Security Information for Self-Hosted Portals and Blogs

To fellow bloggers and portal owners: please take note of this security information so that your (self-hosted) blog or portal does not fall victim to hacker attacks.

Make sure you change the password for your hosting access at least every 90 days.

Please update or patch your website's security and pay attention to the at-risk plugins/widgets listed below:

WordPress Google Maps Via Store Locator Plus Plugin Path Disclosure and SQL Injection
June 30th, 2012
Application: WordPress
Affected Version: version 3.0.1 and other versions.
Vendor’s URL: Google Maps Via Store Locator Plus Plugin
Bug Type: SQL Injection & Path Disclosure
Risk Level: Critical
Solution:
Restrict access to the wp-content/plugins/store-locator-le/core/load_wp_config.php file (e.g. via .htaccess). Edit the source code to ensure that input is properly sanitised.

 

WordPress HTML5 AV Manager Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 0.2.7 and other versions.
Vendor’s URL: HTML5 AV Manager Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the wp-content/plugins/html5avmanager/lib/uploadify/custom.php file (e.g. via .htaccess).

 

WordPress Asset Manager Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 0.2 and other versions.
Vendor’s URL: Asset Manager Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the wp-content/plugins/asset-manager/upload.php file (e.g. via .htaccess).

 

WordPress FoxyPress Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 0.4.2.1 and other versions.
Vendor’s URL: FoxyPress Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Update to version 0.4.2.2.

 

WordPress Thinkun Remind Plugin “dirPath” Remote File Inclusion
June 30th, 2012
Application: WordPress
Affected Version: version 1.1.3 and other versions.
Vendor’s URL: Thinkun Remind Plugin
Bug Type: File Inclusion
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.

 

WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure
June 30th, 2012
Application: WordPress
Affected Version: version 1.0 and other versions.
Vendor’s URL: Simple Download Button Shortcode Plugin
Bug Type: File Disclosure
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.

 

WordPress RBX Gallery Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 2.1 and other versions.
Vendor’s URL: RBX Gallery Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the wp-content/plugins/rbxgallery/uploader.php file (e.g. via .htaccess).

 

WordPress Top Quark Architecture Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 2.1.0 and prior versions.
Vendor’s URL: Top Quark Architecture Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Update to version 2.1.1.

 

WordPress Easy Contact Forms Export Plugin File Disclosure
June 30th, 2012
Application: WordPress
Affected Version: version 1.1.0 and other versions.
Vendor’s URL: Easy Contact Forms Export Plugin
Bug Type: File Disclosure
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.

 

WordPress wpStoreCart Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 2.5.29 and prior versions.
Vendor’s URL: wpStoreCart Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Update to version 2.5.30.

 

WordPress Nmedia Member Conversation Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 1.3 and other versions.
Vendor’s URL: Nmedia Member Conversation Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the /wp-content/plugins/wordpress-member-private-conversation/doupload.php script (e.g. via .htaccess).

 

WordPress Font Uploader Plugin Arbitrary File Upload
June 30th, 2012
Application: WordPress
Affected Version: version 1.2.4 and other versions.
Vendor’s URL: Font Uploader Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly verified.

 

SugarCRM “unserialize()” PHP Code Execution
June 30th, 2012
Application: SugarCRM
Affected Version: versions prior to 6.4.0.
Vendor’s URL: SugarCRM
Bug Type: Code Execution
Risk Level:
Solution:
Update to version 6.4.0 or later.

 

WordPress SS Quiz Plugin Cross-Site Request Forgery and Security Bypass Vulnerabilities
June 30th, 2012
Application: WordPress
Affected Version: version 1.11 and prior versions.
Vendor’s URL: SS Quiz Plugin
Bug Type: Cross Site Scripting and Security Bypass
Risk Level: Critical
Solution:
Update to version 1.12.

 

e107 Hupsi Fancybox Plugin Arbitrary File Upload Vulnerability
June 30th, 2012
Application: e107
Affected Version: version 1.4 and other versions.
Vendor’s URL: Hupsi Fancybox Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the e107_plugins/hupsi_fancybox/uploader/uploadify.php script (e.g. via .htaccess).

 

e107 Radio Plan Plugin Arbitrary File Upload Vulnerability
June 30th, 2012
Application: e107
Affected Version: version 2.06 and other versions.
Vendor’s URL: Radio Plan Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the e107_plugins/radio_plan/admin/upload.php script (e.g. via .htaccess).

 

e107 Hupsi Share Plugin Arbitrary File Upload
June 30th, 2012
Application: e107
Affected Version: version 1.1 and other versions.
Vendor’s URL: Hupsi Share Plugin
Bug Type: File Upload
Risk Level: Critical
Solution:
Restrict access to the e107_plugins/hupsi_share/inc/uploader/uploadify.php script (e.g. via .htaccess).

 

Joomla! Easy Flash Uploader Module Arbitrary File Upload Vulnerability
June 30th, 2012
Application: Joomla!
Affected Version: version 2.0 and prior versions.
Vendor’s URL: Easy Flash Uploader Module
Bug Type: File Upload
Risk Level: Critical
Solution:
Update to version 2.1.

 

Vanilla Forums FirstLastNames Plugin Profile Two Script Insertion Vulnerabilities
May 30th, 2012
Application: Vanilla Forums
Affected Version: version 1.3.2 and other versions.
Vendor’s URL: FirstLastNames Plugin
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.

 

Vanilla Forums LatestComment Plugin Discussion Title Script Insertion
May 30th, 2012
Application: Vanilla Forums
Affected Version: version 1.1 and other versions.
Vendor’s URL: LatestComment Plugin
Bug Type: Cross Site Scripting
Risk Level: Critical
Solution:
Edit the source code to ensure that input is properly sanitised.
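
One way to apply the "Restrict access to the ... file (e.g. via .htaccess)" solution that several advisories above give, as an added example that is not part of the original post. It assumes an Apache server with mod_rewrite loaded, AllowOverride permitting FileInfo (plus AuthConfig or Limit for the `<Files>` form), and the CMS installed at the document root; the paths are the ones named in the advisories.

```apache
# --- Form 1: document-root .htaccess ------------------------------------
# Put these lines ABOVE the CMS's own rewrite block so they are evaluated
# first. They are deliberately not wrapped in <IfModule mod_rewrite.c>:
# if the module is missing the site fails loudly instead of silently
# leaving the scripts reachable.
RewriteEngine On

# WordPress plugin scripts named in the advisories
RewriteRule ^wp-content/plugins/store-locator-le/core/load_wp_config\.php$ - [F,NC]
RewriteRule ^wp-content/plugins/html5avmanager/lib/uploadify/custom\.php$ - [F,NC]
RewriteRule ^wp-content/plugins/asset-manager/upload\.php$ - [F,NC]
RewriteRule ^wp-content/plugins/rbxgallery/uploader\.php$ - [F,NC]
RewriteRule ^wp-content/plugins/wordpress-member-private-conversation/doupload\.php$ - [F,NC]

# e107 plugin scripts named in the advisories
RewriteRule ^e107_plugins/hupsi_fancybox/uploader/uploadify\.php$ - [F,NC]
RewriteRule ^e107_plugins/radio_plan/admin/upload\.php$ - [F,NC]
RewriteRule ^e107_plugins/hupsi_share/inc/uploader/uploadify\.php$ - [F,NC]

# --- Form 2: .htaccess inside the plugin directory ----------------------
# Use this when a deeper directory carries its own .htaccess with rewrite
# directives: per-directory rewrite rules from the parent are not inherited
# by default, so Form 1 would not apply there.
# Example location: wp-content/plugins/asset-manager/.htaccess
<Files "upload.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

Either form makes the server answer 403 for the listed scripts, which also disables the plugin feature that depends on them. For the entries whose solution is an update, the update is the fix, and a rule like this is only a stopgap until it is applied.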

 
