CMS
Joomla 3.8.3 is now available
Joomla 3.8.3 is now available; this is a security release that doesn’t introduce any new features but fixes security issues and improves performance.
In particular, this release adds support for PHP 7.2 and for multiple download sources on update servers (also known as download mirrors), updates TinyMCE to version 4.5.8, and improves multilingual support and search performance for large sites. A complete list of fixes is available at this address.
This version is available within the admin console or at this address.
Meanwhile, the Alpha 1 version of the upcoming Joomla 4.0 is available. The preview includes new Bootstrap 4 templates, removal of obsolete functions, a new installation wizard, integration of Joomla Framework packages and a renewed console application.
WordPress 4.9 is now available
WordPress 4.9, nicknamed “Tipton”, is now available. This version introduces several new features, including new Customizer capabilities, improvements to the core code, new widgets and several additions for developers, such as an improved Customizer JavaScript API, CodeMirror (a new code-editing library), an update of MediaElement.js to version 4.2.6 and other improvements to the management of plugin and translation files.
This version is available in the administration console or at this address.
Version 4.9.1 is available as well. This is a security release that doesn’t introduce any new features but fixes security issues. The fixes in this release include a properly generated hash for the newbloguser key instead of a deterministic substring, escaping added to the language attributes used on HTML elements, ensuring that enclosure attributes are correctly escaped in RSS and Atom feeds, and removal of the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Eleven additional bugs have been fixed, including issues relating to the caching of theme template files, a MediaElement JavaScript error that prevented users of certain languages from uploading media files, and the inability to edit theme and plugin files on Windows-based servers.
Further information about this version is available at this address.
Keylogger found in more than 5,000 WordPress sites
More than 5,000 WordPress sites contain malware related to the cloudflare.solutions domain, which is in no way affiliated with Cloudflare, as Sucuri reports in this article.
The malware contains a keylogger that records every keystroke (including login credentials and credit card data) and a JavaScript script (CoinHive) that mines cryptocurrencies.
As remediation, Sucuri suggests checking the functions.php file of the active theme, deleting the add_js_scripts function and any reference to it in the add_action calls, and changing the username and password used to access the site.
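As an added example (not code from the Sucuri post or this article), the following Python checker applies the remediation above to a theme's functions.php: it reports the span of the add_js_scripts definition, every add_action() hook that registers it, and any line naming cloudflare.solutions, so the affected lines can be reviewed and removed. The sample file content is constructed and the function body is a harmless stand-in.

```python
import re

# Constructed sample of an infected theme functions.php: the hook name and the
# domain are the ones the article reports, the function body is a harmless stand-in.
SAMPLE_FUNCTIONS_PHP = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');
function add_js_scripts() {
    wp_enqueue_script('cfs', 'https://cloudflare.solutions/example.js');
}
add_action('wp_enqueue_scripts', 'add_js_scripts');
add_action('login_enqueue_scripts', 'add_js_scripts');
"""

FUNC_NAME = "add_js_scripts"         # injected function Sucuri reports
BAD_DOMAIN = "cloudflare.solutions"  # domain the injected script loads from


def find_function_span(lines, name):
    """1-based (start, end) of `function name(...) {...}`, found by counting
    braces from the declaration line; None when the function is absent."""
    decl = re.compile(r"^\s*function\s+" + re.escape(name) + r"\s*\(")
    start, depth, seen_brace = None, 0, False
    for i, line in enumerate(lines, 1):
        if start is None:
            if not decl.match(line):
                continue
            start = i
        depth += line.count("{") - line.count("}")
        seen_brace = seen_brace or "{" in line
        if seen_brace and depth == 0:
            return start, i
    return None


def scan_functions_php(source):
    """List (kind, first_line, last_line) spans a cleanup should remove: the
    function body, every add_action() hooking it, and lines naming the domain."""
    lines = source.splitlines()
    findings = []
    span = find_function_span(lines, FUNC_NAME)
    if span:
        findings.append(("function_definition", *span))
    hook = re.compile(r"add_action\s*\(.*['\"]" + re.escape(FUNC_NAME) + r"['\"]")
    for i, line in enumerate(lines, 1):
        if hook.search(line):
            findings.append(("add_action_hook", i, i))
        if BAD_DOMAIN in line:
            findings.append(("malicious_domain", i, i))
    return findings
```

Run it over the real file with `scan_functions_php(open(path).read())`; an empty list means none of the three indicators is present, which does not rule out other modifications, so the credential reset still applies.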
Magento security updates are available
Magento rebranded its products (Magento Community Edition is now Magento Open Source and Magento Enterprise Edition is now Magento Commerce) and released security updates, namely Magento Commerce 1.14.3.7, Magento Open Source 1.9.3.7 and SUPEE-10415 (a patch for Magento 1.x and older versions), that fix Cross-Site Request Forgery (CSRF), Denial-of-Service (DoS) and Remote Code Execution vulnerabilities affecting logged-in administrators.
Further information, including update instructions, is available at this address.
Moreover, Magento released the Security Scan tool for both the Commerce and Open Source editions; it performs a real-time analysis of the e-commerce site it scans and suggests remediation for any security issue found. Aimed at the B2B sector, Magento has published the “B2B Commerce Best Practices” ebook and the Magento B2B Resource Hub, which contains strategies, tactics, advice and suggestions.
PHP 7.2.0 released
The new release of PHP 7.2.0 is now available.
The new features of this version include the conversion of numeric keys in object/array casts, the counting of non-countable objects, HashContext as an object, Argon2 in password hashing, TLS constants improved to sane values, removal of the Mcrypt extension and a new Sodium extension.
A complete list of new features and bugfixes is contained in the changelog files available at this address.
WordPress’ bbPress is vulnerable to SQL Injection attacks
Sucuri warns in a detailed post that the bbPress plugin for WordPress is vulnerable to SQL Injection attacks.
bbPress turns a WordPress site into a forum and is used by more than 300,000 users; the vulnerability is due to improper use of a database abstraction class, as happened some time ago with the NextGEN Gallery plugin.
Actually, the vulnerability is fixed simply by updating WordPress, but bbPress hasn’t released a patch yet according to the release notes. Sucuri warned the developers last March; the security disclosure documentation is available at this address.
Wordfence finds vulnerabilities in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins
Wordfence (now called Defiant) has found several vulnerabilities in popular WordPress plugins.
In particular, Formidable Forms 2.05.02 and older are vulnerable to SQL Injection, Cross-Site Scripting and Remote Code Execution attacks, while Duplicator 1.2.28 and older and Yoast SEO 5.7.1 and older are vulnerable to Cross-Site Scripting attacks.
Updates for each plugin that fix these problems are available.