Despite the existence of patches, the proliferation of unpatched installations makes them enticing targets for malicious actors, according to a WhiteHat report.
Security vulnerabilities are a reality of working in IT, with tech professionals tasked with ensuring that devices on the network are secured against the latest disclosed flaws. With thousands responsibly disclosed each year, to say nothing of vulnerabilities sold on the Dark Web, the task of maintaining the security integrity of devices and applications running on your network can be daunting.
On Wednesday, WhiteHat Security released its Top 10 Application Security Vulnerabilities of 2018 report, detailing the most common exploits used last year. Most, if not all, of these vulnerabilities are still being exploited in the wild by malicious actors, and some of them exist as components in software packages that you may be unaware you are using.
Here are the top 10 app security vulnerabilities to watch out for in the coming year.
1. jQuery File Upload (CVE-2018-9206)
Though the jQuery File Upload vulnerability was only identified last year, hackers have used it to implant web shells and commandeer vulnerable servers since at least 2016, researchers at Akamai told our sister site ZDNet. The plugin is the second most-starred jQuery project on GitHub, second only to the jQuery framework itself.
2. Magecart credit card skimming
A variety of malicious groups are using Magecart to inject malware into ecommerce sites to steal payment details. Magecart was behind the Ticketmaster, British Airways, and Newegg breaches, as well as the compromises of the Shopper Approved ecommerce toolkit and of extensions for the Magento ecommerce platform, all first reported in 2018; OXO International disclosed a related data breach in January 2019.
3. WordPress Denial of Service (CVE-2018-6989)
The ubiquity of WordPress makes the blogging platform a popular target for malicious actors, with this vulnerability allowing unauthenticated users to abuse the load-scripts.php component to request mass quantities of JavaScript files, quickly overloading servers.
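Because the abuse described above shows up in ordinary web server access logs, a defender can spot it before the server falls over. The following script is an added example, not code from the article or from WordPress: it parses combined-format access log lines, isolates requests to wp-admin/load-scripts.php, counts the script handles passed in the load (or load[]) parameter, and flags both oversized handle lists and clients hammering the endpoint. The log lines are constructed for the example, and the two thresholds are assumed starting points to be tuned against a site's normal admin traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-format access log: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). The second line carries an
# oversized handle list; the last five come from a single client in succession.
_big_list = ",".join(f"script{i}" for i in range(120))
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [21/Feb/2019:10:00:01 +0000] "GET /wp-admin/load-scripts.php?c=1&load%5B%5D=common,utils&ver=4.9.8 HTTP/1.1" 200 9120',
    f'203.0.113.5 - - [21/Feb/2019:10:00:02 +0000] "GET /wp-admin/load-scripts.php?load={_big_list} HTTP/1.1" 200 1820044',
    '198.51.100.7 - - [21/Feb/2019:10:00:03 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 4400',
] + [
    f'203.0.113.9 - - [21/Feb/2019:10:00:0{i} +0000] "GET /wp-admin/load-scripts.php?load=common,utils HTTP/1.1" 200 9120'
    for i in range(4, 9)
])


def count_handles(target: str) -> int:
    """Number of script handles requested through load= or load[]= (comma-separated)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    handles = 0
    for key in ("load", "load[]"):
        for value in qs.get(key, []):
            handles += len([h for h in value.split(",") if h])
    return handles


def analyze(log_text: str, handle_threshold: int = 50, request_threshold: int = 5) -> list:
    """Flag load-scripts.php requests with an unusually long handle list and
    clients that hit the endpoint repeatedly. Thresholds are assumed defaults."""
    findings = []
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = m.group("target")
        if not urlsplit(target).path.endswith("/wp-admin/load-scripts.php"):
            continue
        per_ip[m.group("ip")] += 1
        n = count_handles(target)
        if n >= handle_threshold:
            findings.append({"type": "oversized_handle_list", "ip": m.group("ip"),
                             "handles": n, "ts": m.group("ts")})
    for ip, count in per_ip.items():
        if count >= request_threshold:
            findings.append({"type": "repeated_requests", "ip": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A rule like this belongs in the log pipeline rather than in WordPress itself; pairing it with a rate limit or access restriction on wp-admin at the web server or CDN is the mitigation, and the findings give you the client addresses to act on.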
4. Drupalgeddon 2 (CVE-2018-7600)
One of the design quirks of Drupal is the use of the hash (#) at the beginning of array keys to signify special keys requiring further computation. This, combined with how PHP handles arrays in parameters, led to a vulnerability exploitable by anyone visiting a page with a maliciously crafted URL. Fundamentally, the patch for this did nothing other than sanitize inputs.
The vulnerability was nicknamed "Drupalgeddon 2: Electric Hashaloo" by noted programmer Scott Arciszewski of Paragon Initiative, among other members of the Drupal community.
5. Drupalgeddon 3 (CVE-2018-7602)
The first attempt to patch this issue was not entirely successful: a secondary vulnerability involving URL handling of GET parameters that were not properly sanitized to remove the # symbol created a remote code execution vulnerability.
Despite the highly publicized nature of the vulnerability, over 115,000 Drupal websites were still vulnerable to the issue months after patches were issued, and various botnets were actively leveraging the vulnerability to deploy cryptojacking malware.
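Items 4 and 5 together make one point: because '#'-prefixed keys are internal control keys, nothing a user sends may be allowed to contain one, and the stripping has to happen on the decoded form of every parameter source, or an encoded '#' in a GET parameter slips past it. The script below is an added example written for this article, not Drupal's own sanitizer: a simplified parser for PHP-style nested parameters (a[b][c]=v), a recursive filter that drops any '#'-prefixed key at any depth, and a wrapper that applies it to query string, body and cookies alike after percent-decoding. The parameter names in the sample input are constructed, and the parser simplifies PHP's automatic numeric indexing for empty brackets.

```python
from urllib.parse import parse_qsl


def parse_php_query(query: str) -> dict:
    """Parse a PHP-style query string or form body (a[b][c]=v, a[]=v) into
    nested dicts. parse_qsl percent-decodes keys and values first, as PHP
    does, so an encoded %23 arrives here as a literal '#'.
    Simplification: a[]=v is stored under the empty key rather than auto-indexed."""
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        head, bracket, rest = raw_key.partition("[")
        parts = [head] + (rest.rstrip("]").split("][") if bracket else [])
        node = result
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}  # a scalar and an array with the same name: array wins
            node = node[part]
        node[parts[-1]] = value
    return result


def strip_hash_keys(data, dropped=None):
    """Return a copy of data with every key beginning with '#' removed at any
    depth. Such keys are reserved for the framework's internal control data,
    so none may originate from user input. 'dropped' collects what was removed
    so the caller can log it."""
    if dropped is None:
        dropped = []
    if isinstance(data, dict):
        clean = {}
        for key, value in data.items():
            if isinstance(key, str) and key.startswith("#"):
                dropped.append(key)
                continue
            clean[key] = strip_hash_keys(value, dropped)
        return clean
    if isinstance(data, list):
        return [strip_hash_keys(v, dropped) for v in data]
    return data


def sanitize_request(query_string: str = "", body: str = "", cookies=None) -> tuple:
    """Apply the filter to every parameter source after decoding: query string,
    form body and cookies. Returns (sanitized sources, list of dropped keys)."""
    dropped = []
    sources = {
        "get": strip_hash_keys(parse_php_query(query_string), dropped),
        "post": strip_hash_keys(parse_php_query(body), dropped),
        "cookie": strip_hash_keys(dict(cookies or {}), dropped),
    }
    return sources, dropped


if __name__ == "__main__":
    # Constructed input: one '#' key arrives percent-encoded inside a nested GET
    # parameter, another as a top-level POST field.
    sources, dropped = sanitize_request(
        "name=alice&form%5B%23ctl%5D=v&form%5Bfield%5D=ok",
        "items%5B%5D=1&%23opt=2",
    )
    print(sources)
    print("dropped:", dropped)
```

The order matters: decoding first, then stripping, then handing the result to the application. A filter that inspects the raw, still-encoded URL would pass %23 through untouched, which is the shape of the gap item 5 describes. Logging the dropped keys also gives you a cheap detection signal, since legitimate clients have no reason to send them.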
6. Telerik's RadAsyncUpload
With this vulnerability, a default, hard-coded encryption key allows attackers to decrypt data and modify script configuration, including changing allowable file types and the destinations where files are saved.
7. Spring Data Commons (CVE-2018-1273)
Pivotal's Spring Data Commons contained a vulnerability allowing an unauthenticated remote user to send "specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding that can lead to a remote code execution attack."
8. MathJax XSS (CVE-2018-1999024)
The open source MathJax library, used to make MathML, LaTeX and ASCIIMathML notation look better in web pages, contained a cross-site scripting (XSS) vulnerability in the \unicode{} macro allowing JavaScript to be injected into a web page.
9. Flash Player Hack (CVE-2018-4878)
Given Adobe's track record with Flash, the absence of a vulnerability may be more noteworthy than the existence of one. A use-after-free exploit was leveraged by suspected North Korean hackers, delivered through maliciously crafted Excel documents.
10. Spring OAuth Approval (CVE-2018-1260)
A vulnerability in the default approval endpoint in Spring OAuth allows for remote code execution using injected Spring Expression Language. According to WhiteHat Security, "This remote code execution occurs when a malicious attacker creates an authorized request to the authorization endpoint, and the resource owner is then able to forward to the approval endpoint."
What to do to keep your organization secure
All of these vulnerabilities can be addressed by simply updating to the latest available version of the software. Particularly in the case of Drupal and WordPress, relying on extensive custom code that hampers the ability to perform upgrades in a timely manner should be strongly avoided, as this creates enticing targets for malicious actors.
Knowing what software is used in your organization is also paramount. In particular, the ubiquity of WordPress has led to plugin-specific vulnerabilities, though such plugins are typically not the highest priority updates in any organization. Check out TechRepublic's coverage of the WordPress plugins most vulnerable to attacks.