heise.de security recently released an advisory regarding a common vulnerability they have found in a number of WordPress themes. BlogSecurity can verify this, as it has been working on a similar project and will release the latest version of wp-scanner later this week, which includes some additional theme vulnerability checks as well as some bug fixes.
PHP_SELF is defined as follows:
The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/test.php/foo.bar would be /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (i.e. included) file. - php.net
The vulnerability lies in echoing PHP_SELF without passing it through htmlspecialchars(). Let us look at an example:
<form id="searchform" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
We can see PHP_SELF being used here to fill the form's action with the path of the current script. As the php.net definition above shows, PHP_SELF also carries any extra path information appended to the URL by the visitor, so whatever follows the script name lands verbatim inside the attribute; unfortunately, no checks are done to ensure that this value is free of HTML.
Secure Version:
<form id="searchform" method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
These vulnerabilities often appear in one of these:
You can test your blog with the following proof-of-concept URL; obviously you need to replace www.example.com with your own site's URL. The new version of wp-scanner, to be released later this week, includes this check:
http://www.example.com/index.php/"><script>alert(1)</script>
If you receive a JavaScript popup, your template is vulnerable to this attack.
In summary, look through your template for PHP_SELF and ensure that the appropriate fix is applied. Alternatively, submit your site to us for inspection; all correspondence will be treated with strict confidence.
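As an added example (this is not code from the article or from wp-scanner), here is a small Python check that does what the summary asks: it walks a theme's .php files and flags every line that uses PHP_SELF without an enclosing htmlspecialchars() or htmlentities() call. The two searchform snippets embedded at the bottom are constructed samples mirroring the vulnerable and fixed lines above, and the check is a line-based heuristic, so each finding still needs a manual look.

```python
import os
import re

# Any read of $_SERVER['PHP_SELF'] (single or double quotes, optional whitespace).
PHP_SELF_RE = re.compile(r"""\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]""")
# The same read already wrapped in htmlspecialchars() or htmlentities().
ESCAPED_RE = re.compile(
    r"""\b(?:htmlspecialchars|htmlentities)\s*\(\s*\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]"""
)

def find_unescaped_php_self(source):
    """Return [(line_no, line)] for every line that uses PHP_SELF without an
    enclosing htmlspecialchars()/htmlentities() call on that same line. Line-based
    heuristic: a value copied into a variable and escaped later is still reported."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        raw = len(PHP_SELF_RE.findall(line))
        escaped = len(ESCAPED_RE.findall(line))
        if raw > escaped:
            findings.append((line_no, line.strip()))
    return findings

def scan_theme(theme_dir):
    """Walk a theme directory; return {relative .php path: findings} for files
    with at least one unescaped PHP_SELF use."""
    report = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = find_unescaped_php_self(fh.read())
            if findings:
                report[os.path.relpath(path, theme_dir)] = findings
    return report

# Constructed sample searchform.php contents, mirroring the article's two snippets.
VULNERABLE_SEARCHFORM = """<form id="searchform" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
</form>
"""
FIXED_SEARCHFORM = """<form id="searchform" method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
</form>
"""

if __name__ == "__main__":
    print("vulnerable:", find_unescaped_php_self(VULNERABLE_SEARCHFORM))  # one finding on line 1
    print("fixed:", find_unescaped_php_self(FIXED_SEARCHFORM))            # []
```

One caveat when applying the fix: before PHP 8.1, htmlspecialchars() escaped only double quotes by default, so an attribute delimited with single quotes needs the ENT_QUOTES flag as well.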
There is a mistake in your post.
To check if you blog is vulnerable you should use:
http://www.example.com/index.php/"><script>alert(1)</script>
Your URL is missing a before script tag.
Damn, my comment was mutilated by your filters :)
http://www.example.com/index.php/“][script]alert(1)[/script]
Anyway, you got the point.
[…] BlogSecurity tells us this morning that a security flaw in certain themes was found by Heise.de. […]
zamolx3: corrected thanks.
[…] new release includes an XSS vulnerability check for WordPress templates, as well as a number of bug […]
[…] v1.1 Released - XWordPress Template XSS Check - Bug fixes especially in other XSS […]
[…] nice article explaining the vulnerability in WordPress themes (in fact anything using php :-) was […]
Blogistan Panoptikum Week 26 2k7…
WordPress tools, new themes and philosophical reflections on the long tail: the second quarter of 2007 ends with high temperatures and an equally high posting frequency.
There's a " too much.
The secure version must be:
form id="searchform" method="get" action= (delete the _)
""
[…] June we wrote an article on common WordPress template flaws and thought we’d follow up on […]
[…] the most common vulnerability in our themes is usually related to the search form, since it is one of the ways in which […]
WP 2.2.2 and Theme Vulnerabilities…
As you may have noticed, the fine folks at WordPress have released WP v2.2.2 into the (deuces) wild. I have taken the unusual step of upgrading RMFO-Blogs users first, rather than RMFO-Pro users. Why? Simply put, RMFO-Blogs has been getting hammered…
Are there any other holes theme developers need to be looking for, or is this the only one? I develop all my themes locally so I can’t use the scanner plugin to check them, even if I was happy with the idea of allowing a random third-party script access to my install.
that girl again: yes, potentially there are loads of programming errors to watch out for; however, these are some of the more obvious ones. We will definitely look at writing more articles to help educate users a little more in this area.
[…] if you use one of these themes, find out how to fix this problem. If you use another theme, download wp-scanner right now and run the test on your blog. Write a […]
[…] Common Wordpress theme vulnerabilities: http://blogsecurity.net/wordpress/article-070607/ […]
[…] them down, but it’s worth a go. If you’re scouting for excuses, there’s a handy security hole which is Kubrick-derived so should be in more themes than […]
[…] BlogSecurity: Common WP Theme Vulnerabilities […]
[…] more information about the vulnerability can be read here. […]
[…] theme is not a problem to me as long as it's fair and safe. So I ask you guys, how safe is your theme? Did you check your theme? Remember, even wordpress.org has a problem with all the sponsored themes submitted to them. Some […]