LFI to RCE via access_log injection

WordPress is the CMS target of choice for cyber crooks


WordPress is the most attacked website content management system (CMS), according to security firm Imperva.

The company's fifth annual Web Application Attack Report said that websites running WordPress were attacked 24 percent more than those running on all other content management systems combined.

The report revealed that WordPress also suffered 60 percent more Cross-Site Scripting incidents than all other CMS-running websites combined.

Produced by the company's Application Defense Centre research team, the report is the result of ADC analysis of a subset of 99 applications protected by Imperva's Web Application Firewalls over a period of nine months from 1 August 2013 to 30 April 2014.

Other key findings include an increase of 10 percent in SQL Injection attacks, as well as an increase of 24 percent in Remote File Inclusion attacks.

In addition, the ADC research team found that attacks have got dramatically longer in duration, lasting 44 percent longer than in the period covered in the fourth annual report.

WordPress has not had the best of luck lately. Earlier this year, over 1,000 legitimate WordPress websites were hijacked by hackers in a bid to connect users to a criminal botnet and force them to unknowingly launch distributed denial of service attacks.

Sucuri, the firm that revealed the hack, said in a blog post that it uncovered the botnet while examining an attack on one of its customers and traced the sources to over 162,000 legitimate WordPress websites.

In June, WordPress joined the Reset the Net campaign to fight against mass surveillance, which also had support from parties including Edward Snowden, Twitter, Reddit, Imgur, Google and Mozilla.


