I ran it on several of the blogs I manage, and all of them were vulnerable to XSS (wp-scanner also tests other vulnerabilities) :-(
I followed the advices on blogsecurity’s website and modified all of the search functions I could find. Now wp-scanner doesn’t report any vulnerability (it doesn’t mean it is cracker-proof, but it’s a good start).
So if anybody else uses the Redoable theme like me, you should patch the
header.php file. Near the top of the file, find the
"Search for" string, and enclose the
$s string with the
Search for <?php echo htmlspecialchars($s); }
Do the same for the
searchform” action=”<?php echo htmlspecialchars($_SERVER[‘PHP_SELF’]);
An even better protection would be to use the mod_security module for Apache/Apache2, which can detect and block these kind of attacks. But this requires that you control your server.
To prevent web visitors from sending tags, you can add the following rule in your virtual host:
Now, when someone requests < anything >, the visitor gets a 403 error, and in your audit log, you now have:
Request: www.gradstein.info 18.104.22.168 – – [11/Jun/2007:11:10:56 +0200] “GET /?s=%3Cwpscan%3E HTTP/1.1” 403 202 “-” “Mozilla/5.0” – “-”
GET /?s=%3Cwpscan%3E HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match “<(.|\\n)+>” at REQUEST_URI [severity “EMERGENCY”]
HTTP/1.1 403 Forbidden
Please note, that mod_security does not correct your application. Here if you only use mod_security, WordPress theme will still be vulnerable on the underlaying level. It is OK to use mod_security, but it is much much more advisable to correct the origin of the problem and not cover it.