WordPress.org

Ready to get started?Download WordPress

Forums

[closed] Hacker Hits Blog (15 posts)

  1. DJ Rg
    Member
    Posted 9 years ago #

    someone posted some code in a post and caused defacing of blog. I have open posting where guest can post a topic also. here's what the post..
    I wanted to see how EASY it would be to post a comment <ins datetime="2004-10-21T11:1:19-6:00">a + b = c
    <p onclick="javascript:alert('test')>Click it></ins>

    for now i took out the java stuff and it cleared up the defacing which was merely underlining of static text thru out the blog.
    My Questions: what were they trying to do with their java test? how can i prevent something like this besides not allowing open posting? that is can i ban java and other malicious code from being included in the post?
    the blog is the Blogosphere Zoo
    http://www.splashhall.org/blog/
    thank you

  2. Joni
    Member
    Posted 9 years ago #

    Hackers have gotten so sophisticated. You're lucky that's all that happened to your site. Shelley at Burningbird.net has some interesting observations about WP security. Check those out. I don't know enough about PHP to be able to really discuss security issues. I'm more a danger with my lack of knowledge, I suppose. I rely on others to write safe and secure code, and for the most part, I believe WP is. At least I certainly hope so! I'll be interested to see who else weighs in here with help on this topic.
    Take care!
    Joni

  3. DJ Rg
    Member
    Posted 9 years ago #

    thx joni ..yea i am lucky that is all most do is deface.. ya would think with some of the talent hackers have they would put it to constructive use..

  4. NuclearMoose
    Member
    Posted 9 years ago #

    That's quite an old post. Many things have changed since then, and as well, some potential issues have been sewn up that were common to applications like WP. I have no more or no less concern using WP online than anything else. As long as you are online, you are at risk of something happening, whether it is spamming or google-bombing or what have you.
    Want to be secure? Stay local, and disconnect your internet feed.

  5. DJ Rg
    Member
    Posted 9 years ago #

    thx moose ..the post was posted yesterday ..the date within what the dude posted has nothing to do when it was posted.
    as for security, yes the internet if filled with risk ..but i was asking if there was a way to disallow java in post, as it was the java part that defaced. at the sametime i was bringing to the makers of WP a security issue. feedback. i would think you want feedback from ur loyal users, yes?
    perhaps having an option on the next version where html can be disallowed in the same manner as messages boards do, and only allowing BB code, which is a bit safer. or like only certain tags are allowed in comments, perhaps the same option for post?
    thx again..

  6. RobotHero
    Member
    Posted 9 years ago #

    I would be surprised if nobody has written a plugin that filters out html tags. I tried looking, but didn't turn one up.

  7. DJ Rg
    Member
    Posted 9 years ago #

    thx robot hero ..spose there isnt one yet

  8. Ryan Boren
    WordPress Dev
    Posted 9 years ago #

    Look in kses.php. wp_filter_kses is run against the comment author and comment text. You can alter the allowedtags array in kses or create your own allowedtags array in a plugin or in my-hacks.php.

  9. DJ Rg
    Member
    Posted 9 years ago #

    thank you rboren.. i get this back when i try to access the kses...
    Editing wp_filter_kses.php � this is a WordPress file, be careful when editing it!
    Oops, no such file exists! Double check the name and try again, merci.

  10. TechGnome
    Moderator
    Posted 9 years ago #

    The javascript (not Java, that's different) didn't do anything.... the tags did. Based on what I can see... the ins tag underlines text until it finds the /ins tag.... BUT, right after the closing /p tag, there's a >... and I think that's causing it to miss the closing ins tag that immediatly follows. And/Or, if they left a blank line between the opening ins and the opening p tag, then WP is going to break off the first part and put it into it's own p tag set. The ins tags then becomes unbalanced and technically never closes. It's a strange set of circumstances, but the javascript code they insertes is harmless. All that happened was that there was an ins tag that got lose and never closed.
    Tg

  11. RobotHero
    Member
    Posted 9 years ago #

    CafeRg, the file name is just kses.php.
    I made a simple plugin that can be used to remove html tags from posts. (Tested only in 1.2)
    If you use this in conjunction with the BBcode plugin, it will limit the number of things that can go wrong.
    It will still be possible to post though, so you might want to do something further to prevent that.

  12. DJ Rg
    Member
    Posted 9 years ago #

    and thx to TechGnome too

  13. RobotHero
    Member
    Posted 9 years ago #

    It opens a message window that says "test", which is pretty harmless in itself.
    Those plugins will prevent problems caused by people who forget to close their tags.
    It would still be possible to include JavaScript, though its placement is a little more restricted.

  14. adamrick
    Member
    Posted 9 years ago #

    I have open posting where guest can post a topic also.

    How do you have open posting set up? A specific user with the login displayed? Is there a setting for this that I've missed?

    Thanks!

  15. Mark (podz)
    Support Maven
    Posted 9 years ago #

    I have some blogs set up for testing things - go look:
    http://www.tamba2.org.uk/wordpress

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.