Site backup plugin developer issues patch following reports of millions of exploit attempts

Adam Bannister 08 September 2022 at 13:57 UTC  
Updated: 08 September 2022 at 16:32 UTC

Site backup plugin developer issues patch following reports of millions of exploit attempts

UPDATED WordPress websites running BackupBuddy have been urged to update the plugin amid reports of active exploitation of a high severity arbitrary file download/read vulnerability.

BackupBuddy, which is used to backup WordPress sites, and has around 140,000 active installations.

WordPress security firm Wordfence has revealed that its firewall has blocked more than 4.9 million exploit attempts related to the flaw since abuse was first detected on August 26.

The issue – tracked as CVE-2022-31474 with a CVSS score of 7.5 – enables unauthenticated attackers to download sensitive files from vulnerable sites.

Read more of the latest WordPress security news

A majority of observed attacks apparently attempted to read /etc/passwd, /wp-config.php, .my.cnf, or .accesshash files, which could be leveraged to further compromise victims, said Wordfence.

The vulnerability affects versions between 8.5.8.0 and 8.7.4.1, and was patched in version 8.7.5. 

iThemes, the plugin developer, told The Daily Swig that the bug was patched on September 2, not on September 6 as Wordfence (and therefore this article too) initially stated, within hours of being “notified of suspicious activity related to a BackupBuddy installation”.

It continued: “We have made this security update available to all vulnerable BackupBuddy versions (8.5.8 – 8.7.4.1), regardless of licensing status, so no one continues to run a vulnerable version of the BackupBuddy plugin.

“We recommend that customers follow the steps outlined in the disclosure post to detect if their site was attacked. Our support team is standing by to help if anyone needs help or assistance from the iThemes Help Desk.”

**Local root cause**

The vulnerability arose from an insecure implementation of the mechanism used to download locally stored files, meaning unauthenticated attackers could download any file stored on the server.

“More specifically the plugin registers an hook for the function intended to download local back-up files and the function itself did not have any capability checks nor any nonce validation,” according to a Wordfence blog post published on September 6.

“This means that the function could be triggered via any administrative page, including those that can be called without authentication (), making it possible for unauthenticated users to call the function. The back-up path is not validated and therefore an arbitrary file could be supplied and subsequently downloaded.”

Sysadmins can find signs of exploitation by “checking for the ‘’ and/or the ‘’ parameter value when reviewing requests in your access logs,” said Wordfence.

“Presence of these parameters along with a full path to a file or the presence of to a file indicates the site may have been targeted for exploitation by this vulnerability. If the site is compromised, this can suggest that the BackupBuddy plugin was likely the source of compromise.”

iThemes concluded: “This incident, like many others experienced by other vendors in the past, underscores how security-aware WordPress users have become. WordPress as a whole has become a much more secure platform thanks to the commitment of vendors, users, and security researchers to make security easier for everyone, and iThemes is proud to be an integral part of that.”

This article was updated on September 8 with comment from iThemes

YOU MIGHT ALSO LIKE A rough guide to launching a career in cybersecurity

WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

Entry-level training courses offer paths to glory

Entry-level training courses offer paths to glory

The global cybersecurity workforce gap is estimated at 2.7 million people, with the problem particularly acute when it comes to entry-level roles.

Cybersecurity nevertheless promises an interesting and potentially lucrative career. Even though the profession is open to people with any degree or none – providing they have the aptitude to learn – it can still be daunting to make the initial first steps and difficult to know where to begin.

The talent pool might potentially be expanded through more inclusive and broader hiring strategies. Against this, unrealistic hiring practices sometimes create barriers to entry for those looking to enter the profession, especially those seeking a career change.

The path into a career in information security is, however, eased by a growing number of entry level training schemes and courses. The Daily Swig has surveyed this landscape to chart some promising routes offered by various reputable training providers.

Catch up on the latest cybersecurity education news and analysis

For example, cybersecurity skills training organization (ISC)2 reports that more than 1,400 individuals have undertaken its entry-level infosec certification pilot exam since the program launched at the end of January 2022.

The qualification is designed to support industry entrants embarking on cybersecurity careers, ranging from recent university graduates, to career changers, to IT professionals looking to switch roles and focus on infosec. In all cases, the certificate offers a means to validate their foundational security skills.

