• WordPress 3.3.1 Security Release

    Mesut Timur  |  3/1/2012 11:56:00 PM  |  wordpress, release, security, xss

    WordPress 3.3.1 is now available[1]. This release fixes an important Cross-Site Scripting security flaw and several other quality-related bugs.

    We advise you to update your WordPress installation as soon as possible. We have sent e-mails to the users who are currently running WordPress.

    The files revised in this release are:

    wp-includes/nav-menu-template.php
    wp-includes/version.php
    wp-includes/functions.php
    wp-includes/user.php
    wp-includes/functions.wp-styles.php
    wp-includes/capabilities.php
    wp-includes/script-loader.php
    wp-includes/class-wp-admin-bar.php
    readme.html
    wp-admin/users.php
    wp-admin/includes/dashboard.php
    wp-admin/includes/update-core.php
    wp-admin/includes/template.php
    wp-admin/includes/ms.php
    wp-admin/js/common.js
    wp-admin/js/common.dev.js
    wp-admin/load-scripts.php
    wp-admin/press-this.php
    wp-admin/about.php

    Click here to see the complete changelog.

    References

    1. WordPress 3.3.1 Security and Maintenance Release

  • ASP.NET Security Update is Released

    Mesut Timur  |  12/29/2011 8:16:00 PM  |  asp.net, denial-of-service, dos, vulnerability, instant-service

    Today Microsoft released MS11-100, a security patch that addresses the universal ASP.NET Denial of Service vulnerability we outlined on the blog yesterday.

    Deploy the security update as soon as possible to protect your websites from this hash collision attack.

    You can deploy the update via Windows Update (click the Start button, click All Programs, and then click Windows Update) or just download and install it from here.

    References

    1. Microsoft releases MS11-100 for Security Advisory 2659883

  • ASP.NET Denial of Service Vulnerability

    Mesut Timur  |  12/29/2011 12:16:00 AM  |  asp.net, denial-of-service, dos, vulnerability, instant-service

    Today Microsoft released a security advisory regarding a Denial of Service vulnerability in ASP.NET in the Microsoft .NET Framework.

    The .NET Framework does not properly process values in ASP.NET forms, which allows remote attackers to cause a denial of service (daemon outage) via a small number of crafted HTTP POST requests to an ASP.NET server. This vulnerability affects all versions of the Microsoft .NET Framework and could allow an unauthenticated denial of service attack on servers that serve ASP.NET pages.

    An attacker can use this vulnerability to cause a denial of service attack and disrupt the availability of your website.

    Microsoft has not yet released a patch for it. There are some workarounds that can be used to protect your website.

    1. Apply the following configuration to the appropriate ASP.NET configuration file to restrict the maximum request size (in KB) that the ASP.NET framework will accept from a client:

     <configuration>
       <system.web>
         <!-- maximum accepted request size, in KB -->
         <httpRuntime maxRequestLength="200"/>
       </system.web>
     </configuration>

    2. If your web application doesn’t use ViewState, then set maxRequestLength to 20, so the maximum request size will be 20 KB.
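    A small audit script for the workaround above, added here as an example (it is not part of the original post): it reads a web.config string, finds the effective maxRequestLength, and flags configurations that leave it above the chosen limit. The sample config fragments are constructed; the 4096 KB fallback is the documented ASP.NET default when the attribute is absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the original post).
# The first one never sets maxRequestLength, so ASP.NET falls back to its default.
VULNERABLE_CONFIG = """<configuration>
  <system.web>
    <httpRuntime executionTimeout="90"/>
  </system.web>
</configuration>"""

# The second one applies the workaround described in the post.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="200"/>
  </system.web>
</configuration>"""

# Documented ASP.NET default for maxRequestLength (KB) when the attribute is missing.
ASPNET_DEFAULT_KB = 4096


def max_request_length_kb(config_xml):
    """Return the effective maxRequestLength in KB for a web.config string.

    A missing <httpRuntime> element or a missing attribute means the
    framework default applies, which is what the workaround is meant to lower.
    """
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/httpRuntime")
    if node is None or "maxRequestLength" not in node.attrib:
        return ASPNET_DEFAULT_KB
    return int(node.attrib["maxRequestLength"])


def audit(config_xml, limit_kb=200):
    """Return (is_ok, effective_kb).

    is_ok is True when the effective limit is at or below limit_kb, i.e. the
    workaround (200 KB, or 20 KB for sites without ViewState) is in place.
    """
    effective = max_request_length_kb(config_xml)
    return effective <= limit_kb, effective


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, kb = audit(cfg)
        print(f"{name}: maxRequestLength={kb} KB -> {'OK' if ok else 'TOO LARGE'}")
```

    Pass limit_kb=20 to audit() to check a site that does not use ViewState against the stricter limit from step 2.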

    We have sent e-mails regarding this vulnerability to our users with detailed workarounds, so they can immediately take the required steps to protect their websites. If you are a registered user of Web Security Monitor, you can find the workaround configurations in your “Issues Panel”. If you are not, now is a good time to register for Web Security Monitor for free; it will help you keep your website secure.

    References

    1. Microsoft Security Advisory (2659883)
    2. More information about the ASP.NET vulnerability

  • WordPress 3.3 “Sonny” is out!

    Mesut Timur  |  12/13/2011 12:00:00 AM  |  wordpress, release, security

    The new WordPress version, 3.3, is out.[1] You should update your WordPress installation as soon as possible. We have sent e-mails to the users who are currently running WordPress.

    It is a major update and also includes security fixes.[2]

    I/O Sanity Failures in _wp_specialchars()

    I believe this bug affects all versions of WordPress from version 2.8 through 3.2.1.

    Anonymous users can break comment feed validation by injecting the phrase |wp_entity| into the body of any comment in the feed.

    Any other output from _wp_specialchars() would be similarly vulnerable, but the comment feed is the most obvious example.

    Click here to see the complete changelog.

    References

    1. WordPress 3.3 “Sonny”
    2. I/O Sanity Failures in _wp_specialchars()

  • WebSecurityMonitor in Public Beta

    Mesut Timur  |  11/28/2011 12:00:00 AM  |  beta, launch

    We have been working hard on this for about six months, and we feel that your website and business can benefit from it. We want to make your life easier by keeping an eye on your websites.

    It is our website security and uptime monitoring service, named “WebSecurityMonitor”. It is up, alive and working. It is currently in beta, and registrations are open. Register and use it for free.

    We simply keep an eye on your website while you sleep. You won’t need to worry about your online store or lead generation website. We’ll inform you when we detect a problem: when the site is down, hosts malware, is defaced or is blacklisted.

    We have listed some of the features of our service. They are not completely finished; we are still working on some of them. The issues we are monitoring with the initial release are:

    - Malware
    - Downtime
    - Blacklist
    - Outdated Software ( WordPress, Tomcat, Apache )
    - Website Defacement
    - Expiring SSL Certificates
    - Incoming Domain Expiration
    - DNS Server Uptime
    - DNS Server Hijacking
    - Unauthorized Content Changes
    We are waiting for your feedback, which you can submit to our Feedback Forum. For any questions, use our Contact Page.

    Subscribe to our RSS feed to stay informed as the beta progresses, and follow our blog, which will also contain information about website security.