The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0585: Updates.php in all-in-one-seo-pack/tags/4.2.9/app/Common/Main – WordPress Plugin Repository

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 24 February 2023 at 13:09 UTC  
Updated: 24 February 2023 at 13:15 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward.

The social media site historically enabled two-factor authentication (2FA) to all users, providing they connected their mobile phone number to their account.

This week, however, users were warned that this security option would no longer be available to users who did not pay for verification.

Of course, this sparked huge backlash online, particularly among the majority of those with non-paid accounts.

It’s worth noting, though, that users can still use 2FA with third-party authentication apps such as Google Authenticate.

Want the latest web security news straight to your inbox? Sign up to our newsletter here

Elsewhere, web hosting provider GoDaddy announced it had fallen victim to a cyber-attack… and this was part of a campaign lasting almost three years.

The company announced in a statement that it had evidence of an intrusion that took place back in December 2022, when “a small number of customers” complained about their websites being intermittently redirected.

In a filing to the US Securities and Exchange Commission (PDF), the American domain registrar also divulged that it had evidence this attack was linked to an earlier incident in March 2020, when an attacker “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel”.

GoDaddy says it believes these attacks, together with a 2021 compromise of its hosted WordPress service, “are part of a multi-year campaign by a sophisticated threat actor group”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

Finally, the maintainers of newly resurfaced tool XSS Hunter announced the introduction of optional end-to-end (e2e) encryption to its fork after a backlash from privacy-conscious users.

Truffle Security, which launched a new fork of the open source utility after its deprecation by original creator Matthew Bryant, were criticized earlier this month for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

As reported by The Daily Swig, users have now been reassured that e2e encryption has been added to the fork in a statement given by Truffle Security’s founder.

We also recently reported that Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, and how Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   FortiNAC / Critical / Unauthenticated RCE / An external control of file name or path in certain Fortinet FortiNAC versions allow attackers to execute unauthorized code / Patched and disclosed February 16
*   Node.js / Medium / CLRF injection / The fetch API in Node.js did not prevent CRLF injection in the host header potentially allowing attacks such as HTTP response splitting and HTTP header injection / Patched and disclosed February 16
*   Node.js / High / Permissions policies bypass / Non-authorized modules potentially accessible via / Patched and disclosed February 16
*   Kardex MLOG / Severity TBC / RCE / SSTI to RCE due to sanitization issue on industrial web interface / Patched January 24, disclosed February 7
*   Apache Kerby / LDAP injection / Vulnerability exists in / Patched and disclosed February 20

**Research and attack techniques**

*   PortSwigger’s\* Gareth Heyes demonstrated how to detect server-side prototype pollution without causing denial-of-service at AppSec Dublin conference earlier this month.
*   Researchers from CyberXplore detailed how they hacked GitHub for a whole month, resulting in the finding of six vulnerabilities, which are detailed in this blog post.
*   Software engineer Matt Frisbie built a purposely-malicious Google Chrome extension that steals as much data as possible to demonstrate what users could expose themselves to if they aren’t careful with what they install.

A security researcher has praised the merits of hacking on Apple’s bug bounty program

**Bug bounty/vulnerability disclosure**

*   A write-up from security researcher Omar Hashem, who fully took over a HubSpot account, details his failures on the path to exploitation. Research is inherently about trial and error, yet few write ups shared online talk about the things that didn’t work.
*   A researcher calling themselves ‘infiltrateops’ shared details on how they were awarded a decent payout from Apple and lauded the response from its security team.
*   Google released a review of all of the bugs found in its vulnerability reward program in 2022, revealing it fixed more than 2,900 issues in that year alone.

**New open source security tools**

*   Legitify, a tool for detecting and remediating security issues across GitHub and GitLab assets, added support for GPT-based misconfiguration scanning.
*   GuardDog, a tool used to identify malicious Python packages using Semgrep and package metadata analysis, has been updated to provide npm support, new heuristics, and easier CI integration.

