It's About Security
2007-2008 XSS NEWS



XSS News Blog

 

The content below is from the site's 2007-2008 archived pages as well as from more recent outside sources.

 

~~~~~

Boy, have there been changes on the web since 2007. But almost fifteen years later WordPress sites still have issues. Cross-site scripting (XSS) remains a major attack vector in the web security sphere, and year after year these attacks still make headlines. Just take a look at the headlines for some recent cross-site scripting attacks in the news:

  • Gitlab patches critical RCE bug in latest security release (by Jessica Haworth, 01 July 2022 at 13:26 UTC)
  • Australia's Monash University launches public bug bounty program (by James Walker, 04 July 2022 at 14:28 UTC)
  • Business email platform Zimbra patches memcached injection flaw that imperils user credentials (by Adam Bannister, 16 June 2022 at 11:04 UTC)
  • Researcher goes public with WordPress CSP bypass hack (by John Leyden, 01 June 2022 at 16:40 UTC)

As of 2017 the Five Common WordPress Security Issues

  • Brute Force Attacks. ...
  • File Inclusion Exploits. ...
  • SQL Injections. ...
  • Cross-Site Scripting (XSS) ...
  • Malware. ...
  • Weak Passwords. ...
  • Not Updating WordPress, Plugins or Themes. ...
  • Using Plugins and Themes from Untrustworthy Sources.

Nevertheless many sites still use WordPress. Although WordPress is very popular, most site owners need extra help from webmasters who are proficient in WordPress to help them with plugins and other issues. I have a friend who recently created a website for his cast iron housewares product line. He considered a WordPress platform but eventually went with Shopify. His reasoning was that Shopify is cheaper overall. Although Shopify has plans that range from $29/month – $299/month, they include everything one needs. WordPress is free to use, but then one has to pay separately for the hosting, themes, and plugins. Shopify is better for his sales-focused cast iron cookware business. He needed/wanted an easy-to-use, full-featured and relatively automated e-commerce solution and Shopify satisfied that need. So far he is happy with choosing Shopify. He hasn't had any security issues or Cross-Site Scripting (XSS).

Another friend who was helping a Connecticut store set up their first website had Cross-Site Scripting (XSS) issues with their WordPress site. In hindsight it was obvious that WordPress still needed to work on security and it still has issues! The new site immediately was hit with inappropriate attempts to log in from unknown IPs, and eventually the site was hacked and had to be reinstalled. Wondering if there were a legal remedy for this security issue, he called on his lawyer friend who pointed out the disclaimer he had agreed to when downloading the free software. Apparently WordPress is immune from any kind of legal liability when you use their product, even though there are definitely some security issues with it. Even a decade later some things never change or perhaps have to keep changing, which is what that store recognized. They decided to go with a custom CMS built site. It allowed them more flexibility in showcasing their vast number of products from all the top brands as well as creating a separate section that focused on some custom products. They have so far never been hacked.

 



2007 POSTS

I plan to post here a bunch of web security news (mostly XSS).
Hopefully somebody will find this blog interesting :)

Posted by admin on 6 June 2007

 


Wordpress default theme XSS

There is an XSS in the WordPress default theme. However, it only works if the admin is logged in.
Filename: functions.php

PHP (the code listing itself was not preserved in the archive):

$_SERVER['REQUEST_URI'] is echoed to the user without any escaping.

http://www.example.com/wp-admin/themes.php?page=functions.php&zmx">

Sample exploit URL

 

Posted by admin on 8 June 2007

 

+++

XSS in Wordpress themes

BlogSecurity posted some information about common vulnerabilities found in WordPress themes.
Basically, they use $_SERVER variables such as $_SERVER['PHP_SELF'] insecurely.

Here is an example from my theme AndyBlue, which was also vulnerable.
Filename searchform.php

PHP (the code listing itself was not preserved in the archive):

http://www.example.com/index.php/">

Sample exploit URL

However, PHP_SELF is just one of the variables that should be considered. Here is a list of the ones I know about; there may be others. These variables should be used with caution.

  • PHP_SELF
  • REQUEST_URI
  • SCRIPT_URL
  • SCRIPT_URI

Here is an example from another theme, Vistered-Little. This time, they are not using PHP_SELF but REQUEST_URI.

The problem is in the file 404.php:

PHP:
    function selfURL() {
        // Parenthesised so the nested ternary parses on PHP 8; the result is unchanged.
        $s = empty($_SERVER["HTTPS"]) ? '' : (($_SERVER["HTTPS"] == "on") ? "s" : "");
        $protocol = strleft(strtolower($_SERVER["SERVER_PROTOCOL"]), "/") . $s;
        $port = ($_SERVER["SERVER_PORT"] == "80") ? "" : (":" . $_SERVER["SERVER_PORT"]);
        // REQUEST_URI is attacker-controlled and is concatenated into the URL unescaped.
        return $protocol . "://" . $_SERVER['HTTP_HOST'] . $port . $_SERVER['REQUEST_URI'];
    }

    function strleft($s1, $s2) {
        return substr($s1, 0, strpos($s1, $s2));
    }

    // The assembled URL is printed straight into the page.
    print(selfURL());

http://www.example.com/index.php?error=404&

Sample exploit URL

Because the problem is in 404.php, we need to call the 404 error page and then inject the script through the URL.
So, the same problem, just a different variation. $_SERVER variables cannot be trusted.

These theme XSS vulnerabilities in WordPress can lead to PHP code execution if you manage to get an administrator to click your link, and after that it's game over.

These are just two examples; a lot of WordPress themes are vulnerable to this type of issue.
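The defect in the default theme's functions.php above and in the searchform.php / 404.php cases here is the same one: a $_SERVER value is written into markup without escaping. The following is an added example, not code from this blog or from any of the themes it names; it reproduces that pattern with constructed $_SERVER entries and puts the escaped version beside each vulnerable one. The function names (esc_for_html, vulnerable_search_form, hardened_search_form, vulnerable_self_url, hardened_self_url, renders_safely) and the placeholder value CONSTRUCTED_PAYLOAD are mine.

```php
<?php
// Added example, not code from this blog or from the themes it names. It reproduces the
// pattern the posts describe (a $_SERVER value written into markup unescaped) and shows
// the hardened form beside it. The $_SERVER entries below are constructed for the demo.

$_SERVER['HTTP_HOST']   = 'www.example.com';
// Constructed attacker-controlled values: the path info after index.php carries a closing
// quote and an angle bracket, the same shape as the sample exploit URLs in the posts.
$_SERVER['PHP_SELF']    = '/index.php/">CONSTRUCTED_PAYLOAD';
$_SERVER['REQUEST_URI'] = '/index.php/">CONSTRUCTED_PAYLOAD';

// HTML-encode a value for use inside a double-quoted attribute or in element text.
function esc_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable (searchform.php pattern): PHP_SELF dropped straight into an attribute.
function vulnerable_search_form(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="get">';
}

// Hardened: the quote and bracket become &quot; and &gt;, so the attribute cannot be closed
// and no new tag can start inside it.
function hardened_search_form(): string {
    return '<form action="' . esc_for_html($_SERVER['PHP_SELF']) . '" method="get">';
}

// Vulnerable (404.php pattern): a self-URL assembled from REQUEST_URI and printed raw.
function vulnerable_self_url(): string {
    return 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
}

// Hardened: encode at the point of output; the URL still works as link text or target.
function hardened_self_url(): string {
    return esc_for_html('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
}

// Review check: an untrusted value may appear in a rendered fragment only in encoded form.
// Returns true when the fragment is safe with respect to that value.
function renders_safely(string $html, string $untrusted): bool {
    return strpos($html, $untrusted) === false
        && strpos($html, esc_for_html($untrusted)) !== false;
}

echo "vulnerable form: ", vulnerable_search_form(), "\n";
echo "hardened form:   ", hardened_search_form(), "\n";
echo "vulnerable url:  ", vulnerable_self_url(), "\n";
echo "hardened url:    ", hardened_self_url(), "\n";

foreach ([
    'vulnerable form' => [vulnerable_search_form(), $_SERVER['PHP_SELF']],
    'hardened form'   => [hardened_search_form(),   $_SERVER['PHP_SELF']],
    'vulnerable url'  => [vulnerable_self_url(),    $_SERVER['REQUEST_URI']],
    'hardened url'    => [hardened_self_url(),      $_SERVER['REQUEST_URI']],
] as $label => [$html, $untrusted]) {
    printf("%-16s %s\n", $label . ':', renders_safely($html, $untrusted) ? 'safe' : 'UNSAFE');
}
```

Run it with the PHP CLI: the two vulnerable fragments are reported as unsafe because the injected quote and bracket survive verbatim, the two hardened ones as safe. Inside WordPress itself, a theme should not rebuild its own URL from request data at all; the esc_url(), esc_attr() and home_url() helpers that WordPress ships exist for exactly this purpose.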

 

Posted by admin on 7 June 2007 

 

+++

cordobo-green-park theme

Another XSS, this time in the cordobo-green-park theme.
Filename: blogroll.php

PHP (the code listing itself was not preserved in the archive):

http://www.example.com/wp-content/themes/cordobo-green-park/blogroll.php/">

Sample exploit URL

 

Posted by admin on 7 June 2007

 

+++

PHP Abstract Episode 1 - PHP Security Tips

The Zend guys have started a PHP podcast. The first episode is about PHP security.
They have invited Eli White (the PHP guru from digg). Eli talks about XSS (cross site scripting) and CSRF (cross site request forgery). Interesting episode.

 

Posted by admin on 6 June 2007

 

 

++++++++

2008 POSTS

kisview 0.2

March 30th, 2008

Implemented a few more things in kisview (some fixes, parsing of Windows announcement packets, silently resolving IP addresses, ...).

Tags: kisview
Posted

BlackHat Europe 2008

March 30th, 2008

Black Hat Europe 2008 Media Archives are online. Worth checking out.

Posted

Wordpress 2.5 - nice security improvements

March 30th, 2008

WordPress 2.5 was released, and it has a bunch of important security improvements.
Quoting from the release post:

Salted passwords — we now use the phpass library to stretch and salt all passwords stored in the database, which makes brute-forcing them impractical. If you use something like mod_auth_mysql we’ve created a plugin that will allow you to use legacy MD5 hashing. (The hashing is completely pluggable.) Users will automatically switch to the more secure passwords next time they log in.

Secure cookies — cookies are now encrypted based on the protocol described in this PDF paper, which is something like user name|expiration time|HMAC(user name|expiration time, k) where k = HMAC(user name|expiration time, sk) and sk is a secret key, which you can define in your config.

// Change SECRET_KEY to a unique phrase.  You won't have to remember it later,
// so make it long and complicated.  You can visit https://www.grc.com/passwords.htm
// to get a phrase generated for you, or just make something up.
define('SECRET_KEY', 'put your unique phrase here'); // Change this to a unique phrase.

You need to set your SECRET_KEY in wp-config.php.

$wpdb->prepare() — now almost all of the SQL in WordPress is prepared first, and the same functions are available to your plugins. This should prevent elementary SQL escaping issues.

That should solve a few problems. Nice work :)
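To make the cookie construction above concrete, here is an added example that is not WordPress's own code: a minimal implementation of the scheme exactly as the post describes it, user name|expiration time|HMAC(user name|expiration time, k) with k = HMAC(user name|expiration time, sk). WordPress's real wp_generate_auth_cookie()/wp_validate_auth_cookie() differ in details; the use of SHA-256, the SECRET_KEY value and the function names (derive_key, generate_auth_cookie, validate_auth_cookie) are my choices.

```php
<?php
// Added example, not WordPress's code: the cookie scheme as the post describes it,
// user|expiration|HMAC(user|expiration, k) with k = HMAC(user|expiration, sk).
// SHA-256 and the SECRET_KEY value are my choices for the demo, not WordPress's.

const SECRET_KEY = 'constructed-example-secret-replace-in-real-use';

// k is derived from the public cookie fields and the site secret sk, so each
// (user, expiration) pair gets its own MAC key and sk itself never leaves the server.
function derive_key(string $user, int $expiration, string $sk): string {
    return hash_hmac('sha256', $user . '|' . $expiration, $sk);
}

function generate_auth_cookie(string $user, int $expiration, string $sk = SECRET_KEY): string {
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('user name must not contain the field separator');
    }
    $k    = derive_key($user, $expiration, $sk);
    $hash = hash_hmac('sha256', $user . '|' . $expiration, $k);
    return $user . '|' . $expiration . '|' . $hash;
}

// Returns the user name for a valid cookie, or null when it is malformed, expired or tampered with.
function validate_auth_cookie(string $cookie, int $now, string $sk = SECRET_KEY): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiration, $hash] = $parts;
    // Reject non-numeric or past expirations first; a forged timestamp still fails the MAC below.
    if (!ctype_digit($expiration) || (int) $expiration < $now) {
        return null;
    }
    $k        = derive_key($user, (int) $expiration, $sk);
    $expected = hash_hmac('sha256', $user . '|' . $expiration, $k);
    // Constant-time comparison: a plain == would leak how many leading bytes match.
    return hash_equals($expected, $hash) ? $user : null;
}

// Constructed demo values: a one-hour cookie for "alice" checked under four conditions.
$now    = 1206835200;
$cookie = generate_auth_cookie('alice', $now + 3600);

printf("fresh cookie : %s\n", validate_auth_cookie($cookie, $now) ?? 'rejected');
printf("after expiry : %s\n", validate_auth_cookie($cookie, $now + 7200) ?? 'rejected');
printf("user swapped : %s\n", validate_auth_cookie(str_replace('alice', 'admin', $cookie), $now) ?? 'rejected');
// The same cookie verified under a different site secret: this is why SECRET_KEY must be unique.
printf("wrong secret : %s\n", validate_auth_cookie($cookie, $now, 'some-other-site-secret') ?? 'rejected');
```

The three rejected cases show what the scheme buys you: expiry is enforced server-side, changing the user name invalidates the MAC, and a cookie minted under one site's secret does not verify under another's. That last property only holds if sk is actually unique, which is the point of the wp-config.php instruction above: with the shipped default phrase, anyone who has read wp-config-sample.php can mint a valid cookie for any user name.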


In related news, there is a WordPress 2.3.3 zero-day currently being exploited. It seems to be an automated attack that creates the directory /wp-content/1. The current exploit counter is 23,000 and still growing.

 

Posted

Diary of A New Mailer

March 24th, 2008

Here is an interesting read: some guys are starting in the mailing/spamming business and they are telling their story step by step. I found this thread on the wickedfire forums. I don't want to link the article directly; just go to wickedfire.

Here are a few excerpts from their “experience”:

okay, this thread will be about my journey into email marketing.

We bought
–5 user license from STEDB
–2 C-Blocks,3 servers, two mailers and 1 database server from Big Sky - we are colocating with them as well.
–a boatload of data from Eclipse
–500 domain names from Moniker (com’s and net’s)

SYSTEM UPDATE: our servers are up, we have gone through our initial training on STEDB, loaded our names, and started building out campaigns. We will be mailing campaigns starting tomorrow. In my next post, I will talk about our testing strategy (and hopefully get some feedback if it makes any sense!)

Our strategy is to send 250k emails out over a 5 day period to twenty different offers to begin our process of sorting winners that we will then mail out to our entire list. So, each day we are going to send 50K to each. In the next week, we will take the most profitable (top five probably) and get them mailed out to the entire list. One of the first challenges we have run into is how to make sure that we do not over mail any one address. We have 11mm unique emails we are starting with, but there is a concern that we may not be getting the best distribution across our entire list.

Well, day 1 was complete. We sent out only 1mm messages as we wanted to test out some various ads to see which one we would go with. (see previous post about our testing method). On first thought, I believe our sample size is too low. We went with 50K messages to the same offer over 5 days. Well, the clicks off 50K messages are so small that it is really too hard to make any true decisions on the sales side. So, we are going to up that to 500K per offer, test fewer offers.

Out of the gate we ran into some problems with our mail servers, which STEDB quickly fixed. It was exciting to see mail go out the door.

Our hard bounce rate wasn’t so bad, about 13%, which on review and discussion with others is great. Anything below 20% on a first mailing and you are clear.

The soft bounce rate was higher than we expected and all over the map. Sometimes we would have 40K+ delivered in a 50K sample, other times we would only get 10K in (delivered can also mean junk folder).

The data we are going to look at tonight to prune the list is the ratio of opens, unsubs from our list, and click throughs. I will give a more detailed update at the end of the week.

Day 3, fun and games continue! We changed our strategy today, sending out 1M email to 4 offers. Tomorrow, we will send out 2M emails to 4 offers, and Friday, we are going to try and push 2M email to one offer. So far, here is an example of what we are doing

(this one launched 12 hours ago)

To Send = 269000
Delivered = 155000
Deferred = 100000
Bounced = 14000
Opens = 662
Clicks = 167
Unsubs = 58
Sales = 2

These are general internet mailings, with using approved creative and sub lines from the affiliates (working with recos from azoogle, neverblue, copeac)

Now, the clicks are split 60/40 between the actual offer and the offer unsub link, in this case we only have about 96 folks who really looked at the deal.

I was really surprised at the total number of unsubs (ours + the offers) relative to the clicks. I thought it would be high, but in reality it is equal if not greater.

Obviously a lot of those Delivered are getting in the junk folder instead. I am estimating in this case maybe only 20,000 of the To Send are actually in the inbox (going off a number of expecting 15 clicks per thousand delivered in the inbox).

So, we pushed out 1.7M emails today to one offer to get a sense for what larger numbers would produce. We pulled out comcast, att, rr, etc. so we were left with only small ISPs and true general internet (so we thought).

I excluded rr.com in my email domains. Of course, road runner ends in that, but the whole domain is something very different! I did not think to ask about wild cards until that very moment! (STEDB does have wild cards, to exclude all rr.com ‘%rr.com’ will do it). Get your mistakes out of the way early!

We have finished setting up all the FBLs we can find, and will start pushing out Yahoo, AOL, etc. next week in LOW volume at first (around 500-1000 mails per ip / per ISP / per domain) around 220K to each one of them.

Our total click through is still not great. On the mailing this morning it looked like this:

to send = 1.77M
deferred = 600K (almost all road runner)
bounced ~170k (first mailing against this list segment, so happy with this)
delivered ~ 1M
Opened - 5300
clicked - 614 (split 50/50 between the offer and the offer unsub)
Unsub - 65

We got an email in our notprocess folder the past two days from a company that has blacklisted us. the message starts with

“Remain calm! Please read all of this message before acting.

We have received mail from your site that our system thinks is junk
mail, because it was sent to a `spambait’ address. We have therefore
made an entry for you in our blacklist for the offending system’s IP…”

Of course, they have whacked the header so we cannot tell which email address it was. Fun! What investigative process do you use to find folks like this?

 

Posted

Interesting attacks using XSS

March 18th, 2008

There were some interesting attacks in the past few days, all of them exploiting XSS (cross site scripting) vulnerabilities.
I've been discussing them with my colleagues, and here is what I think is happening:

1. Some hacker(s) find a bunch of vulnerable websites (that's easy, there are a lot of vulnerable websites, or if you are lazy just take them from here).

2. Prepare a list of URLs with XSSes included in the URL. Something like
http://www.somewebsite.com/vulnerablescript.php?q=some+popular+words+and+<iframe+src=hackersite>

3. Prepare a page with browser exploits or just old tricks (like a neverending popup storm: a common user will never figure out how to escape from it, will at some point get tired of clicking No/Cancel, and will just click Open).

4. Post the XSS URLs on a bunch of blogs (think Blogspot = Google) and wait for Google to index them.

5. Profit (when users search for your popular words, the indexed XSSes will appear in the search results).

Pretty interesting usage of XSS.
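The URL shape in step 2 is what these campaigns leave behind in a site's access logs, so a site owner can look for it. The following is an added example, not from the post: a small PHP scan over constructed access-log lines that flags requests whose query parameters, once URL-decoded, carry HTML markup. The log lines, the addresses in them and the function names (query_params, looks_like_markup_injection, flag_suspicious_requests) are all mine.

```php
<?php
// Added example, not from the post: a defender-side scan over web server access-log lines
// that flags requests whose query parameters, once URL-decoded, contain HTML markup, the
// shape of the URLs described in step 2. The log lines below are constructed.

$constructed_log = <<<'LOG'
203.0.113.5 - - [18/Mar/2008:10:12:01 +0000] "GET /vulnerablescript.php?q=some+popular+words HTTP/1.1" 200 5123
203.0.113.9 - - [18/Mar/2008:10:12:07 +0000] "GET /vulnerablescript.php?q=some+popular+words+and+%3Ciframe+src%3Dhackersite%3E HTTP/1.1" 200 5190
198.51.100.4 - - [18/Mar/2008:10:13:44 +0000] "GET /search.php?q=%2522%253E%253Cscript%253E HTTP/1.1" 200 2200
198.51.100.7 - - [18/Mar/2008:10:14:02 +0000] "GET /index.php?error=404 HTTP/1.1" 404 812
LOG;

// Split the request target into decoded query parameters (parse_str decodes one layer).
function query_params(string $requestTarget): array {
    $query = parse_url($requestTarget, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    $params = [];
    parse_str($query, $params);
    return $params;
}

// True if the value contains the start of an HTML tag, either as decoded by parse_str
// or after one more decode, which catches the double-encoded form.
function looks_like_markup_injection(string $value): bool {
    foreach ([$value, rawurldecode($value)] as $candidate) {
        if (preg_match('/<\s*\/?\s*[a-z!?]/i', $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Parse common-log-format lines and return one record per suspicious parameter.
function flag_suspicious_requests(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) .*"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;   // not a request line this scanner understands; skip rather than guess
        }
        [, $client, $target] = $m;
        foreach (query_params($target) as $name => $value) {
            if (is_string($value) && looks_like_markup_injection($value)) {
                $hits[] = ['client' => $client, 'param' => (string) $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

foreach (flag_suspicious_requests($constructed_log) as $hit) {
    printf("%-14s param %s: %s\n", $hit['client'], $hit['param'], $hit['value']);
}
```

Against the constructed lines the scan reports the iframe request and the double-encoded script request and ignores the two clean ones. A signature check like this is only triage: an attacker who varies the encoding or tag syntax will slip past it, so the durable fix remains encoding every request-derived value at the point of output in the application, with a Content Security Policy as a second layer.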

 



 

More Background on XSSNews.com

XSSNews.com is a specialized website focused on web application security, with a particular emphasis on cross-site scripting (XSS) vulnerabilities. Since its inception in the late 2000s, the site has served as a resource for security professionals, developers, and enthusiasts seeking timely news, technical analysis, and insights about XSS and related web security topics. This article provides a detailed exploration of XSSNews.com, including its history, ownership, audience, content, reputation, and its broader significance within the cybersecurity landscape.


History and Background

XSSNews.com emerged during a period of increased awareness and concern about web application security. The early 2000s saw a dramatic rise in the discovery and exploitation of XSS vulnerabilities, which quickly became one of the most prevalent and damaging types of web application flaws. The site was created to document, analyze, and discuss developments in XSS, catering to a growing audience of security professionals and developers who needed up-to-date information and technical guidance.

Over the years, XSSNews.com has evolved into a recognized resource within the web security community. Its archives from the late 2000s are still referenced in technical literature and security research, reflecting its longstanding presence and influence in the field.


Ownership and Location

There is limited publicly available information regarding the ownership and organizational structure of XSSNews.com. The site appears to be independently operated, likely by one or more individuals with a strong interest and expertise in web application security. There is no indication of corporate backing or a large editorial team, which is typical for many specialized security resources. The site’s content and approach suggest a global perspective, addressing issues relevant to the international security community.


Content and Features

News and Analysis

XSSNews.com is known for its timely updates on newly discovered vulnerabilities, security incidents, and trends in web application security. Its posts often include:

  • Technical breakdowns of XSS vulnerabilities

  • Real-world attack examples and exploit techniques

  • Discussions of mitigation strategies and best practices

Technical Resources

The site provides in-depth technical articles, including code samples, explanations of common pitfalls, and guidance on secure coding practices. These resources are valuable for both novice and experienced developers seeking to understand and prevent XSS vulnerabilities in their applications.

Community Engagement

XSSNews.com fosters discussion and knowledge sharing within the security community. Readers often engage through comments, sharing their own experiences, solutions, and insights related to XSS and web security.


Audience and Popularity

XSSNews.com’s primary audience consists of:

  • Security professionals and researchers

  • Web developers and engineers

  • IT administrators

  • Students and educators in cybersecurity

The site is frequently referenced in academic papers, technical blogs, and online forums, highlighting its reputation as a trusted source of information on XSS. Its popularity is driven by the quality and relevance of its content, as well as its focus on a critical area of web security.


Reputation and Reviews

Within the cybersecurity community, XSSNews.com is regarded as a reliable and authoritative resource. It is often cited in discussions about XSS vulnerabilities, both for its technical depth and its practical advice. Users appreciate the site’s clear explanations, real-world examples, and commitment to staying current with emerging threats and solutions.


Press and Media Coverage

XSSNews.com has been mentioned in various security blogs, technical articles, and industry reports. Its coverage of significant XSS incidents and trends has contributed to broader awareness and understanding of web application security issues. The site’s technical analyses are sometimes referenced by journalists and researchers reporting on major security events.


Cultural and Social Significance

The site plays an important role in the web security ecosystem by:

  • Raising awareness about the risks and impact of XSS vulnerabilities

  • Promoting secure coding practices and responsible disclosure

  • Supporting the professional development of security practitioners and developers

XSSNews.com’s focus on technical accuracy and practical advice has helped shape the conversation around XSS and web application security, influencing both industry practices and academic research.


Technical Details and Insights

XSSNews.com’s articles often delve into the specifics of XSS vulnerabilities, including:

  • How attackers exploit input validation and output encoding errors

  • The importance of secure development frameworks and libraries

  • Real-world case studies of XSS attacks and their consequences

The site also discusses related topics such as content security policies (CSP), browser security features, and the evolving landscape of web application threats.


Examples and Impact

Example 1: Developer Guidance

A developer seeking to secure a web application might consult XSSNews.com for best practices on input validation and output encoding, benefiting from the site’s clear explanations and sample code.

Example 2: Security Research

A security researcher investigating a new XSS vulnerability could reference XSSNews.com’s technical analyses to better understand attack vectors and mitigation strategies.


Comparison with Other Security Resources

Feature              | XSSNews.com      | General Security Blog | Corporate Security Site
---------------------|------------------|-----------------------|------------------------
Focus                | XSS/web security | Broad                 | Broad
Technical Depth      | High             | Varies                | High
Community Engagement | Moderate         | Varies                | Low
Independence         | Yes              | Varies                | No
Global Perspective   | Yes              | Varies                | Yes

XSSNews.com distinguishes itself through its specialized focus, technical rigor, and independent operation.


Customer Support and Community

While not a commercial service, XSSNews.com encourages community interaction through comments and discussion. The site’s maintainers are responsive to questions and feedback, fostering a collaborative learning environment.


 

XSSNews.com is a respected and valuable resource for anyone interested in web application security, particularly cross-site scripting. Its technical depth, timely coverage, and commitment to education have made it a go-to site for security professionals, developers, and researchers worldwide. By focusing on a critical area of web security, XSSNews.com continues to contribute to safer, more secure web applications and a more informed security community.

 


