WordPress.org


XSS Vulnerability (10 posts)

  1. johnpeeb
    Member
    Posted 4 years ago #

    The featured theme jQ has an XSS (cross site scripting) vulnerability in headers.php on line 8. When it displays the search results page, it echoes out the search string verbatim, rather than properly escaping it using htmlentities (see http://www.php.net/manual/en/function.htmlentities.php).

    For example, visiting the URL
    devolux.org/?s=</title><script language="javscript" type="text/javascript">alert('This javascript could do anything!');</script> would cause a javascript popup window to be displayed. This example is harmless, but a malicious person could use this vulnerability, combined with getting an admin user to click a specially crafted link, to spam the blog or do other nasty things!

    The fix I would recommend is to change line 8 to read
    <?php if ( is_search() ) { ?><?php echo htmlentities($s,ENT_QUOTES,get_bloginfo('charset')); ?> - <?php bloginfo('name'); ?><?php } ?>

  2. johnpeeb
    Member
    Posted 4 years ago #

    Edited post to fix issue forum was having with formatting.

  3. mrmist
    Forum Janitor
    Posted 4 years ago #

    The alert is not actioned on either of my current or previous releases of WordPress. Which release are you seeing the box activated on?

    You should report security concerns to security@wordpress.org

  4. It's a theme issue not a WordPress issue. Any theme should sanitize the input before displaying the text.

    Johnpeeb, might help if you provide the theme URL and filename you are proposing the change in.

  5. johnpeeb
    Member
    Posted 4 years ago #

    In the jQ theme, the file with the issue is header.php. (Above, it says headers.php, which is a typo.) header.php resides in the top-level directory for the theme, so the path to the file, if you have the theme installed, is <wordpress root directory>/wp-content/themes/jq/header.php. As mentioned above, changing line 8 to read <?php if ( is_search() ) { ?><?php echo htmlentities($s,ENT_QUOTES,get_bloginfo('charset')); ?> - <?php bloginfo('name'); ?><?php } ?> should fix the problem. The URL for the theme is http://wordpress.org/extend/themes/jq.

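Added example, not code from the jQ theme or from any poster in this thread: the behaviour of the original line 8 (raw search string echoed inside the <title> element) next to the escaped replacement proposed in posts 1 and 5, run against the search string from the thread's example URL. WordPress is not loaded here, so get_bloginfo() is a minimal stand-in (an assumption) and the search string is constructed as test input rather than read from ?s=.

```php
<?php
// Added example (not the theme's own code). Shows why the payload from the
// thread breaks out of <title> on the original line 8 of header.php, and
// that htmlentities() with ENT_QUOTES and the blog charset stops it.

// Stand-in for WordPress's get_bloginfo() so this runs from the PHP CLI
// without WordPress (assumption: charset UTF-8, blog name "Example Blog").
function get_bloginfo($show) {
    $info = array('charset' => 'UTF-8', 'name' => 'Example Blog');
    return isset($info[$show]) ? $info[$show] : '';
}

// Behaviour of the original line 8: the query string $s is echoed verbatim.
function title_vulnerable($s) {
    return '<title>' . $s . ' - ' . get_bloginfo('name') . '</title>';
}

// The fix from the thread: encode <, >, & and both quote styles in the
// blog's charset before the value reaches the HTML.
function title_fixed($s) {
    return '<title>' . htmlentities($s, ENT_QUOTES, get_bloginfo('charset'))
         . ' - ' . get_bloginfo('name') . '</title>';
}

// Returns true when the rendered title contains no raw tag that could
// close <title> or open a script element.
function title_is_safe($html) {
    $inner = substr($html, strlen('<title>'));          // drop our own opening tag
    $inner = substr($inner, 0, -strlen('</title>'));    // and our own closing tag
    return strpos($inner, '<') === false;
}

// Constructed test input: the ?s= value from the thread's example URL after
// PHP has URL-decoded it into $s. It starts with </title> so the injected
// <script> lands outside the title element.
$s = '</title><script type="text/javascript">'
   . 'alert(\'This javascript could do anything!\');</script>';

echo "vulnerable: ", title_vulnerable($s), "\n";
echo "  safe? ", title_is_safe(title_vulnerable($s)) ? 'yes' : 'no', "\n";
// vulnerable output contains a second </title> and a live <script> tag -> no

echo "fixed:      ", title_fixed($s), "\n";
echo "  safe? ", title_is_safe(title_fixed($s)) ? 'yes' : 'no', "\n";
// fixed output renders the payload as &lt;/title&gt;&lt;script ...&gt; -> yes
```

Two practical notes. First, the escaping has to match the context: this value sits in element content inside <title>, so encoding `<` and `&` is what closes the hole; passing the charset matters because htmlentities() will otherwise drop or mangle bytes that are not valid in its default encoding. Second, WordPress ships its own helpers for this: esc_html() wraps the same kind of HTML encoding, and get_search_query() returns the current search string already escaped, so a theme does not need to reach for the raw $s global at all.
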
  6. Joseph Scott
    Member
    Posted 4 years ago #

    I've suspended the theme and contacted the theme author about this.

  7. shawnmcf
    Member
    Posted 4 years ago #

    @johnpeeb: Thanks for posting the problem and also going to the trouble of posting a fix. I have a blog update almost ready to move using JQ and the last thing I want is any kind of security vulnerability.

  8. shawnmcf
    Member
    Posted 4 years ago #

    The theme author's website shows nothing but blank pages as of January 2, 2010.

    If you are considering using this theme, review the code carefully and be prepared to support it yourself, or through the forums. It may be a little early, but the author may no longer answer questions or provide updates.

  9. Devolux
    Member
    Posted 4 years ago #

    The site will be back soon and the error officially fixed. I'm sorry for this but I currently don't have time to work on it in any way.

  10. Devolux
    Member
    Posted 4 years ago #

    I fixed the problem and uploaded the theme again. Thanks a lot for the help here.

Topic Closed