**Laying down foundations**

For employers seeking to fill entry-level roles, the qualification offers evidence that newcomers have the foundational knowledge, skills, and abilities necessary to thrive in the sector. According to (ISC)2, the qualification shows that candidates for junior roles are familiar with technical concepts whilst having an aptitude for on-the-job learning.

The (ISC)2 entry-level pilot exam evaluates candidates across five domains; security principles; business continuity, disaster recovery, and incident response concepts; access control concepts; network security; and security operations.

In preparation, candidates pay for a choice of either live instructor-led training sessions (available as a course package that includes access to online learning resources an exam voucher for $649) or more economical online, self-paced learning resources (available with an exam voucher for $199).

Within the cybersecurity education market, however, (ISC)2 is far from the only game in town.

Entry-level courses can demonstrate that candidates possess foundational skills and knowledge

**World of choice**

The SANS Institute offers a five-day, in-person Introduction to Cyber-Security course that covers a mix of technical and business issues. SANS Institute courses are well regarded but not inexpensive.

GIAC Information Security Fundamentals, for example, retails at $6,600.

Other paid-for SANS Institute introductory courses focusing on specific areas of cybersecurity – such as cloud computing, digital forensics, and incident response – are also available.

SANS also offers free-of-charge security workshops and other content, though this material is more geared towards the professional development needs of those who have already established a cybersecurity career.

**eLearning**

Coursera offers access to online courses from leading universities and companies.

The Coursera platform provides routes that run the gamut from short online classes and hands-on projects that teach job-relevant skills in less than two hours, to job-ready certificates and degree programs. Short courses cost up to $99 while professional certifications run between $2,000-$6,000 and degrees between $9,000-$45,000.

A yearly subscription to Coursera’s online courses costs $399.

Coursera offers a variety of entry-level cybersecurity courses, each affiliated to universities or technology companies.

For example, Introduction to Cyber Security Specialization from New York University includes four courses aimed at beginners. It can be completed in about four months with four hours of learning per week.

Attractive, lower cost options might also be found in modules and courses in cybersecurity from Udemy.

Courses can be classroom-based, online or a mix of the two

There’s also an Introduction to Cyber Security course from the UK’s Open University that is particularly suitable for those looking for a flexible course aimed at beginners. The course doesn’t lead to a formal qualification but is available online and is accredited by several reputable organizations in the UK cybersecurity sector.

“Over eight weeks, the course will take on average three hours a week to complete,” an Open University (OU) spokesperson told The Daily Swig.

“The course is accredited by APMG International, the Institute of Information Security Professionals, and the (UK) National Cyber Security Centre. The Certificate of Achievement for this course demonstrates awareness of cybersecurity issues across 12 of the IISP skills groups, and demonstrates that participants have completed a course that meets the awareness level requirements of NCSC Certified Training.”

Another option from the Open University involves a part-time degree course that offers a BSc in Cyber Security at the end of six years. There’s also a postgraduate micro-credential in Cyber Security Operations.

The best way to find Open University courses related to cybersecurity is by using the course search bar on the OU’s homepage.

**Book smart**

Quite a few well established and respected infosec professionals got their start in the field by simply picking up a book and getting stuck in.

There’s no better example of this than noted bug bounty hunter David Litchfield, who 25 years ago passed his Certified Novell Administrator (CNA) exam courtesy of a related CNA guidebook, thus certifying his ability to maintain networks running the then ubiquitous but since obsolete Novell NetWare networking software.

Fast forward to the 2020s and you’ll find PortSwigger’s\* Web Security Academy offering a free-of-charge service that explains key concept and vulnerabilities in web security. This learning exercise is reinforced through a series of labs graded ‘Apprentice’, ‘Practitioner’, or ‘Expert’.

Practice in the labs gives learners proficiency with Burp Suite, a web security testing tool that’s the industry standard for pen testers and bug bounty hunters alike.

Next, The Daily Swig’s own John Leyden plans to try his hand at modules from the (ISC)2 entry level qualification to see how he fares. Stay tuned for a follow-up feature this autumn.

