Wednesday, November 14, 2012

New blog created

I really don't like Blogger that much. It is nice and free, but it basically requires logging in to Google+, which could mean some unwanted information tracking.

Here is my latest temporary blog: Janne's security log

Saturday, November 3, 2012

Kriesi Wordpress theme XSS update

My previous blog post covered the reflected Cross-site Scripting (XSS) vulnerability in 14 premium Wordpress themes by Kriesi.

I have contacted some 20+ websites using one of the vulnerable themes, hoping the customers would ask for updates. I cannot do that myself: the official support forum requires an item purchase code.

Some corrective actions have been taken based on this forum discussion. In fact, test results based on the theme live previews indicate that all reported issues may have been fixed. Quote from the changelog of the Choices theme on ThemeForest:
2012 30 09 – Version 1.6.0
- improved security by filtering search parameters
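To make the changelog entry concrete, the PHP below is an added example, not code from this post or from the Kriesi themes. It shows the general reflected-XSS pattern in a search-results template (the request's search term echoed straight into a heading and into an input attribute) next to the escaped form that "filtering search parameters" refers to. The function names and the sample search term are constructed; a real WordPress theme would use esc_html(), esc_attr() or get_search_query(), which escapes the s parameter by default.

```php
<?php
// Added example (not the theme's code): reflected XSS through a search term,
// and the escaped form that fixes it. Runs stand-alone: php search_escape.php

// Escape a user-supplied value for use in an HTML text node or attribute.
// In a WordPress theme, esc_html() / esc_attr() do this job, and
// get_search_query() returns the 's' parameter already run through esc_attr().
function escape_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the search term is reflected without any filtering.
function render_search_vulnerable(string $term): string {
    return '<h1>Search results for: ' . $term . '</h1>' . "\n"
         . '<input type="text" name="s" value="' . $term . '">';
}

// Hardened pattern: every reflection of the term goes through the escaper.
function render_search_safe(string $term): string {
    $escaped = escape_for_html($term);
    return '<h1>Search results for: ' . $escaped . '</h1>' . "\n"
         . '<input type="text" name="s" value="' . $escaped . '">';
}

// Cheap template self-check: if the raw term contained a tag delimiter and
// the rendered page still contains the term verbatim, the output is unsafe.
function reflects_raw_markup(string $html, string $term): bool {
    return strpos($term, '<') !== false && strpos($html, $term) !== false;
}

// Constructed sample input standing in for $_GET['s'] (hypothetical value).
$constructed_term = '<b>shoes</b>" foo="bar';

$vulnerable = render_search_vulnerable($constructed_term);
$safe       = render_search_safe($constructed_term);

echo "vulnerable template output:\n", $vulnerable, "\n\n";
echo "hardened template output:\n", $safe, "\n\n";

echo 'vulnerable reflects raw markup: ', var_export(reflects_raw_markup($vulnerable, $constructed_term), true), "\n";
echo 'hardened reflects raw markup:   ', var_export(reflects_raw_markup($safe, $constructed_term), true), "\n";
```

The same escaping must be applied in every context where the term is reflected (title tag, heading, input value, pagination links), which is why a theme fix touches several template files rather than one line.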
Test results of three randomly selected sites are worrying:
Choices theme - website XSS

Shoutbox theme - website XSS

Abundance theme - website XSS

ThemeForest support has a clear policy: submitting fixes and informing customers must be done by the theme developer. Envato provides ThemeForest as a marketplace, or platform, for authors to sell their digital creations. It is the author who owns the product and therefore should be responsible for support and maintenance.

I don't know how the theme developers inform existing customers about security fixes. Perhaps the customers receive all updates automatically. Perhaps there is an e-mail notification or just one line in the changelog.

In this case the number of potentially affected sites is over 16,000. I have checked the developer site, support forum, blog, ThemeForest entries and I have not found any clear security update alert to the affected customers. If the theme developer does not actively inform customers about available fixes, it could be easy for hackers to locate the vulnerable sites.

Please help to distribute this information. I simply cannot locate and contact 16,000 sites.