WordPress: Vulnerabilitate XSS (Cross Site Scripting)

Atentie!

Site-urile construite in WordPress sunt expuse la atacuri XSS (Cross Site Scripting).

Folosirea improprie a functiilor

add_query_arg

remove_query_arg

in unele plugin-uri expune site-urile care le folosesc unor brese de securitate la atacuri gen Cross Site Scripting. Acveste functii foarte cunoscute si utilizate in WordPress modifica si adauga siruri de interogare in URL in WordPress .

Functiile amintite nefiind foarte clar documentate, se folosesc cu ideea ca ele aplica escape intrarilor userilor din formulare. Dar nu este asa. Inputul userilor trebuie sa fie supus functiilor de escape: esc_url() (sau esc_url_raw()). 

Cele doua functii remove_query_arg si add_query_arg nu efectueaza acest escape pentru noi.

Plugin-urile afectate de aceasta eroare sunt:

• Jetpack
• WordPress SEO
• Google Analytics by Yoast
• All In one SEO
• Gravity Forms
• Multiple Plugins from Easy Digital Downloads
• UpdraftPlus
• WP-E-Commerce
• WPTouch
• Download Monitor
• Related Posts for WordPress
• My Calendar
• P3 Profiler
• Give
• Multiple iThemes products including Builder and Exchange
• Broken-Link-Checker
• Ninja Forms

Ce trebuie facut:

Nu trebuie intrat in panica, dar: trebuie facut update-ul la ultima versiune a fiecarui plugin instalat din aceasta lista.

De pe sucuri.com, avem urmatoarele sfaturi:

Here are some tips and tricks to remember to help reduce your overall threat risk, helping to improve your individual security posture:

1. Patch. Keep your sites updated.
2. Restrict. Restrictive access control. Restrict your wp-admin directory to only white listed IP Addresses. Only give admin access to users that really need it. Do not log in as admin unless you are really doing admin work. These are some examples of restrictive access control policies that can minimize the impact of vulnerabilities in your site.
3. Monitor. Monitor your logs. They may give you clues to what is happening on your site.
4. Reduce your scope. Only use the plugins (or themes) that your site really needs to function.
5. Detect. Prevention may fail, so we recommend scan your site for indicators of compromise or outdated software. Our plugin and Sitecheck can do that for free for you.
6. Defense in Depth. If you have an Intrusion Prevention System (IPS) or Web Application Firewall (WAF), they can help block most common forms of XSS exploits. You can even try our own CloudProxy to help you with that. If you like the open source route, you can try OSSEC, Snort and ModSecurity to help you achieve that.

These principles are commonly applied to most secure networks (or on any business that needs to be PCI compliant), but not many website owners think of them for their own site / environment.

These are but a few high level recommendations; we recommend going through our blog for more ideas on how to keep your sites safe and ahead of the threats.

Referinte:

• https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
• http://wptavern.com/xss-vulnerability-affects-more-than-a-dozen-popular-wordpress-plugins
• https://poststatus.com/coordinated-plugin-updates-to-address-security-vulnerability-in-many-popular-wordpress-plugins/