
XSS Exploit. Weakness in Schreikasten

  • My entire WordPress site was taken down a few months ago via an XSS exploit that attacked a weakness in Schreikasten. I googled it at the time and evidence supported my theory. Sure enough, deactivating this plugin allowed me to start to recover my site. Months later and after some updates to this plugin I stupidly reinstalled it. Within 24hrs I was taken by an XSS attack (or attempted attack). Someone posted random pictures in the chat box along with the tags…

    <script>alert('xss')</script>

    Can you explain what’s going on?

    A search for alert(‘xss’) brings up a number of discussions. I would have thought this would have been fixed by now.

    http://wordpress.org/extend/plugins/schreikasten/

Viewing 13 replies - 1 through 13 (of 13 total)
  • esmi

    @esmi

    Forum Moderator

    Have you tried contacting the plugin author directly about this?

    Screen shot of the spam/attack

    http://postimage.org/image/80y1zotqt/

    Their site appears to be in Spanish (Can’t navigate it). Do developers not check their WP plugin pages? Sorry not used to having this kind of problem.

    I found their contact form and left them a note.

    esmi

    @esmi

    Forum Moderator

    Most do, yes. And on checking that plugin, I can see that some security issues have been addressed in versions 0.14.14 and 0.14.15.

    If you still feel that this plugin does have security holes, please contact plugins [at] wordpress.org with the full details – including any hard evidence that these issues are present in the latest version of the plugin.

    Plugin Author sebaxtian

    @sebaxtian

    Hi square_eyes.

    Looking at your image I can see SK is working fine. The system deleted the script tag and only uses the text inside the tag as a string, disabling any ‘script attack’.

    It looks like your nemesis is trying to use the old bug to attack your site again, but as you can see the door is locked.

    Declare this user as a spammer to try to block his messages.

    About the images, the first release that solved the ‘script attack’ deleted any image in the comments, but some users required it, so I have to enable images again.

    If you required it, I can add a setting to disable images inside the comments.

    Sorry about the first attack to your site.

    square_eyes

    @square_eyes

    Well I took your advice and left the plugin up. About once a week the hacker would post an image and some XSS. I rejected and banned the user from each comment as it happened.

    Today I come to my site and get the below where schreikasten was in the side bar.

    View post on imgur.com

    A short while later my site was cut over to a bogus index.html, removing even the modified content. Thank god all I had to do was delete that and restore a backed up index.php. But now I don’t know if any of my other site content or files have been compromised.

    Some assistance would be appreciated. I’m feeling pretty bad about taking your advice right now.

    esmi

    @esmi

    Forum Moderator

    square_eyes

    @square_eyes

    Thanks, I have looked at these before. And you’re right. But both times the exploit has been through schreikasten. The developer of this plugin should be addressing it.

    esmi

    @esmi

    Forum Moderator

    Although the original attack may have been the result of an issue in the plugin, if you didn’t clean the site out properly, the hacker may now be gaining entry via a back door that he left on the site. The plugin may not have anything to do with it anymore.

    square_eyes

    @square_eyes

    Well I have recovered, and it was horrible. I lost a week of web development.

    While I have no conclusive proof it was this plugin, I was getting XSS ‘probed’ in the form of Shoutbox posts almost daily towards the end. As if they were testing for weaknesses.

    I only have one other form on my site and that is my contact form by http://contactform7.com/. I received 3 XSS type emails through there, but have used this plugin for two years without issue.

    Since restoring from backup two weeks ago, and disabling schreikasten I have been left alone. I still have contact form running.

    Plugin Author sebaxtian

    @sebaxtian

    Hi square_eyes.

    I know I’m late, sorry.

    SK uses the same security functions WP uses, and the only difference is SK allows images.

    In this thread you suggested that your site has been attacked using a png image. Can you confirm other attacks using images?

    I suggested some time ago I can add a way to ‘select if you want to allow images’ in settings. I will do that, but I can’t ask you to test SK again because it is too dangerous for your site.

    Just answer me those two questions and thanks for your support.

    I’m sorry if this plugin gives you a headache. I’ll try to find where the problem is.
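
The filtering the plugin author describes in his replies (script tags removed with their inner text kept as a plain string, images still allowed) amounts to an allowlist over tags, attributes and URL schemes. The following is an added Python sketch of that technique, not Schreikasten's or WordPress's code; `sanitize_shout`, the `src`/`alt` attribute allowlist and the http/https restriction are assumptions made for the illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions for this sketch: the only markup a shout may keep is <img>,
# with src/alt attributes and an absolute http(s) URL.
ALLOWED_IMG_ATTRS = ("src", "alt")
ALLOWED_SCHEMES = ("http", "https")


def _is_web_url(value):
    try:
        return urlsplit(value.strip()).scheme.lower() in ALLOWED_SCHEMES
    except ValueError:  # malformed URL
        return False


class _ShoutFilter(HTMLParser):
    """Rebuilds the message from parsed tokens instead of editing the raw string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return  # tag dropped; any text inside it still arrives via handle_data
        kept = {}
        for name, value in attrs:
            if name in ALLOWED_IMG_ATTRS and value is not None:
                kept.setdefault(name, value)  # first occurrence wins, as in browsers
        # Event handlers (onerror, onload, ...) and style never reach `kept`.
        if "src" in kept and _is_web_url(kept["src"]):
            attr_text = " ".join(f'{k}="{escape(v, quote=True)}"' for k, v in kept.items())
            self.out.append(f"<img {attr_text}>")

    def handle_startendtag(self, tag, attrs):  # <img ... />
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped, never trusted


def sanitize_shout(message):
    """Return the message with only plain text and allowlisted <img> tags."""
    parser = _ShoutFilter()
    parser.feed(message)
    parser.close()
    return "".join(parser.out)
```

Allowing images safely depends on the attribute and scheme checks, not only on removing `<script>`: an `<img>` that keeps arbitrary attributes or URL schemes is still an injection point.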

    bitnumus

    @bitnumus

    Is this plugin still vulnerable to XSS or what?

  • The topic ‘XSS Exploit. Weakness in Schreikasten’ is closed to new replies.