
SQL injection vulnerability in WooCommerce : Wordfence

Wordpress Woocommerce Vulnerability


Yesterday Matt Barry, a researcher at Wordfence, discovered a SQL injection vulnerability in WooCommerce version 2.3.5 and older during a code review of the plugin repository. WooCommerce is installed on more than 1 million active WordPress websites.

Wordfence promptly contacted Woo about the issue and they were extremely responsive, releasing a fix earlier today with WooCommerce version 2.3.6.

We strongly recommend you upgrade immediately if you have not already.

The specific issue is a SQL injection vulnerability in the admin panel. Within the Tax Settings page of WooCommerce, the key of the "tax_rate_country" POST parameter is passed unescaped into a SQL insert statement. For example, a payload of tax_rate_country[(SELECT SLEEP(10))] would cause the MySQL server to sleep for 10 seconds.

Since this vulnerability requires either a Shop Manager or Admin user account, it would need to be combined with an XSS attack in order to be exploited.
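The point of this bug is that the *key* of a PHP-style array parameter is attacker-controlled input just like its value, so it must be validated and bound rather than concatenated. The following is an added example, not code from WooCommerce or Wordfence: it models the unescaped-key pattern and a hardened handler in Python over SQLite (the real plugin is PHP on MySQL), with a hypothetical `tax_rates` table, a constructed POST body, and the assumption that a valid country key is exactly two uppercase letters.

```python
import re
import sqlite3

# Constructed sample of a PHP-style POST body: tax_rate_country[<key>] = <rate>.
# The dict keys model the array keys, which the client controls just like the values.
SAMPLE_POST = {
    "US": "7.25",
    "DE": "19",
}
# The payload from the advisory, placed in the array key (constructed input).
MALICIOUS_POST = {"(SELECT SLEEP(10))": "0"}

# Assumption: a legitimate country key is an ISO-style two-letter uppercase code.
COUNTRY_CODE = re.compile(r"[A-Z]{2}")


def build_insert_unsafe(post):
    """Vulnerable pattern: each array key is concatenated straight into the SQL text.

    Whatever the key contains ends up verbatim in the statement, so the
    database is handed attacker-supplied text where a country code belongs.
    """
    rows = ", ".join(f"('{key}', '{rate}')" for key, rate in post.items())
    return f"INSERT INTO tax_rates (country, rate) VALUES {rows}"


def validate_country_key(key):
    """Allow only two uppercase letters; reject anything else before it reaches SQL."""
    if not COUNTRY_CODE.fullmatch(key):
        raise ValueError(f"rejected tax_rate_country key: {key!r}")
    return key


def suspicious_keys(post):
    """Audit helper: list the keys a hardened handler would reject (useful when reviewing request logs)."""
    return [key for key in post if not COUNTRY_CODE.fullmatch(key)]


def setup_db():
    """Hypothetical schema standing in for the plugin's tax rate table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tax_rates (country TEXT NOT NULL, rate REAL NOT NULL)")
    return conn


def insert_rates_safe(conn, post):
    """Hardened pattern: validate every key, then bind keys and values as parameters.

    Validation runs before any row is written, so one bad key rejects the whole request.
    """
    rows = [(validate_country_key(key), float(rate)) for key, rate in post.items()]
    conn.executemany("INSERT INTO tax_rates (country, rate) VALUES (?, ?)", rows)
    conn.commit()
    return len(rows)


def stored_rates(conn):
    """Return the table contents as {country: rate} for inspection."""
    return dict(conn.execute("SELECT country, rate FROM tax_rates ORDER BY country"))


if __name__ == "__main__":
    print(build_insert_unsafe(MALICIOUS_POST))  # the subquery lands verbatim in the SQL
    print(suspicious_keys({**SAMPLE_POST, **MALICIOUS_POST}))
    db = setup_db()
    print(insert_rates_safe(db, SAMPLE_POST), stored_rates(db))
```

The safe version does two independent things: the allow-list regex rejects anything that is not a country code, and the parameter binding means that even a key which passed validation can never be interpreted as SQL. Either alone would have closed this particular bug; together they also cover the next one.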

What to do: Upgrade immediately to version 2.3.6 of WooCommerce, which contains the fix.

Thanks to the WooThemes team for promptly addressing the issue and pushing the fix within a couple of HOURS of receiving the report.

Please be sure to tweet, share on Facebook or email as appropriate to help spread the word to your fellow WordPress site admins.

Lenovo website hacked, possibly by Lizard Squad

Lizard Squad hacked Lenovo Website
Lenovo's security headaches continued Wednesday as the PC maker's website fell victim to a cyberattack, days after the company apologized for preloading software on some of its PCs that leaves them vulnerable to malware attacks.

Instead of the usual introduction to the company's products, the website displayed a message Wednesday evening saying the site was down for maintenance. Users attempting to visit the site earlier in the evening were treated to a slideshow that linked to a Twitter account criticizing Lenovo for its involvement with the adware Superfish.

Lenovo did not immediately respond to a request for comment but confirmed the security breach in a statement to the Wall Street Journal.

"Sadly, Lenovo has been the casualty of a cyber assault," the company said. "One impact of this assault was to divert movement from the Lenovo website. We are likewise effectively exploring different parts of the assault. We are reacting and have effectively restored certain usefulness to our open confronting website."

Hacking group Lizard Squad claimed responsibility for the hack on a Twitter account reportedly associated with the group. Lizard Squad, a loose collective reportedly made up of hackers based in the United Kingdom and Eastern Europe, was also linked to a series of outages that plagued the PlayStation Network and other gaming services last year.

While it was first thought that Lenovo's servers had been compromised, it now appears that attackers took control of the site's domain registrar and redirected its traffic to a free account at CloudFlare, a San Francisco-based security company. CloudFlare told Bloomberg that it disabled the account used by the attackers.

The incident happened less than a week after the Chinese PC maker found itself in hot water following revelations that a number of its PCs include a software program called Superfish Visual Discovery. Considered either adware or spyware, Superfish tracks your Web searches and browsing activity to place extra ads on the sites you visit. The software also installs its own root certificate, which leaves affected PCs more vulnerable to malware attacks.

Lenovo has apologized for the issue and has begun work to resolve it. "We messed up severely," Peter Hortensius, Lenovo's chief technology officer, said last week.

Lenovo's security headache turned into a legal one last week when a lawsuit filed in federal court accused both Lenovo and Superfish of violating wiretap laws and trespassing on personal property, Ars Technica reported Monday. In a separate case, a law firm has launched a class action investigation over potential claims against Lenovo's actions.