Security

Root your box with W3TC and Nginx

Several guides for integrating everybody's favorite caching plugin for WordPress with Nginx tell you to include something like this in your nginx configuration: `location / { include /var/www/wordpress/nginx.conf; }` At the time of writing, this suggestion appears in the guide ranked #2 for the search terms "w3tc nginx". If you don't know already, this conf is generally writable by W3TC (and by PHP by extension). It does this so that W3TC can regenerate your Nginx configuration for you. Now let's assume an attacker has hacked your WordPress…

[CVE-2016-5483] Galera Remote Command Execution via crafted database name

mysqldump is a common utility used to create logical backups of MySQL databases and one of the SST methods used by Galera to bring out-of-sync nodes back into the cluster. Using an evil database name, an attacker can gain remote command execution on all nodes in the cluster or backdoor MySQL backups, in an attack similar to the one in my previous post. Of course, this method requires the CREATE DATABASE privilege instead of CREATE TABLE. Example Attack: First, the attacker creates a malicious database using the query below: CREATE DATABASE `test \! id…

[CVE-2016-5483] Backdooring mysqldump backups

mysqldump is a common utility used to create logical backups of MySQL databases. By default, it generates a .sql file containing the queries to create/drop tables and insert your data. By crafting a malicious table name, an attacker can execute arbitrary SQL queries and shell commands if the dump file is imported. If we are still giving cute names to vulnerabilities, my vote is for "Bad Dump". For another related exploit scenario, see RCE in Galera via Crafted Database Name. Attack Scenario: The attacker has gained access to your application and…

Insecure Defaults - Exploiting LOAD DATA LOCAL INFILE

Although it is documented that the default binary distributions of MySQL/MariaDB/Percona all seem to be compiled with allow local infile enabled, the warning is misleading: The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the…

Node.JS Request Smuggling

The Node HTTP client checks for invalid characters such as newlines that can be used to perform HTTP smuggling attacks; however, the rules for the path option are quite relaxed. By combining the fact that we can inject newlines and tabs into the path, we can force multiple arbitrary HTTP requests to be made. This only works if the target HTTP server has a relaxed HTTP parser that allows tabs instead of spaces (for example, Apache). This was tested in node versions v0.12-v6.20 (stable) and should work…