Information Security News
Today, WordPress 4.0.1 was released, which addresses a critical XSS vulnerability (among other vulnerabilities).
The XSS vulnerability deserves a bit more attention, as it is an all too common problem, and often underestimated. First of all, why is XSS critical? It doesn't allow direct data access like SQL injection, and it doesn't allow code execution on the server. Or does it?
XSS does allow an attacker to modify the HTML of the site. With that, the attacker can easily modify form tags (think about the login form, changing the URL it submits its data to), or the attacker could use XMLHttpRequest to conduct CSRF without being limited by the same-origin policy. The attacker will know what you type, and will be able to change what you type, so in short: the attacker is in full control. This is why XSS is rated critical.
The particular issue here was that WordPress allows some limited HTML tags in comments. This is always a very dangerous undertaking. The WordPress developers did attempt to implement the necessary safeguards. Only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasn't done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.
A better solution would probably have been to use a standard library instead of trying to do this themselves. HTML Purifier is one such library for PHP. Many developers shy away from using it as it is pretty bulky. But it is bulky for a reason: it does try to cover a lot of ground. It not only normalizes HTML and eliminates malformed HTML, but it also provides a rather flexible configuration file. Many lightweight alternatives, like the solution WordPress came up with, rely on regular expressions. Regular expressions are typically not the right tool to parse HTML. Too much can go wrong, starting from new lines and ending somewhere around multi-byte characters. In short: don't use regular expressions to parse HTML (or XML), in particular for security.
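As an added illustration of the point above (not code from the original post, from WordPress or from HTML Purifier): a Python allowlist sanitizer built on the standard library's HTML tokenizer, shown next to a regex attribute check of the kind the text warns against, which misses an unquoted attribute value that a browser would still parse. The allowlist, the scheme list and the sample inputs are assumptions chosen for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
# Allowlist (constructed for this example): tag -> attributes permitted on it.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(), "strong": set()}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# The kind of check the text warns against: a regex that spots an event-handler attribute
# only when written one way (double-quoted); an unquoted value, still browser-parseable, slips past.
UNSAFE_ATTR = re.compile(r'\son\w+\s*=\s*"[^"]*"', re.IGNORECASE)

def regex_has_unsafe_attr(html: str) -> bool:
    return bool(UNSAFE_ATTR.search(html))

class AllowlistSanitizer(HTMLParser):
    # Tokenise with a real parser, then re-serialise only allowlisted tags and
    # attributes, so the output is normalised, well-nested HTML whatever the input form.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # unknown tag: dropped, its text is kept (escaped)
        kept = []
        for name, value in attrs:       # the parser has already lowercased the names
            value = (value or "").strip()
            if name not in ALLOWED[tag]:
                continue                # drops any on* handler, style, class, ...
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                # only absolute http/https/mailto links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open.append(tag)
    def handle_endtag(self, tag):
        while tag in self.open:         # close back to `tag` so nesting stays valid
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break
    def handle_data(self, data):
        self.out.append(escape(data, quote=False))
    def result(self) -> str:
        while self.open:                # close whatever the author left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize(html: str) -> str:
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return p.result()
```

Because the parser-based version rebuilds the markup from tokens instead of pattern-matching the raw text, quoting style, case and stray newlines in the input no longer matter to what it emits.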
Google has released a Firing Range for assessing various web application scanners, with what looks like a real focus on Cross Site Scripting. The code was co-developed by Google and Politecnico di Milano.
Source code is on GitHub at https://github.com/google/firing-range
App Engine deployment is at http://public-firing-range.appspot.com/
Posted by InfoSec News on Nov 20: http://www.nextgov.com/cybersecurity/2014/11/report-government-has-only-5-years-secure-internet-things/99446/
Posted by InfoSec News on Nov 20: http://www.theregister.co.uk/2014/11/19/sms_pwnage_on_meellions_of_flawed_sim_cards_popular_4g_modems
Posted by InfoSec News on Nov 20: http://www.panarmenian.net/eng/news/184943/
Posted by InfoSec News on Nov 20: http://arstechnica.com/security/2014/11/unscheduled-windows-update-kills-critical-security-bug-under-active-attack/
Posted by InfoSec News on Nov 20: http://healthitsecurity.com/2014/11/17/health-data-security-still-catching/
Posted by InfoSec News on Nov 20: http://www.computerworld.com.au/article/560036/long-running-android-botnet-evolves-could-pose-threat-corporate-networks/
Posted by InfoSec News on Nov 20: http://rt.com/usa/206663-detroit-bitcoin-ransom-database/