How to Botch a Security Vulnerability Discovery – WooThemes Case Study

Mon, Apr 30, 2012

Jason Gill disclosed a bug in the WooThemes WooFramework that allows any website visitor to run and see the output of any shortcode.

This gives unauthenticated visitors the same ability to execute code on the server that regular publishers have. WordPress installations with unsecured shortcodes (such as [php], which allows raw PHP code to be run) are exposed to serious attacks if a WooThemes theme is installed, even when it is not the active theme for the site. It would be trivial to identify common insecure shortcodes and then try them against common WooThemes themes in an attempt to run malicious code on the remote server.

The response from the WooThemes team to this security vulnerability was less than stellar. This case study examines the mistakes WooThemes made during the incident and should serve as a model of what not to do.

Tax Scam Uses Popular Education Credit To Trick Victims

Mon, Apr 16, 2012

The IRS announced that it is actively investigating a tax scam seen in recent weeks related to the filing of tax returns claiming fraudulent refunds.

The scammers claim they can obtain a tax refund for victims based on the American Opportunity Tax Credit, even if the victim was never enrolled in college. They also claim that refunds are available even if the victim went to school decades ago. A variation of the scheme claims the college credit is available to compensate people for paying taxes on groceries.