\*PortSwigger is the parent company of The Daily Swig.

PREVIOUS EDITION Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

**Apache Airflow Google Provider Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

GHSA-8g23-2q5p-8866: Apache Airflow Google Provider Improper Input Validation vulnerability

GHSA-h8p2-8g72-qpgh: Apache Airflow Google Provider Improper Input Validation vulnerability

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2023-25691

CVE-2023-25692

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 17 and Feb. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed...

Threat Round up for February 17 to February 24

An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information.
The study, conducted by the Mozilla Foundation as part of its *Privacy Not Included initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free

An investigation into data safety labels for Android apps available on the Google Play Store has uncovered "serious loopholes" that allow apps to provide misleading or outright false information.

The study, conducted by the Mozilla Foundation as part of its \*Privacy Not Included initiative, compared the privacy policies and labels of the 20 most popular paid apps and the 20 most popular free apps on the app marketplace.

It found that, in roughly 80% of the apps reviewed, "the labels were false or misleading based on discrepancies between the apps' privacy policies and the information apps self-reported on Google's Data safety form."

"The apps aren't self-reporting accurately enough to give the public any meaningful reassurance about the safety and privacy of their data," Mozilla further said, adding consumers are being led to "believe these apps are doing a better job protecting their privacy than they are."

Three of the apps – UC Browser - Safe, Fast, Private; League of Stickman Acti; and Terraria – did not have their Data safety sections filled at all. A mere 6 of the 40 apps received an "OK" grade.

Last year, Google began rolling out a new Data safety section on the Play Store that spells out the apps' privacy and security practices. It's also the company's answer to Apple's app privacy labels that came into effect in December 2020.

However, there are some crucial differences. Apple's labels emphasize on what data is being collected, including those that are collected for tracking purposes as well as information that's linked to the users.

Google's labels, on the other hand, allows developers to provide more context as to why such a data collection may be required and the security principles that are used to safeguard the information.

That said, both systems rely on developers to be transparent about how their apps use data. While Apple has instituted routine checks to ensure that the labels don't provide a false sense of security, Google leaves developers to make "complete and accurate declarations."

Now according to Mozilla, these self-reported labels may not be an accurate representation of an app's data-gathering policies, calling into question the effectiveness of such a framework in enhancing privacy transparency and enabling users to make informed decisions.

"For example, Google exempts apps sharing data with 'service providers' from its disclosure requirements, which is problematic due to both the narrow definition it uses for service providers and the large amount of consumer data involved," Mozilla said.

To that end, Mozilla refutes Snapchat, TikTok and Twitter's claims that their apps don't "share user data with other companies or organizations," stating that the apps' privacy policies explicitly mention sharing user information with advertisers and internet service providers, among others.

It's worth pointing out here that apps can be exempted from disclosing data sharing provided they have sought users' consent, if the data is being shared with a developer's service provider, or if the data is fully anonymized.

The American non-profit is also recommending Apple and Google to adopt a universal nutrition labeling standard, alongside urging the tech giants to "explain their enforcement action against apps that don't comply and take some responsibility for ensuring the accuracy of the information apps report."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Majority of Android Apps on Google Play Store Provide Misleading Data Safety Labels

At the inaugural CloudNativeSecurityCon, DevSecOps practitioners discussed how to shore up the software supply chain.

At the recent CloudNativeSecurityCon in Seattle, 800 DevSecOps practitioners gathered to address a myriad of software supply chain security issues, including the security of container images and the impact of zero trust on the software supply chain.

As of last year, there were 7.1 million cloud-native developers, 51% more than the 4.7 million 12 months earlier, Cloud Native Computing Foundation executive director Priyanka Sharma said in the opening keynote. "Everyone is becoming a cloud-native developer," Sharma said.

