WordPress.org

Forums

Schreikasten
XSS Exploit. Weakness in Schreikasten (14 posts)

  1. square_eyes
    Member
    Posted 1 year ago #

    My entire WordPress site was taken down a few months ago via an XSS exploit that attacked a weakness in Schreikasten. I googled it at the time and evidence supported my theory. Sure enough deactivating this plugin allowed me to start to recover my site. Months later and after some updates to this plugin I stupidly reinstalled it. Within 24hrs I was taken by an XSS attack (or attempted attack). Someone posted random pictures in the chat box along with the tags...

    <script>alert('xss')</script>

    Can you explain what's going on?

    A search for alert('xss') brings up a number of discussions. I would have thought this would have been fixed by now.

    http://wordpress.org/extend/plugins/schreikasten/

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    Have you tried contacting the plugin author directly about this?

  3. square_eyes
    Member
    Posted 1 year ago #

    Screen shot of the spam/attack

    http://postimage.org/image/80y1zotqt/

  4. square_eyes
    Member
    Posted 1 year ago #

    Their site appears to be in Spanish (Can't navigate it). Do developers not check their WP plugin pages? Sorry not used to having this kind of problem.

  5. square_eyes
    Member
    Posted 1 year ago #

    I found their contact form and left them a note.

  6. esmi
    Forum Moderator
    Posted 1 year ago #

    Most do, yes. And on checking that plugin, I can see that some security issues have been addressed in versions 0.14.14 and 0.14.15.

    If you still feel that this plugin does have security holes, please contact plugins [at] wordpress.org with the full details - including any hard evidence that these issues are present in the latest version of the plugin.

  7. sebaxtian
    Member
    Plugin Author

    Posted 1 year ago #

    Hi square_eyes.

    Looking at your image I can see SK is working fine. The system deleted the script tag and only uses the text inside the tag as a string, disabling any 'script attack'.

    It looks like your nemesis is trying to use the old bug to attack your site again, but as you can see the door is locked.

    Declare this user as a spammer to try to block his messages.

    About the images, the first release that solved the 'script attack' deleted any image in the comments but some users required it, so I have to enable images again.

    If you required it, I can add a setting to disable images inside the comments.

    Sorry about the first attack to your site.

  8. square_eyes
    Member
    Posted 1 year ago #

    Well I took your advice and left the plugin up. About once a week the hacker would post an image and some XSS. I rejected and banned the user from each comment as it happened.

    Today I come to my site and get the below where schreikasten was in the side bar.

    http://i.imgur.com/ypmz5.png

    A short while later my site was cut over to a bogus index.html, removing even the modified content. Thank god all I had to do was delete that and restore a backed up index.php. But now I don't know if any of my other site content or files have been compromised.

    Some assistance would be appreciated. I'm feeling pretty bad about taking your advice right now.

  9. esmi
    Forum Moderator
    Posted 1 year ago #

  10. square_eyes
    Member
    Posted 1 year ago #

    Thanks I have looked at these before. And you're right. But both times the exploit has been through schreikasten. The developer of this plugin should be addressing it.

  11. esmi
    Forum Moderator
    Posted 1 year ago #

    Although the original attack may have been the result of an issue in the plugin, if you didn't clean the site out properly, the hacker may now be gaining entry via a back door that he left on the site. The plugin may not have anything to do with it anymore.

  12. square_eyes
    Member
    Posted 1 year ago #

    Well I have recovered, and it was horrible. I lost a week of web development.

    While I have no conclusive proof it was this plugin, I was getting XSS 'probed' in the form of Shoutbox posts almost daily towards the end. As if they were testing for weaknesses.

    I only have one other form on my site and that is my contact form by http://contactform7.com/. I received 3 XSS type emails through there, but have used this plugin for two years without issue.

    Since restoring from backup two weeks ago, and disabling schreikasten I have been left alone. I still have contact form running.

  13. sebaxtian
    Member
    Plugin Author

    Posted 1 year ago #

    Hi square_eyes.

    I know I'm late, sorry.

    SK uses the same security functions WP uses, and the only difference is SK allows images.

    In this thread you suggested that your site has been attacked using a png image. Can you confirm other attacks using images?

    I suggested some time ago I can add a way to 'select if you want to allow images' in settings. I will do that, but I can't ask you to test SK again because it is too dangerous for your site.

    Just answer me those two questions and thanks for your support.

    I'm sorry if this plugin gives you a headache. I'll try to find where the problem is.
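
Added example, not part of the thread and not Schreikasten's or WordPress's code: a Python illustration of the behaviour described in posts 7 and 13 (a script tag reduced to its inner text, images still allowed), including the "allow images" setting the plugin author proposes. The names `sanitize_shout`, `ShoutSanitizer` and the attribute and scheme allowlists are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_IMG_ATTRS = {"src", "alt"}   # assumption: all a shoutbox image needs
ALLOWED_SCHEMES = {"http", "https"}  # assumption: absolute web URLs only

def _safe_src(value):
    """True only for an absolute http(s) URL; unparsable values are rejected."""
    try:
        return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:
        return False

class ShoutSanitizer(HTMLParser):
    """Rebuilds the comment from parser events, so no raw input is copied to the output."""
    def __init__(self, allow_images=True):
        super().__init__(convert_charrefs=True)
        self.allow_images = allow_images
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "img" or not self.allow_images:
            return  # any other tag is dropped; its inner text still reaches handle_data
        kept = {}
        for name, value in attrs:
            # Attributes off the allowlist (on* handlers, style, ...) are discarded.
            if name in ALLOWED_IMG_ATTRS and value is not None and name not in kept:
                kept[name] = value
        if not _safe_src(kept.get("src", "")):
            return  # missing, relative or non-http(s) src: drop the whole image
        attrs_html = " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in kept.items())
        self.out.append(f"<img {attrs_html}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # text is always re-escaped

def sanitize_shout(comment, allow_images=True):
    parser = ShoutSanitizer(allow_images)
    parser.feed(comment)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out)

if __name__ == "__main__":
    # Constructed inputs: the string from the thread, then an image with an extra attribute.
    for shout in ("<script>alert('xss')</script>",
                  '<img src="http://example.com/a.png" onerror="track()">'):
        print(sanitize_shout(shout))
```

Passing `allow_images=False` corresponds to the proposed setting: image tags are then dropped like any other tag.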

  14. bitnumus
    Member
    Posted 1 year ago #

    Is this plugin still vulnerable to XSS or what?

Topic Closed

This topic has been closed to new replies.
