SQL Injection Vulnerability Discovered in WooCommerce – Generic SQL Injection Attacks

SQL Injection Vulnerability Discovered in WooCommerce – Generic SQL Injection Attacks

On 15th July 2021, a critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin was reported which might affect millions of websites around the world. The vulnerabilities were detected on the 13th of July and fixed in WooCommerce versions 3.3.6 to 5.5.1 and WooCommerce Blocks versions 2.5.16 to 5.5.1. Though they pushed a forced automatic update to all affected websites, it is recommended to manually check your website and make sure that everything is up to date.

What is the exploit impact? As per the announcement from WooCommerce, this vulnerability allows an unauthenticated attacker to access arbitrary data in an online store’s database. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information

So what is an SQL Injection attack and how to prevent it? SQL injection is a web security vulnerability that allows an attacker to interfere with the SQL queries that an application makes to its database. This type of vulnerability allows a malicious hacker to affect the database in a way that makes it display information or behave differently in ways it’s not supposed to. This is a common attack vector and can be mostly detected using some website auditing tools. The developer of every application must do proper validation of the user input through any form or from the URI and filter them properly.

Can cPGuard protect your website from such vulnerabilities? Yes, the cPGuard WAF is powered by Malware.Expert ModSec rules set can protect your websites from such generic attacks including SQL injection. So cPGuard can already defend against such attacks and protect your websites. It also works along with the IPDB Distributed  Firewall module which can detect and block the repeated attacking IPs on all our customer servers. 

Malware in nulled WordPress themes…The story continues…

Malware in nulled WordPress themes…The story continues…

The subject is pretty familiar for most of the WordPress developers and people who maintain the websites. Everyone who takes their website security seriously will honor the advice but there are still some people who wish to take short-cuts and install nulled themes and plugins. Such people are not saving money to add more modules to their website, rather opening a remote website management option to the hacker.

We have added some articles before about such websites which you should not relay to download the plugins or themes. Today I am going to talk about another such website, which is “freewordpresthemes [dot] com”. They are offering a few WordPress themes which you can download free from their website and they are packed with Malware inside. We found them during our regular inspection through the reported malware by our scanner engine. So the cPGuard scanner engine already protects you from the particular malware injected into their package.

So now let us take a look into the actual injection in their package. We found the below injected code in their “functions.php” file which is actually referring to a TXT file in their website.

The injected code actually pulls some code from their website, creates a new file under the public space of the website, adds some code to it which is the remote hand for the hackers.

So what does that mean? Yes, installing and enabling this theme means you have opened up your website to an anonymous person who can make changes to your website without permission.

So how can you escape from such threats? There is only one answer to that…download the themes and plugins from reliable sources. You should be ready to pay for the software that is going to serve your requirements or you should find some alternate options instead of opting for such short-cuts. Even though there are numerous incidents and reports around there regarding such issues, people who do not act wisely will end up in such troubles. 

You can also deploy security solutions like cPGuard on your server to protect you from such threats. But ultimately it is not recommended to use any nulled software if security matters! 

Do we really need resource comsumption settings for cPGuard?

Do we really need resource comsumption settings for cPGuard?

What do you mean by resource consumption?

Every software needs some resources to run on a system and perform its operations. The amount of resources each program need is different and depends on the task it performs. Softwares that need to run multiple algorithms, do complex computations and has a lot of file and network operations are usually highly resource-intensive (specifically CPU, RAM and Disk IO). An anti-virus scanner come under this category as there are a large number of file read writes, content analysis, pattern recognition and comparisons to be performed.

On a server environment resources and limited and required to be available on-demand for the servers primary task. Therefore antivirus scanners have settings to adjust the resources it can consume or schedule the scanner to run in off-peak hours.

So why cPGuard does not allow users to limit it?

We have strictly maintained a “performance-oriented” approach while building cPGuard and wanted it to run smoothly on the smallest of servers. The cPGuard scanner engine core is built to work fast and consume minimal resources. Some of the major points that help us achieve better performance with lower resources are

  • We scan only relevant files/locations, unlike the competitors where they scan a lot of unnecessary locations and waste server resources.
  • Our core scanner is single-threaded and will not cause a total server spike. So CPU limiting is not required for our scanner daemon
  • Our highly efficient and optimised algorithms leave only a very small memory footprint.
  • Our IPDB rules contain only active attack sources and thus load only minimal rules and reduce network overhead
  • WAF contains only minimal but generic rules which effectively block most and major web attacks

Do you have any proof?

Yes, we have and we can confidently claim our statement. The biggest proof is that in the last 4 years the complaints due to resource usage are close to ZERO. The major portion of most systems that can cause a load spike on the server is the scanner module. Our scanner is fine-tuned to avoid such a scenario and it is one of the fastest scanners available in the market. It is tested and confirmed that the cPGuard scanner engine is more than 7x faster than that of our competitors. The screenshot below of the manual scan option in cPGuard, where it completed scanning 41K+ files in just 7 mins.

 

So is there any advantage with Resource Consumption settings?

Yes, there is if the scanner module is resource hungry. It will help to reduce server load but it will drastically slow down the scanning process and will engage resources for a longer time. As I stated earlier, that is not a problem with cPGuard and you do not need to worry about setting up such values and monitoring our services.

Ok, I have few more questions…

We are happy to address them…feel free to reach our support team and we will be more than happy to answer your questions!

What are the advantages of cPGuard WAF compared to competing solutions?

What are the advantages of cPGuard WAF compared to competing solutions?

What is cPGuard WAF?