Additional reporting by Simon Baker, IT director at PortSwigger

\*PortSwigger is the publisher of The Daily Swig

YOU MAY ALSO LIKE Vast majority of ethical hackers keen to spend more time bug bounty hunting – report

A rough guide to launching a career in cybersecurity

IDOR issue meant user account privileges and contact details could be altered

Adam Bannister 05 September 2022 at 16:01 UTC

IDOR issue meant user account privileges and contact details could be altered

An indirect object reference (IDOR) vulnerability in the Squiz Matrix web content management system (CMS) could have enabled attackers to seize admin rights on targeted installations.

Squiz Matrix is a browser-based website-building tool reportedly used by more than 280 organizations, including governments, businesses, and half of Australian and New Zealand universities, as well as several UK higher education institutions.

Discovered during a pen-test engagement by Trustwave SpiderLabs, the privilege escalation flaw meant a low privileged user could change the contact details of any user – including administrators.

Catch up with the latest cybersecurity vulnerability news

By changing an administrator’s email to an attacker-controlled address they could then initiate a password reset and take control of their account.

And, “as user account numbers are in a sequential order, an attacker could run through user account numbers and change the details of every user registered to the vulnerable Squiz Matrix instance”, according to a blog post disclosing the flaw.

Squiz Matrix patched the vulnerability for all customers as of June 14, 2022, well before Trustwave disclosed details of the problem on August 31.

**Proof of concept**

To exploit the bug, an attacker would authenticate to the application as a general level user, navigate to the ‘Edit Contact’ page, and submit the contact-editing form before capturing the request with a web interception proxy.

The resulting request would contain and parameters named ‘’ that both contain the targeted user’s .

After changing the parameter value to a valid , an attacker could then change user details in the body, such as changing the email parameter and upgrading to .

YOU MAY ALSO LIKE CSRF flaw in csurf NPM package aimed at protecting against the same flaws

Squiz Matrix CMS squashes admin account takeover bug

New web targets for the discerning hacker

New web targets for the discerning hacker

The otherwise typically low-key month of August also brings infosec’s most renowned conference: Black Hat USA, which this year brought a word of warning for bug bounty hunters.

Dylan Ayrey, CEO of Truffle Security, cited a number of cases in which poor research and shoddy data governance has led to the leak of users’ personally identifiable information. In some cases, the data is still available long after the corresponding ticket has been closed, he warned.

“These privacy leaks in bug bounties are really common, and for every example that we can share publicly there are 100 examples that can’t be shared publicly,” said Ayrey.

In another, alleged example of suboptimal bug bounty practices CrowdStrike came under fire recently over its vulnerability disclosure process.

Pascal Zenker, a partner of Swiss security analyst service Modzero AG, claimed the Texas-based cybersecurity firm’s bug bounty program, run through HackerOne, is “NDA-ridden”, while the disclosure process “turned unprofessional in the end”.

CrowdStrike, however, defended its actions and countered that Modzero had not responded to attempts to “continue the dialogue” until six weeks had elapsed.

Among the most notable new bug bounty programs this month is Google’s latest VRP, this time focused on its open source projects, such as Golang, Angular, and Fuchsia.

Announced on August 30, the Open Source Software Vulnerability Rewards Program (OSS VRP) is designed to stem the rising tide of attacks against the software supply chain.

There were several notable payouts on existing Google VRPs, most notably when Alesandro Ortiz netted $20,000 from the tech giant – giving $4,000 to a collaborator – for unearthing a bug in the Chromium project. This allowed attackers to bypass site isolation protection through iFrames and popup windows to steal private information, read and modify cookies, and gain access to microphone and camera feeds, among other exploits.

Meanwhile, researcher ‘NDevT’ discovered two XSS vulnerabilities in Google Cloud, DevSite, and Google Play that could lead to account hijacks. They won $3,000 and $5,000 in bug bounties for their pains.

And there was a $5,000 payout for a third Google issue, with Adi Cohen discovering an XSS in AMP for Email that involved tricking Gmail’s dynamic email feature into a rendering context that the browser would not use to render a given piece of code.

Finally, in non-Google payout news, there were $4,000 and $5,000 rewards respectively for serious GitHub Pages and Reddit issues, while a Yahoo hackathon paid out $218,121 for 218 bug submissions related to its text search engine tool Vespa.

