WP Incapsula Clients are Protected from the Latest Magento and WordPress Vulnerabilities

Archive

Incapsula Clients are Protected from the Latest Magento and WordPress Vulnerabilities

Incapsula Clients are Protected from the Latest Magento and WordPress Vulnerabilities

Incapsula WAF clients are protected from the recent Magento Shoplift vulnerability (SUPEE-5344) and the latest WordPress stored XSS zero-day vulnerability.

Magento Shoplift Vulnerability SUPEE-5344

The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. This can result in a complete compromise of any Magento-based store, including credit card information as well as other financial and personal data.

Reportedly, Shoplift vulnerability affects over 100,000 e-commerce websites. We started seeing exploitation attempts just before the official disclosure, and these attempts increased after the vulnerability was disclosed. To date, we’ve blocked thousands of attack attempts targeting our Magento customers.

Shoplift attacks blocked by Incapsula WAF

Our analysis of the attack attempts shows that most of them carried SQL payloads that insert a new admin account to the vulnerable systems.

Although customers behind our WAF are protected prior to the official disclosure, this should not be taken lightly. We strongly suggest to all Magento users to patch their systems as soon as possible.

WordPress Stored XSS Zero-day Vulnerability

WordPress is prone to two new stored XSS vulnerabilities. The latter is a new unpatched zero-day affecting WordPress latest versions, 3.9.3-4.2.

The vulnerability was revealed yesterday by a Finnish security researcher and it allows an attacker to post malicious comments with an XSS payload. This, in certain situations, can lead to full takeover on a targeted website.

The vulnerability relies on a bug in the way that comments are saved in the database, exploiting the fact that comments that are longer than 64kb are truncated as they are stored in a MySQL TEXT column, which is limited to 64kb in size. This, eventually, allows an attacker to inject malicious HTML/JS as a comment in the WordPress database.

We’ve been monitoring suspicious traffic around WordPress and haven’t seen indications to ongoing attacks that leverage these vulnerabilities.

WordPress 4.2.1 was just released to address this vulnerability. We encourage all WordPress users to update their systems immediately.