The cPGuard WAF module is an important part of cPGuard security suite to protect your websites from malicious traffic and attacks. It is powered by Malware.Expert commercial ModSec rules and are loaded with a wide variety of protection levels. With cPGuard, you can implement the WAF rules quite easily and flexibly and enforce maximum website protection based on your preference. We have rules to protect major attack like the following which is well explained in the following sections

 

  1. WordPress/Joomla and other CMS brute-force attacks
  2. Crawler bots  and exploit/vulnerability scanner prevention
  3. Generic attacks like XSS, SQL injection, WP abuses, etc
  4. Block malicious files upload via web
  5. Zero-day exploits blocking
    etc

What are the important modules of cPGuard WAF?

The cPGuard WAF consists of various types of rules and each can stop different types of attacks. The major advantage in enabling the WAF with cPGuard is, you can select the set of rules that you wish to enable for your websites. So unlike the competing WAF solutions, our rules are quite wisely separated and let the customers to choose the protection level.

  • RBL Protection:- This provides the advanced DDoS protection for POST attacks [ brute-force, script exploits ] and blocks common abusive IP addresses collected through our network of servers with cPGuard installed. We recommend turning this ON if you are getting too many POST attacks as it can help to block many attacks before reaching your application and helps to reduce server load.
  •  Captcha Protection :-  Recommended This ruleset will enforce all users to verify not as bot before accessing the CMS [ like WordPress, Joomla, etc ] login pages or submitting the login credentials. Once they are identified as a real user, they will be able to login to their website. This can greatly reduce the load due to brute-force attacks. You can also define the set of URIs that you wish to protect using the captcha system, which makes the protection more powerful and flexible.
  • WEBSHELL protection:- If you enable this ruleset, your server will be protected from the execution of PHP shells like following
    • Phoenix WebShell
    • FilesMan
    • c99shell
    • b374k
    • WSO
    • Ani-Shell

    Frontpage may open in web shells, but command execution [ like a copy, delete, move, etc ] is blocked. You can enable this rules set if you control all the web apps on your server.

  • SCANNER protection:-  Recommended This will help to keep away bad crawlers from your system. This is a major headache for web hosts and causes unnecessary use of system resources. It can block
    • Bad User-Agents
    • Bad search engine crawlers (Cause High loads)

In addition to the above rules set, the WAF consists of rules to stop brute-force attacks and to enable web-based files scanning.

Why cPGuard WAF is better than the competing WAF solutions?

Our WAF is top-notch to block major automated attacks with less server load compared to the competing WAF solutions. In addition, we cause very minimal or zero false positives in most cases with an option to whitelist rules if they find any isolated issues with any rules.

In general, cPGuard WAF outperform all other competing WAF solutions based on the following points

  • We have very minimal but generic WAF rules. That helps to offer a wide range of protection with very little server load
  • Rules are generic and thus can block the same types of attacks with different vectors
  • We carefully watch the latest exploits and release rules to protect them
  • We have explicit generic rules to protect common CMS systems
  • Our Captcha protection system is one of the best which can stop all brute-force and bot attacks towards your CMSes
  • Cloud-based central system to analyze the latest web threats and to block them 
  • The WAF module is clubbed with IPDB Firewall in the core which will eventually help to stop attacks in the system firewall even before it reaches the application server

Have more questions?

In case you are misleaded by some marketing emails about our software and WAF module and would like to know more, please feel free to reach us. Our team is always happy to answer your questions and explain about the cPGuard software

What are the recent changes in IPDB?

What are the recent changes in IPDB?

What is IPDB Firewall?

In cPGuard, we have multiple modules that work at different layers to stop various attacks. The IPDB firewall module is a system-level firewall that can block many of the attacks before it reaches your application servers.

The main components of the IPDB firewall are

1. The Cloud Advisor:– is a server cluster containing multiple servers dedicated to collecting, building and distributing a list of unsafe IPs. We have a huge list of bad IPs built on data collected from attacks we have blocked (WAF, Bruteforce, CSF and access logs), our partners like Malware.Expert and other 3rd party sources. Our algorithms, after whitelisting major providers like Cloudflare, Google etc to avoid false positives, dynamically score IPs based on various parameters to build a refined list containing only the latest and relevant threats

2. The Server Agent: cPGuard server application downloads the list of bad IPs from the cloud advisor and creates a blocklist using IPSET and IPTABLES to effectively block requests from these IPs. The block list is periodically reloaded to fetch the latest IPs and drop old IPs from the list

What are the recent updates in IPDB?

Over the past few versions after the initial release of IPDB, we have been continuously working on it to enhance the performance of IPDB module. With that said, we were able to bring in so many updations so block more attacks with fewer false positives. Few of the major changes include

  • Refined blacklist Logic:- We now have a better algorithm to mark an IP address as bad and put it into the global blacklist. That helps to eliminate a significant share of false positives from the total blacklist.
  • Enhanced whitelist:- Based on the feedback from our clients, we have added many more major players including search engines, CDN providers, monitoring agents, etc into the blacklist which helped to refine the central list.
  • Better CLI Tools:- For a Linux geek, it is always handy to work from CLI than doing any tasks from GUI. So we have added more CLI tools to handle IPDB using commands
  • Network whitelist:- Now you can whitelist a Network using a defined format. This will help to whitelist a range of your IP address and that makes the tool handier. You can add whitelist from cPGuard settings or via our command line utility
$ /etc/cpguard/scripts/cpgbin allowip <ip address/range>
 
$ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx
$ /etc/cpguard/scripts/cpgbin allowip 208.xxx.xxx.xxx/24 

 

  • New IPDB stats UI:- You can now view requests being blocked in realtime from the new IPDB section in cPGuard UI. We will be rolling out more reports and stats on IPDB in coming versions.

Wait…I have some complaints or suggestions

We would love to hear from you and our team can work based on your feedback. Kindly reach our support team with your feedback and we will process it accordingly.