For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and the Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize every security update release here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.
WordPress wp-backup-plus Database Disclosure
Yet another WordPress plugin that leaves its whole database backup in a web-accessible directory, available for anyone to download. This continues to be a problem, and it shows the importance of disabling directory listing: a backup file in a listable directory is found by a single request, and a scanner does not even need to guess the file name.
jQuery-File-Upload ImageTragick RCE
jQuery-File-Upload continues to be mentioned in security update after security update, and we still get Crowdsource submissions on different ways it can be used to exploit a system. This release adds a test for the ImageTragick (ImageMagick) remote code execution path through the upload handler. We are looking forward to a more detailed write-up in the future.
Microsoft Thumbs.db Exposure
It is commonly known that macOS saves a file called .DS_Store in each directory, containing Finder metadata and, in particular, the names of all files in that directory. Because macOS hides that file by default, people commonly upload it to websites by accident when they upload a whole folder, and it then discloses the directory contents even where directory listing is disabled.
Less known, although far from a secret, is that Windows has something similar called Thumbs.db. The file is an OLE2 compound document that stores a thumbnail of every image in the directory, keyed by file name, so a leaked Thumbs.db discloses both the image names and a reduced copy of each image. It gets uploaded by accident in the same way. Read more here: https://github.com/thinkski/vinetto
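The checks described in the directory-listing and Thumbs.db sections above are easy to get wrong in one specific way: many sites answer every request with HTTP 200 and a friendly "not found" page, so a scanner that trusts the status code alone reports phantom .DS_Store and Thumbs.db files. The example below is added here and is not Detectify's scanner code; it shows the shape of a check that avoids that false positive by verifying the magic bytes of each file (`.DS_Store` starts with a 0x00000001 alignment word followed by `Bud1`; Thumbs.db is an OLE2 compound file starting with `D0 CF 11 E0 A1 B1 1A E1`) and by recognising Apache and nginx autoindex pages by their `Index of /` title. The `example.test` host, the directory names and the responses in `SAMPLE_RESPONSES` are constructed for the example; `fetch` is injected so the code runs offline.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Magic bytes. .DS_Store begins with a 4-byte alignment word (0x00000001)
# followed by the "Bud1" tag; Thumbs.db is an OLE2 compound document.
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Title/heading emitted by Apache mod_autoindex and nginx autoindex pages.
INDEX_PATTERNS = (
    re.compile(rb"<title>\s*Index of /", re.I),
    re.compile(rb"<h1>\s*Index of /", re.I),
)

# A fetcher maps a URL to (status code, response body).
Fetcher = Callable[[str], Tuple[int, bytes]]


def looks_like_directory_listing(body: bytes) -> bool:
    """True when the body is an Apache/nginx autoindex page."""
    return any(p.search(body) for p in INDEX_PATTERNS)


def identify_metadata_file(name: str, body: bytes) -> Optional[str]:
    """Return 'ds_store' / 'thumbs_db' only if the magic bytes match.

    A 200 with an HTML body (a soft 404) yields None, not a finding.
    """
    if name == ".DS_Store" and body.startswith(DS_STORE_MAGIC):
        return "ds_store"
    if name.lower() == "thumbs.db" and body.startswith(OLE2_MAGIC):
        return "thumbs_db"
    return None


def scan_directories(base: str, dirs: List[str], fetch: Fetcher) -> List[Dict[str, str]]:
    """Probe each directory for autoindex output and leaked metadata files."""
    findings: List[Dict[str, str]] = []
    for d in dirs:
        d = d if d.endswith("/") else d + "/"
        url = base.rstrip("/") + d
        status, body = fetch(url)
        if status == 200 and looks_like_directory_listing(body):
            findings.append({"url": url, "type": "directory_listing"})
        for fname in (".DS_Store", "Thumbs.db"):
            status, body = fetch(url + fname)
            if status != 200:
                continue
            kind = identify_metadata_file(fname, body)
            if kind:
                findings.append({"url": url + fname, "type": kind})
    return findings


# Constructed responses for the demo (not captured from a real host).
# /images/.DS_Store is a soft 404: HTTP 200 with an HTML "not found" body.
SAMPLE_RESPONSES: Dict[str, Tuple[int, bytes]] = {
    "https://example.test/uploads/": (200, b"<html><head><title>Index of /uploads</title></head>"
                                           b"<body><h1>Index of /uploads</h1><a href=\"db-backup.sql\">db-backup.sql</a></body></html>"),
    "https://example.test/uploads/.DS_Store": (200, DS_STORE_MAGIC + b"\x00" * 16),
    "https://example.test/uploads/Thumbs.db": (404, b"Not Found"),
    "https://example.test/images/": (403, b"Forbidden"),
    "https://example.test/images/.DS_Store": (200, b"<html><body>Sorry, page not found</body></html>"),
    "https://example.test/images/Thumbs.db": (200, OLE2_MAGIC + b"\x00" * 16),
}


def fake_fetch(url: str) -> Tuple[int, bytes]:
    """Offline stand-in for an HTTP client; unknown URLs return 404."""
    return SAMPLE_RESPONSES.get(url, (404, b""))


def demo() -> List[Dict[str, str]]:
    return scan_directories("https://example.test", ["/uploads", "/images/"], fake_fetch)


if __name__ == "__main__":
    for f in demo():
        print(f["type"], f["url"])
```

Run against the constructed responses, the scan reports the listable `/uploads/` directory, its genuine `.DS_Store`, and the `Thumbs.db` under `/images/`, but not the soft-404 `/images/.DS_Store`. On the defensive side, the directory-listing finding is closed by `Options -Indexes` in Apache or `autoindex off;` in nginx, and a deployment step that deletes `.DS_Store` and `Thumbs.db` before publishing (or denies them in the web server) closes the other two.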
Apache Struts
This release our own security researchers spent some time fiddling around with Struts, implementing tests for a large number of existing, publicly known vulnerabilities and ensuring that all the tests work as they should.
Questions or comments on our latest security updates? Let us know in the section below.
Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!