Magento 18.104.22.168 is now available via Softaculous. This release includes security patch SUPEE-6285 and it is strongly recommended to update your sites immediately.
You can refer to the following guide on how to upgrade your installations:
Details of the security patch are listed below:
SUPEE-6285 Patch Bundle
Date of Release: 07/07/2015
This bundle includes protection against the following security-related issues:
- Customer Information Leak via RSS and Privilege Escalation
- Request Forgery in Magento Connect Leads to Code Execution
- Cross-site Scripting in Wishlist
- Cross-site Scripting in Cart
- Store Path Disclosure
- Permissions on Log Files too Broad
- Cross-site Scripting in Admin
- Cross-site Scripting in Orders RSS
Source: http://docs.magento.com
The WordPress team has released WordPress 3.6.1, a maintenance and security release.
WordPress 3.6.1 is also a security release for all previous WordPress versions, and it is strongly recommended that you update your sites.
WordPress has been updated to 3.6.1 in Softaculous. You can update your installation with just one click. Here is the guide:
The WordPress security team resolved three security issues, and this release also contains some additional security hardening.
The security fixes include:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
- Fix insufficient input validation that could result in redirecting or leading a user to another website.
The additional security hardening includes:
- Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
Source: http://wordpress.org
WHMCS has released new patches for the 4.5, 5.0, 5.1, and 5.2 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.
WHMCS has rated these updates as including critical or important security impacts.
The following full-release versions of WHMCS have been published and address all known vulnerabilities:
The latest public releases of WHMCS are available inside the members area at WHMCS.
WHMCS has been updated to 5.2.6 in Softaculous as well. If you have Softaculous installed on your server you can upgrade to the latest version of WHMCS via Softaculous.
PLEASE NOTE: The 4.5 series reached End Of Life as of June 30th 2013. WHMCS is aware that some customers have not moved to an LTS version due to the newness of the LTS policy. The related 4.5 patch release published along with this Security Advisory is provided as a courtesy to those customers. From this point forward, there will be no more patches provided for 4.5 or any other release that has reached EOL.
There is no reason to believe that these vulnerabilities are known to the public. As such, WHMCS will only release limited information regarding the vulnerabilities at this time.
Once sufficient time has passed to allow WHMCS customers to update their installed software, WHMCS will release additional information regarding the nature of the security issue.
These Targeted Security Releases and Patches address 9 vulnerabilities in WHMCS versions 4.5, 5.0, 5.1, and 5.2.
Source: http://www.whmcs.com
The WordPress team has released WordPress 3.5.2, a maintenance and security release.
This is the second maintenance release of 3.5, fixing 12 bugs.
This is a security release for all previous versions, and it is strongly recommended that you update your sites immediately.
WordPress has been updated to 3.5.2 in Softaculous. You can update your installation with just one click. Here is the guide:
The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.
The security fixes included:
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts or reassigning the post’s authorship.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability.
- Multiple fixes for cross-site scripting.
- Avoid disclosing a full file path when an upload fails.
Source: http://wordpress.org
A large distributed brute-force attack against WordPress sites is currently under way. A botnet of more than 90,000 servers is attempting to get into the WordPress admin dashboard by cycling through different usernames and passwords. The attack is widespread and very vigorous, and it is powerful enough to be affecting almost every major web hosting company around the world.
A similar large-scale attack occurred in October 2012, when WordPress.com disclosed that some 50,000 sites were compromised.
What should we do?
1. The FIRST step is to log in to your WordPress site and change your password to something very secure. Here is a guide on selecting a strong password.
2. Install the Limit Login Attempts plugin. This will prevent attackers from logging in after a certain number of attempts, even if they manage to determine your login details.
3. Allow access to wp-login.php only to a specific range of IP addresses using .htaccess.
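An added example of step 3 (not from the original post): an .htaccess fragment that limits wp-login.php to a single trusted IP range. The range 203.0.113.0/24 is a placeholder documentation prefix, and the fragment assumes Apache with mod_authz_core (2.4) or the older mod_access syntax (2.2).

```apache
# Added example: restrict wp-login.php to a trusted IP range.
# 203.0.113.0/24 is a placeholder (RFC 5737 documentation range);
# replace it with the address range you administer the site from.

<Files "wp-login.php">
    # Apache 2.4 syntax
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24
    </IfModule>

    # Apache 2.2 syntax
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24
    </IfModule>
</Files>
```

After saving the file, confirm from an address outside the range that wp-login.php returns 403 while the rest of the site still loads, and from inside the range that you can still log in.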