**The latest bug bounty programs for September 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Abraxas VOTING**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**$10,000

**Outline:  
**VOTING will be used to manage ballots and aggregate tallied votes in Swiss elections.

**Notes:  
**The maximum reward is around 10,000 Swiss francs, which equates to roughly the same amount in US dollars.

Apply to hack on the program via Bug Bounty Switzerland

**Airlock**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**Undisclosed

**Outline:  
**Airlock’s Secure Access Hub, a web application firewall (WAF), protects more than 30,000 web applications worldwide.

**Notes:  
**“This program is built in the style of a CTF competition,” said the company.

Apply to hack on the program via Bug Bounty Switzerland

**Cornershop by Uber**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Uber’s on-demand grocery delivery service is offering $2,500 for critical vulnerabilities and $1,000 for high severity flaws.

**Notes:  
**Seven assets in scope: the .cornershopapp.com website, iOS and Android apps, source code, two domains containing internal assets, and QA environment.

Check out the Cornershop bug bounty page for more details

**Ethereum – Enhanced**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$1m

**Outline:  
**Bug bounty rewards for the Ethereum blockchain have quadrupled for a two-week period – ending September 8 – when related to the network’s transition to proof-of-stake.

**Notes:  
**The application of a fourfold multiplier to payouts means ethical hackers could earn up to $1 million for the submission of valid critical vulnerabilities.

Check out our earlier coverage for more details

**Google OSS VRP**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$31,337

**Outline:  
**Google’s Open Source Software Vulnerability Rewards Program (OSS VRP) focuses on the public repositories of Google-owned GitHub organizations such as GoogleAPIs and GoogleCloudPlatform, as well as their third-party dependencies.

**Notes:  
**Ranging from $100 to $31,337, rewards will typically be higher for particularly sensitive projects – such as Bazel, Angular, Golang, Protocol buffers, and Fuchsia – and vulnerabilities that can lead to supply chain compromise.

Check out the Google OSS VRP bug bounty page for more details

**Pogo**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,000

**Outline:  
**Pogo is a mobile app that offers users a way to leverage their personal data online in order to access earn credits and discounts for shopping, finances, and more.

**Notes:  
**In scope are the platform’s production Android and iOS apps and API endpoint used by the mobile apps.

Check out the Pogo bug bounty page for more details

**Proton**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Semi-public

**Max reward:  
**$30,000

**Outline:  
**If you are accepted onto the program, privacy-preserving email service Proton “will give you early and exclusive access to not published versions of the applications and their source code”.

**Notes:  
**Swiss platform also promises attractive bounties, “a constructive dialogue, fair rules and a legal safe harbor”.

Apply to hack on the program via Bug Bounty Switzerland

**Secure Open Source Rewards**

**Program provider:  
**Independent

**Program type:  
**Public

**Max reward:  
**$10,000

**Outline:  
**Developers and security researchers have been invited to suggest ways to “harden critical open source projects” by the Linux Foundation, with Google’s open source security team providing initial sponsorship.

**Notes:  
**Rewards range from $505 for minor improvements up to $10,000 or more for “complicated, high-impact, and lasting improvements that almost certainly prevent major vulnerabilities”.

Check out our earlier coverage for more details

**Starbucks – Enhanced**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$6,000

**Outline:  
**Bug reports that include a unique Nuclei Template to validate the finding will now earn researchers a $250 bonus.

**Notes:  
**Launched in 2016, the Starbucks program has 36 assets in scope, approaching 1,500 resolved reports, and average payouts of $250-$500 at the time of writing.

Check out the Starbucks bug bounty page for more details

**Trendyol**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**Trendyol Group, Turkey’s largest ecommerce platform, has launched an ongoing bug bounty program after what it said was a successful, time-limited HackerOne Challenge.

**Notes:  
**Critical bugs will command rewards ranging between $2,000-$3,000, while high severity issues will net bug hunters between $750-$1,250.

Check out the Trendyol bug bounty page for more details

**Other bug bounty and VDP news this month**

*   Switzerland’s National Cyber Security Centre has announced the launch, later this year, of a new bug bounty program for the Swiss federal government following a 2021 pilot
*   Staying in Switzerland, federal postal service Swiss Post offered rewards up to 30,000 francs ($30,530) during a four-week bug bounty program that concludes today (September 2)
*   New or improved bug bounty or penetration testing tools showcased at Black Hat USA 2022 included pen test management platform AttackForge, open source recon framework ReNgine, and pen testing tools AWSGoat and AzureGoat

Curated by Adam Bannister. Introduction by Emma Woollacott.

