Our web honeypots picked up some interesting attack traffic. The initial web application attack vector (PHP-CGI vulnerability) is not new, but the malware payload is. We wanted to get this information out to the community quickly due to the following combined threat elements -
A local file inclusion vulnerability in the WordPress Slider Revolution Plugin has been released:
If you are heading out to Black Hat USA 2014 in Las Vegas this week, please stop by the Arsenal Tools area on Thursday morning to see live demonstrations of ModSecurity's advanced features.
There are news reports of new WordPress XML-RPC brute force attacks being seen in the wild. The SANS Internet Storm Center also has a Diary entry showing similar data. We have captured similar attacks in our web honeypots so we wanted to share more data with the community. Please reference earlier blog posts we have done related to WordPress:
Thanks go to my SpiderLabs Research colleague Robert Rowley for help in validating data for this blog post.
Our web honeypots picked up some increased scanning/exploit activity for the following file upload vulnerability in Open Flash Charts -
Since the number of applications that accept JSON input is growing, it is natural to expect that JSON will also be used to transport web application attack payloads. This leads to the next logical question with regard to defense: Can your Web Application Firewall (WAF) understand JSON? These different web technologies are similar to verbal languages and WAFs need to be multi-lingual to correctly identify attacks and minimize false positives. It is for this reason that we have added JSON support to ModSecurity.
The ModSecurity Project team is pleased to announce the availability of v2.8.0. To see the full release notes or download the source packages, see the ModSecurity GitHub project release tab:
Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability.