{"id":299,"date":"2015-05-06T13:39:42","date_gmt":"2015-05-06T11:39:42","guid":{"rendered":"http:\/\/web.comunicazion.eu\/blog\/?p=299"},"modified":"2015-05-06T13:55:16","modified_gmt":"2015-05-06T11:55:16","slug":"importante-vulnerabilidades-de-seguridad-en-wordpress-y-magento","status":"publish","type":"post","link":"https:\/\/web.comunicazion.eu\/blog\/importante-vulnerabilidades-de-seguridad-en-wordpress-y-magento\/","title":{"rendered":"Importante &#8211; Vulnerabilidades de seguridad en WordPress y Magento"},"content":{"rendered":"<p><strong>WordPress Vulnerability<\/strong><br \/>\nThis is a new, serious vulnerability, announced recently which has the potential to cause some damage and disruption. Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. <b>Impact:<\/b> If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.<\/p>\n<p>Alternatively the attacker could change the administrator\u2019s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system. You can find more details about the impact and solution for the same by clicking <a href=\"http:\/\/klikki.fi\/adv\/wordpress2.html\" target=\"_blank\">here<\/a>.<\/p>\n<p><b>Steps you need to take:<\/b> We would request you to go through the recommendations and update your WordPress website using the patch available <a href=\"http:\/\/klikki.fi\/adv\/wordpress2.html\" target=\"_blank\">here<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Magento Vulnerability<\/strong><br \/>\nThis is a vulnerability that has been recently reported too. The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the web server. <b>Impact:<\/b> The attacker can bypass all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system. This attack is not limited to any particular plugin or theme. All the vulnerabilities are present in the Magento core, and affects any default installation of both Community and Enterprise Editions. For more details about the same, please click <a href=\"http:\/\/forums.myorderbox.com\/index.php?\/topic\/5513-important-vulnerabilities-discovered-in-wordpress-and-magento\/#entry11355\" target=\"_blank\">here<\/a>.<\/p>\n<p><b>Steps you need to take:<\/b> If you are using the mentioned vulnerable versions of Magento, we<\/p>\n<p>would request you to patch it using the updates provided in the following link : <a href=\"http:\/\/blog.checkpoint.com\/2015\/04\/20\/analyzing-magento-vulnerability\/\" target=\"_blank\">http:\/\/blog.checkpoint.com\/<wbr \/>2015\/04\/20\/analyzing-magento-<wbr \/>vulnerability\/<\/a>.<\/p>\n<p>You can test whether your Magento website is vulnerability or not, using <a href=\"https:\/\/shoplift.byte.nl\/\" target=\"_blank\">this tool<\/a>.<\/p>\n<p>We strongly recommend you access all your packages and patch them immediately to avoid any issues. In case you require any information regarding this email, please feel free to get in touch with us.<\/p>\n<p>[tabs class=\u00bbyourcustomclass\u00bb]<br \/>\n[tab title=\u00bbLeer en espa\u00f1ol &#8211; Vulnerabilidad WordPress\u00bb]Esta es una nueva, grave vulnerabilidad, anunci\u00f3 recientemente que tiene el potencial de causar alg\u00fan da\u00f1o y perturbaci\u00f3n. Las versiones actuales de WordPress son vulnerables a un XSS almacenado. Un atacante no autenticado puede inyectar JavaScript en los comentarios de WordPress. El script se activa cuando el comentario es visto. Impacto: Si desencadenado por un administrador ha iniciado sesi\u00f3n en, en la configuraci\u00f3n por defecto el atacante puede aprovechar la vulnerabilidad para ejecutar c\u00f3digo arbitrario en el servidor a trav\u00e9s de los editores de plugins y temas.<\/p>\n<p>Alternativamente, el atacante podr\u00eda cambiar la contrase\u00f1a del administrador, crear nuevas cuentas de administrador, o hacer cualquier otra cosa que el administrador ha iniciado sesi\u00f3n actualmente en puede hacer en el sistema de destino. Puede encontrar m\u00e1s detalles sobre el impacto y la soluci\u00f3n para el mismo haciendo clic aqu\u00ed.<\/p>\n<p>Los pasos que deben tomar: Queremos pedirle que vaya a trav\u00e9s de las recomendaciones y actualizar su sitio web WordPress usando el parche disponible aqu\u00ed.[\/tab]<br \/>\n[tab title=\u00bbMagento\u00bb]Se trata de una vulnerabilidad que se ha informado recientemente tambi\u00e9n. La vulnerabilidad es en realidad compuesto de una cadena de varias vulnerabilidades que en \u00faltima instancia permite a un atacante no autenticado ejecutar c\u00f3digo PHP en el servidor web. Impacto: El atacante puede pasar por alto todos los mecanismos de seguridad y control de las ganancias de la tienda y su base de datos completa, lo que permite el robo de tarjetas de cr\u00e9dito o cualquier otro acceso administrativo al sistema. Este ataque no se limita a ning\u00fan plugin o tema en particular. Todas las vulnerabilidades est\u00e1n presentes en el n\u00facleo de Magento, y afecta a cualquier instalaci\u00f3n por defecto de ambos comunitarias y Enterprise Editions. Para m\u00e1s detalles sobre el mismo, por favor haga clic aqu\u00ed.<\/p>\n<p>Pasos que debe tomar: Si est\u00e1 utilizando las versiones vulnerables mencionadas de Magento, que<\/p>\n<p>pedir\u00eda que parchear usando las actualizaciones previstas en el siguiente enlace: http:\/\/blog.checkpoint.com\/2015\/04\/20\/analyzing-magento-vulnerability\/.<\/p>\n<p>Usted puede probar si su sitio web Magento es la vulnerabilidad o no, el uso de esta herramienta.<\/p>\n<p>Le recomendamos que acceda a todos sus paquetes y el parche de inmediato para evitar cualquier problema. En caso de requerir cualquier informaci\u00f3n relacionada con este correo electr\u00f3nico, por favor no dude en ponerse en contacto con nosotros[\/tab][\/tabs]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress Vulnerability This is a new, serious vulnerability, announced recently which has the potential to cause some damage and disruption. Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. Impact: If triggered by a logged-in administrator, <a href=\"https:\/\/web.comunicazion.eu\/blog\/importante-vulnerabilidades-de-seguridad-en-wordpress-y-magento\/\"> read more <span class=\"meta-nav\"><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":310,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[5],"tags":[],"class_list":["post-299","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-noticias"],"jetpack_featured_media_url":"https:\/\/web.comunicazion.eu\/blog\/wp-content\/uploads\/2015\/05\/mejoras-www.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/posts\/299","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/comments?post=299"}],"version-history":[{"count":0,"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/posts\/299\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/media\/310"}],"wp:attachment":[{"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/media?parent=299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/categories?post=299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/web.comunicazion.eu\/blog\/wp-json\/wp\/v2\/tags?post=299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}