**PREVIOUS EDITION** Bug Bounty Radar // The latest bug bounty programs for August 2022

Bug Bounty Radar // The latest bug bounty programs for September 2022

Serious security prompt developers to discontinue open source package

Charlie Osborne 02 September 2022 at 15:11 UTC  
Updated: 02 September 2022 at 15:18 UTC

Serious security prompt developers to discontinue open source package

Pen testers hunting for low-severity bugs found a far more severe cross-site request forgery (CSRF) flaw in the open source csurf software.

Researchers from UK-based cybersecurity firm Fortbridge were called in when a customer asked them to review a penetration testing report. An issue flagged was a CSRF cookie missing a secure flag.

Curious about the finding, the team began digging. According to an August 28 blog post put together by Fortbridge cloud application security consultant Adrian Tiron, the issue was ultimately traced back to a node.js application relying on csurf.

Catch up on the latest infosecurity research news and analysis

Csurf is a project designed to allow developers to create middleware for CSRF token creation and validation via sessions or cookies. The NPM package is still downloaded approximately 400,000 times per week even though its last formal update was three years ago.

Tiron writes that while the popular package was intended to defend against CSRF, a CSRF bug has lain dormant within the code since the last version release, impacting any application using the open source package.

After exploring the csurf code, the pen testers found several problems. These included secrets stored in clear text within \_csrf cookies; the use of the broken SHA-1 cryptographic algorithm; a lack of signature checks for cookies by default, and the validation of header tokens against the secret or GET/POST parameters with different names.

Furthermore, Tiron explained that there was some “weird behavior” in the code. For example, the app would accept empty XSRF tokens and it was possible to create a token from a salt and the secret, allowing attackers to calculate their own CSRF tokens.

**Cookie toss**

By adding a second cookie with the same name and forcing an app to use a malicious alternative by setting specific Path attributes, in what is known as a cookie toss, the team could pass the CSRF token header as GET, exploiting the software in the process.

“OSS just like commercial software can have vulnerabilities,” Tiron told The Daily Swig. “Companies relying on OSS should realize that people behind it are often volunteers and quite often there’s no budget for security tooling or pen testing.”

Fortbridge submitted its findings to the package developer on June 2. The issue was acknowledged a day later, and after further investigation, the maintainer has reportedly decided to mark the package as deprecated.

“Popular open source libraries are a good target for attackers because they impact a large number of applications that are incorporating it,” Tiron told us. “Even if it’s open source and many eyes are supposedly looking at it, the truth is that sometimes the security skills are lacking or there’s no incentive to look for bugs because there’s no bug bounty involved.”

Tiron concluded: “What we see is that companies are very reactive in this area (they rely just on patching) and we recommend that they should be more proactive and do their own security check.”

YOU MAY ALSO LIKE Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

CSRF flaw in csurf NPM package aimed at protecting against the same flaws

One-two bug punch leads to ‘worst possible impact’, said researcher

One-two bug punch leads to ‘worst possible impact’, said researcher

WatchGuard has patched several vulnerabilities in two main firewall brands that have been rated between medium and critical severity.

In combination, two of the flaws allowed Ambionics security engineer Charles Fol to obtain pre-authentication remote root on every WatchGuard Firebox or XTM appliance.

Both the Firebox and XTM ranges were implicated earlier this year in a number of hacking attacks, with Russian state-sponsored threat actor Sandworm abusing a privilege escalation flaw in order to build a botnet called Cyclops Blink that was taken down in April. Over a four-month period, WatchGuard released three firmware updates, patching a number of critical vulnerabilities.

DON’T MISS API security: Broken access controls, injection attacks plague enterprise security landscape

And, by coincidence, said Fol, this is when he started looking for exploitable bugs in firewalls for a red team engagement. He found five in the WatchGuard products, of which two were patched during his research, which is documented in a write-up published earlier this week.

The three remaining flaws were blind Xpath injection, allowing him to retrieve the configuration of a device, including master credentials; integer overflow, which allowed an attacker to execute malicious code on remote appliances; and a third vulnerability that meant it was possible to escalate privileges from a low-privilege user into root.

