The NextGEN Gallery WordPress plugin is vulnerable to SQL injection and has been installed more than 1 million times.

Specialists at Sucuri audit various open-source projects in order to find vulnerabilities and add them to the Sucuri Firewall database. It was during one such routine analysis that the experts came across the popular NextGEN Gallery WordPress plugin, which has more than one million active installations. According to its developers, the plugin is the most popular gallery option for WordPress, with a total download count exceeding 16.5 million. The plugin is so successful that there are plugins for the plugin itself.

The Sucuri researchers found that NextGEN Gallery suffers from a number of problems. The most dangerous of them appears when the site owner enables the NextGEN Basic TagCloud Gallery option in the plugin settings. This feature lets the site administrator assign tags to images and show visitors galleries in which navigation and grouping of images are done by tag.

The researchers write that the plugin handles user input incorrectly, as if the user input were placed directly inside a raw SQL query. As a result, an attacker can modify the parameters of a link so that NextGEN Gallery performs the actions the attacker wants. According to the Sucuri analysts, under certain circumstances this vulnerability can lead to the leakage of hashed passwords and secret keys.

There are two possible exploitation scenarios for this problem. The first involves using the tag gallery shortcodes, but it requires the privileges of an authenticated user. The attack will work if the site has open registration and allows users to add content. The second approach involves accessing the NextGEN Basic TagCloud tags, which can be done by modifying the URL of a gallery (if one already exists on the site). In the end, the researchers rated this vulnerability nine on a ten-point scale, since exploiting the problem requires no deep expertise at all.
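The bug class described above, a tag value from the request spliced into SQL text, can be shown in a few lines. The following is an added illustration written for this page, not NextGEN Gallery's code: it builds a constructed in-memory SQLite database with a picture table and a user table, shows the concatenated query beside the parameterized one, and adds a simple allowlist check of the kind a plugin or WAF rule would apply to a tag parameter before it reaches the database. The table and column names, the sample rows and the hash value are all made up.

```python
import re
import sqlite3

# Constructed sample data: pictures grouped by tag, plus a table holding
# sensitive data, to show what a tag parameter reaching raw SQL can expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pictures (pid INTEGER PRIMARY KEY, filename TEXT, tag TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO pictures VALUES (1, 'beach.jpg', 'summer'),
                                    (2, 'snow.jpg',  'winter'),
                                    (3, 'lake.jpg',  'summer');
        INSERT INTO users VALUES (1, 'admin', '$P$BexampleHashValue000000000000000');
    """)
    return conn


def pictures_by_tag_vulnerable(conn, tag):
    # Anti-pattern: the request parameter becomes part of the SQL text,
    # so a quote in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT filename FROM pictures WHERE tag = '%s'" % tag
    return sorted(row[0] for row in conn.execute(sql))


def pictures_by_tag_safe(conn, tag):
    # Fix: bind the value as a parameter; the driver treats it purely as data.
    # (In WordPress code the equivalent is $wpdb->prepare with placeholders.)
    sql = "SELECT filename FROM pictures WHERE tag = ?"
    return sorted(row[0] for row in conn.execute(sql, (tag,)))


# Defensive input check: a tag is a short token of letters, digits, spaces,
# hyphens and underscores. Anything else (quotes, comment markers, semicolons)
# is rejected before a query is built, and is worth logging as a probe.
TAG_RE = re.compile(r"[\w\- ]{1,64}")

def validate_tag(tag):
    return TAG_RE.fullmatch(tag) is not None


if __name__ == "__main__":
    db = make_db()
    print(pictures_by_tag_safe(db, "summer"))          # ['beach.jpg', 'lake.jpg']
    hostile = "summer' UNION SELECT pass_hash FROM users --"
    print(validate_tag(hostile))                      # False
    print(pictures_by_tag_safe(db, hostile))          # []
    print(pictures_by_tag_vulnerable(db, hostile))    # hash appears alongside filenames
```

The safe variant returns nothing for the hostile value because the whole string is compared against the tag column as data, while the concatenated variant lets the same string rewrite the query. The allowlist check is a second layer, not a replacement for parameterization: the query must be safe even when the check is bypassed or forgotten.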

The NextGEN Gallery developers have already released a patch in the form of a new plugin version (2.1.79). In the changelog, however, the fix is accompanied only by the vague comment "Adjusted display of tags". The developers chose to "modestly" say nothing about the critical vulnerability.

Source: xakep.ru