However, this rapid shift to cloud-native development can be a source of concern, since the rapid release cycles may lead to organizations not following secure lifecycle development (SDLC) practices, Sharma warned. Snyk's 2022 State of Cloud Security report found that 77% of organizations acknowledged that they have poor training and lack effective collaboration among developers and security teams.

"There are siloed teams often working in separate countries, time zones, using different tools, policy frameworks," Sharma said. "In the cloud-native environment, we are interacting with so many other entities. Throw in a lack of security policy, and there's the recipe for your security breach."

The lack of security policies is fueling an increase in vulnerabilities due to misconfigurations. An alarming 87% of container images running in production have critical or high-severity vulnerabilities, up from 75% a year ago, according to the Sysdig 2023 Cloud-Native Security and Usage Report. Yet only 15% of those unpatched critical and high vulnerabilities are in packages that are in use at runtime where a patch is available.

Sysdig's findings are based on telemetry gathered from thousands of its customers' cloud accounts, amounting to billions of containers. The high percentage of critical or high-severity vulnerabilities in containers is the outgrowth of the rush by organizations to deploy modern cloud applications. The push has created an influx of software developers moving to the more agile continuous integration continuous development (CI/CD) programming model.

Sysdig's report recommended filtering to isolate only the critical and highly vulnerable packages in use in order to focus on packages that present the most risk. Further, only 2% of the vulnerabilities are exploitable. "By looking at what has in use exposure, that is what is actually in use at runtime, and having the fix available will help teams prioritize," Sysdig threat researcher Crystal Morin wrote in the report.

**5 Elements of Zero Trust Implementation**

Sharma pointed to last year's Cost of a Data Breach report from IBM and Ponemon Institute, which showed that 79% of organizations have not moved to a zero-trust environment. "That is really not good," Sharma said. "Because almost 20% of breaches are occurring because of a compromise at a business partner. And keep in mind that almost half the breaches that occur are cloud-based."

A key barrier to instituting zero trust is environments where permissions are not under control. According to the Sysdig report, 90% of permissions granted are not used, creating an easy path for stealing credentials. According to the report, "teams need to enforce least privilege access, and that requires an understanding of which permissions are actually in use."

Zack Butcher, founding engineer at Tetrate and an early engineer on Google's service mesh project Istio, said creating a zero-trust environment isn't that complicated. "Zero trust itself isn't a mystery," Butcher told attendees. "There's a lot of FUD \[fear, uncertainty, and doubt\] around what zero trust is. It's fundamentally two things: people process and runtime controls that answer and mitigate the question, 'what if the attacker is already inside that network?'"

Butcher identified five policy checks that would make up a zero-trust system:

1.  Encryption in transit to ensure messages can't be eavesdropped
2.  Service level identity to enable authentication at runtime, ideally a cryptographic identity
3.  The ability to use those identities to be able to perform runtime service-service authorization to control which workloads can talk to each other
4.  Authenticating the end user in session
5.  A model that authorizes the actions users are taking on resources in the system

Butcher noted that while these are not new, there is now an effort to create an identity-based segmentation standard with the National Institute of Standards and Technology (NIST). "If you look at things like API gateways and ingress gateways, we do these checks usually," he said. "But we need to be doing them, not just at the front door, but every single hop in our infrastructure. Every single time anything is communicating, we need to be applying, at minimum, these five checks."

**NIST Standard Coming Up**

During a breakout session, Butcher and NIST computer scientist Ramaswamy "Mouli" Chandramouli explained the five controls and how they fit into a zero-trust architecture. Tools such as a service mesh can help implement many of those controls, Butcher said.

The presentation is an outline for a proposal that will be presented as NIST SP 800-207A: A Zero Trust Architecture (ZTA) Model for Access Control in Cloud Native Applications in Multi-Location Environments. "We expect to have this out for initial public review sometime in June," Butcher said.

