WordPress Issues Emergency Patch for SQL Injection Vulnerability

WordPress announced the security release of version 4.8.3 this week to patch a vulnerability to website takeover through an SQL injection attack.

The Halloween fright, CVE-2017-14723, was discovered and reported to the bug bounty program in September by researcher Anthony Ferrara.

While WordPress core itself is not affected, according to the release announcement, the new version hardens core to protect sites from attacks that arrive via plugins and themes. In version 4.8.2 and earlier, “$wpdb->prepare() can create unexpected and unsafe queries,” allowing potential SQL injection. The new release changes the behavior of the esc_sql() function, a change WordPress says will not affect most developers.
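As an added illustration (not code from the WordPress release, from core, or from Ferrara's report), the PHP below contrasts the pattern behind the release note, user-influenced text concatenated into the format string of `$wpdb->prepare()`, with the hardened form in which the template is a literal and every value is bound through a placeholder. The function names `find_posts_by_title_risky` and `find_posts_by_title_safe` are invented for the example; it assumes it runs inside WordPress, where the global `$wpdb` object and its documented `prepare()`, `esc_like()` and `get_col()` methods exist. The page describes the 4.8.3 change to `esc_sql()` only in general terms, so the comments explain the risk of the pattern rather than the patched internals.

```php
<?php
// Added example, not WordPress core or plugin code. Assumes a WordPress
// runtime: global $wpdb with prepare(), esc_like(), get_col() and the
// $wpdb->posts table name (all documented WordPress APIs).

/**
 * RISKY PATTERN (what the 4.8.3 release hardens against).
 *
 * $wpdb->prepare() parses its FIRST argument as a template and looks for
 * %s / %d / %f placeholders. Here the search term, even though it went
 * through esc_sql(), is pasted into that template. esc_sql() escapes quotes
 * for MySQL; it does not make text safe to be *parsed* by prepare(), so any
 * '%' sequences in the term are interpreted as part of the query template
 * instead of being treated as data. The '%' LIKE wildcards around it show
 * how easily literal percent signs end up in the template.
 */
function find_posts_by_title_risky( $term ) {
    global $wpdb;

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} "
        . "WHERE post_title LIKE '%" . esc_sql( $term ) . "%' "
        . "AND post_status = %s",
        'publish'
    );

    return $wpdb->get_col( $sql );
}

/**
 * HARDENED PATTERN.
 *
 * The template is a constant string; nothing user-controlled can reach it.
 * The search term is bound through %s, and $wpdb->esc_like() neutralises
 * the LIKE metacharacters (%, _) in the value BEFORE the wildcards are added,
 * so the only wildcards that survive are the two we intend.
 */
function find_posts_by_title_safe( $term ) {
    global $wpdb;

    $pattern = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} "
        . "WHERE post_title LIKE %s AND post_status = %s",
        $pattern,   // bound as data: prepare() quotes and escapes it
        'publish'
    );

    return $wpdb->get_col( $sql );
}
```

When auditing a plugin or theme for this class of bug, the check is mechanical: the first argument to `$wpdb->prepare()` should be a string literal (table-name interpolation such as `{$wpdb->posts}` aside), and any value derived from a request, an option, or post meta should appear only in the argument list after it. Passing the output of `esc_sql()` back into a template is the specific combination the release note calls out as producing "unexpected and unsafe queries" in 4.8.2 and earlier.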

The vulnerability traces back to version 4.8.1, but Ferrara says the fix WordPress shipped in version 4.8.2 dealt with only “a narrow subset of the potential exploits.” According to Ferrara, 4.8.2 not only failed to solve the problem but also broke many sites and over a million lines of third-party code. He reported the bug the day after the release of 4.8.2, but WordPress closed his report on the grounds that “non documented functionality is non documented.”

Several messages back and forth followed before Ferrara threatened, on Oct. 16, to publicly report the vulnerability on the 19th. WordPress convinced Ferrara to hold off, but on Oct. 20 he again threatened to take the issue public, this time on the 25th. Ferrara writes in his report of the disclosure process that the WP security team told him, “[o]ne of our struggles here, as it often is in security, is how to secure things while also breaking as little as possible.”

On the 27th, it seems another member of the WordPress team became involved, and Ferrara finally received the responses he was looking for. He acknowledged in his account of the incident the challenges facing the volunteer team dealing with the issue.

“The miss IMHO isn’t that a team of volunteers isn’t living up to my expectations, but that a platform that powers 25%+ of the Internet (or at least CMS-powered-Internet) isn’t staffed with full time security personnel,” he wrote. “Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems…”

WordPress, for its part, thanked Ferrara for practicing responsible disclosure.

Source: TheWHIR

Malaysian Web Hosting Firm Exabytes Acquires HT Internet to Grow Managed Services

Malaysian web hosting provider Exabytes Group has acquired domains and web hosting company HT Internet, Telecompaper reports. The deal will allow Exabytes to branch into e-commerce and offer fully managed website and e-commerce services to its current client base of 75,000 customers and 200,000 websites. Financial details of the acquisition were not disclosed.

Exabytes will take over HT Internet’s Grow, DomainPlus, and other brands, and integrate the company’s team with its own, according to Telecompaper. The companies will share back-end resources, and the HT team will focus on growing the managed services business.

See also: Exabytes Acquires Singapore Cloud Hosting Provider Signetique

Growth in online services in emerging markets like Malaysia, and continued momentum in markets like Singapore, will contribute to Asia Pacific making up a larger share of the colocation data center market than North America by 2020, according to Structure Research.

The Malaysian government has made efforts to boost adoption of new technologies in the country, and Frost & Sullivan research found Malaysia’s IT market growing at a rate of roughly 9.5 percent (CAGR) from 2013 to 2017. Malaysia is also Southeast Asia’s largest e-commerce market, with $2.3 billion in revenues in 2015.

HT Internet was founded in 2011, and manages over 5,000 domain names. The company also offers website development, and online marketing and advertising services.

Exabytes, which was founded in 2001, is already piloting a fully managed website service in Malaysia, and Telecompaper reports it has plans to expand it to other markets, including Singapore and Indonesia.

Source: TheWHIR

AWS Takes Down Hundreds of Sites in Massive S3 Outage

Availability issues with the US-EAST-1 region of AWS’ S3 storage service caused downtime or slow performance for many websites on Tuesday.

Affected sites include Airbnb, Business Insider, Chef, Docker, Expedia, Heroku, Mailchimp, News Corp, Pantheon, Pinterest, Slack, and Trello, as well as parts of AWS’ own site and, ironically, isitdownrightnow.com and Down Detector, VentureBeat reports.

AWS acknowledged the issues before 7:30 a.m. Pacific, saying it was investigating. Shortly after 10:30 a.m. Pacific, the company updated the statement on its status page.

“We’re continuing to work to remediate the availability issues for Amazon S3 in US-EAST-1. AWS services and customer applications depending on S3 will continue to experience high error rates as we are actively working to remediate the errors in Amazon S3,” AWS service health dashboard said.

An hour later, AWS updated the message: “We continue to experience high error rates with S3 in US-EAST-1, which is impacting various AWS services. We are working hard at repairing S3, believe we understand root cause, and are working on implementing what we believe will remediate the issue.”

AWS suffered a service disruption lasting over five hours in 2015, Google App Engine was down for nearly 2 hours in August, and problems at Telia Carrier affected many popular sites and services in June of last year.

Source: TheWHIR