A nice article explaining the vulnerability in Worpdress themes (in fact anything using php :-) was published some days ago. Now, there’s even a vulnerability scanner available (done in Perl).
I ran it on several of the blogs I manage, and all of them were vulnerable to XSS (wp-scanner also tests other vulnerabilities) :-(
I followed the advices on blogsecurity’s website and modified all of the search functions I could find. Now wp-scanner doesn’t report any vulnerability (it doesn’t mean it is cracker-proof, but it’s a good start).
So if anybody else uses the Redoable theme like me, you should patch the header.php
file. Near the top of the file, find the "Search for"
string, and enclose the $s
string with the htmlspecialchars()
method:
Search for <?php echo htmlspecialchars($s); }
Do the same for the searchform.php
file:
searchform” action=”<?php echo htmlspecialchars($_SERVER[‘PHP_SELF’]);
An even better protection would be to use the mod_security module for Apache/Apache2, which can detect and block these kind of attacks. But this requires that you control your server.
To prevent web visitors from sending tags, you can add the following rule in your virtual host:
SecFilter “<(.|\n)+>”
Now, when someone requests < anything >, the visitor gets a 403 error, and in your audit log, you now have:
==36d82a37==============================
Request: www.gradstein.info 82.67.175.56 – – [11/Jun/2007:11:10:56 +0200] “GET /?s=%3Cwpscan%3E HTTP/1.1” 403 202 “-” “Mozilla/5.0” – “-”
—————————————-
GET /?s=%3Cwpscan%3E HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match “<(.|\\n)+>” at REQUEST_URI [severity “EMERGENCY”]
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 202
Please note, that mod_security does not correct your application. Here if you only use mod_security, WordPress theme will still be vulnerable on the underlaying level. It is OK to use mod_security, but it is much much more advisable to correct the origin of the problem and not cover it.
Lior, I’m glad BlogSecurity could help.
Thanks, I developed a little more the mod_security part, adding an example of possible protection.
Hello, For me also security most importand thing. Because i am livin in middle east and here have many terror. More over every day can dies some body. And we are using the here many security protection and merarial.
This is exactly what i need:).Thanks for sahring.
Many thanks for this, just what i needed as well.