Butcher said supply chain security is a critical component of a zero-trust architecture. "If we can't inventory and attest what's running in our infrastructure, we leave a gap for attackers to exploit," he said. "Zero trust as a philosophy is all about mitigating what an attacker can do if they are in the network. The goal is bounding their attack in space and time, and controlling the applications that execute in that infrastructure is a key element of bounding the space an attacker has to work with."

87% of Container Images in Production Have Critical or High-Severity Vulnerabilities

An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.

Updates are now available for the v19.x, v18.x, v16.x, and v14.x Node.js release lines for the following issues.

This security release includes OpenSSL security updates as outlined in the recent OpenSSL security advisory.

Impacts:

*   All versions of the 19.x, 18.x, 16.x, and 14.x release lines.

**Node.js Permissions policies can be bypassed via process.mainModule (High) (CVE-2023-23918)**

It was possible to bypass Permissions and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy.

Thank you, to @goums for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

Impacts:

*   All versions of the 19.x, 18.x, 16.x, and 14.x release lines.

**Node.js OpenSSL error handling issues in nodejs crypto library (Medium) (CVE-2023-23919)**

In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service.

Thank you, to Morgan Jones and Ryan Dorrity from Viasat Secure Mobile for reporting and discovering this vulnerability and thank you Rafael Gonzaga for fixing it.

Impacts:

*   Versions of < 19.2.0 and lower of the 19.x release line and all versions of the 18.x, and 16.x release lines.

The fetch API in Node.js did not prevent CRLF injection in the 'host' header potentially allowing attacks such as HTTP response splitting and HTTP header injection.

Thank you, to Zhipeng Zhang (@timon8) for reporting this vulnerability and thank you Robert Nagy for fixing it.

Impacts:

*   All versions of the 19.x, 18.x and 16.x release lines.

The Headers.set() and Headers.append() methods in the fetch API in Node.js were vulnerable to a Regular Expression Denial of Service (ReDoS) attacks.

Thank you, to Carter Snook for reporting this vulnerability and thank you Rich Trott for fixing it.

Impacts:

*   All versions of the 19.x, 18.x, and 16.x release lines.

Node.js would search and potentially load ICU data when running with elevated priviledges. Node.js was modified to build with ICU_NO_USER_DATA_OVERRIDE to avoid this.

Thank you, to Ben Noordhuis for reporting this vulnerability and thank you Rafael Gonzaga for fixing it.

Impacts:

*   All versions of the 19.x, 18.x, 16.x, and 14.x release lines.

This security release also includes an npm update for Node.js 14 to address a number of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You can get more details for the individual CVEs in nodejs-dependency-vuln-assessments.

Impacts:

*   All versions 14.x release lines.

**Downloads and release details**

Thanks to Rafael Gonzaga and Richard Lau for their work on the releases.

*   Node.js v14.21.3 (LTS)
*   Node.js v16.19.1 (LTS)
*   Node.js v18.14.1 (LTS)
*   Node.js v19.6.1 (Current)

The Node.js project is delaying the planned security releases until Thursday February 16 2023 due to the need for additional testing and validation.

The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address:

*   2 low severity issues.
*   2 medium severity issues.
*   1 high severity issues.
*   OpenSSL security updates for which the highest vulnerability severity is high. You can read more about this update in the OpenSSL security advisory.

The 19.x release line of Node.js is vulnerable to 2 low severity issues, 2 medium severity issues and 1 high severity issue and the OpenSSL vulnerabilities.

The 18.x release line of Node.js is vulnerable to 2 low severity issues, 2 medium severity issues and 1 high severity issue and the OpenSSL vulnerabilities.

The 16.x release line of Node.js is vulnerable to 2 low severity issues, 2 medium severity issues, and 1 high severity issue and the OpenSSL vulnerabilities.

The 14.x release line of Node.js is vulnerable to 1 low severity issue, and 1 high severity issue and the OpenSSL vulnerabilities.

Releases will be available on, or shortly after, Tuesday February 14 2023.

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

Tag

#google