Expanding your CMS at your own risk!

Car TuningCMS or “Content Management Systems” became vey common for a few years. Popular CMS are WordPress, Drupal or Joomla. You can rent some space at a hosting provider for a few bucks or even find free hosting platforms. You can deploy them in a few minutes on your own server. Then, you just have to focus on the content: No need to learn CSS/HTML!

For me, modern CMS have a common point with cars: Their owners like to customize them. The “car tuning” is very popular and is the modification of the performance or appearance of a vehicle. Millions of people like to modify their cars, there is a huge business driven by the car tuning.

We can make a rough comparison between cars and CMS. Your CMS can also be tuned. Most CMS offer a way to extend the features or the look’n’feel via plugins (or add-ons or extensions – whatever you name them). Some examples of commons plugins:

  • Link with social networks
  • Forms & polls managements
  • Agenda
  • Reservation systems
  • Statistics and reporting

I won’t discuss about the look-n-feel of a websites. Some plugins can completely revamp a website, taste and colours are not always the same. But let’s focus on security. Car engine performances can be modified by adding or reprogramming chips. It’s easy and cheap to gain some horsepower but this could have a huge security impact. Want an example? Brakes or suspensions are designed to stop and maintain on the road a car with a set of known specifications (weight, power) but if you change one parameter, this could have a big impact on you and your security passengers. A Ferrari and a Renault Megane don’t have the same brakes. It’s exactly the same with CMS plugins: they can alter your CMS security.

If most CMS source code is regularly audited and well maintained. It’s not the same for their plugins. By definition, a plugin is a piece of code that adds a specific feature to an existing application. Keep in mind: by using plugins, you change the way the original software will behave. And not all plugins are developed by skilled developers or with security in mind. Today, most vulnerabilities reported in CMS environment are due to … plugins! Here are some tips to increase your CMS security.

  1. Only install plugins that your really need.
  2. Some plugins can be configured. Always review the default settings and adapt them to your environment and security requirements
  3. If you decide to not use a plugin, disable and un-install it completely.
  4. Do NOT rely on a plugin popularity. It’s not because it is used by many webmasters that it is safe! By contrast, it will maybe be a nice target to compromize more sites.
  5. Like any pice of software, update them
  6. Take a deep breath and jump into the code to have a quick code review (any backdoor installed?)

Also, keep in mind that installed plugins can be listed by scanners and crawlers. WordPress has an hardening guide with good recommendations.

phpMoAdmin 0-day Nmap Script

mongoDBAn 0-day vulnerability has been posted on Full-Disclosure this morning. It affects the MongoDB GUI phpMoAdmin. The GUI is similar to the well-known phpMyAdmin and allows the DB administrator to perform maintenance tasks on the MongoDB databases with the help of a nice web interface. The vulnerability is critical because it allows to perform remote code execution without being authenticated. All details are available in this Full-Disclosure post.

Read More →

The Evil CVE: CVE-666-666 – “Report Not Read”

That Escalated QuicklyI had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he does not hesitate to add sometimes in his report a specific finding regarding the lack of attention given to the previous reports. If some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application, what if they even don’t seem to read the report and take it into account to improve their security level? What if the same security issues are discovered during the next tests? This does not motivate the pentester and costs a lot of money for nothing.

The idea of the “evil” CVE popped up in our mind during our chat. What about a specific CVE number to report the issue of non-reading previous reports? As defined by Wikipedia, the “Common Vulnerabilities and Exposures” (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. And a vulnerability can be defined as a weakness in a product or infrastructure that could allow an attacker to compromise the integrity, availability of confidentiality of that product or infrastructure.

Based on this definition, the fact to not read and take appropriate the corrective actions listed in the previous pentest report is a new vulnerability! A good pentest report should contain vulnerabilities and mitigations to remove (or reduce) the associated risks. It is stupid to not read the report and apply the mitigations. Even more if some of them are quickly (and sometimes cheaply) implemented. Think about the evil CVE-666-666 while writing your future reports! Note that the goal is not to blame the customer (who also pays you!) but to educate him.


OWASP Belgium Chapter Meeting February 2015 Wrap-Up

Jim on stageTonight the first Belgium OWASP chapter meeting of the year 2015 was organized in Leuven. Next to the SecAppDev event also organised in Belgium last week, many nice speakers were present in Belgium. It was a good opportunity to ask them to present a talk at a chapter meeting. As usual, Seba opened the event and reviewed the latest OWASP Belgium news before giving the word to the speakers.

Read More →

My Little Pwnie Box

BeagleboneAs a pentester, I’m always trying to find new gadgetstools to improve my toolbox. A few weeks ago, I received my copy of Dr Philip Polstra’s book: “Hacking and Penetration Testing with Low Power Devices” (ISBN: 978-0-12-800751-8). I had a very interesting chat with Phil during the last BruCON edition and I was impressed by his “lunch box“. That’s why I decided to buy his book.

