More than one million websites built on the WordPress content management platform are at risk because of a critical vulnerability discovered in one of its most popular plugins, Slimstat.
The vulnerability was found in most versions of the WordPress plugin WP-Slimstat. Around 70 million websites worldwide run on WordPress, and 1.3 million of them use WP-Slimstat, an add-on that displays web analytics in real time.
Which versions are affected?
All versions of WP-Slimstat prior to 3.9.6 contain a "secret key" that is easy to guess and that is used to sign the data sent to and received from the end user's computer.
Once the "secret key" is discovered, an attacker could carry out an SQL injection attack against a site that uses this plugin and steal sensitive information from the victim's database, including encrypted passwords and encryption keys (the WordPress Secret Keys) that are used to manage websites remotely.
Technical explanation
The WP-Slimstat "secret key" is the MD5 hash of the timestamp of the plugin's installation. Using services such as the Internet Archive, an attacker can easily determine the year in which the target site came into being.
Then, since the number of candidate values to test does not exceed 30 million, the attacker could identify the "secret key" within 10 minutes (with a powerful CPU) and thereby extract sensitive data from the database.
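To make the key-entropy point concrete, here is an added Python example (not the plugin's code and not from the article): it models a key derived from the installation timestamp as described above, counts how many candidates someone who knows only the installation year must consider, and contrasts that with a CSPRNG-generated key used with HMAC. The hash rate used for the time estimate is an assumption.

```python
import hashlib
import hmac
import math
import secrets
from datetime import datetime, timezone

# Model of the weak scheme described above: key = md5(installation timestamp).
# (Assumed model of the pattern, not the plugin's actual source.)
def weak_key(install_timestamp: int) -> str:
    return hashlib.md5(str(install_timestamp).encode()).hexdigest()

# Strong alternative: a key drawn from the OS CSPRNG (256 bits of entropy).
def strong_key() -> str:
    return secrets.token_hex(32)

# If the installation year is known (e.g. from a web archive), a timestamp
# with one-second resolution yields at most one candidate key per second.
def candidate_keys_for_year(year: int) -> int:
    start = datetime(year, 1, 1, tzinfo=timezone.utc)
    end = datetime(year + 1, 1, 1, tzinfo=timezone.utc)
    return int((end - start).total_seconds())

def entropy_bits(candidates: int) -> float:
    return math.log2(candidates)

# Rough exhaustive-search time for a candidate set; the hash rate is an
# assumed figure, not a measurement.
def brute_force_seconds(candidates: int, md5_per_second: float) -> float:
    return candidates / md5_per_second

# How a signing key should be used: HMAC with constant-time verification, so
# the only thing left to get right is the key's entropy.
def sign(key: str, payload: bytes) -> str:
    return hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()

def verify(key: str, payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign(key, payload), tag)

if __name__ == "__main__":
    n = candidate_keys_for_year(2014)
    print(f"candidates for 2014: {n:,} (~{entropy_bits(n):.1f} bits)")
    print(f"at 100k MD5/s: ~{brute_force_seconds(n, 1e5) / 60:.0f} min")
    print(f"random 32-byte key: {entropy_bits(16 ** len(strong_key())):.0f} bits")
```

A year of one-second timestamps is roughly 25 bits of entropy, which is why the article's "under 30 million candidates" figure makes the key recoverable in minutes, whereas a 256-bit random key is out of reach.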
What to do?
If your website runs on the WordPress platform and you have installed the WP-Slimstat plugin, you need to upgrade immediately to a newer version of the plugin to fix the vulnerability and avoid an unpleasant loss of sensitive data.