WP Super Cache Security Update Issued - Nasty XSS Vulnerability
From HostingSecList:
**WP Super Cache**
Security Update Issued
An update for WP Super Cache was recently released to address a nasty XSS security vulnerability and it is recommended that you update as soon as possible. (As a lot of you run hosting companies, please be sure to spread the word to your own clients!)
Official Link:
https://wordpress.org/plugins/wp-super-cache/changelog/
Comments
If you just want caching try ZenCache, I like it pretty much.
Thanks for the heads up! Was a pain in the ass going through all my installs to see which ones needed updating but that little pain in the ass is nothing compared to dealing with a hacked install.
Would this XSS only be available to people with access to the administration page?
I think it's more serious than that -- http://blog.sucuri.net/2015/04/security-advisory-persistent-xss-in-wp-super-cache.html
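The question above, whether the XSS is only reachable by people with access to the administration page, turns on who supplies the stored value versus whose browser renders it. In a persistent (stored) XSS the two are different people: the value gets written once and then executes for every administrator who later views the page that echoes it. The following PHP is an added illustration of that pattern in WordPress plugin terms; it is not WP Super Cache's code and not taken from the linked advisory, and the `xss_demo_*` option, nonce and function names are hypothetical. It assumes a normal WordPress environment for the `get_option`, `esc_html` and related functions.

```php
<?php
/*
 * Illustrative example (not WP Super Cache's code): a settings page that
 * stores a free-text "note" and renders it back to every admin who opens
 * the page. All xss_demo_* names are hypothetical.
 */

// --- Vulnerable pattern: stored (persistent) XSS -------------------------
// Whatever was saved in the option is echoed verbatim into the admin page,
// so a value containing markup or a <script> element, saved once, runs in
// the browser of every administrator who later views the page. The person
// who supplies the value and the person whose session is abused differ.
function xss_demo_render_vulnerable() {
    if ( isset( $_POST['xss_demo_note'] ) ) {
        // No capability check, no nonce, no sanitising.
        update_option( 'xss_demo_note', $_POST['xss_demo_note'] );
    }
    $note = get_option( 'xss_demo_note', '' );
    echo '<form method="post">';
    echo '<input name="xss_demo_note" value="' . $note . '">'; // unescaped attribute
    echo '<p>Current note: ' . $note . '</p>';                  // unescaped element body
    echo '<input type="submit"></form>';
}

// --- Hardened pattern -----------------------------------------------------
function xss_demo_render_hardened() {
    if ( isset( $_POST['xss_demo_note'] ) ) {
        // 1. Only users allowed to manage settings may change the value,
        //    and the form must carry a valid nonce (stops CSRF-driven writes).
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        check_admin_referer( 'xss_demo_save', 'xss_demo_nonce' );
        // 2. Sanitise on input: strips tags, line breaks and control characters.
        $clean = sanitize_text_field( wp_unslash( $_POST['xss_demo_note'] ) );
        update_option( 'xss_demo_note', $clean );
    }
    $note = get_option( 'xss_demo_note', '' );
    // 3. Escape on output, with the escaper matching the context:
    //    esc_attr() inside an attribute value, esc_html() in element content.
    //    Output escaping is the control that actually prevents execution,
    //    even if a bad value reached the database by some other route.
    echo '<form method="post">';
    wp_nonce_field( 'xss_demo_save', 'xss_demo_nonce' );
    echo '<input name="xss_demo_note" value="' . esc_attr( $note ) . '">';
    echo '<p>Current note: ' . esc_html( $note ) . '</p>';
    echo '<input type="submit"></form>';
}

// Register the hardened page under Settings (hypothetical slug).
add_action( 'admin_menu', function () {
    add_options_page( 'XSS demo', 'XSS demo', 'manage_options',
        'xss-demo', 'xss_demo_render_hardened' );
} );
```

The point for reviewing a plugin is the third step: input sanitising is useful but not sufficient, because values can reach the database through other code paths (imports, other plugins, direct SQL), so every echo into HTML needs a context-appropriate escape. When auditing an update like this one, grep the plugin for `echo` and `print` statements that emit a variable without an `esc_*` wrapper.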
Thanks for the heads up. Probably already compromised if you don't upgrade WordPress plugins, but this is one that I've recommended heavily to bandaid poor design planning.
Thanks for the update. Carelessness of popular plugin developers is just beyond amazing.
Yeah, they're not as rigorous as the devs of important stuff, like say OpenSSL.
Yeah I think we're beyond the days where something has a few published vulnerabilities and people can say "Well that's crap software, look it's had vulnerabilities!" It's a mindset that can only lead you to not using good software. Nothing made by humans will ever be without flaw to all other human observers. The key is how quickly and openly it is addressed.
@Jar I do not consider WordPress good software, after all. I know its intrinsics too well to even remotely assume it's good.
However, it is already popular and will stay popular, regardless of how terrible it is from security and efficiency viewpoints, so I just do what I can to handle the above bugs for WordPress installations I maintain. It's just amazing how WordPress plugin developers repeat the same programming errors again and again, providing security experts with much work.
JMNSHO.
From what I understand, WordPress is actually pretty good considering, and most hacked installs are caused by nulled themes, people not updating plugins, and certain premium themes.
The Federal Office for Information Security in Germany once published a study about CMS security. IIRC it said something along the lines of "WordPress is pretty secure, but plugins aren't".
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/CMS/Studie_CMS.pdf?__blob=publicationFile
<-- uses WordPress with only one self-written plugin and auto-updates enabled
Not based on the vulnerability count alone, sure. But the code quality is very telling - and it is almost universally bad in the WordPress ecosystem (including the core). That breeds vulnerabilities.
EDIT: And yes, unfortunately the code quality of OpenSSL is atrocious as well.
EDIT2: And having looked at the article about this vulnerability - yep, another utterly dumb and completely avoidable vulnerability caused by terrible code quality.