For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and the Crowdsource ethical hacker community. Due to confidentiality agreements we cannot publicize every security update here, but all of them are added to our scanner immediately and are available to all users. This post highlights a few things we have improved in the last two weeks.
The recent Magento vulnerability that made a lot of news was submitted together with a working proof of concept. That means we can actually test for the vulnerability rather than only fingerprinting the installed Magento version, which minimizes false positives and produces a much more accurate report.
WordPress wp-google-maps SQL Injection
This was reported to us as a 0-day at the same time as the researcher notified the plugin's developers. The plugin vendor acted quickly and released a patched version two days ago, as can be seen in the changelog. A big thank you to Crowdsource researcher Thomas Chauchefoin, who found and reported the vulnerability.
Google Maps Unrestricted API Key Exposure
Google Maps provides an API for site owners who want to embed a map on their website. The API key can be restricted in several ways, and if no HTTP referrer restriction (an allow list of the domains the key may be used from) is configured when the key is set up, any other website can embed a map using your key. This is a paid API, so an unrestricted key can drastically increase your Google bill or, once the quota is exhausted, stop maps from working on your own site. The key itself cannot be hidden, since the browser has to send it with every request, so the referrer restriction is the only control you have.
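To make the check concrete, here is an added example (our own illustration, not Detectify's scanner code) that pulls Google Maps API keys out of a page and then asks the Static Maps endpoint for a one-pixel map twice: once with a Referer that looks like the owner's site and once from an arbitrary origin. The sample HTML, the key strings and the fetch stubs used for testing are all constructed; only `maps.googleapis.com` and its `key=` parameter are real.

```python
"""Added example, not Detectify's code: find Google Maps API keys embedded in a
page and check whether a key honours an HTTP referrer restriction. Sample HTML
and the fetch stubs used in tests are constructed for illustration."""
import re
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Any Maps Platform URL (JS loader, Static Maps, ...) that may carry ?key=
MAPS_URL_RE = re.compile(r"https?://maps\.googleapis\.com/maps/api/[^\s\"'<>]+", re.I)

# Smallest request that still needs a valid, usable key
STATIC_MAP = "https://maps.googleapis.com/maps/api/staticmap?center=0,0&zoom=1&size=1x1&key={}"

# Constructed page with two (fake) keys; the first one is embedded twice
SAMPLE_HTML = """
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyEXAMPLE_KEY_ONE_NOT_REAL00000000&amp;callback=initMap"></script>
<img src="https://maps.googleapis.com/maps/api/staticmap?center=59.33,18.07&zoom=12&size=400x200&key=AIzaSyEXAMPLE_KEY_TWO_NOT_REAL00000000">
<script src="https://maps.googleapis.com/maps/api/js?key=AIzaSyEXAMPLE_KEY_ONE_NOT_REAL00000000"></script>
"""


def extract_maps_keys(html):
    """Unique API keys in the order they first appear in the page."""
    keys = []
    for url in MAPS_URL_RE.findall(html):
        url = url.replace("&amp;", "&")  # keys sit inside HTML attributes
        for key in parse_qs(urlparse(url).query).get("key", []):
            if key not in keys:
                keys.append(key)
    return keys


def default_fetch(url, headers):
    """GET url and return (status, content_type); the live path, not used by tests."""
    try:
        with urlopen(Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except HTTPError as err:
        return err.code, err.headers.get("Content-Type", "")


def static_map_status(key, referer, fetch=default_fetch):
    """'ok' if the Static Maps endpoint served an image for this Referer,
    'denied' on 403, otherwise the raw status code."""
    status, ctype = fetch(STATIC_MAP.format(key), {"Referer": referer})
    if status == 200 and ctype.startswith("image/"):
        return "ok"
    return "denied" if status == 403 else status


def classify_key(key, site_origin, fetch=default_fetch):
    """Compare a request that looks like the owner's site with one from an
    arbitrary origin. Only the combination is meaningful: a lone 403 may just
    mean the Static Maps API is not enabled for that key at all."""
    own = static_map_status(key, site_origin.rstrip("/") + "/", fetch)
    foreign = static_map_status(key, "https://attacker.example/", fetch)
    if foreign == "ok":
        return "unrestricted"          # anyone can run up the bill on this key
    if own == "ok" and foreign == "denied":
        return "referrer-restricted"   # locked to the owner's origin
    return "inconclusive"


if __name__ == "__main__":
    for found in extract_maps_keys(SAMPLE_HTML):
        print(found, classify_key(found, "https://shop.example"))
```

Note that the Referer header is set by the client, so a referrer restriction stops other websites from embedding your map in a browser but not a script that forges the header; it is still the right fix, because the abuse the article describes is exactly other sites' browsers sending your key.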
Git Daemon Exposure
Not only do people accidentally expose Git configuration files and .git directories over HTTP; some also accidentally expose the Git daemon itself (git-daemon, which serves the git:// protocol on TCP port 9418). When that happens, an attacker can connect to it and clone the complete source code, history included, of any repository the daemon exports.
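The quickest manual test is `git ls-remote git://host/repo.git`, but it helps to see what actually goes over the wire. The following is an added example (not Detectify's scanner code) that speaks the first step of the git:// protocol: it frames the `git-upload-pack` request as a pkt-line, reads the daemon's reply and tells a ref advertisement (repository is cloneable) apart from an `ERR` packet (path not exported) or a non-git service. The sample replies, the hostname and the repository path are constructed for the tests; the framing and the error message format are git's own.

```python
"""Added example, not Detectify's code: probe a host for an exposed Git daemon
by sending the git:// upload-pack request and classifying the reply.
The sample daemon replies below are constructed for illustration."""
import socket

GIT_PORT = 9418  # git:// protocol port served by git-daemon


def pkt_line(payload):
    """Frame a payload as a pkt-line: 4 hex digits giving the total length
    (including the 4 length bytes) followed by the payload."""
    return f"{len(payload) + 4:04x}".encode() + payload


def upload_pack_request(path, host):
    """The request git itself sends when cloning git://host/path."""
    return pkt_line(b"git-upload-pack " + path.encode() + b"\0host=" + host.encode() + b"\0")


def parse_pkt_lines(data):
    """Split pkt-line framed data into payloads. Returns (payloads, complete);
    complete is True once the flush-pkt '0000' that ends the ref advertisement
    has been seen. Raises ValueError if the length field is not hex."""
    payloads, pos = [], 0
    while pos + 4 <= len(data):
        length = int(data[pos:pos + 4], 16)
        if length == 0:
            return payloads, True
        if pos + length > len(data):
            break  # last packet not fully received yet
        payloads.append(data[pos + 4:pos + length])
        pos += length
    return payloads, False


def interpret_advertisement(data):
    """Classify the daemon's first reply:
    ('refs', [(sha, refname), ...])  the repository is cloneable by anyone
    ('error', message)                an 'ERR' packet, e.g. path not exported
    ('not-git', prefix)               something else answered on the port
    ('no-response', '')               connection accepted but nothing sent"""
    if not data:
        return "no-response", ""
    try:
        payloads, _ = parse_pkt_lines(data)
    except ValueError:
        return "not-git", data[:32].decode(errors="replace")
    refs = []
    for payload in payloads:
        if payload.startswith(b"ERR "):
            return "error", payload[4:].decode(errors="replace").strip()
        line = payload.split(b"\0", 1)[0].rstrip(b"\n")  # drop capability list
        sha, _, name = line.partition(b" ")
        refs.append((sha.decode(), name.decode()))
    return "refs", refs


def probe_git_daemon(host, path="/", port=GIT_PORT, timeout=5):
    """Connect, send the upload-pack request and return interpret_advertisement
    of the reply, or ('closed', reason) when nothing is listening."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(upload_pack_request(path, host))
            sock.settimeout(timeout)
            while len(data) < 1 << 20:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                data += chunk
                # Stop once the advertisement is complete; the daemon then
                # waits for our 'want' lines and would never close the socket.
                try:
                    payloads, complete = parse_pkt_lines(data)
                except ValueError:
                    break
                if complete or any(p.startswith(b"ERR ") for p in payloads):
                    break
    except OSError as err:
        return "closed", str(err)
    return interpret_advertisement(data)


# Constructed replies: a ref advertisement for an exported repo, and the
# default (non-informative) git-daemon error for a path it will not serve.
SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_ADVERTISEMENT = (
    pkt_line(SHA.encode() + b" HEAD\0multi_ack side-band-64k\n")
    + pkt_line(SHA.encode() + b" refs/heads/master\n")
    + b"0000"
)
SAMPLE_ERROR = pkt_line(b"ERR access denied or repository not exported: /private.git")

if __name__ == "__main__":
    print(interpret_advertisement(SAMPLE_ADVERTISEMENT))
    print(interpret_advertisement(SAMPLE_ERROR))
```

The daemon does not list repositories, so a probe of `/` normally returns the `ERR` packet and only confirms that a Git daemon is reachable; finding an exported repository means guessing paths. On the defensive side, git-daemon only serves directories containing a `git-daemon-export-ok` file unless `--export-all` is set, so check that flag, keep `--base-path` pointed at the intended tree, and do not expose port 9418 beyond the network that needs it.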
Detectify is a continuous web scanning and monitoring service that can be set up for automated scanning for 1000+ known vulnerabilities, including the OWASP Top 10. Check for the latest vulnerabilities!