We’ve got emails from several people complaining that after their card had been stolen, someone did a fraudulent transaction on it — without knowing the PIN. In some cases the victim had never used the card in a retail transaction and didn’t know the PIN.
An article in yesterday’s Daily Mail hints at how. In technical language, you read the card, which gives you everything except the MAC key. You now write this data to a fresh card, for which you know the PIN. If this clone card is used in an offline terminal, the transaction will go through and the log will show the PIN was correctly entered. The moral, I suppose, is that customers in dispute with their banks should demand that the banks disclose the MAC key and show that the MAC on the transaction log was correct. Whether their systems support this is of course another story.
Users are strongly urged to upgrade their version of WordPress to 2.0.3 (as you will see that we have already!) This release fixes two XSS vulnerabilities that I reported to WordPress on 14 Apr 2006 and 4 May 2006, although they are not mentioned in the release announcement. These are exploitable in the default installation and can readily lead to arbitrary PHP code execution.
I think there a number of interesting lessons to learn from these vulnerabilities, so I plan to post more details in 10 days time (thereby giving users a chance to upgrade). The nature of the problem can probably be deduced from the code changes, so there is limited value in waiting much longer.
I will also discuss a refinement of the ‘cache’ shell injection bug reported by rgodm, which is also fixed by WordPress 2.0.3. The new attack variant I discovered no longer relies on a guessable database password, but only applies when the Subscribe To Comments plugin is also activated. The latest version of the plugin (2.0.4) mitigates this attack, but upgrading WordPress is still recommended.