Read More →

Restricting Access to Flash Files with Squid

Flash TombstoneIs “swf” the new “wtf“? What’s happening with the Flash player? The Adobe’s multimedia platform has been targeted by multiple 0-days since the beginning of 2015! Just have a look on cvedetails.com. Two days ago, security researchers at TrendMicro found another one. It is identified as CVE-2015-0313.

Bored by the multiple patches released by Adobe and the impact on the deployment, many security people are brainstorming about a potential removal of the popular browser plugin from their computers (and their users’ computers). Is it a good idea? If more and more websites are offering alternative interfaces via HTML5 (like Youtube), there are again lot of websites which won’t work without Flash support. In my case, a good example is Deezer which uses .swf files for its players!

To protect ourselves, why not build a whitelist of trusted Flash files? Here is a quick setup via Squid, the open source proxy. Squid has very powerful features and amongst some of them, it offers a powerful ACL (“Access Control List“) system. Basic ACL’s can be used to filter domain names, IP addresses or ports but they are very interesting ACL types like:

  • url_regex – which matches on full  URLs
  • urlpath_regex – which matches on URLs paths (without the protocol – http[s]:// – and hostname/IP)

Regular expressions can be used or flat files (1 element / line). Let’s define two new ACLs:

acl FlashBlacklist urlpath_regex -i \.swf
acl FlashWhitelist urlpath_regex "/etc/squid3/allowed-swf.txt"

The first one will match the string (non case sensitive) “.swf” in the URL path and the second one will match any regex from the file “/etc/squid3/allowed-swf.txt“. The file looks like this:


This example matches the Flash files used by the Deezer player. The next step is to apply the ACL:

http_access allow FlashWhitelist
http_access deny FlashBlacklist

Take care to insert them at the right place within your existing ACLs! Here is the result in the Squid log file:

# grep swf /var/log/squid3/access.log
1423084706.664 0 TCP_DENIED/403 3889 GET http://taggalaxy.de/taggalaxy_beta.swf - NONE/- text/html
1423084748.191 0 TCP_DENIED/403 3969 GET http://s0.2mdn.net/3070333/beco111_Day_Trip_Promo_Fr_300x250.swf - NONE/- text/html
1423084775.988 8 TCP_HIT/200 58684 GET http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf - NONE/- application/x-shockwave-flash

Note that Squid can also block traffic based on the MIME type of objects but the detected type is not always correct (see the 2nd line). Now, it’s up to you to catch the denied access with your preferred log management tool.

Working with whitelist is not the most efficient way to allow access to trusted files but it is the most secure. By default, any .swf file will be blocked. Last remark, this is just a quick countermeasure: it must not prevent you to patch your systems!

IoT : The Rise of the Machines

[This blogpost has also been published as a guest diary on isc.sans.org]

The Rise of the Machines

Our houses and offices are more and more infested by electronic devices embedding a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called the “Internet of Things” or “IoT“. My home network is hardened and any new (unknown) device connected to it receives an IP address from a specific range which has no connectivity with other hosts or the Internet but its packets are logged. The goal is to detect suspicious activity like data leaks or unexpected firmware updates. The last toy I bought yesterday is a Smart Plug from Supra-Electronics. This device allows you to control a power plug via your mobile device and calculate the energy consumption with nice stats. I had a very good opportunity to buy one for a very low price (25€). Let’s see what’s inside…

Read More →

Searching for Microsoft Office Files Containing Macro

MacroA quick blog post which popped up in my mind after a friend posted a question on Twitter this afternoon: “How to search for Office documents containing macros on a NAS?“. This is a good idea to search for such documents as VBA macros are known to be a good infection vector and come back regularly in the news like the Rocket Kitten campaign.

Read More →

Analysis of WordPress Login Attempts

Wordpress TargetWaiting for the new year party, this is a last quick post in 2014! It’s not the first time that I see a peak of rogue authentication requests against some of the WordPress websites. But for a while, there is a constant flood of IP addresses trying to bruteforce the WordPress login page. This kind of attack is very common and bots are constantly looking for weak passwords. Looking at the Apache (or any other webserver) log files is not relevant because they don’t log the payload of POST requests. I captured all the POST requests in a pcap file for a few weeks and today I decided to generate some stats!

Read More →

TweetSniff.py – a Python Tweets Grabber

Twitter MonitoringFor me, Twitter is not only a social network, it’s also a tool that I use daily to track and exchange news about information security with a large worldwide community of infosec profesionals. For a while, Twitter is my main source of information. When you are relying on a service like Twitter to collect information, you must have the right tools to handle the huge (and constantly increasing) amount of data. I’m using classic Twitter clients on my computers and mobile devices but it is not powerful enough. Standard options such notifications help to be alerted when a specific Tweet is posted but often we can’t be disturbed all the time (ex: while working at a customer premises or in a meeting). When you’re back to check your timeline, most Twitter clients can’t easily handle thousands of Tweets to be reviewed. In short, I need something else! When you have a lot of data to index, Elasticsearch comes immediately in mind (and the associated tools to build the ELK suite).

Read More →