Blog - SECURELI

March 13, 2020

OctoberCMS Web Application Open Source Dependency Vulnerability

OctoberCMS is a CMS similar to WordPress, but with much less “fluff”. Our team identified the latest version of OctoberCMS relying on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1. All of these dependencies are vulnerable. /october/themes/demo/assets/vendor/bootstrap.js ↳ bootstrap 3.3.7 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of …

Continue reading “OctoberCMS Web Application Open Source Dependency Vulnerability”

March 6, 2020

WordPress Version Number Disclosure

WordPress is a platform super popular for hackers, as it powers ~70% of the websites online. The most common way they are hacked are due to outdated core versions of WordPress, insecure plugins, and insecure themes. We decided to create a script that would allow us to quickly identify if a website was vulnerable to …

Continue reading “WordPress Version Number Disclosure”

February 29, 2020

Hacker101 jQuery Dependency Vulnerability

“Hacker101 is a free class for web security. Whether you’re a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.” https://github.com/tidave85/hacker101 suffers from the following open source dependency vulnerabilities. /hacker101/assets/javascript/bootstrap/bootstrap.bundle.min.js ↳ bootstrap 4.1.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and …

Continue reading “Hacker101 jQuery Dependency Vulnerability”

February 29, 2020

Kotlin v1.3.60 Programming Language Vulnerability

https://github.com/Saamyy/kotlin suffers from the following open source dependency vulnerabilities, relying on an outdated version of jQuery. /kotlin/libraries/examples/browser-example/src/js/jquery.js ↳ jquery 1.6.2 has known vulnerabilities: severity: medium; CVE: CVE-2011-4969, summary: XSS with location.hash; https://nvd.nist.gov/vuln/detail/CVE-2011-4969 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/9521 severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party …

Continue reading “Kotlin v1.3.60 Programming Language Vulnerability”

January 29, 2020

Self Replicating, Polymorphic Website Malware

The hardest challenges are the ones that constantly change. Malicious website software has recently seen an influx in self-replicating, polymorphous code that infects a website (and thus, web server) with remote code execution access to launch additional attacks and compromise the data on the breached website and server. In a recent incident, we cleaned a …

Continue reading “Self Replicating, Polymorphic Website Malware”

November 11, 2019

3 Ways to Prepare for WordPress Website Malware in 2020

Maybe your client’s site got hacked, it’s time for a security checkup, or you’re tired of telemarketers terrorizing your phone lines with the vulnerabilities sales pitch. Despite the hype, the threat is real. WordPress makes up 90% of hacked CMS sites, reports ZDNet the CBS-owned technology news site. It’s doubly dangerous when your client’s business …

Continue reading “3 Ways to Prepare for WordPress Website Malware in 2020”

November 8, 2019November 11, 2019

Your DIY Guide to Hacked WordPress Repair

Your Guide to Hacked WordPress Repair If you run a website, you have to be prepared for the reality that it could be hacked at some point. Dealing with a hacked website can be stressful, and when it’s a WordPress site specifically, it can be even more frustrating because repairs won’t be the same as …

Continue reading “Your DIY Guide to Hacked WordPress Repair”

November 7, 2019November 7, 2019

Hacked Website Repair: What You Should Know

Hacked Website Repair: What You Should Know If your website is hacked, you may find yourself in a situation where you aren’t sure what to do or who to call. The good news is that there is no need to panic. Help is available and there are even some things that you can do yourself …

Continue reading “Hacked Website Repair: What You Should Know”

September 15, 2019September 16, 2019

Password Leak – Version 76.0.3809.132 (Official Build) (64-bit)

When a plain-text password form field is found by Google Chrome, it will reveal all passwords on that primary domain. For example, take a look at the following code and screenshot: <input class=”form-control secure_password required password fs-hide” data-install-name=”secureli” id=”ftp_user_pass_new” required=”required” aria-required=”true” autocomplete=”new-password” type=”text” name=”ftp_user[pass]”> By checking the “Show Password” button, as shown below… …the auto-complete …

Continue reading “Password Leak – Version 76.0.3809.132 (Official Build) (64-bit)”

August 24, 2019

PhpSpreadsheet version 1.9.0

— samples/bootstrap/js/bootstrap.min.js – bootstrap 3.3.7 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: …

Continue reading “PhpSpreadsheet version 1.9.0”