WordPress 5.2.4 Security Release

WordPress 5.2.4 is a short-cycle security release that was published on wordpress.org this morning.

This security update fixes six security issues.

According to the release post on wordpress.org, WordPress 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4.

Updated versions of the WordPress 5.1 and earlier branches are also available for users who have not yet moved to 5.2.

The 5.2.4 release fixes the following security issues:

  • A stored XSS (cross-site scripting) issue that could be introduced via the Customizer.
  • A method that let unauthenticated users view posts they were not authorized to see.
  • A stored XSS that injects JavaScript into style tags.
  • Cache poisoning of JSON GET requests via the Vary: Origin header.
  • A server-side request forgery (SSRF) in the way URLs are validated.
  • Referrer validation issues in the admin.

For more information, you can browse the full list of changes on Trac or check out the Version 5.2.4 documentation page.

WordPress 4.9.7 is a Security and Maintenance Release

WordPress 4.9.7 is a security and maintenance release for all versions since WordPress 3.7.

As reported by several organizations monitoring WordPress security, WordPress 4.9.6 and earlier are affected by a media-handling issue that could allow a user with certain capabilities (an Author-level account is enough) to delete files outside the uploads directory.

You should update your sites immediately, since version 4.9.7 contains the fix for this vulnerability.
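The bug class behind this fix is a stored filename being handed to a delete call without confirming that the resolved path still lies inside the uploads directory. The C program below is an added illustration of that class and of the check that closes it; it is not WordPress code (WordPress is PHP, and its actual fix lives in the media handling). The directory layout it builds under /tmp (an uploads directory, a wp-config.php next to it, a symlinked directory inside uploads) is constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `candidate` resolves (symlinks and ".." included) to a path inside
 * `base_dir`; 0 if it resolves elsewhere or cannot be resolved at all.
 * realpath() is used on purpose: a lexical check on the string would miss a
 * symlinked directory inside uploads that points outside it. */
int path_is_inside(const char *base_dir, const char *candidate) {
    char base[PATH_MAX], target[PATH_MAX];
    if (realpath(base_dir, base) == NULL || realpath(candidate, target) == NULL)
        return 0;
    size_t n = strlen(base);
    if (strncmp(base, target, n) != 0)
        return 0;
    /* "/srv/uploads" must not be accepted as a prefix of "/srv/uploads_old/x". */
    return target[n] == '/' || target[n] == '\0';
}

/* Vulnerable pattern: join a stored filename onto the uploads directory and
 * delete it. "../wp-config.php" walks straight out of uploads_dir. */
int delete_attachment_unsafe(const char *uploads_dir, const char *stored_name) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", uploads_dir, stored_name);
    return unlink(path);
}

/* Hardened: refuse anything whose resolved path is outside uploads_dir.
 * Returns -1 (nothing deleted) for a rejected path. */
int delete_attachment_safe(const char *uploads_dir, const char *stored_name) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", uploads_dir, stored_name);
    if (!path_is_inside(uploads_dir, path))
        return -1;
    return unlink(path);
}

/* --- constructed fixture: <tmp>/wp-config.php, <tmp>/uploads/img.png and
 *     <tmp>/uploads/linkdir -> <tmp> (a symlinked directory) --- */
static char g_root[PATH_MAX], g_uploads[PATH_MAX];

static int touch(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fputs("x", f);
    return fclose(f);
}

int fixture_create(void) {
    char tmpl[] = "/tmp/wpdemo-XXXXXX", path[PATH_MAX];
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(g_root, sizeof g_root, "%s", tmpl);
    snprintf(g_uploads, sizeof g_uploads, "%s/uploads", g_root);
    if (mkdir(g_uploads, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/wp-config.php", g_root);
    if (touch(path) != 0) return -1;
    snprintf(path, sizeof path, "%s/img.png", g_uploads);
    if (touch(path) != 0) return -1;
    snprintf(path, sizeof path, "%s/linkdir", g_uploads);
    return symlink(g_root, path);
}

const char *fixture_uploads(void) { return g_uploads; }

/* 1 if <tmp>/wp-config.php still exists. */
int fixture_config_exists(void) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/wp-config.php", g_root);
    return access(path, F_OK) == 0;
}

int main(void) {
    if (fixture_create() != 0) return 1;
    printf("safe   ../wp-config.php      -> %d\n", delete_attachment_safe(g_uploads, "../wp-config.php"));
    printf("safe   linkdir/wp-config.php -> %d\n", delete_attachment_safe(g_uploads, "linkdir/wp-config.php"));
    printf("safe   img.png               -> %d\n", delete_attachment_safe(g_uploads, "img.png"));
    printf("unsafe ../wp-config.php      -> %d (config gone: %d)\n",
           delete_attachment_unsafe(g_uploads, "../wp-config.php"), !fixture_config_exists());
    return 0;
}
```

The symlinked-directory case is the reason for resolving the path before comparing it: a filename such as linkdir/wp-config.php contains no ".." at all, so a check that only strips or rejects ".." would let it through. Resolving after the join also means a name that does not exist is rejected, which is the safe default for a delete.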

Seventeen other bugs were fixed in WordPress 4.9.7.

Of particular note are the following:

  • Taxonomy: Improve cache handling for term queries.
  • Posts, Post Types: Clear post password cookie when logging out.
  • Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
  • Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
  • Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.

Sites that support automatic background updates have already begun updating automatically.

Cloudflare Memory Leak Exposed Private Data

Last Friday, Google's Project Zero contacted Cloudflare to report a security problem with its edge servers.

Cloudflare, the content delivery network used by many popular sites, has since published detailed information about a vulnerability that leaked user data, some of it private, including passwords and private messages.

The vulnerability was discovered by security researcher Tavis Ormandy, a member of Google’s Project Zero team.

Cloudflare Memory Leak

The issue stems from an HTML parser named cf-html, written to replace an older Ragel-based parser, reading past the end of its buffer and emitting whatever server memory followed it (a buffer over-read, not a resource leak in the usual sense, despite the "memory leak" label).

“It turned out that the underlying bug that caused the memory leak had been present in our Ragel-based parser for many years but no memory was leaked because of the way the internal NGINX buffers were used,” John Graham-Cumming, Chief Technology Officer at Cloudflare said.

“Introducing cf-html subtly changed the buffering which enabled the leakage even though there were no problems in cf-html itself.”
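What "subtly changed the buffering" means in practice can be shown in a few lines of C. The program below is an added illustration and is not Cloudflare's code: a toy attribute scanner with its end-of-buffer test written as an inequality (`p != pe`), the form in which Cloudflare's postmortem located the root cause, beside the corrected form (`p < pe` plus a bound check before any multi-byte step). The page text, its attribute truncated at a backslash, and the "neighbouring" request data that sits after it in the same array are all constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout standing in for an NGINX buffer: the page being
 * parsed is immediately followed by bytes belonging to another request. */
#define PAGE     "<a href=\"x\\"                 /* truncated at a backslash inside href="..." */
#define NEIGHBOR "Cookie: session=SECRET\"\r\n"  /* the next request's headers (constructed) */
static const char region[] = PAGE NEIGHBOR;
enum { PAGE_LEN = sizeof(PAGE) - 1 };

/* Copies the value of the first href="..." in buf[0..len) into out.
 * A backslash escapes the following byte, so that state steps the pointer by
 * two. `strict` picks the end-of-buffer test: 0 = "p != pe" (equality, the
 * pattern behind Cloudbleed), 1 = "p < pe" plus a bound check before the
 * two-byte step. `rail` is the last byte the demo may touch, so the buggy
 * variant's over-read stays inside memory we own; a real parser has no rail. */
size_t extract_href(const char *buf, size_t len, int strict,
                    const char *rail, char *out, size_t outcap) {
    const char *p = buf, *pe = buf + len;
    size_t n = 0;
    int in_value = 0;

    while (p < rail && (strict ? p < pe : p != pe)) {
        if (!in_value) {
            if (pe - p >= 6 && memcmp(p, "href=\"", 6) == 0) {
                p += 6;
                in_value = 1;
            } else {
                p++;
            }
            continue;
        }
        if (*p == '"')
            break;                       /* closing quote: value complete */
        if (*p == '\\') {
            if (strict && p + 1 >= pe)
                break;                   /* escape truncated at end of buffer */
            p++;                         /* two-byte step: skip the backslash... */
        }                                /* ...and copy the escaped byte */
        if (n + 1 < outcap)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Runs the scanner over the constructed region with the page length only,
 * exactly as a parser that trusts its length argument would. */
const char *run_demo(int strict) {
    static char out[64];
    extract_href(region, PAGE_LEN, strict, region + sizeof(region) - 1,
                 out, sizeof out);
    return out;
}

int main(void) {
    printf("p != pe : href value = \"%s\"\n", run_demo(0));
    printf("p <  pe : href value = \"%s\"\n", run_demo(1));
    return 0;
}
```

With the equality test, the two-byte step on the trailing backslash moves the pointer from one byte before the end to one byte past it; the check `p != pe` is never true again, and the scanner keeps copying from whatever follows the page, here a session cookie from the next request. The fix is not only `<` in place of `!=`: every state that advances the pointer by more than one byte needs its own bound check, which is the `p + 1 >= pe` test above. Whether such an over-read leaks anything useful depends entirely on what the allocator placed after the buffer, which is why the same underlying bug could sit silently in the old parser for years.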

The earliest date on which data could have leaked is September 22nd, 2016, when Automatic HTTP Rewrites was enabled.

That was the first of three features that used the parser; the other two are Email Obfuscation and Server-Side Excludes.

The greatest period of impact was between February 13th and February 17th, 2017.

As a result, leaked data ended up in publicly available cached web pages, including search engine caches.

Consequently Cloudflare worked with major search engine providers to have the cached pages scrubbed before publicly announcing details of the bug.

“With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory,” Graham-Cumming said.

“Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines. We also undertook other search expeditions looking for potentially leaked information on sites like Pastebin and did not find anything.”

1Password is Not Affected

Earlier reports indicated that 1Password was among the affected sites.

Jeffrey Goldberg, a 1Password employee, assured users that the Cloudflare data leak does not affect 1Password.

“At the moment, we want to assure and remind everyone that we designed 1Password with the expectation that SSL/TLS can fail,” Goldberg said. “Indeed it is for incidents like this that we deliberately made this design.”

“No secrets are transmitted between 1Password clients and 1Password.com when you sign in and use the service. Our sign-in uses SRP, which means that server and client prove their identity to each other without transmitting any secrets. This means that users of 1Password do not need to change their Master Passwords.”

Change Your Passwords

Nick Sweeting used a number of web scrapers to compile a list of sites that use Cloudflare. The list, available on GitHub, currently contains 4,287,625 domains that are possibly affected. Popular domains in the list include:

  • authy.com
  • coinbase.com
  • digitalocean.com
  • patreon.com
  • bitpay.com
  • news.ycombinator.com
  • producthunt.com
  • medium.com
  • 4chan.org
  • yelp.com
  • okcupid.com

The bug also affects mobile apps: HTTP header data from apps such as Discord, Fitbit and Uber has been found in search engine caches.

NowSecure published a list of 200 iOS apps that use Cloudflare services.

First, users are strongly encouraged to change their passwords, whether or not a given site uses Cloudflare.

Those who use Cloudflare should also generate new API keys and consider forcing a password reset for their users.

Two-factor authentication should be enabled wherever possible, so that the password is not the only credential needed to access an account.

Mobile users should log out of mobile applications and log back in so that a fresh session token is issued.

To force all users on a WordPress site to log out and log back in, WPStudio recommends changing the salt keys in wp-config.php (the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY defines and their _SALT counterparts; WP-CLI can rotate them with `wp config shuffle-salts`). Changing them invalidates every existing login cookie.

Although the major search engines are actively scrubbing cached pages, the leaks had been occurring for at least four months.

There is no telling who may already have scraped those pages and archived the data.

There is also the possibility that someone discovered the vulnerability before Ormandy and had been parsing cached pages for months.

That is why, at a minimum, you should change your passwords.