Mod_Security JSON Audit Logs, Revisited

Last year I took a look at generating Mod_Security audit logs as JSON data, rather than the module’s native format (which is… err… difficult to parse). My initial approach was incomplete, needlessly introduced additional dependencies, and leaked like a sieve; I ended up abandoning this to work on FreeWAF. Some new use uses came up that would benefit from more structured Mod_Security audit logs, so I’ve revamped a patch to emit JSON data using a more sane approach.

Continue reading

FL3R User Agent Comments – Unauthenticated Injection into Posts and Dashboard

The plugin FL3R User Agent Comments is vulnerable to a stored XSS attack that allows for arbitrary Javascript execution in the context of the admin dashboard, as well as injection into any page which displays comments.

Continue reading

Building OpenResty with PCRE JIT

I’ve made some quick notes about this before, but I actually managed to forget the correct flags to make everything go zoom last night while doing some testing, so I’m writing a quick walkthrough for properly building in JIT support into OpenResty’s ngx.re.* calls.

Continue reading

FreeWAF – Updates and New Features

January tends to be a pretty quiet month in the admin/operations world. Most people are still coming back from holiday, new yearly plans are being made, meetings are held, and the server monkeys… sit and watch the graphs scroll by. The rest of the world’s gradual return to work means the start of a seasonal upswing, but we’re still in a relatively low point, so that generally means a light workload. That extra free time has given me a chance to put in a good chunk of work towards FreeWAF, cleaning up code, adding new features, and interacting with a total stranger (score!). I’ve just tagged a new release, v0.4, which provides a handful of new features that were sorely missing:

Continue reading

Fancybox for WordPress – Zero Day and Broken Patch

A malicious iframe has been making its rounds due to a broken non-existent security check in the admin section of the Fancybox for WordPress plugin. Samples of affected sites indicate the vulnerability is being used to initiate a drive-by download targeting MSIE browsers (potentially targeting a recently-announced unpatched IE exploit?). The plugin exploit vector results from poor handling of unauthenticated requests to the plugin’s admin options page (taken from fancybox.php):

Continue reading

Fake Googlebot WordPress Login Bruteforce

… sigh.

A few hours ago we started seeing an interesting trend. A highly distributed set of clients is attempting to authenticate to WordPress sites using a very distinct pattern. Captures and initial analysis below.

Continue reading

Graveyard Tarpittin’

One of the advantages of having a rotating graveyard schedule (two weeks of 10 PM shifts, followed by two months of normal living) is that quiet nights allow for copious amounts of time to muck around on the Internet. One topic that’s piqued my interest over the last few days is tarpitting. Purposefully delaying responses seems a little more interesting than strictly rate limiting; it’s a little more of a retaliatory attitude, without causing any damage at the other end of the connection. Most of the writing I’ve found related to the idea is focused on lower-layer implementation (e.g. the TARPIT iptables module) or SMTP, so I decided to roll my own for HTTP services.

Continue reading