PHP is an open source, general-purpose scripting language used for web development that can also be embedded into HTML. It has over 9 million users, and is used by many popular tools, such as WordPress, Drupal, Joomla!, and so on. This week, a high-level security update was released to fix a remote code execution vulnerability (CVE-2016-10033) in PHPMailer, which is an open source PHP library for sending emails from PHP websites. This critical vulnerability is caused by class.phpmailer.php incorrectly processing user requests. As a result, remote...
by Zhouyuan Yang  |  Jan 05, 2017  |  Filed in: Security Research
Overview: WooCommerce is an open source e-commerce plugin for WordPress. It is designed for small to large-sized online merchants using WordPress. According to WooCommerce, the plugin now powers over 30% of all online stores running WordPress, with over one million downloads. FortiGuard Labs discovered another Cross-Site Scripting (XSS) vulnerability in WooCommerce. FortiGuard disclosed a different XSS vulnerability in WooCommerce earlier this year, leading Fortinet’s Chris Dawson to ask if it was time to worry about WordPress. As...
by Peixue Li  |  Nov 17, 2015  |  Filed in: Industry Trends
“I want my MTV...” One of the most iconic lines from one of the greatest rock songs of the 80’s, “Money For Nothing”. OK, not just from the 80’s, but of all time. But rock nostalgia aside, this is the line that pops into my head every time I think about redesigning my website. It’s an ancient, outdated piece of garbage, thrown together quickly in Dreamweaver back in the days when people did that sort of thing. And each time I get ready to do something about it, I hear Mark Knopfler’s awesome guitar...
by Chris Dawson  |  May 15, 2015  |  Filed in: Industry Trends
Cross-site scripting (XSS) vulnerabilities have become fairly commonplace in web applications and crop up frequently in content management systems like WordPress and Joomla!. While WordPress is the most popular CMS on the Web, and therefore a popular and potentially lucrative target for hackers, it’s not the only one. Joomla! is the second most popular CMS on the market, running just under 3% of all websites. FortiGuard recently discovered a persistent XSS vulnerability in Joomla!’s top e-commerce extension, VirtueMart, that could allow...
by Alex Harvey  |  May 06, 2015  |  Filed in: Industry Trends
As FortiGuard Labs discloses another WordPress Plugin XSS vulnerability, it’s time to think about CMS security. According to W3Techs, WordPress powers nearly 24% of all websites. There is a reason that it enjoys close to a 61% market share among content management systems: it is incredibly easy to set up and use; it is actively maintained and updated; a huge user community is there for support even if you don’t pay a host or service provider to support it; and the ability to easily customize and extend it with plugins, themes,...
by Chris Dawson  |  Mar 24, 2015  |  Filed in: Security Research
With over 12 million downloads, Photo Gallery is one of the most popular WordPress plugins; users should be sure to upgrade to the latest version. FortiGuard Labs disclosed a vulnerability today in the WordPress Photo Gallery plugin that could potentially be used to gather information from system administrators. Given the plugin's more than 100,000 active installations and its robust photo management and editing tools, this particular cross-site scripting vulnerability has significant security implications across the many retail, media, and other WordPress-driven websites...
by Aamir Lakhani  |  Mar 20, 2015  |  Filed in: Security Research
by Stefanie Hoffman  |  Jun 28, 2014  |  Filed in: Industry Trends
In 1974, a 13-year-old boy named David Dennis discovered that he could lock up a PLATO terminal by making an external request when no external device was present. This prompted David, a student at University High School in Champaign, Illinois, to write a program that could send the request to multiple PLATO terminals at once. He first launched the program on a nearby university computer lab, forcing 31 frustrated students to restart their PLATO terminals. The Denial of Service attack was born. In the early 2000s the attacks used to be spoofed. Over...
by Michael Perna  |  Feb 05, 2014