Wednesday, September 24, 2014

Bad bash, no cookie

There's a very nasty vulnerability that's been discovered in bash, a command processor (it can be compared to DOS in Windows) that's included in most Linux and Unix systems, including Apple's OS X. Ubuntu and other Debian-derived systems typically use Dash, and unless bash has been installed they are exempt from this vulnerability.

Bash is a command processor, allowing the user to type commands which cause actions on the server. As such, in the wrong hands it can be disastrous, which is why this particular vulnerability is very serious.

The NIST vulnerability database rates the flaw 10 out of 10 in terms of severity. Jim Reavis, chief exec of the Cloud Security Alliance, claims the hole is comparable in seriousness to the infamous password-leaking Heartbleed bug in the OpenSSL library that was uncovered earlier this year. This vulnerability also affects Apple's OS X – and is useful for privilege escalation.

The good news, at least for Linux servers, is that a patch/update to bash was released earlier today, and it's a very simple fix. By "very simple" I mean it took less than 5 minutes to accomplish, so there is no reason for any hosting server admin not to apply this fix. OS X users may have a harder time patching their systems.

But if you're one of our hosting customers... we've got you covered.

Monday, September 15, 2014

Support system upgrade

The support, billing and ordering system is currently being upgraded. We'll be back momentarily... all shiny and stuff!

If you need help while the support system is being upgraded, we're available through Live Chat.

EDIT 11:13pm: Aaaaaand we're DONE! If you see images that look out of place, try a hard refresh (Control + F5) or clear your browser's cache. This was a major upgrade and we tested thoroughly after the upgrade, but if you find anything isn't working, feel free to let us know.

This is the first step of many planned upgrades to all areas of our website.... stay tuned for more!

WordPress Slider Revolution plugin critical vulnerability

Attention WordPress users! If you use a premium theme that bundles the "Slider Revolution" plugin (one notable and extremely popular theme that includes it is Avada), then you need to upgrade your theme immediately.

A critical security vulnerability has been found, as reported by the Sucuri security company, who specialize in WordPress security issues, and also by WPTavern. The Sucuri article carries much more detailed information about what this exploit can do, but it might be a difficult read for some users.

Since WordPress vulnerabilities are disclosed just about every day, you might wonder why this particular one rates a post in our status blog. Not only is this a particularly nasty exploit, but it involves a plugin that's included in premium themes, which makes it more difficult for the average WordPress site owner to upgrade, or even to receive a notification that an upgrade is available.

As Sarah Gooding states in the WPTavern article:
The Risk of Using Free or Commercial Extensions Without Update Notifications

If you are using a commercial plugin or theme that has no auto-update system or relies on email to notify you of updates, you need to be very proactive about keeping yourself informed. A critical security vulnerability, such as the one reported for Slider Revolution, can easily take down your site(s) if you neglect updates. Theme authors don’t always update their bundled plugins and their users cannot take advantage of the auto update system provided by the plugin author.
In addition, the developers of the Slider Revolution plugin chose not to announce that there was a security issue, nor to notify users of the importance of this upgrade. It's possible a good number of WordPress owners have no idea there's a security issue, and when that involves a very popular WordPress theme, that can be a recipe for disaster.

Envato (the marketplace that sells most WordPress premium themes) has released a comprehensive list of the themes possibly affected by this vulnerability. I would urge you to check whether your WordPress theme is on that list, and update accordingly.
To upgrade a premium theme such as Avada, you'll need to log in to your account with the Envato marketplace. If you have trouble logging in, I would recommend contacting Envato support.

We are already seeing scans for this vulnerability, so upgrading immediately is vital.

"GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

We've taken steps to block any requests for that URL in ModSecurity; this should be a temporary fix until all users can upgrade their affected themes.
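For admins who want to see whether their own sites have already been probed, here is an added example (not our tooling, and not part of the original post) that scans web server access log lines for the request pattern quoted above. It treats any revslider_show_image request whose img parameter escapes the slider directory as a probe, catching URL-encoded variants as well; the log lines are constructed samples.

```python
"""Flag Slider Revolution file-read probes in Apache/Nginx combined-format access logs.

Added example, not the hosting provider's own code. The sample log lines below are
constructed; client addresses and timestamps are made up.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_revslider_probe(target: str) -> bool:
    """True if the request target is a revslider_show_image call that escapes the slider directory."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action") != ["revslider_show_image"]:
        return False
    for img in params.get("img", []):
        # parse_qs already decoded once; decode again so double-encoded
        # sequences such as %252e%252e%252f are caught too.
        decoded = unquote(img).replace("\\", "/")
        if "../" in decoded or decoded.startswith("/") or "wp-config" in decoded:
            return True
    return False

def find_probes(log_lines):
    """Return (client_ip, target) for every log line that matches the probe."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_revslider_probe(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

# Constructed sample log lines: two probes, one legitimate slider image, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "curl/7.35.0"',
    '203.0.113.9 - - [15/Sep/2014:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.2"',
    '198.51.100.7 - - [15/Sep/2014:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 45000 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [15/Sep/2014:10:02:30 +0000] "GET /wp-content/themes/avada/style.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target in find_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {target}")
```

A hit with a 200 status on the probe line means the server answered the request, so treat wp-config.php (and the database credentials in it) as exposed and rotate them after upgrading.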

We do all we can to assist our hosting users and keep your websites and data safe, but ultimately it's your responsibility for what software is installed and used on your website, and your responsibility to keep it updated (per our Terms of Service).

WordPress can be deceptively simple to use, but the back-end is very powerful. And with great power comes great responsibility. If this is something that's beyond your ability to handle, hire a knowledgeable WordPress admin (like us!). The cost of having someone who knows what they're doing at the helm is far less than what it would cost, in time, money, and lost business reputation, to deal with your WordPress site being hacked.

To stay updated and notified of available WordPress updates, you should have email notifications of updates enabled in your WordPress dashboard, or (if you're our hosting customer) through Installatron.

To be notified of general Internet and hosting security issues, please either subscribe to this blog, and/or follow us on Facebook, Tumblr, or Twitter.