174 stories · 1 follower

Researchers find serious flaws in WordPress plugins used on 400k sites


(Image credit: Frank Lindecke / Flickr)

Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected.

The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. The plugin allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete content, add new accounts, and carry out a wide range of other malicious tasks.

People exploiting the vulnerability need only know the user name of a valid account and include a malicious payload in a POST request that's sent to a vulnerable site. According to Web application firewall provider Wordfence, the vulnerability stems from a feature that allows legitimate users to automatically log in as an administrator without providing a password.


kclowers · 2 days ago · Seattle, WA, US

Bad Map Projection: South America

The projection does a good job preserving both distance and azimuth, at the cost of really exaggerating how many South Americas there are.
kclowers · 4 days ago · Seattle, WA, US

Backblazed


I’m personally familiar with Backblaze as a fine backup solution that I’ve helped my parents-in-law set up and use. I’ve found it reliable and easy to use. I would recommend it to others.

Over the Christmas holidays 2019 someone emailed me and mentioned that Backblaze have stated that they use libcurl, yet there’s no license or other information about this anywhere in the current version, nor on their web site. (I’m always looking for screenshotted curl credits, or for data to use as input when trying to figure out how many curl installations there are or how many internet transfers per day are done with curl…)

libcurl is MIT licensed (well, a slightly edited MIT license), so there’s really not a lot a company needs to do to follow the license, nor does it leave me with a lot of “muscles” or remedies in case anyone would blatantly refuse to adhere. However, the impression I had was that this company was one that tried to do right, and this omission could then simply be a mistake.

I sent an email. Brief and focused. Can’t hurt, right?

Immediate response

Brian Wilson, CTO of Backblaze, replied to my email within hours. He was very friendly and to the point. The omission was a mistake and Brian expressed his wish and intent to fix this. I couldn’t ask for a better or nicer response. The mentioned fixup was all that I could ask for.

Fixed it

Today Brian followed up and showed me the changes. Delivering on his promise. Just totally awesome.

Starting with the Windows build 7.0.0.409, the Backblaze about window looks like this (see image below) and builds for other platforms will follow along.

15,600 US dollars

At the same time, Backblaze also becomes the new largest single-shot donor to curl, having donated no less than 15,600 USD to the project, pushing the recent Indeed.com donation down to second place in this, my favorite new game of 2020.

Why this particular sum you may ask?

Backblaze was started in my living room on Jan 15, 2007 (13 years ago tomorrow) and that represents $100/month for every month Backblaze has depended on libcurl back to the beginning.

/ Brian Wilson, CTO of Backblaze

I think it is safe to say we have another happy user here. Brian also shared this most awesome statement. I’m happy and proud to have contributed my little part in enabling Backblaze to make such cool products.

Finally, I just want to say thank you for building and maintaining libcurl for all these years. It’s been an amazing asset to Backblaze, it really really has.

Thank you Backblaze!

kclowers · 6 days ago · Seattle, WA, US

Parenthetical Names

I never got around to seeing that movie about the battle (of Midway).
kclowers · 12 days ago · Seattle, WA, US

GL.iNet Slate OpenWrt Travel Router Supports Tor, Wireguard VPN, and Cloudflare DNS over HTTPS/TLS

A couple of months ago, we wrote about GL.iNet Mudi portable WiFi router with built-in 4G LTE connectivity and supporting features such as the Tor Project, up to 25 VPN providers, and Cloudflare DNS...
kclowers · 14 days ago · Seattle, WA, US

Alignment Chart Alignment Chart

I would describe my personal alignment as "lawful heterozygous silty liquid."
kclowers · 15 days ago · Seattle, WA, US