WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Post and comment forms unsecure? (4 posts)

  1. baa912
    Member
    Posted 5 years ago #

    Hello:

    My site has been hacked. I'm not an expert on these things, so correct me if I am wrong... it seems that javascript code can be entered into posts and comments which would allow malicious code to be injected into php code on my host using the XSS (cross site scripting) method. This seems to be what happened to me. Anybody can test this by simply entering some code like
    <script>alert("this is a test")</script>

    Note: my blog is self hosted and all updates installed. Users must register before posting.

    If you put the javascript in a comment, that script is executed even though the comment has not been approved yet - and by that time it is too late. In posts, it seems to only execute after approval.

    Is there any way to fix this?

    Bill

  2. t31os
    Member
    Posted 5 years ago #

    Do you have any idea of the code being executed to perform the exploit.

    You, or your host should at least have logs, unless this is a known 'Wordpress exploit'.

    If that's the case, then i would hope that you hear something further from one of the team.

    I'd hope so at least... as i'd hate that **** happening to me...

  3. baa912
    Member
    Posted 5 years ago #

    Well... like I said, I'm not an expert on these things. The hack seemed to happen in Sept 08 and I just now am noticing it. I first noticed that my posts were no longer being indexed by google and started out to figure out why. Just by accident, I noticed when I pressed the back button, some strange site was trying to load that I did not recognize. Keep in mind that I never noticed anything strange going on on my blog to date. Upon further investigation, I found some encrypted code within several of the php files. Also some new php files altogether like a remv.php file in the wp-content/themes folder.

    I still do not know exactly what these hacks were doing, but google obviously recognized it. Don't know if the hack is still in one of the comments in my database or not.

    IMPORTANT UPDATE: I just tested putting javascript into a post or comment while logged on as a contributor and it did not work as it does when you are logged in as administrator. Seems like administrator allows javascript and contributor does not. Also under settings/discussion, there are moderation and blacklist filters that may be useful.

    So... in order to do the hack, the person would have to be logged in as administrator? Since it happened back in Sept 08, maybe I was using a more vulnerable version? Maybe one of my plugins or theme is hackable? Don't know!

  4. webmistressofthedark
    Member
    Posted 5 years ago #

    I was using 2.5 and had NO COMMENTS or even registration open and still found that file.

    I wonder how they got in?

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.