**Complete access as root**

“By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root,” Fol told The Daily Swig.

“This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera.

“The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Read more of the latest cybersecurity vulnerability news

Fol believes that fewer WatchGuard users now have their administration interface exposed on the internet, thanks to the many security alerts that were being generated at the time of his research, including those relating to Cyclops Blink.

However, he said, “the first vulnerability – Xpath – is reachable through the standard, client interface, and as such is much more likely to be exposed; a quick shodan search revealed around 350,000 instances.”

He advises users to remove their administration interface from the internet, and make sure they keep their systems up to date.

Fol said he reported the vulnerabilities at the end of March, and received a quick response. A month later, WatchGuard's security team confirmed that a patch would be available on June 21.

Overall, he said, the disclosure was a “great, respectful process”.

YOU MAY ALSO LIKE Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report

WatchGuard firewall exploit threatens appliance takeover

Live event brings together bug bounty hunters from across the globe

Jessica Haworth 31 August 2022 at 15:30 UTC

Live event brings together bug bounty hunters from across the globe

A three-day hackathon held by Yahoo last week uncovered hundreds of security bugs in its text search engine tool Vespa.

The event, held in Antwerp, Belgium by bug bounty platform Intigriti, saw 40 hackers from across Europe, the Middle East, and Africa hunt for vulnerabilities in the open source tool.

There were 218 bug submissions, with payouts totalling $218,121, with the highest bounty paid out at $15,000.

Read more of the latest bug bounty news

Topping the leaderboard was hacker ‘putsi’, who successfully submitted 10 vulnerabilities and also earned the title of ‘most valuable hacker’ at the event.

Highest earning team ‘Swedish Injection!’, made up of hackers ‘stok’ and ‘p4fg’, successfully found 18 vulnerabilities.

Participants were chosen from across Yahoo’s ‘Elite Program’, drawn from a group of regular contributors to the company’s bug bounty program and previous hacking event, which took place in May 2022.

DON’T MISS Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier

Inti De Ceukelaire, head of hackers at Intigriti, told The Daily Swig that the hackers “have made extremely valuable contributions to Yahoo’s cyber resilience”.

“Yet, live hacking is about more than just great results alone: it forms long-lasting relationships with the community and further increases hacker engagement beyond borders,” he said.

“40 hackers from 20 different countries, familiar and unfamiliar faces to Yahoo, have collaborated together with us and the Yahoo team in what we can only describe as our biggest and most successful event to date.”

YOU MAY ALSO LIKE Security researchers blast ‘ridiculous’ CrowdStrike bug disclosure practices

Three-day hackathon uncovers hundreds of bugs in Yahoo search engine tool Vespa

Exploit involved duping developers into exposing repositories with social engineering techniques

Exploit involved duping developers into exposing repositories with social engineering techniques

A security researcher has discovered a way to launch code execution attacks by exploiting the GitHub Pages build process.

Joren Vrancken netted a $4,000 reward for a command injection bug reported through GitHub’s HackerOne bug bounty program, as described in a recent blog post.

According to Vrancken, the security issue existed in GitHub Pages, a static hosting service able to pull data from repositories, run code through a build process, and then publish websites.

**Path to code execution**

To streamline the process, GitHub Pages supports the Jekyll static site generator.

Jekyll settings are stored in a YAML configuration file, and some aspects of the service are automated by GitHub, including themes, in which GitHub will issue a POST request and automatically create a new commit to issue changes to the source.

These processes require administrator privileges, and only two directories – the root of a branch and /docs – can be specified. However, user-input directories can also be specified in the theme chooser URL.

Catch up with the latest bug bounty news

You could select an arbitrary directory to use as a GitHub Pages source and then run the GitHub job workflow, which includes the launch of Jekyll, static file deployment, and uploading page artifacts. Eventually, this process can trigger a payload via a tar command, resulting in arbitrary code execution.

However, the attacker already has admin privileges, so this isn’t necessarily a huge problem.

Vrancken found the means to turn this workflow functionality into something more serious. If an attacker wants access to code hosted in a private repo, all they need is a URL and user interaction.

By crafting a malicious URL that downloads and executes a script from a third-party source, attackers could use phishing or other social engineering tactics to lure an admin user into clicking the link and following the Select Theme process – thereby triggering a malicious payload and exposing the repository.

