in security, wordpress

Security patching WordPress themes against Cross-Site Scripting attacks (XSS)

A nice article explaining the vulnerability in WordPress themes (in fact in anything using PHP :-) was published some days ago. Now there's even a vulnerability scanner available (written in Perl).

I ran it on several of the blogs I manage, and all of them were vulnerable to XSS (wp-scanner also tests for other vulnerabilities) :-(
I followed the advice on blogsecurity's website and modified all of the search functions I could find. Now wp-scanner doesn't report any vulnerability (it doesn't mean it is cracker-proof, but it's a good start).

So if anybody else uses the Redoable theme like I do, you should patch the header.php file. Near the top of the file, find the "Search for" string and wrap the $s variable in the htmlspecialchars() function:

Search for <?php echo htmlspecialchars($s); ?>

Do the same for the searchform.php file:

id="searchform" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
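To see what the two one-line patches above actually change, here is an added PHP example (not code from the Redoable theme, from WordPress, or from blogsecurity) that renders the same search term and request path both raw, as the unpatched theme did (the assumption being that the original lines echoed $s and $_SERVER['PHP_SELF'] unescaped), and through htmlspecialchars(). The function names and the sample inputs are constructed for this example; it also goes one step beyond the post by passing ENT_QUOTES and an explicit charset, so the escaped value is safe inside single-quoted attributes too:

```php
<?php
// Added example: shows why the header.php and searchform.php patches work.
// Not the theme's code; function names and sample values are constructed.

// Constructed inputs: what a scanner puts in ?s= (the post's log shows
// %3Cwpscan%3E, i.e. <wpscan>) and in the request path. PHP_SELF includes
// PATH_INFO, so a visitor controls it just as much as the query string.
$sample_search = '<wpscan>"><script>alert(1)</script>';
$sample_self   = '/index.php/"><img src=x onerror=alert(1)>';

// Escape for use in HTML text or in an attribute value. ENT_QUOTES and the
// charset go beyond the post's bare htmlspecialchars($s): ENT_QUOTES also
// turns single quotes into &#039;, so the result is safe in 'single-quoted'
// attributes, and a fixed charset avoids ambiguity in multi-byte input.
function esc_html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// header.php: "Search for" heading, as assumed unpatched and as patched.
function render_search_heading_vulnerable(string $s): string
{
    return 'Search for ' . $s;
}

function render_search_heading_patched(string $s): string
{
    return 'Search for ' . esc_html_attr($s);
}

// searchform.php: the form's action attribute, unpatched and patched.
function render_search_form_vulnerable(string $self): string
{
    return '<form id="searchform" action="' . $self . '">';
}

function render_search_form_patched(string $self): string
{
    return '<form id="searchform" action="' . esc_html_attr($self) . '">';
}

// Self-check used below: an escaped value must contain none of the
// characters that could open a tag or close an attribute.
function has_no_html_metachars(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') === false;
}

echo render_search_heading_vulnerable($sample_search), PHP_EOL; // injected
echo render_search_heading_patched($sample_search), PHP_EOL;    // inert text
echo render_search_form_vulnerable($sample_self), PHP_EOL;      // attribute broken out of
echo render_search_form_patched($sample_self), PHP_EOL;         // stays inside action=""

var_dump(has_no_html_metachars(esc_html_attr($sample_search))); // bool(true)
var_dump(has_no_html_metachars(esc_html_attr($sample_self)));   // bool(true)
```

Run it with the php command-line interpreter: the first and third lines print a live tag inside the page, the second and fourth print the same input as &lt;, &gt;, &quot; entities that the browser shows as text. Inside a theme today you would reach for WordPress's own get_search_query() and esc_attr() instead of this helper; the helper only stands in for them so the example runs outside WordPress.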

An even better protection would be to use the mod_security module for Apache/Apache2, which can detect and block this kind of attack. But this requires that you control your server.
To prevent web visitors from sending tags, you can add the following rule in your virtual host:

SecFilter "<(.|\n)+>"

Now, when someone requests < anything >, the visitor gets a 403 error, and in your audit log, you now have:

==36d82a37==============================
Request: www.gradstein.info 82.67.175.56 - - [11/Jun/2007:11:10:56 +0200] "GET /?s=%3Cwpscan%3E HTTP/1.1" 403 202 "-" "Mozilla/5.0" - "-"
----------------------------------------
GET /?s=%3Cwpscan%3E HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match "<(.|\\n)+>" at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 202

Please note that mod_security does not correct your application. If you only use mod_security, the WordPress theme will still be vulnerable at the underlying level. It is fine to use mod_security, but it is much more advisable to correct the origin of the problem rather than cover it up.

  1. Hello, for me also security is the most important thing, because I am living in the Middle East and here there is a lot of terror. Moreover, every day somebody can die. And we are using here many security protections and material.

  2. Thanks for posting this. I will certainly check out the scanner link you posted and see what happens.