Message-ID: <CACAgZ507exLA4Zv9MysB7E99-Gg_4xn2wqNAM+ew2MiZhTSP0Q@mail.gmail.com>
Date: Fri, 11 Mar 2016 19:32:49 +0100
From: Steffen Rogge <it.steffen.rogge@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Wordpress Configuration Error on XDA-Developers.com led to full Web-Server Access and shut down website
Hello Subscribers,

As an introduction, I would like to say that this is my first announcement and I am not happy about the way it went.

I am a daily reader of the website XDA-Developers, which mainly announces information about Android devices and mobile trends.

On 07.03.2016 around 10:10 AM I accessed one of their articles and landed on a strange 404 page telling me that
http://www.xda-developers.com/antutu-releases-report-on-current-top-10-smartphone-socs/wp-config.php
could not be found.

As a security-interested guy I tried to access /wp-admin/install.php and voilà, the WordPress first setup page was available.

The vulnerability had to be closed ASAP because of 35.000 users being online at that time, so I created a free MySQL database online and let it run through the setup.

After it was complete, the site was not accessible anymore and the only post shown was the WordPress Hello World post.

With that said, anyone could have used the vulnerability to install WordPress and upload a webshell in less than a minute, deploy another webshell hidden in the web root and dump the user database afterwards or gain access to hidden files.

As I wanted to tell XDA that their site had to be compromised to prevent damage, I tried to contact them through various channels.
Emails to the webmaster, private messages to the site admin and editors, several Twitter posts, but no one was giving any attention to the problem.

The site was back up shortly after, but there was no sign of them announcing that someone had access to their webserver, as if nothing ever happened.

I hope not all the sites which have my data saved are treating it that way, and I am kind of disappointed, because I thought such a popular site would be able to deal with security issues and raise truthful public awareness.

The security issue is fixed by now and I hope they will change their mind when the next incident happens.

Thank you for providing this great mailing list, and another thank you goes to GOLEM.de, which provided me with help on this topic and how to handle it.

*TIMELINE:*
2016-03-07 # 10:10 AM
Vulnerability discovered
2016-03-07 # 10:15 AM
Completed setup to prevent site from further damage
2016-03-07 # 10:24 AM
Contacted webmaster via email address from Google Cache
2016-03-07 # 11:30 AM
Contacted site admin, managing editor and another editor via private messaging system after the site was up again
2016-03-07 # 01:13 PM
Twitter post to website account to inform about security breach, after no response so far
2016-03-08 # 08:13 AM
Email to Golem.de on how to deal with the security issue
2016-03-11 # 05:46 AM
Received email from Golem.de with the advice to publish it here
Still no response (email or news) from XDA-Developers

Regards,
Steffen Rogge
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
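As an added example that is not part of the original post, the following Python script is the kind of check a site operator could run against their own WordPress installation to catch the state described above: it classifies the body served at /wp-admin/install.php (the setup form versus WordPress's "Already Installed" response) and checks that wp-config.php exists in the document root with sane permissions. The marker strings (the weblog_title and dbname form fields, the "Already Installed" heading) are taken from WordPress's installer templates; the sample HTML bodies are constructed for the offline run, and the site URL and docroot are placeholders supplied by the operator.

```python
"""Defender-side monitor for the WordPress "installer exposed" state.

Added example, not code from the original post. Assumptions: a fresh
installer renders a form with a 'weblog_title' field (or, when
wp-config.php is missing and WordPress redirects to setup-config.php,
a 'dbname' field), while an installed site answers "Already Installed".
"""
import os
import stat
import urllib.request
from urllib.parse import urljoin

INSTALL_PATH = "wp-admin/install.php"

# Constructed sample of what an exposed installer looks like (abridged).
SAMPLE_EXPOSED = """<html><head><title>WordPress &rsaquo; Installation</title></head>
<body><form method="post" action="install.php?step=2">
<input name="weblog_title" type="text" />
<input name="user_name" type="text" />
<input name="admin_password" type="password" />
</form></body></html>"""

# Constructed sample of the response from an already installed site.
SAMPLE_INSTALLED = """<html><head><title>WordPress &rsaquo; Error</title></head>
<body><h1>Already Installed</h1>
<p>You appear to have already installed WordPress. To reinstall please
clear your old database tables first.</p></body></html>"""

# Constructed sample of setup-config.php, which WordPress serves (via
# redirect) when wp-config.php itself is missing.
SAMPLE_SETUP_CONFIG = """<html><head><title>WordPress &rsaquo; Setup Configuration File</title></head>
<body><form method="post" action="setup-config.php?step=2">
<input name="dbname" type="text" /><input name="uname" type="text" />
<input name="pwd" type="password" /><input name="dbhost" type="text" />
</form></body></html>"""


def classify_install_page(body: str) -> str:
    """Return 'exposed', 'installed' or 'unknown' for an install.php body."""
    if "Already Installed" in body:
        return "installed"
    exposed_markers = ('name="weblog_title"', 'name="admin_password"', 'name="dbname"')
    if any(marker in body for marker in exposed_markers):
        return "exposed"
    return "unknown"


def fetch_install_page(site_url: str, timeout: float = 10.0) -> str:
    """Fetch /wp-admin/install.php from the operator's own site (follows redirects)."""
    url = urljoin(site_url.rstrip("/") + "/", INSTALL_PATH)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit_config_mode(mode: int) -> list:
    """Findings for the permission bits of wp-config.php (it holds DB credentials)."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("wp-config.php is world-readable")
    if mode & stat.S_IWOTH:
        findings.append("wp-config.php is world-writable")
    return findings


def check_wp_config(docroot: str) -> list:
    """Filesystem-side check: the file must exist, otherwise WordPress serves
    the setup wizard to any visitor; it must also not be readable by others."""
    path = os.path.join(docroot, "wp-config.php")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["wp-config.php is missing: WordPress will offer the setup wizard to any visitor"]
    return audit_config_mode(stat.S_IMODE(st.st_mode))


def assess(install_page_body: str, config_findings: list) -> str:
    """Combine the HTTP-side and filesystem-side signals into one alert level."""
    state = classify_install_page(install_page_body)
    if state == "exposed":
        return "CRITICAL: installer reachable, anyone can complete setup against their own database"
    if config_findings:
        return "WARNING: " + "; ".join(config_findings)
    if state == "installed":
        return "OK"
    return "UNKNOWN: install.php returned unexpected content"


if __name__ == "__main__":
    import sys
    # Usage: python wp_install_monitor.py https://your-site.example /var/www/html
    # (placeholders; without arguments the constructed samples are used)
    site = sys.argv[1] if len(sys.argv) > 1 else None
    docroot = sys.argv[2] if len(sys.argv) > 2 else "."
    body = fetch_install_page(site) if site else SAMPLE_EXPOSED
    print(assess(body, check_wp_config(docroot)))
```

Run on a schedule from the web host, the filesystem check catches a deleted or moved wp-config.php before a visitor does, and the HTTP check confirms from the outside that the installer answers "Already Installed" rather than a form.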