Attackers need only supply a URL – they do not need a GitHub account nor any connection to the target repo.

**‘Hack The Box-esque’**

After notifying GitHub of his findings on July 27, Vrancken received a response on the same day, with confirmation arriving on August 2. By August 23, the GitHub security team had resolved the issue by removing the Theme Chooser functionality.

Vrancken was awarded a GitHub Pro subscription as well as a bug bounty of $4,000 for his efforts.

“This was definitely one of the more fun bug bounties I did, because it combines multiple GitHub-specific features with some more traditional Hack The Box-esque techniques,” the researcher commented. “I wholeheartedly recommend the GitHub bug bounty program.”

Jill Moné-Corallo, GitHub’s director of product security engineering response, told The Daily Swig: “Each submission to our bug bounty program is a chance to make GitHub, our products, and our customers more secure. Joren’s findings demonstrate their passion in security research and engaging researchers like them is the reason why we continue to see value in our bug bounty program.”

YOU MIGHT ALSO LIKE Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

Command injection vulnerability in GitHub Pages nets bug hunter $4k

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs

The rush to patch systems affected by the landmark Log4Shell vulnerability has coincided with a wider improvement in patching rates for the most critical flaws, a report has found.

The remote code execution (RCE) flaw in Apache Log4j (CVE-2021-44228), the near-ubiquitous open source Java logging utility, sent organizations across the ecosystem scrambling to fix applications or patch systems after it emerged in December 2021.

Eight months on, the 2022 Trustwave SpiderLabs Telemetry Report has concluded that organizations “finally understand the necessity of having a solid security posture”.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-days in Node.js libraries

Shodan searches performed by Trustwave SpiderLabs researchers revealed a sharp fall in the proportion of affected instances vulnerable to 2022’s highest profile vulnerabilities versus 2021’s equivalent flaws.

“Vulnerability disclosure-to-patch times have decreased,” Alex Rothacker, director of research and security scanning at Trustwave, told The Daily Swig.

**Celebrity factor**

He also noticed that security flaws’ “level of celebrity” was tied to both patching rates and patching speeds, with Log4j and Spring Framework instances outscoring what Rothacker said are lower profile issues in F5’s BIG-IP and Atlassian’s Confluence on these fronts.

For instance, only 0.36% of 405,993 instances of the most popular products running Log4j were vulnerable to the first Log4Shell patch (as opposed to the subsequent bypass) six months after exploits surfaced.

Equivalent numbers were 0.075% of 452,520 instances running unpatched versions of Spring Framework, another popular open source Java component, in regard to ‘Spring4Shell’ (CVE-2022-22965) three months after its disclosure.

Instances vulnerable to RCEs in F5’s BIG-IP (CVE-2022-1388) and Atlassian Confluence Server and Data Center (CVE-2022-26134) were 2.73% of 1,719 after disclosure and 4.44% of 7,074 hosts respectively – although disclosure was much more recent in these cases.

Catch up on the latest Log4j vulnerability news

By contrast, Trustwave’s 2021 report found that more than 50% of instances were vulnerable in relation to each of three similarly impactful vulnerabilities, weeks or months after patch release.

“Log4Shell seems to have been a call to action for many organizations,” said Rothacker. “The volume of questions and requests for remediation help that we received from customers for Log4Shell was unprecedented.”

**Critical mass**

This year is on course to comfortable eclipse 2021 in terms of both number of CVEs published and the proportion of which that are critical, the report found.

For instance, Rothacker said that August has already surpassed all previous months in 2022 and 2021, with 3,779 CVEs published as of August 26, while July and June also saw high numbers of 2,226 and 2,377 respectively.

Critical vulnerabilities account for 18% of 2022 CVEs, up from 13% of CVEs in 2021.

The report also discovered that some affected instances were still vulnerable to CVEs dating back as far as 2016, with the most widespread bug being CVE-2017-15906, an issue in encrypted remote login tool OpenSSH.

Despite being distributed in most Linux distributions by default, the bug’s medium severity means “it is most likely that many organizations do not see it as a significant issue and are de-prioritizing fixing it” said Rothacker.

“Other listed vulnerabilities either are for less commonly deployed software e.g CVE-2018-15199, or do have other mitigations, or constraints e.g CVE-2018-1312, that make it less likely that they will be exploited,” he added.

