Thursday, 3 September 2020

WordPress P2: Is This A Real Rival To Microsoft Teams And Slack?

WordPress P2 aims to boost team communications (SOPA Images/LightRocket via Getty Images)

WordPress.com has launched a new team collaboration service called P2, providing further competition in a space dominated by Microsoft Teams and Slack.

WordPress P2 is a more modest offering than either Teams or Slack. Perhaps best thought of as a WordPress-based intranet, it allows team members to post updates on projects and the like, using a system that is very similar in design to a regular WordPress blog.

Users can embed images, video and audio in their posts, or use preset WordPress blocks to do things such as create polls, embed forms or share PDFs. Other users can comment on posts made in a P2, using the now conventional @ sign to mention other team members by name and bring them into the discussion.

What P2 doesn’t have is the real-time chat facility that you’ll find in either of its two bigger rivals. Nor is there any means of private messaging or talking by voice/video call. It’s more of a platform for making announcements or discussing documents, much like old-school company intranets.

It’s not a full-frontal attack on Teams or Slack, but an alternative that might better suit some users because of its sheer simplicity.

P2 is the internal communication tool used by WordPress.com owner, Automattic. The company has more than 1,200 employees spread around the globe, but no central office, and so it relies on tools such as P2 for team communication.

The company says the service isn’t pitched purely at businesses. “Whether you’re looking to connect with a newly remote work team, your homeschooling group, or long-distance friends and family, P2 can help you stay in sync,” the launch announcement claims. “Keep it private to your team, or open it up to an entire community.”

There is currently no premium tier of P2 like there is with the other services, and it’s completely ad-free. The only real restriction is that each P2 has a 3GB storage limit, although given the limited nature of what can be shared via the service, that’s unlikely to present too much of a problem in the near term.

Currently, all P2 instances have to be hosted by WordPress, but the company says it is planning to offer a self-hosting option and custom domains in the future.

To give users a flavor of how P2 works, WordPress has set up a public P2 to let users provide feedback on the project and report bugs.

WordPress File Manager plugin flaw causing website hijack exploited in the wild

The developers of the WordPress File Manager plugin have patched an actively exploited security issue permitting full website hijacking.

According to the Sucuri WordPress security team, the vulnerability emerged in version 6.4 of the software, which is used as an alternative to FTP in managing file transfers, copying, deletion, and uploads. 

File Manager accounts for over 700,000 active installations. 

In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project. 


The file in question came from the third-party dependency elFinder and was used as a code reference. The change to the file, renaming connector-minimal.php-dist to connector-minimal.php, was a small tweak, but it was enough to introduce a critical vulnerability in the popular plugin.

elFinder's connector script, being a file manager, grants users elevated privileges to modify, upload, and delete files. Because the system is built for ease of use, setting up the elFinder file manager takes nothing more than changing the file's extension from .php-dist to .php, and so the avenue for attacks was opened.

While using the file as a reference may have helped the team locally test features, the researchers say that leaving such a script -- intentionally designed to not check access permissions -- in a public build causes a "catastrophic vulnerability if this file is left as-is on the deployment."

"This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover," Sucuri says. 

The solution, included in version 6.9, is simple enough: delete the file, which was never part of the plugin's functionality anyway, along with other unused .php-dist files.
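Read from the defender's side, the fix described above leaves two things worth checking on a site: the installed plugin version, and whether the renamed connector file (or other leftover .php-dist example files) is still on disk. The following Python script is an added example, not code from the article, Sucuri or the plugin's developers. It assumes the plugin directory is wp-content/plugins/wp-file-manager/ and that the connector sits at lib/php/connector.minimal.php inside it (the article names the file but not its subdirectory), and it builds a constructed throwaway install tree to run against so it works offline.

```python
"""Audit a WordPress install for the File Manager (wp-file-manager) connector issue.

Added example; not code from the article, Sucuri, or the plugin's authors. Assumptions:
- the plugin lives under wp-content/plugins/wp-file-manager/;
- the elFinder connector sits at lib/php/connector.minimal.php inside the plugin
  (the page names only the file, so the subdirectory is an assumption);
- affected versions run from 6.4 up to, but not including, the fixed 6.9 (as the article states).
"""
import pathlib
import re
import tempfile

PLUGIN_REL = pathlib.Path("wp-content/plugins/wp-file-manager")
CONNECTOR_REL = pathlib.Path("lib/php/connector.minimal.php")  # assumed subdirectory
FIRST_BAD = (6, 4)
FIXED = (6, 9)


def parse_plugin_version(header_text):
    """Read the 'Version:' line of a WordPress plugin header comment as an int tuple."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.M)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def audit_file_manager(wp_root):
    """Return findings: installed version, whether it is in the affected range, whether the
    unused connector is present, and any leftover *.php-dist example files."""
    plugin_dir = pathlib.Path(wp_root) / PLUGIN_REL
    findings = {
        "installed": plugin_dir.is_dir(),
        "version": None,
        "vulnerable_version": False,
        "connector_present": False,
        "stray_dist_files": [],
        "at_risk": False,
    }
    if not findings["installed"]:
        return findings
    # The plugin header lives in one of the top-level PHP files; take the first one found.
    for php in sorted(plugin_dir.glob("*.php")):
        version = parse_plugin_version(php.read_text(errors="replace")[:4096])
        if version:
            findings["version"] = version
            break
    version = findings["version"]
    findings["vulnerable_version"] = version is not None and FIRST_BAD <= version < FIXED
    findings["connector_present"] = (plugin_dir / CONNECTOR_REL).is_file()
    findings["stray_dist_files"] = sorted(
        str(p.relative_to(plugin_dir)) for p in plugin_dir.rglob("*.php-dist")
    )
    # The connector is what is reachable without authentication, so an unknown version
    # with the connector present is treated as at risk rather than assumed patched.
    findings["at_risk"] = findings["connector_present"] and (
        version is None or findings["vulnerable_version"]
    )
    return findings


def build_sample_install(patched=False):
    """Construct a throwaway install tree (constructed sample data, not a real site).
    Unpatched: version 6.4 with the renamed connector and its .php-dist original;
    patched: version 6.9 with both removed, as the article describes the fix."""
    root = pathlib.Path(tempfile.mkdtemp())
    plugin_dir = root / PLUGIN_REL
    (plugin_dir / "lib/php").mkdir(parents=True)
    version = "6.9" if patched else "6.4"
    (plugin_dir / "file-manager.php").write_text(  # main plugin file name is constructed
        f"<?php\n/*\nPlugin Name: File Manager\nVersion: {version}\n*/\n"
    )
    if not patched:
        # elFinder's example connector ships as .php-dist so it is not executable by default
        (plugin_dir / "lib/php/connector.minimal.php-dist").write_text("<?php // example\n")
        (plugin_dir / CONNECTOR_REL).write_text("<?php // renamed copy, no access control\n")
    return root


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", audit_file_manager(build_sample_install(patched)))
```

Point the script at a real document root by calling `audit_file_manager("/var/www/html")` (path assumed); a finding of `at_risk` means the unauthenticated connector is reachable regardless of what the version header says, which matters on sites where the file was restored from a backup after the plugin was updated.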


However, a week before the file was removed, proof-of-concept (PoC) code was released on the code repository GitHub, leading to a wave of attacks against websites before version 6.9 was made available.

Sucuri says the exploit rapidly gained traction. The first attack was spotted on August 31, a day before a fixed version of the file manager was released. This ramped up to roughly 1,500 attacks per hour, and a day later it increased to an average of 2,500 attacks every 60 minutes. By September 2, the team saw roughly 10,000 attacks per hour.

In total, Sucuri has tracked "hundreds of thousands of requests from malicious actors attempting to exploit it."


While the vulnerability has now been resolved, at the time of writing only 6.8% of WordPress websites have updated to the new, patched version of the plugin, leaving many websites open to compromise.

In July, a reflected XSS vulnerability was patched in KingComposer, a WordPress plugin for drag-and-drop page creation. The bug, CVE-2020-15299, was caused by a dormant Ajax function that could be abused to deploy malicious payloads. 


A Critical Flaw Is Affecting Thousands of WordPress Sites

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

ARS TECHNICA

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.

Attackers are using the exploit to upload files that contain webshells hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to do more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.

NinTechNet, a website security firm in Bangkok, Thailand, was among the first to report the in-the-wild attacks. The post said that a hacker was exploiting the vulnerability to upload a script titled hardfork.php and then using it to inject code into the WordPress scripts /wp-admin/admin-ajax.php and /wp-includes/user.php.

In email, NinTechNet CEO Jerome Bruandet wrote:

It's a bit too early to know the impact because when we caught the attack, hackers were just trying to backdoor sites. However, one interesting thing we noticed is that attackers were injecting some code to password-protect access to the vulnerable file (connector.minimal.php) so that other groups of hackers couldn't exploit the vulnerability on the sites that were already infected.

All commands can be run in the /lib/files folder (create folders, delete files, etc.), but the most important issue is that they can upload PHP scripts into that folder too, and then run them and do whatever they want to the blog.

So far, they're uploading "FilesMan", another file manager often used by hackers. This one is heavily obfuscated. In the next few hours and days we're going to see exactly what they will do, because if they password-protected the vulnerable file to prevent other hackers from exploiting the vulnerability, it's likely they're expecting to come back to visit the infected sites.

Fellow website security firm Wordfence, meanwhile, said in its own post that it had blocked more than 450,000 exploit attempts in the past few days. The post said that the attackers are trying to inject various files. In some cases, those files were empty, most likely in an attempt to probe for vulnerable sites and, if successful, inject a malicious file later. Files being uploaded had names including hardfork.php, hardfind.php, and x.php.

"A file manager plugin like this can make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site's admin area," Chloe Chamberland, a researcher with security firm Wordfence, wrote in Tuesday's post. "For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit."

The File Manager plugin helps administrators manage files on sites running the WordPress content management system. The plugin contains an additional file manager known as elFinder, an open source library that provides the core functionality in the plugin, along with a user interface for using it. The vulnerability arises from the way the plugin implemented elFinder.

"The core of the issue began with the File Manager plugin renaming the extension on the elFinder library's connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself," Chamberland explained. "Such libraries often include example files that are not intended to be used 'as is' without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file."
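Two facts in the Wordfence and NinTechNet reporting above give a site operator something concrete to look for in web server access logs: the plugin never used the connector itself, so any request reaching connector.minimal.php is unexpected, and the scripts attackers dropped were executed out of the lib/files/ directory under names such as hardfork.php, hardfind.php and x.php. The following Python log scanner is an added example, not code from the article, Wordfence or NinTechNet. It assumes combined-format access log lines and the connector path lib/php/connector.minimal.php inside the plugin directory (the page names the file but not its subdirectory); the log lines it runs over are constructed samples.

```python
"""Flag access-log requests that touch the File Manager plugin's unused elFinder connector
or PHP files executed from its lib/files/ directory.

Added example (not from the article, Wordfence or NinTechNet). Assumptions: Apache/nginx
combined log format; connector at lib/php/connector.minimal.php (the page names the file,
the subdirectory is assumed); dropped-file names are the ones the page reports.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PLUGIN_URL = "/wp-content/plugins/wp-file-manager/"
CONNECTOR_URL = PLUGIN_URL + "lib/php/connector.minimal.php"  # assumed subdirectory
FILES_URL = PLUGIN_URL + "lib/files/"                          # directory named on the page
DROPPED_NAMES = {"hardfork.php", "hardfind.php", "x.php"}      # names reported on the page


def classify_request(line):
    """Return an alert dict for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("path").partition("?")[0]  # drop the query string before matching
    method = m.group("method")
    alert = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": method,
        "url": url,
        "status": int(m.group("status")),
    }
    if url == CONNECTOR_URL:
        # The plugin never used this connector, so legitimate traffic should not reach it.
        # elFinder file uploads arrive as POST, so a POST here is the stronger signal.
        alert["severity"] = "high" if method == "POST" else "medium"
        alert["reason"] = "request to unused elFinder connector"
        return alert
    if url.startswith(FILES_URL) and url.endswith(".php"):
        name = url.rsplit("/", 1)[-1]
        known = name in DROPPED_NAMES
        alert["severity"] = "high" if known else "medium"
        alert["reason"] = "PHP script executed from lib/files/" + (" (known dropped name)" if known else "")
        return alert
    return None


def scan_log(lines):
    """Return (alerts, requests-per-source-IP) for an iterable of log lines."""
    alerts = [a for a in (classify_request(line) for line in lines) if a]
    return alerts, Counter(a["ip"] for a in alerts)


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Aug/2020:10:01:02 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Aug/2020:10:01:05 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/hardfork.php HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [31/Aug/2020:10:02:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 200 "-" "curl/7.68.0"',
    '192.0.2.9 - - [31/Aug/2020:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [31/Aug/2020:10:03:01 +0000] "GET /wp-content/plugins/wp-file-manager/lib/files/readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, by_ip = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["severity"]:<6} {a["ip"]:<13} {a["method"]:<4} {a["url"]}  ({a["reason"]})')
    print("suspicious requests per source:", dict(by_ip))
```

Feed a real log with `scan_log(open("/var/log/apache2/access.log"))` (path assumed). A `high` hit on the connector with a 200 response, followed by requests for a `.php` file under lib/files/, is the sequence the reporting above describes, and the `by_ip` counter is a quick way to separate a single probing source from a broad campaign.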
