news aggregator

Best practices for XML sitemaps & RSS/Atom feeds

Google Webmaster Central Blog - Thu, 2014-10-16 08:36

Webmaster level: intermediate-advanced

Submitting sitemaps can be an important part of optimizing websites. Sitemaps enable search engines to discover all pages on a site and to download them quickly when they change. This blog post explains which fields in sitemaps are important, when to use XML sitemaps and RSS/Atom feeds, and how to optimize them for Google.

Sitemaps and feeds

Sitemaps can be in XML sitemap, RSS, or Atom formats. The important difference between these formats is that XML sitemaps describe the whole set of URLs within a site, while RSS/Atom feeds describe recent changes. This has important implications:

  • XML sitemaps are usually large; RSS/Atom feeds are small, containing only the most recent updates to your site.
  • XML sitemaps are downloaded less frequently than RSS/Atom feeds.

For optimal crawling, we recommend using both XML sitemaps and RSS/Atom feeds. XML sitemaps will give Google information about all of the pages on your site. RSS/Atom feeds will provide all updates on your site, helping Google to keep your content fresher in its index. Note that submitting sitemaps or feeds does not guarantee the indexing of those URLs.

Example of an XML sitemap:

<?xml version="1.0" encoding="utf-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 <url>
   <loc>http://example.com/mypage</loc>
   <lastmod>2011-06-27T19:34:00+01:00</lastmod>
   <!-- optional additional tags -->
 </url>
 <url>
   ...
 </url>
</urlset>

Example of an RSS feed:

<?xml version="1.0" encoding="utf-8"?>
<rss>
 <channel>
   <!-- other tags -->
   <item>
     <!-- other tags -->
     <link>http://example.com/mypage</link>
     <pubDate>Mon, 27 Jun 2011 19:34:00 +0100</pubDate>
   </item>
   <item>
     ...
   </item>
 </channel>
</rss>

Example of an Atom feed:

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
 <!-- other tags -->
 <entry>
   <link href="http://example.com/mypage" />
   <updated>2011-06-27T19:34:00+01:00</updated>
   <!-- other tags -->
 </entry>
 <entry>
   ...
 </entry>
</feed>

“other tags” refer to both optional and required tags by their respective standards. We recommend that you specify the required tags for Atom/RSS as they will help you to appear on other properties that might use these feeds, in addition to Google Search.

Best practices

Important fields

XML sitemaps and RSS/Atom feeds, in their core, are lists of URLs with metadata attached to them. The two most important pieces of information for Google are the URL itself and its last modification time:

URLs

URLs in XML sitemaps and RSS/Atom feeds should adhere to the following guidelines:

  • Only include URLs that can be fetched by Googlebot. A common mistake is including URLs disallowed by robots.txt — which cannot be fetched by Googlebot, or including URLs of pages that don't exist.
  • Only include canonical URLs. A common mistake is to include URLs of duplicate pages. This increases the load on your server without improving indexing.

Last modification time

Specify a last modification time for each URL in an XML sitemap and RSS/Atom feed. The last modification time should be the last time the content of the page changed meaningfully. If a change is meant to be visible in the search results, then the last modification time should be the time of this change.

  • XML sitemap uses <lastmod>
  • RSS uses <pubDate>
  • Atom uses <updated>

Be sure to set or update last modification time correctly:

  • Specify the time in the correct format: W3C Datetime for XML sitemaps, RFC3339 for Atom and RFC822 for RSS.
  • Only update modification time when the content changed meaningfully.
  • Don’t set the last modification time to the current time whenever the sitemap or feed is served.

XML sitemaps

XML sitemaps should contain URLs of all pages on your site. They are often large and update infrequently. Follow these guidelines:

  • For a single XML sitemap: update it at least once a day (if your site changes regularly) and ping Google after you update it.
  • For a set of XML sitemaps: maximize the number of URLs in each XML sitemap. The limit is 50,000 URLs or a maximum size of 10MB uncompressed, whichever is reached first. Ping Google for each updated XML sitemap (or once for the sitemap index, if that's used) every time it is updated. A common mistake is to put only a handful of URLs into each XML sitemap file, which usually makes it harder for Google to download all of these XML sitemaps in a reasonable time.

RSS/Atom

RSS/Atom feeds should convey recent updates of your site. They are usually small and updated frequently. For these feeds, we recommend:

  • When a new page is added or an existing page meaningfully changed, add the URL and the modification time to the feed.
  • In order for Google to not miss updates, the RSS/Atom feed should have all updates in it since at least the last time Google downloaded it. The best way to achieve this is by using PubSubHubbub. The hub will propagate the content of your feed to all interested parties (RSS readers, search engines, etc.) in the fastest and most efficient way possible.
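
The last-modification-time and XML sitemap guidelines above, as an added Python example (not code from the original post): `format_timestamps` renders one change time in the three formats, and `lint_sitemap` checks a file against the 50,000-URL and 10MB limits and the W3C Datetime rule. The function names, the constructed sample sitemap and the shared-timestamp heuristic are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
MAX_URLS = 50_000               # per-file URL limit quoted in the post
MAX_BYTES = 10 * 1024 * 1024    # 10MB uncompressed, as quoted in the post

# W3C Datetime: YYYY, YYYY-MM, YYYY-MM-DD, or a full date followed by
# "T", hh:mm (optionally :ss and a fraction) and a mandatory zone.
W3C_DATETIME = re.compile(
    r"(\d{4})(?:-(\d{2})(?:-(\d{2})"
    r"(?:T(\d{2}):(\d{2})(?::(\d{2})(?:\.\d+)?)?(?:Z|[+-]\d{2}:\d{2}))?)?)?"
)


def is_w3c_datetime(value):
    """True if value is syntactically W3C Datetime and a real calendar date."""
    m = W3C_DATETIME.fullmatch(value)
    if not m:
        return False
    year, month, day, hour, minute, second = m.groups()
    try:
        datetime(int(year), int(month or 1), int(day or 1),
                 int(hour or 0), int(minute or 0), int(second or 0))
    except ValueError:
        return False
    return True


def format_timestamps(changed_at):
    """Render one timezone-aware change time for each of the three formats."""
    if changed_at.tzinfo is None:
        raise ValueError("changed_at must be timezone-aware")
    iso = changed_at.isoformat(timespec="seconds")
    return {
        "lastmod": iso,                          # XML sitemap: W3C Datetime
        "updated": iso,                          # Atom: RFC 3339
        "pubDate": format_datetime(changed_at),  # RSS: RFC 822
    }


def lint_sitemap(xml_bytes):
    """Return a list of problems found in one XML sitemap file (bytes).

    Meant for files you generate yourself, not for untrusted XML.
    """
    problems = []
    if len(xml_bytes) > MAX_BYTES:
        problems.append("file is larger than 10MB uncompressed")
    urls = ET.fromstring(xml_bytes).findall("sm:url", NS)
    if len(urls) > MAX_URLS:
        problems.append(f"{len(urls)} URLs in one file (limit {MAX_URLS})")
    stamps = []
    for n, url in enumerate(urls, 1):
        loc = url.findtext("sm:loc", default="", namespaces=NS).strip()
        lastmod = url.findtext("sm:lastmod", default="", namespaces=NS).strip()
        if not loc:
            problems.append(f"url {n}: missing <loc>")
        if not lastmod:
            problems.append(f"url {n}: missing <lastmod>")
        elif not is_w3c_datetime(lastmod):
            problems.append(f"url {n}: lastmod {lastmod!r} is not W3C Datetime")
        else:
            stamps.append(lastmod)
    # Heuristic (an assumption of this example): every URL carrying the same
    # timestamp usually means lastmod is stamped when the file is generated.
    if len(urls) > 1 and len(stamps) == len(urls) and len(set(stamps)) == 1:
        problems.append("all URLs share one lastmod; is it the generation time?")
    return problems


# Constructed sample: entry 1 is the post's own example, entry 2 puts an
# RSS-style date in <lastmod>, entry 3 has no <lastmod> at all.
SAMPLE_SITEMAP = b"""<?xml version="1.0" encoding="utf-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 <url><loc>http://example.com/mypage</loc>
      <lastmod>2011-06-27T19:34:00+01:00</lastmod></url>
 <url><loc>http://example.com/news</loc>
      <lastmod>Mon, 27 Jun 2011 19:34:00 +0100</lastmod></url>
 <url><loc>http://example.com/about</loc></url>
</urlset>"""

# The timestamp used in the post's three format examples.
POST_EXAMPLE = datetime(2011, 6, 27, 19, 34, tzinfo=timezone(timedelta(hours=1)))

if __name__ == "__main__":
    print(format_timestamps(POST_EXAMPLE))
    for problem in lint_sitemap(SAMPLE_SITEMAP):
        print(problem)
```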

Generating both XML sitemaps and Atom/RSS feeds is a great way to optimize crawling of a site for Google and other search engines. The key information in these files is the canonical URL and the time of the last modification of pages within the website. Setting these properly, and notifying Google and other search engines through sitemaps pings and PubSubHubbub, will allow your website to be crawled optimally, and represented accordingly in search results.

If you have any questions, feel free to post them here, or to join other webmasters in the webmaster help forum section on sitemaps.

Posted by Alkis Evlogimenos, Google Feeds Team
Categories: sysadmin

PHP 5.6.2 is available

php.net - Thu, 2014-10-16 00:00
The PHP development team announces the immediate availability of PHP 5.6.2. Four security-related bugs were fixed in this release, including fixes for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. All PHP 5.6 users are encouraged to upgrade to this version. For source downloads of PHP 5.6.2 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: news, PHP

PHP 5.4.34 Released

php.net - Thu, 2014-10-16 00:00
The PHP development team announces the immediate availability of PHP 5.4.34. 6 security-related bugs were fixed in this release, including fixes for CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. Also, a fix for OpenSSL which produced regressions was reverted. All PHP 5.4 users are encouraged to upgrade to this version. For source downloads of PHP 5.4.34 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: news, PHP

PHP 5.5.18 is available

php.net - Thu, 2014-10-16 00:00
The PHP development team announces the immediate availability of PHP 5.5.18. Several bugs were fixed in this release. A regression in OpenSSL introduced in PHP 5.5.17 has also been addressed in this release. PHP 5.5.18 also fixes 4 CVEs in different components. All PHP 5.5 users are encouraged to upgrade to this version. For source downloads of PHP 5.5.18 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: news, PHP

Closures in PHP Who Knew?

PHPBuilder.com - Wed, 2014-10-15 12:40
Closures (also known as anonymous functions or lambda functions) are just that - Anonymous or closed. They don't follow the standard function declaration, and can be created inline. If you've used any modern JavaScript library, you've already done this.
Categories: PHP

Bring your local business online -- no website required!

Google Webmaster Central Blog - Mon, 2014-10-06 13:00
Webmaster Level: Beginner

“Hey, how do I get my business on the web?” Having worked at Google for nine years, if I had a penny for every time someone asked me that question… :) To answer, today we’re releasing a short video series (30 minutes total!), sharing the same advice we’d give to our friends and family. It’s the advice I’d give to my sister, Marnie, who owns a jewelry store, or my cousin, Scott, who works as a realtor. Video spoiler alert: You won’t need to make a website, but you definitely need a way for your local business to reach potential customers using their mobile phones, tablets, or desktop computers.

Video series to help local business owners of all technical levels to get their business found on the web. It focuses on the benefits of creating a Yelp business page, Facebook page, Google+ page, etc.
The great thing about video is that you can pause at any time and work at your own pace. Next time you hear the question: “How do I get my business on Google?”, please share the link and let's get more local businesses online!

Series: Build an online presence for your local business

  • Video #1: Introduction and hot topics (3:22) Meet my sister, Marnie, who owns a jewelry store and my cousin, Scott, who works as a realtor. Follow them as we talk about the big changes in the last decade, such as making sure your business can reach customers at work, home, or on-the-go using their mobile phones.
  • Video #2: Determine your business’ value-add and online goal (4:08) With the example of Scott, the realtor, you’ll learn about the marketing funnel, setting an online goal, and highlighting what makes your business special.
  • Video #3. Find potential customers (7:41) Marnie and Scott figure out their customers’ most common journeys to reach their business. We'll use their examples to brainstorm how you can reach customers on review sites, through search engines, maps apps, and social and professional networking sites.
  • Video #4: Basic implementation and best practices (5:23) The fundamentals and best practices to take your business from offline to online!
  • Video #5: Differentiate your business from the competition (5:09) With Scott’s business as a realtor, see how to demonstrate that your local business is the best choice for customers by adding photos, videos, and getting reviews.
  • Video #6: Engage customers with a holistic online identity (4:51) We'll end the series by showing how Scott makes sure his online presence sends a cohesive message to customers and answers all their common questions. :)

Written by Maile Ohye, Developer Programs Tech Lead
Categories: sysadmin

PHP 5.6.1 released

php.net - Thu, 2014-10-02 00:00
The PHP development team announces the immediate availability of PHP 5.6.1. Several bugs were fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version. For source downloads of PHP 5.6.1 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: news, PHP

TA14-268A: GNU Bourne-Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278)

US-CERT - Thu, 2014-09-25 12:56
Original release date: September 25, 2014 | Last revised: September 30, 2014

Systems Affected

  • GNU Bash through 4.3.
  • Linux and Mac OS X systems, on which Bash is part of the base operating system.
  • Any BSD or UNIX system on which GNU Bash has been installed as an add-on.
  • Any UNIX-like operating system on which the /bin/sh interface is implemented as GNU Bash.

Overview

A critical vulnerability has been reported in the GNU Bourne-Again Shell (Bash), the common command-line shell used in many Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

  • Apache HTTP Server using mod_cgi or mod_cgid, where scripts are either written in Bash or spawn GNU Bash subshells, or on any system where the /bin/sh interface is implemented using GNU Bash.
  • Overriding or bypassing the ForceCommand feature in OpenSSH sshd, and the limited protection that some Git and Subversion deployments use to restrict shells, which allows arbitrary command execution. This data path is vulnerable on systems where the /bin/sh interface is implemented using GNU Bash.
  • Allowing arbitrary commands to run on a DHCP client machine.

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers who can provide specially crafted environment variables containing arbitrary commands to execute on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Initial solutions for Shellshock do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278. Red Hat has provided a support article [6] with updated information.

Many UNIX-like operating systems, including Linux distributions and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [7].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summaries for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278 to mitigate damage caused by the exploit.

References

Revision History

  • September 25, 2014 - Initial Release
  • September 26, 2014 - Minor Revisions
  • September 30, 2014 - Update to include additional CVE information

Categories: news, security

Most Important Features in PHP 5

PHPBuilder.com - Wed, 2014-09-24 18:01
PHP 5 introduced a set of new features and functionalities to improve performance, efficiency and more. There are three major areas in which the improvement is significant. This article will discuss the most important features introduced in PHP 5.
Categories: PHP

PHP 5.4.33 Released

php.net - Thu, 2014-09-18 00:00
The PHP development team announces the immediate availability of PHP 5.4.33. 10 bugs were fixed in this release. All PHP 5.4 users are encouraged to upgrade to this version. This release is the last planned release that contains regular bugfixes. All the consequent releases will contain only security-relevant fixes, for the term of one year. PHP 5.4 users that need further bugfixes are encouraged to upgrade to PHP 5.6 or PHP 5.5. For source downloads of PHP 5.4.33 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: news, PHP

PHP 5.5.17 is available

php.net - Thu, 2014-09-18 00:00
The PHP development team announces the immediate availability of PHP 5.5.17. Several bugs were fixed in this release. All PHP 5.5 users are encouraged to upgrade to this version. For source downloads of PHP 5.5.17 please visit our downloads page, Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.
Categories: news, PHP

[Honeypot Alert] New Bot Malware (BoSSaBoTv2) Attacking Web Servers Discovered

Web Security Blog - Mon, 2014-09-15 09:00

Our web honeypots picked up some interesting attack traffic.  The initial web application attack vector (PHP-CGI vulnerability) is not new, the malware payload is.  We wanted to get this information out to the community quickly due to the following combined threat elements -

  • Active exploit attempts to upload/install the malware
  • The overall low detection rates among AV vendors
  • The malware is actively being sold in underground forums 

Update - Another security researcher has also seen similar activity in his ModSecurity honeypots back on August 26.  Some of the tactics have changed but the core of the attack seems the same.

We have already discussed the initial PHP-CGI vuln attack/exploit vector in a previous blog post.  What is interesting in these attacks are the actual tools installed if the attack is successful.  Here is the initial screen shot of the attack payloads taken from the ModSecurity audit log file on the honeypot:

We cross-referenced this attack with our own IDS alerts from the Trustwave MSS team and have seen a definite increase in scanning activity for the initial web application attack vector (PHP-CGI) within the last month:

Keep in mind that exploit vectors and payloads are separate ecosystems.  They are often interchanged with each other.  For example, we often see new PHP command injection vectors used within botnet code that execute or install the same backend malware code.  The initial URL encoded data in the QUERY_STRING decodes to:

The final "auto_prepend_file=php://input -a" data tells php to take the info from the POST payload and append it to any existing code and execute it.  If we look at the complete PHP code in the request body, we see that there are actually 2 different variables that contain base64 encoded data.  

This data is then later decoded, placed into temp files and executed.

What are these files?  If we base64 decode the variable data, we can see that they are in fact ELF binaries that are packed with UPX -

Here is some quick static analysis -

The files are essentially the same, however one is 32-bit and one is 64-bit.  The attacker isn't even bothering with checking the web server OS version... they are just trying to execute both to see which one might work.  Checking this file over on VirusTotal shows that only 4 AV vendors currently detect this file as malicious:


 Note - We have internally verified that Trustwave AV does detect this file as malicious.

 The file contains many clear text URLs that have been associated with Botnet C&C activity:

  • srv5050.co

  • ka3ek.com

  • ircqfrum.com

  • 8rb.su 

Once we see the IRC botnet code, we get a clearer idea of what we are dealing with here:

There are many IRC commands here.  IRC botnet code installs are nothing earth-shatteringly new however most of the variants we capture are written in Perl, PHP, etc...  This one is binary C code.  One interesting tactical note - the destination IRC port on these C&C servers is 53.  This is a smart move from the attacker's perspective as DMZ network firewalls may allow web servers to initiate outbound DNS queries.   

Additionally, we see the highlighted section of code which seems to identify this code as: BoSSaBoTv2.  After some searching, we were able to find that this code is actively being sold on underground forums.  Here are some example screenshots:

Notice some of these features including bundling a Bitcoin Miner program.  This is interesting as this shows another aspect how an attacker is looking to abuse their access to a compromised web server.  They can siphon off local system resources such as CPU and RAM in attempts to create Bitcoins.  Here are some of the commands for downloading and running the Bitcoin miner -

 

We also see on the hacker forum that this malware is for sale at affordable prices:

 

Conclusion

We wanted to get this information out to the community quickly due to the following combined threat elements -

  • Active exploit attempts to upload/install the malware
  • The overall low detection rates among AV vendors
  • The malware is actively being sold in underground forums 

Here are a few defensive steps:

Update Network Firewall Egress Rules

All too often, we see weak or non-existent egress firewall rules.  As an example of why you need them - during our research, we saw the IRC botnet master send down commands to have the malware update itself by downloading a new version -

If you can block outbound connections from your web servers to 3rd party hosts, you can significantly help to reduce an attacker's ability to expand their breach.

Deploy a WAF

Our honeypots picked this up due to alerts from our ModSecurity WAF rules.  The Trustwave WAF also detects these attacks.  Not only will this give you some base protections, but it also provides better logging vs. standard web server log files.  Speaking of web server log files....

Check Your Logs

Review your web server log files to see if you have been receiving these initial PHP-CGI attacks.

Pay close attention to the HTTP Response Status Codes. Anything other than a 404 - Not Found could indicate trouble. 
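
The log review described above, as an added Python example (not code from the original post): it URL-decodes each request's query string, looks for the `auto_prepend_file=php://input` directive quoted earlier, and separates 404 probes from responses that need a closer look. The combined log format, the function names and the sample lines (constructed, using documentation IP ranges) are assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx "combined" access-log layout (assumed for this example).
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The directive quoted in the post, matched only after URL-decoding.
MARKER = re.compile(r"auto_prepend_file\s*=\s*php://input", re.IGNORECASE)


def decode_query(target, max_rounds=3):
    """Return the query string of a request target, URL-decoded until stable."""
    query = target.partition("?")[2]
    for _ in range(max_rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan(lines):
    """Return one finding per logged request that carries the marker."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not MARKER.search(decode_query(m["target"])):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": m["target"].partition("?")[0],
            "status": status,
            # The post's rule of thumb: anything other than 404 needs a look.
            "verdict": "probe, target absent" if status == 404 else "investigate",
        })
    return findings


def hosts_to_investigate(findings):
    """Source addresses whose marked requests got a non-404 response."""
    return sorted({f["ip"] for f in findings if f["verdict"] == "investigate"})


# Constructed sample lines: plain-encoded, fully hex-encoded and
# double-encoded forms of the marker, plus two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Sep/2014:09:00:01 +0000] "POST /cgi-bin/php?'
    'auto_prepend_file%3Dphp%3A%2F%2Finput HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [15/Sep/2014:09:00:07 +0000] "POST /cgi-bin/php5?'
    '%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D'
    '%70%68%70%3A%2F%2F%69%6E%70%75%74 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.5 - - [15/Sep/2014:09:01:30 +0000] "POST /cgi-bin/php?'
    'auto_prepend_file%253Dphp%253A%252F%252Finput HTTP/1.1" 500 310 "-" "-"',
    '192.0.2.44 - - [15/Sep/2014:09:02:00 +0000] "GET /index.php?page=2 '
    'HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [15/Sep/2014:09:02:05 +0000] "GET /search?q=php+input '
    'HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("investigate:", hosts_to_investigate(scan(SAMPLE_LOG)))
```

Access logs do not record the POST body, so a match here only tells you which requests to pull from the WAF audit log.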

Categories: web server

An improved search box within the search results

Google Webmaster Central Blog - Fri, 2014-09-12 10:19
Webmaster level: All
Today you’ll see a new and improved sitelinks search box. When shown, it will make it easier for users to reach specific content on your site, directly through your own site-search pages.
What’s this search box and when does it appear for my site?

When users search for a company by name—for example, [Megadodo Publications] or [Dunder Mifflin]—they may actually be looking for something specific on that website. In the past, when our algorithms recognized this, they'd display a larger set of sitelinks and an additional search box below that search result, which let users do site: searches over the site straight from the results, for example [site:example.com hitchhiker guides].
This search box is now more prominent (above the sitelinks), supports Autocomplete, and—if you use the right markup—will send the user directly to your website's own search pages.
How can I mark up my site?

You need to have a working site-specific search engine for your site. If you already have one, you can let us know by marking up your homepage as a schema.org/WebSite entity with the potentialAction property of the schema.org/SearchAction markup. You can use JSON-LD, microdata, or RDFa to do this; check out the full implementation details on our developer site.
If you implement the markup on your site, users will have the ability to jump directly from the sitelinks search box to your site’s search results page. If we don’t find any markup, we’ll show them a Google search results page for the corresponding site: query, as we’ve done until now.
As always, if you have questions, feel free to ask in our Webmaster Help forum.

Update (16:30h CET, September 12th): We're noticing an enthusiastic uptick in the markup implementation after the initial announcement last week! Here are the two main issues we've observed so far, and what you need to do to fix them:

  1. Make sure that when you replace the curly braces and all that's inside of it with a search term it leads to a valid URL on your site.
    For example: if your "target" value is "http://www.example.com/search?q={searchTerm}", ensure that "http://www.example.com/search?q=foo" and "http://www.example.com/search?q=bar" both lead to search result pages about "foo" and "bar".
  2. Make sure that the "query-input" field points to the same string that's inside the curly braces in the "target" field.
    For example: if your "target" value is "http://www.example.com/search?q={searchTerm}", you must use "searchTerm" as the "name" within "query-input".
Posted by Mariya Moeva, Webmaster Trends Analyst, and Kaylin Spitz, Software Engineer
Categories: sysadmin

An update to the Webmaster Tools API

Google Webmaster Central Blog - Fri, 2014-09-12 08:42

Webmaster level: advanced

Over the summer the Webmaster Tools team has been cooking up an update to the Webmaster Tools API. The new API is consistent with other Google APIs, makes it easier to authenticate for apps or web-services, and provides access to some of the main features of Webmaster Tools.

If you've used other Google APIs, getting started with the new Webmaster Tools API will be easy! We have examples for Python, Java, as well as OACurl (for fans of command lines).

This API allows you to:

  • list, add, or remove sites from your account (you can currently have up to 500 sites in your account)
  • list, add, or remove sitemaps for your websites
  • get warning, error, and indexed counts for individual sitemaps
  • get a time-series of all kinds of crawl errors for your site
  • list crawl error samples for specific types of errors
  • mark individual crawl errors as "fixed" (this doesn't change how they're processed, but can help simplify the UI for you)

We'd love to see what you're building with our APIs! Feel free to link to your projects in the comments below. Should you have any questions about the usage of the API, feel free to post in our help forum as well.


Posted by John Mueller, fan of long command lines, Google Zürich
Categories: sysadmin

Webmaster Academy now available in 22 languages

Google Webmaster Central Blog - Mon, 2014-09-08 12:01
Webmaster level: Beginner

Today, the new Webmaster Academy goes live in 22 languages! New or beginner webmasters speaking a multitude of languages can now learn the fundamentals of making a great site, providing an enjoyable user experience, and ranking well in search results. And if you think you’re already familiar with these topics, take the quizzes at the end of each module to prove it :).

So give Webmaster Academy a read in your preferred language and let us know in the comments or help forum what you think. We’ve gotten such great and helpful feedback after the English version launched this past March so we hope this straightforward and easy-to-read guide can be helpful (and fun!) to everyone.

Let’s get great sites and searchable content up and running around the world.

Posted by Mary Chen, Webmaster Outreach
Categories: sysadmin

Optimizing for Bandwidth on Apache and Nginx

Google Webmaster Central Blog - Thu, 2014-09-04 11:27

Webmaster level: advanced

Everyone wants to use less bandwidth: hosts want lower bills, mobile users want to stay under their limits, and no one wants to wait for unnecessary bytes. The web is full of opportunities to save bandwidth: pages served without gzip, stylesheets and JavaScript served unminified, and unoptimized images, just to name a few.

So why isn't the web already optimized for bandwidth? If these savings are good for everyone then why haven't they been fixed yet? Mostly it's just been too much hassle. Web designers are encouraged to "save for web" when exporting their artwork, but they don't always remember.  JavaScript programmers don't like working with minified code because it makes debugging harder. You can set up a custom pipeline that makes sure each of these optimizations is applied to your site every time as part of your development or deployment process, but that's a lot of work.

An easy solution for web users is to use an optimizing proxy, like Chrome's. When users opt into this service their HTTP traffic goes via Google's proxy, which optimizes their page loads and cuts bandwidth usage by 50%.  While this is great for these users, it's limited to people using Chrome who turn the feature on and it can't optimize HTTPS traffic.

With Optimize for Bandwidth, the PageSpeed team is bringing this same technology to webmasters so that everyone can benefit: users of other browsers, secure sites, desktop users, and site owners who want to bring down their outbound traffic bills. Just install the PageSpeed module on your Apache or Nginx server [1], turn on Optimize for Bandwidth in your configuration, and PageSpeed will do the rest.

If you later decide you're interested in PageSpeed's more advanced optimizations, from cache extension and inlining to the more aggressive image lazyloading and defer JavaScript, it's just a matter of enabling them in your PageSpeed configuration.

Learn more about installing PageSpeed or enabling Optimize for Bandwidth.


Posted by Jeff Kaufman, Make the Web Fast


[1] If you're using a different web server, consider running PageSpeed on an Apache or Nginx proxy.  And it's all open source, with porting efforts underway for IIS, ATS, and others.
Categories: sysadmin

[Honeypot Alert] Active Probes for WordPress revslider_show_image Plugin Local File Inclusion Flaw

Web Security Blog - Wed, 2014-09-03 16:22

A local file inclusion vulnerability in the WordPress Slider Revolution Plugin has been released:

Apparently this vulnerability has been discussed on some underground forums for a couple of months, but it wasn't until these more mainstream websites published data that we saw attackers start scanning for vulnerable sites.  Our web honeypots picked up increased scanning activity today.  Here is an example full audit log dump of the HTTP request from our ModSecurity WAF:

In this attack example, the attacker is trying to access the WordPress config file in the hopes of obtaining sensitive data such as database credentials.

Recommendations

Update your WordPress Slider Revolution Plugin

Sucuri Security is seeing similar activity and is also reporting that the developer of this Plugin chose to silently patch this vulnerability.  This did a disservice to the Plugin's user base, who were not made aware of the problem or prompted to update.  A couple of notes:

  • Updating this plugin may need to be done manually if your WP manager does not provide an interface for it.
  • Beware that "disabling" the Plugin may end up being superseded by the Theme and be re-enabled.  You may need to remove it altogether if you cannot update it.

Use WAF Protections

WAFs can be used to help prevent exploitation until you can get your systems updated.  Trustwave's WebDefend WAF would block this attack either through a generic "Directory Traversal Attack" signature or through an anomaly of the learned resource profile.  For ModSecurity WAF, we have added a new signature to our commercial rules feed:

Categories: web server