The top three CWE classifications for 2022 are cross-site scripting (XSS), SQL injection, and out-of-bounds write bugs.

RELATED CWE Top 25: These are the most dangerous software weaknesses of 2022

Log4Shell legacy? Patching times plummet for most critical vulnerabilities – report

ODGen tool was presented at this year’s Usenix Security Symposium

ODGen tool was presented at this year’s Usenix Security Symposium

Researchers at Johns Hopkins University have developed a graph-based code analysis tool that can detect a wide range of vulnerabilities in JavaScript programs.

Called ODGen, the tool was presented at this year’s Usenix Security Symposium and addresses some of the challenges that limited the use of graph-based security tools in analyzing JavaScript programs.

The researchers proved the effectiveness of ODGen by applying it to thousands of Node.js libraries, where it discovered 180 zero-day vulnerabilities and received 70 CVEs.

**Graph-based methods**

Graph-based scanners parse source code files to build a graph structure that represents the different properties and execution branches of an application. This graph can then be used to model and find vulnerabilities in the source code.

Graph query-based approaches have proven to be very effective in detecting vulnerabilities in some programming languages. One technique in particular, Code Property Graph (CPG), has proven to be successful in securing C/C++ and PHP code.

**RECOMMENDED** Critical command injection vulnerability discovered in Bitbucket Server and Data Center

Inspired by the success of graph methods – particularly CPG – the researchers at Johns Hopkins University tried to apply them to JavaScript. While there are different tools for finding specific vulnerabilities in JavaScript code, graph-based tools promise to provide a general framework for detecting all kinds of vulnerabilities.

“JavaScript, particularly Node.js, is becoming a vital community with millions of packages these days,” Yinzhi Cao, co-author of the paper and assistant professor of computer science at Johns Hopkins University, told _The Daily Swig_.

“At the same time, many of these NPM packages are less maintained and vulnerabilities are prevalent in the NPM ecosystem. That is why we decided to perform the study to make the ecosystem a safer environment.”

However, their initial findings showed that CPG is not very effective in JavaScript due to the language’s dynamic structure, which makes it much more difficult to parse and analyze object relations and program branches prior to execution.

“CPG does not model detailed object relations including (i) prototype chains and (ii) object-level data flows. Therefore, it is hard to apply CPG to detect JavaScript-specific vulnerabilities, such as Prototype Pollution and Internal Property Tampering. And it is hard to model fine-grained object-level data flows in CPG,” Cao said.

**Object Dependence Graph**

In their paper, the researchers propose Object Dependence Graph (ODG) as a novel method to build graphs from JavaScript code. ODG uses some of the components of CPG, such as Abstract Syntax Trees (AST), and adds features that are specific to JavaScript, including fine-grained data dependency between objects. Accordingly, the researchers created ODGen, a tool for creating and querying ODGs.

“Our proposed ODGen abstractly interprets JavaScript code and generates a so-called Object Dependence Graph to capture such dynamic features including object relations so that a graph query-based approach can easily obtain such information and detect vulnerabilities,” Cao said.

Read more of the latest infosec research news

The researchers designed ODGen to detect vulnerabilities at application and package levels. They tested the tool on 330 documented vulnerabilities that spanned across 16 categories, including cross-site scripting (XSS), server- and client-side request forgery (SSRF/CSRF), SQL injection, prototype pollution, and command injection.

The tool was able to detect 13 types of vulnerabilities with very high accuracy, discovering 302 of the 330 bugs.

They expanded their test by crawling 300,000 NPM packages and applying ODGen with graph queries to detect queries. ODGen reported nearly 3,000 security bugs, of which the researchers verified 264 that belonged to libraries with more than 1,000 weekly downloads. They were able to confirm and report 180 security bugs, many of which were in libraries that are used widely in web applications. Of the discovered vulnerabilities, 70 were assigned CVEs.

ODGen shows how much more needs to be done to secure the open source JavaScript ecosystem and how the adaptation of existing tools can help in developing holistic approaches to securing Node.js libraries.

In the future, Cao said, the team might extend ODGen to other programming languages used in web applications, including PHP and Java.

**YOU MIGHT LIKE** Ethereum Foundation offers $1m bug bounty payouts with proof-of-stake migration multiplier