During the weekend our CTO Jonas Lejon has been doing some research into the most recent Apache vulnerability, named Optionsbleed. Optionsbleed is a bug in the Apache web server that makes it possible for an attacker to read remote web server memory, such as session cookies, passwords, etc. Apache is a very common web server; according to w3techs, "Apache is used by 48.9% of all the websites whose web server we know". In our lab we set up an Apache web server, installed WordPress and added the following lines to .htaccess:

    <Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd>
    Allow from all
    </Limit>

The above lines would probably trigger the vulnerability, since the Limit line contains method names that are not valid HTTP methods. With the following[…]
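Because the trigger described above is a Limit directive listing method names Apache does not know, one defensive check is to audit .htaccess files for exactly that. The script below is an added example and is not part of the original post or of WPScans.com's tooling: it scans .htaccess text for <Limit> and <LimitExcept> directives and reports any method token outside the standard HTTP/WebDAV set. The KNOWN_METHODS list is an assumed baseline (methods registered by a default Apache httpd build), and the sample .htaccess is constructed for the example, reusing the Limit line from the post.

```python
import re
from typing import Dict, List

# Assumed baseline of methods a default Apache httpd registers (HTTP/1.1 plus
# WebDAV). Extend it with any method your own modules register.
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
})

# Matches the opening line of a <Limit ...> or <LimitExcept ...> section and
# captures the directive name and the whitespace-separated method list.
LIMIT_RE = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)

# Constructed sample .htaccess; line 3 is the Limit line from the post.
SAMPLE_HTACCESS = """\
# constructed sample, not a real site configuration
RewriteEngine On
<Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd>
Allow from all
</Limit>
<LimitExcept GET POST>
Require all denied
</LimitExcept>
"""


def find_unknown_limit_methods(htaccess_text: str) -> List[Dict]:
    """Return one finding per Limit/LimitExcept line that names a method
    outside KNOWN_METHODS. Each finding records the line number, the
    directive and the offending tokens, so the line can be fixed or removed."""
    findings: List[Dict] = []
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        match = LIMIT_RE.match(line)
        if not match:
            continue
        directive, method_list = match.group(1), match.group(2)
        # Apache compares method names case-sensitively, but we normalise here
        # so that a lower-case "get" is reported as a style issue by a human,
        # not flagged as an unknown method.
        unknown = [m for m in method_list.split() if m.upper() not in KNOWN_METHODS]
        if unknown:
            findings.append({"line": lineno, "directive": directive, "unknown": unknown})
    return findings


if __name__ == "__main__":
    for finding in find_unknown_limit_methods(SAMPLE_HTACCESS):
        print(f"line {finding['line']}: <{finding['directive']}> lists unknown "
              f"methods {' '.join(finding['unknown'])}")
```

On a shared host, run this over every .htaccess under the document root; the lines it reports are the ones worth reviewing while the server is being patched, since a Limit directive that only names standard methods is not affected by the behaviour the post describes.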

The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting (XSS) vulnerability. The vulnerability was found by the company SiteLock and disclosed to Automattic, the owner of WooCommerce, via its HackerOne security bounty program. The fix was released on July 28th. If you use WPScans.com you can scan for this vulnerability, or use our premium version and get an e-mail warning. The vulnerability can be tested with:

    curl -X POST -d 'vendor_description=<script>alert("xss")</script>' 'https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name='

OSSEC is an open source host-based intrusion detection system (HIDS) that can be used to monitor file system changes on an operating system. In this article, you'll learn how to use it to monitor directory and file system changes on WordPress installations. OSSEC is a manager-agent HIDS, where the manager and agent can be installed on the same server or on different servers. In this article, we'll use the former approach, with all the components on the same server that WordPress is installed on. The WordPress installation used for this article was running on an Ubuntu 16.04 server; the same configuration may be used on most other Linux distributions. Prerequisites: To complete this article, you'll need to have the[…]