Well yea, wordpress known as one of the open source cms vendor with really really good care of their security, so if they release something new, it must’ve been a security fix, or features improvements. Version 2.8.6, is one of its release from their security fix outlet.

There are 2 Security Fixes:

From official wordpress blog regarding this WordPress 2.8.6 Security Release :

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

Plain english would be read like this : There re 2 security problems which could be exploited by one of your registered user – with posting privileges and logged in. So actually, this security problem is an exploitable problem by someone who’s already in (logged in as a registered user), and has posting privilege (authors, editors, or other user with custom privileges with posting ability in it.) Long story short : Exploitable by inside man.

The 2 Security Problems Are

1. An XSS vulnerability in Press This discovered by Benjamin Flesch.
2. An issue with sanitizing uploaded file names that can be exploited in certain Apache configurations, discovered by Dawid Golunski.

Be advise, IF you guys have a blog with multiple authors, and there’s a possibility one of them has a possibility to go “bad”, this release is definitely recommended for you.
Alrite.. catch up with you later!

Stefan Esser of suspekt.org recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().

With his help, WordPress team worked around these problems and were releasing WordPress 2.6.2, last September 8, 2008. Yeah, I know, i ‘m a bit late to write this, but it’s always better be late then not knowing at all, right?

Should I upgrade?

If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser has already release details of the complete attack, both for SQL Column Truncation and the weakness of mt_rand(). The attack is difficult to accomplish, but its mere possibility means, upgrading to 2.6.2 is recommended.

Some bloggers and sys admin with open registration feature for their site or blog, has closed their registration temporarily until they got chances to upgrade to 2.6.2. Wiser choice I must say, couldn’t agree more.

Version 2.6.2 Bugs, Fixes and Security Patches

There ‘re some bugs found for 2.6.1 or previously 2.6, and the 2.6.2 have all the fixes and security patches. If you ‘re interested to take a look at the 2.6.2 bugs and fixes list, headed to this page of that contains a handful of bug fixes.

So, wait no more, upgrade now! For all of you who upgrade it already, congrats!

[ Indonesian version → ]

Alrite, let’s take a break for a while.. Put the whole search engine optimization tipsy tricks a side for a minute or two.. and take a look at our daily life a bit. It’s been a while since my last post about vulnerability, and it’s kinda answering my oldest call about how much I care to this security world years ago.
The subject above should tell us the idea of the topic I ‘m gonna write. Uh huh, you got it right buddy, Citibank ‘s Customers ATM PIN have been compromised! This subject is kinda spooky, but the real life situations are even more frightening!

I just finished this scary headline in yahoo, that hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically, I repeat, theoretically, are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.

Is it even possible to do?

Well, from my experiences in the past when I still work on this “un-paid job not even a dime called being a freelance security adviser which most people not even know we were existed since we’re all writing security advisories using a cyber-nickname” group, there ‘re no such thing as “impossible” in hacker ‘s dictionary.
This group I used to work for ( for free ), our everyday activities is scanning for network vulnerabilities, and checking some software bugs, writing the advisories about it, and issued them in major security sites, contacting the vendors, and the best part of it, without getting paid. Whoa..
Yup, you heard me right, there still such people doing it, for some noble purposes. Me? I ‘m just a former, not anymore one of them now. As I built this tiny wonderful world we used to call “a family”, I should work my a55 out to monetize my expertize — ( is it even called an expertize? lol ) — to survive this rude world!

Back to the main issue, Yup it’s possible, nothing is impossible, the word impossible is not even existed in hacker ‘s glossary, not even in their vocabulary. You know most known hacker ‘s quote? “We did it because we can”. Whatta spirit!
From here, I ‘m gonna use the word “the bad guy” to replace the word hacker, coz I don’t agree to this public opinion that hackers always being referred to the bad guys.

How this Scary thing even possible from Happening?

Okay, we’re step into the mechanism, the how to, and the hole they’re into.

The bad guys are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption — which means encoding them to cloak them to outsiders — some ATM operators apparently aren’t properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

In plain english:

There ‘s a hole, which, it’s possible for us who know how to manage to get there, could take the advantages of the PIN data leaking.

This hole is created, from un-clean practices of some ATM operators who don’t properly doing the most basic known security practice called encryption.

Where’s the hole exactly? It’s between the automated teller machines and the computers that process the transactions, while in transit.

Avivah Litan, a security analyst with the Gartner research firm said:

“PINs were supposed be sacrosanct — what this (read: the hole and the PIN data leaking) shows is that PINs aren’t always encrypted like they’re supposed to be. The banks need much better fraud detection systems and much better authentication.”

The How to..

Woohoo.. The How to.. The best part of all advisories articles. Let’s conclude a bit. So.. There ‘s a hole, where the PIN data are leaking, and they’re leaking badly. How the bad guys (or should I say: we wannabe. lol) managed to get there?

Well.. It’s still a mystery.

Are you expecting some thing like: copy and paste the whole part of the script below, compile it to be a php executable file, execute it through a web interface using any favorite browser you used to use. Do you?

The most recent updates on this situation:

A critical issue in the investigation is how the bad guys infiltrated the system, a question that still hasn’t been answered publicly.

All that’s known is they broke into the ATM network through a server at a third-party processor, which means they probably didn’t have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines — which means they had carte blanche to grab information — through a flaw in the network or by figuring out those computers’ passwords. Or it’s possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

All I can say is, in some hacker’s glossary meaning, it’s a direct attack.
If the bad guy finally found the leak, means the hole of this system has been there since the day its build, right? Actually it help us finally figured, that there ‘re something not right ( please notice: i don ‘t use the word “wrong”) from the first place.

Vendor ‘s Respond

Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers’ accounts were compromised. It said it notified affected customers and issued them new debit cards.
“We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” the bank said in a statement.

Oh well, we ‘re all agreed, the most interesting part of any vulnerability articles is the vendor responses.
The great part is It said it notified affected customers and issued them new debit cards… We do not hold them responsible for fraudulent activity in their accounts..
Refunded all the loss? Have no idea, hoping so..

Alrite guys… Be aware. Be safe.

[ Indonesian Version ]

This category was created based on that very idea, advisories, and mostly educational purposes. Some of the articles are taken from the security sites with full sincere and respects of its writer. It’s an advisories anyway. It originally found, written, and publish for its vendor and origin’s consideration. It’s an educational material for all people who have the same concern for security, and how to make this world belong to the securest system as humanly as possible.

Taking my part carrying the responsibility of spreading the knowledge to the people in this mother earth, this category was born.

So, enjoy the reading, hope you found it useful.