Support » Themes and Templates » XSS Vulnerability

  • The featured theme jQ has an XSS (cross site scripting) vulnerability in headers.php on line 8. When it displays the search results page, it echoes out the search string verbatim, rather than properly escaping it using htmlentities (see http://www.php.net/manual/en/function.htmlentities.php).

    For example, visiting the URL
    devolux.org/?s=</title><script language="javscript" type="text/javascript">alert('This javascript could do anything!');</script> would cause a javascript popup window to be displayed. This example is harmless, but a malicious person could use this vulnerability, combined with getting an admin user to click a specially crafted link, to spam the blog or do other nasty things!

    The fix I would recommend is to change line 8 to read
    <?php if ( is_search() ) { ?><?php echo htmlentities($s,ENT_QUOTES,get_bloginfo('charset')); ?> - <?php bloginfo('name'); ?><?php } ?>

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter johnpeeb

    (@johnpeeb)

    Edited post to fix issue forum was having with formatting.

    The alert is not actioned on either of my current or previous releases of WordPress. Which release are you seeing the box activated on?

    You should report security concerns to security@wordpress.org

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    It’s a theme issue not a WordPress issue. Any theme should sanitize the input before displaying the text.

    Johnpeeb, might help if you provide the theme URL and filename you are proposing the change in.

    Thread Starter johnpeeb

    (@johnpeeb)

    In the jQ theme, the file with the issue is header.php. (Above, it says headers.php, which is a typo.) header.php resides in the top-level directory for the theme, so the path to the file, if you have the theme installed, is <wordpress root directory>/wp-content/themes/jq/header.php. As mentioned above, changing line 8 to read <?php if ( is_search() ) { ?><?php echo htmlentities($s,ENT_QUOTES,get_bloginfo('charset')); ?> - <?php bloginfo('name'); ?><?php } ?> should fix the problem. The URL for the theme is http://wordpress.org/extend/themes/jq.
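
    The following is an added example, not code from the jQ theme or from johnpeeb's posts. It reproduces the unescaped echo described in the opening post and the line 8 fix repeated above, side by side, against the search string from the proof-of-concept URL, and adds a small source check for the same pattern. It runs as plain PHP without WordPress: the function names, the blog name, the excerpt fed to the audit helper and the check() helper are all hypothetical or constructed here.

```php
<?php
// Added example (not the jQ theme's code). Shows the vulnerable <title>
// echo beside the recommended fix, plus a small audit helper.
// Function names are hypothetical; inputs below are constructed.

// Fails loudly regardless of php.ini's zend.assertions setting.
function check($cond, $msg) {
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed input: the search string from the report's proof-of-concept
// URL, i.e. what WordPress puts in $s from ?s=...
$payload = "</title><script type=\"text/javascript\">"
         . "alert('This javascript could do anything!');</script>";

// Vulnerable form: the raw query lands inside <title>. A browser treats
// <title> content as text, so the payload first closes the element with
// </title>; the <script> that follows is then parsed as markup.
function title_vulnerable($s, $blogname) {
    return '<title>' . $s . ' - ' . $blogname . '</title>';
}

// Fixed form, as recommended in the thread: htmlentities() with
// ENT_QUOTES (so ' and " are encoded too) and the blog charset.
// The blog name is escaped here as well; in the real template that
// part is left to WordPress's bloginfo().
function title_fixed($s, $blogname, $charset = 'UTF-8') {
    return '<title>' . htmlentities($s, ENT_QUOTES, $charset)
         . ' - ' . htmlentities($blogname, ENT_QUOTES, $charset)
         . '</title>';
}

// Audit helper (hypothetical): flag lines that echo $s without passing it
// through an escaping function. Returns [line number => trimmed line].
function find_unescaped_search_echo($source) {
    $hits = array();
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match('/echo\s+\$s\s*;/', $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

$vuln = title_vulnerable($payload, 'Example Blog');
$safe = title_fixed($payload, 'Example Blog');

echo "Vulnerable output:\n", $vuln, "\n\n";
echo "Fixed output:\n", $safe, "\n\n";

// Constructed excerpt in the shape of the reported line (first line) and
// the fixed line (second line), for the audit helper.
$theme_source = "<?php if ( is_search() ) { ?><?php echo \$s; ?> - <?php bloginfo('name'); ?><?php } ?>\n"
              . "<?php if ( is_search() ) { ?><?php echo htmlentities(\$s,ENT_QUOTES,get_bloginfo('charset')); ?> - <?php bloginfo('name'); ?><?php } ?>\n";
$hits = find_unescaped_search_echo($theme_source);
print_r($hits);

// The script must survive only in the vulnerable output, the fixed output
// must contain exactly one </title> (the template's own), and the helper
// must flag only the unescaped line.
check(strpos($vuln, '<script') !== false, 'payload reaches vulnerable title');
check(strpos($safe, '<script') === false, 'payload is neutralised in fixed title');
check(substr_count($safe, '</title>') === 1, 'only the template closes <title>');
check(array_keys($hits) === array(1), 'audit flags only the unescaped echo');
echo "all checks passed\n";
```

    Run it with `php example.php`. The point of ENT_QUOTES and the charset argument is that the escaped string is safe in both text and attribute context and multibyte input is not mangled. In theme code, WordPress's own esc_html(), or get_search_query(), which returns the query already escaped, are the usual alternatives to calling htmlentities() directly.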

    I’ve suspended the theme and contacted the theme author about this.

    @johnpeeb: Thanks for posting the problem and also going to the trouble of posting a fix. I have a blog update almost ready to move using JQ and the last thing I want is any kind of security vulnerability.

    The theme author’s website shows nothing but blank pages as of January 2, 2010.

    If you are considering using this theme, review the code carefully and be prepared to support it yourself, or through the forums. It may be a little early, but the author may no longer answer questions or provide updates.

    The site will be back soon and the error officially fixed. I’m sorry for this but I currently don’t have time to work on it in any way.

    I fixed the problem and uploaded the theme again. Thanks a lot for the help here.

  • The topic ‘XSS Vulnerability’ is closed to new replies.