As part of a vulnerability research project Sucuri, have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, they discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.
This vulnerability can be exploited by attackers in at least two different scenarios:
- If you use a NextGEN Basic TagCloud Gallery on your site, or
- If you allow your users to submit posts to be reviewed (contributors).
This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query; which is basically the same as adding user input inside a raw SQL query.
Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys in certain configurations.
The golden rule is “never trust the input”. This leads to better security and safe customers.
In every scenario the developer must ask a few simple questions:
- Is this input safe enough?
- Is it sanitized?
- Do we follow any framework-specific rules and best practices?
WordPress uses the PHP vsprintf function in order to prepare SQL statements in $wpdb->prepare(); which means that the SQL statement uses a format string and the input values as its arguments.
The conclusion is that’s never a good idea to supply user input in the format string because it may not be sanitized against characters that could create valid arbitrary sprintf/printf directives.
More infos can you find here: SQL Injection Vulnerability in NextGEN Gallery for WordPress
Wordfence published today an interesting report: the WordPress Attack Activity Report.
This new of a kind report shows the attack data for the previous month from the 1st to the end of the month and provides an analysis on the attack activity targeting WordPress websites.
The report includes a table that lists the most active attack IPs for December 2016. Ukraine still owns the top spot. Ukraine absolutely dominates the report. Out of 25 top IPs 13 are based in Ukraine.
Enjoy the rest of the report here: https://www.wordfence.com/blog/2017/01/december-2016-wordpress-attack-activity-report/
WHAT’S TRENDING IN TYPE
Typewolf is the absolute best resource available for everything related to typography on the web.
Typewolf is an independent site that features typefaces from all type foundries regardless of where the fonts can be purchased.
A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski.
The vulnerability was announced on legalhackers.com yesterday but proof of concept exploit details were not included.
Unfortunately someone posted a proof of concept to exploit-db and to github demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.
the digital agency – https://aerolab.co
What’s new for XD on mobile?
- Browse and open XD documents saved in Creative Cloud Files
- View XD documents even when you’re offline
- Browse all artboards in an XD document
- Turn hotspot hints on or off
- Share the current screen as an image
Read it here: December update of Adobe Experience Design CC
This month’s big news is that the first public beta for Adobe XD for Windows 10 is ready for you. More here: Windows release.
There are many plugins available for PS users, but in this article you can find the best of those that you can download and use straight away.
Source: The 42 best Photoshop plugins
Here is the list
- Google Nik Collection
- Getty Images
- Fixel Contrastica 2
- Perfect Resize 9.5
- B&W Effects
- Kubota Texture Tools Industrial
- Page Curl
- PSD Cleaner
The rest later…
Becoming a Virtual Reality Designer: Lessons from a VR intern at Facebook
- Lesson #1 : Create your own curriculum
- Lesson #2 : Put it on your face
- Lesson #3: Choose your platform
- Lesson #4: Learn the terminology
- Lesson #5: Lean into your strengths
Source: Becoming a Virtual Reality Designer