Just recently, WordPress released 2.8.6 with a critical security update that patches a cross-site scripting vulnerability found by Benjamin Flesch. That’s right, the same kid who discovered a way to patch your WordPress blog by exploiting a similar XSS vulnerability has found another.
When I started working more with web application security, I was amazed at the number of web developers who are unaware of all the possible entry points the applications they develop have. Of these vulnerabilities, cross-site scripting (or XSS) still leads the pack according to WhiteHat Security.
A cross-site scripting vulnerability takes place when an attacker injects a client-side script into a web page. This attack can be used to bypass access controls, steal cookies, and hijack an active session to steal sensitive information.
What does this have to do with WordPress?
So you have been running a pretty successful blog for the past couple of years. You don’t store credit card data or social security numbers, so what’s the big deal right? After all, no one is going to try to break into your database to read your posts right? If only it were that easy.
Exploiting an XSS vulnerability, an attacker can post a link containing malicious content in a comment on your blog. When an unsuspecting user clicks on this link, the attacker is able to collect data from the visitor who clicked it. Your blog serves as the springboard for the attack.
What can you do about it?
Of course, upgrading your WordPress blog to 2.8.6 will address the immediate problem found in this vulnerability. However, this isn’t the last XSS vulnerability that will be found on WordPress, or any other popular web-based application.
To better protect your blog, a few simple steps can be taken:
- Always keep your WordPress software up-to-date. Most of the time, critical updates are released to address security issues such as XSS vulnerabilities.
- Make sure that any plug-ins or widgets you install are free of XSS vulnerabilities. Third-party add-ons can be full of vulnerabilities if the developer has not taken care to ensure that all input is validated and escaped (http://www.w3.org/TR/charmod/#sec-Escaping).
- Make sure any themes you use for your blog are not vulnerable to XSS exploits. Themes, like plug-ins and widgets, are often created by people who may not even know that a vulnerability exists. You can check themes for these exploits by accessing http://<blog-URL>/index.php/index.php/"><script>alert()</script> . If an alert window opens, the theme is vulnerable. You can find more about this check from The H Security.
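To make the escaping advice above concrete, here is an added example that is not code from the article or from WordPress itself. It models, in Python, the two defects the list describes: a hypothetical theme snippet that reflects the request path into an attribute without escaping (which is what the alert-window check detects), and a comment template that echoes stored comment text as-is. Beside each sits the hardened form, which escapes on output the way WordPress's esc_attr() and esc_html() do. The probe path is the one from the article; the comment, the function names and the `blog.example` host are constructed for this illustration.

```python
"""Added example (not from the article or from WordPress): why unescaped
output turns a request path or a comment into a cross-site scripting hole,
and what escaping for the right context does about it."""
import html

# Constructed inputs. PROBE_PATH is the article's theme check as the server
# sees it in the request path; COMMENT is a constructed blog comment.
PROBE_PATH = '/index.php/index.php/"><script>alert()</script>'
COMMENT = {"author": "visitor", "body": 'nice post <script>alert()</script>'}


def escape_html(text: str) -> str:
    """Escape for HTML body text and double-quoted attribute values.
    Plays the role esc_html()/esc_attr() play inside a WordPress theme."""
    return html.escape(text, quote=True)


def theme_header_vulnerable(request_path: str) -> str:
    """Hypothetical theme snippet that reflects the current request path
    into an attribute with no escaping. The quote in the path closes the
    href attribute and the rest of the path becomes live markup."""
    return '<link rel="canonical" href="http://blog.example' + request_path + '">'


def theme_header_hardened(request_path: str) -> str:
    """Same snippet with the path escaped for the attribute context: the
    quote becomes &quot; and stays inside href="...", so nothing executes."""
    return ('<link rel="canonical" href="http://blog.example'
            + escape_html(request_path) + '">')


def comment_vulnerable(comment: dict) -> str:
    """Comment template that trusts stored input (stored XSS)."""
    return "<p><b>%s</b>: %s</p>" % (comment["author"], comment["body"])


def comment_hardened(comment: dict) -> str:
    """Comment template that escapes on output, so tags render as text."""
    return "<p><b>%s</b>: %s</p>" % (escape_html(comment["author"]),
                                     escape_html(comment["body"]))


def has_script_tag(markup: str) -> bool:
    """Crude check used only to show the difference between the two
    renderings: does the output still contain a live <script> element?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, fn in [("theme (vulnerable)", theme_header_vulnerable),
                     ("theme (hardened)  ", theme_header_hardened)]:
        out = fn(PROBE_PATH)
        print(f"{name}: script present = {has_script_tag(out)}\n  {out}")
    for name, fn in [("comment (vulnerable)", comment_vulnerable),
                     ("comment (hardened)  ", comment_hardened)]:
        out = fn(COMMENT)
        print(f"{name}: script present = {has_script_tag(out)}\n  {out}")
```

The point to take from the hardened versions is that escaping happens at the moment of output, for the context the value lands in (attribute value or body text). Validating input on the way in is still worthwhile, but a theme or plug-in that prints any request- or user-supplied value without escaping it for its context is exactly what the alert-window check in the last item finds.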