerability exists because the CMS does not sanitize certain file names, allowing some malicious files to slip through.

This can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations.
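As an added illustration (not Drupal’s own code, and written in Python rather than PHP), the check below shows the defensive side of both Drupal items on this page: an allow-list of final extensions from which the archive types named in the Archive_Tar mitigation are removed, and neutralisation of inner extensions so a double-extension name such as `shell.php.txt` is never stored under a name a PHP handler could match. The extension sets and file names are constructed for the example.

```python
import re

# Constructed sets for this example: extensions a typical web server may hand to
# an interpreter, and the archive types the mitigation above says to block.
INTERPRETED_EXTS = {"php", "phtml", "phar", "pl", "py", "cgi", "asp", "aspx", "jsp"}
ARCHIVE_EXTS = {"tar", "gz", "bz2", "tlz"}
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def allowlist_for_untrusted(configured_exts):
    """Drop interpreted and archive types from a site's configured allow-list,
    the temporary mitigation described above for untrusted upload fields."""
    return {e.lower() for e in configured_exts} - INTERPRETED_EXTS - ARCHIVE_EXTS


def sanitize_upload_name(filename, allowed_exts):
    """Validate an uploaded file name against an allow-list of final extensions.

    Returns (safe_name, notes). safe_name is None when the upload must be
    rejected; otherwise it is the name to store, with any interpreted inner
    extension made inert, so 'x.php.txt' becomes 'x.php_.txt'.
    """
    allowed = {e.lower() for e in allowed_exts}
    # Keep only the base name and strip control characters: neither path
    # separators nor null bytes belong in a stored upload name.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = _CONTROL_CHARS.sub("", base)
    parts = base.split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return None, ["missing or empty extension"]
    final = parts[-1].lower()
    if final not in allowed:
        return None, [f"extension '{final}' not in allow-list"]
    # Double-extension check: a server with a handler mapped to .php may run
    # 'x.php.txt' as PHP, so every inner interpreted extension gets a trailing
    # underscore, which no handler is mapped to.
    notes = []
    for i in range(1, len(parts) - 1):
        inner = parts[i].lower()
        if inner in INTERPRETED_EXTS:
            parts[i] += "_"
            notes.append(f"inner extension '{inner}' neutralised")
    return ".".join(parts), notes


if __name__ == "__main__":
    allowed = allowlist_for_untrusted({"pdf", "txt", "png", "tar", "gz", "php"})
    for name in ("report.pdf", "shell.php.txt", "../site.tar.gz", ".htaccess"):
        print(name, "->", sanitize_upload_name(name, allowed))
```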

Last month, cyber security researchers unearthed a massive botnet called KashmirBlack, run from Indonesia, that has attacked websites running popular content management systems (CMSs) such as WordPress, Drupal and Joomla, among others.

The sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying CMS platforms, according to US-based cyber security firm Imperva.

The botnet’s primary purpose appears to be to infect websites and then use their servers for cryptocurrency mining.

Based in Indonesia, the hackers have a command-and-control (C&C) infrastructure to operate KashmirBlack.


Meet the hackers who earn millions for saving the web. How bug bounties are changing everything about security


These hackers are finding security bugs–and getting paid for it. That’s changing the dynamics of cybersecurity.

The first time Katie Paxton-Fear found a bug, she thought it was just luck.

One of her friends had signed her up for an event in London, where hackers aim to find the vulnerabilities in a particular piece of software.

Without any experience of cybersecurity beyond being a programmer and developer, she found one bug, then another. “To be fair, I thought it was a fluke,” she says. But since then she’s found 30 more security bugs.

“It’s kind of like playing Sherlock Holmes,” says Paxton-Fear.

“You feel like a detective, going in rooting around and saying, ‘That looks interesting’, and having a stream of clues,” she says. “And, when you get all the pieces neatly together, and it works and there’s a bug there–it’s the most thrilling experience ever.”

But unlike a hacker looking for vulnerabilities to cause damage or steal data, Paxton-Fear is a bug bounty hunter. The bugs she finds are reported to the companies that write the code.


That allows these organisations to fix the problems before malicious hackers find the same weaknesses. And the bug hunters get paid for each one they find.

As such she’s part of a growing industry that allows security researchers to hack into organisations’ software–with their permission–and then report the weaknesses they discover in return for a financial reward.

It’s a different way of approaching computer security, but one that is proving increasingly popular. One key feature is that these security researchers approach a target from the same perspective as a potential attacker.

In that sense, bug bounty hunters are both the detective Holmes and also at least in part his nemesis, Moriarty, although Paxton-Fear says she sees herself more as Sherlock because by finding…
