Janne's corner
Wednesday, November 14, 2012
I really don't like Blogger that much. It is nice and free, but it basically requires login to Google+, which could mean some unwanted information tracking.
Here is my latest temporary blog: Janne's security log
Saturday, November 3, 2012
Kriesi Wordpress theme XSS update
My previous blog post covered the reflected Cross-site Scripting (XSS) vulnerability in 14 premium Wordpress themes by Kriesi.
I have contacted some 20+ web-sites using one of the vulnerable themes, hoping the customers would ask for updates. I cannot do that myself: the official support forum requires an item purchase code.
Some corrective actions have been taken based on this forum discussion: http://www.kriesi.at/support/topic/xss - in fact, test results based on the theme live previews indicate that all reported issues may have been fixed. Quote from the changelog of the Choices theme on ThemeForest:
2012 30 09 – Version 1.6.0
- improved security by filtering search parameters
Test results of three randomly selected sites are worrying:
- Choices theme - website XSS
- Shoutbox theme - website XSS
- Abundance theme - website XSS
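The changelog entry above says the fix was "filtering search parameters". The following fragment is an added illustration, not code from any Kriesi theme or from WordPress core: a hypothetical search.php template shown first in the form that reflects the raw search parameter into the page, then hardened with the standard WordPress escaping functions.

```php
<?php
/*
 * Added illustration (hypothetical search.php fragment), not code from any
 * Kriesi theme or from WordPress core. Shows why a theme template can be
 * vulnerable to reflected XSS even though WordPress itself handles the
 * "s" search parameter safely, and how the same template looks once fixed.
 */
?>

<?php /* UNSAFE: the raw "s" query parameter is written straight into the
         page, so whoever controls the link to the search page controls the
         markup the visitor's browser renders (reflected XSS). */ ?>
<h1>Search results for: <?php echo $_GET['s']; ?></h1>
<input type="text" name="s" value="<?php echo $_GET['s']; ?>" />

<?php /* HARDENED: get_search_query() returns the query WordPress parsed and
         escapes it for output, so any markup in the parameter is shown as
         literal text. esc_attr() makes the attribute context explicit for
         the input value. */ ?>
<h1>Search results for: <?php echo get_search_query(); ?></h1>
<input type="text" name="s" value="<?php echo esc_attr( get_search_query() ); ?>" />
```

The same rule applies to any other request parameter a theme echoes (category, author, pagination): use the WordPress template tags or wrap the value in esc_html(), esc_attr() or esc_url() for the context it lands in.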
ThemeForest support has a clear policy: submitting fixes and informing customers must be done by the theme developer. Envato provides ThemeForest as a marketplace, or platform, for authors to sell their digital creations. It is the author who owns the product and therefore should be responsible for support and maintenance.
I don't know how the theme developers inform existing customers about security fixes. Perhaps the customers receive all updates automatically. Perhaps there is an e-mail notification or just one line in the changelog.
In this case the number of potentially affected sites is over 16,000. I have checked the developer site, support forum, blog, ThemeForest entries and I have not found any clear security update alert to the affected customers. If the theme developer does not actively inform customers about available fixes, it could be easy for hackers to locate the vulnerable sites.
Please help to distribute this information. I simply cannot locate and contact 16,000 sites.
Monday, October 29, 2012
XSS vulnerability in Wordpress themes by Kriesi
According to my tests, the following premium Wordpress themes by Kriesi are affected by a reflected Cross-site Scripting (XSS) vulnerability:
- Abundance - 1,952 sales
- Eunoia - 378 sales
- Choices - 1,248 sales
- Brightbox - 892 sales
- Broadscope - 1,039 sales
- Corona - 1,712 sales
- Flashlight - 2,956 sales
- Coalition - 1,079 sales
- Shoutbox - 988 sales
- Velvet - 600 sales
- Upscale - 346 sales
- Expose - 473 sales
- Propulsion - 2,133 sales (added 30-Oct)
- Sentence - 712 sales (added 30-Oct)
Developer status: notified initially on 5th of October
Latest developer response (24-Oct): rolling out fixes in the near future.
Developer home page: http://www.kriesi.at/
Official support forum: http://www.kriesi.at/support/
Examples
Broadscope theme: injecting a fake login form using the iframe-tag (note: potential attacker would most likely mimic the target site layout and style):
Choices theme: external Javascript that displays the browser cookie:
Further reading:
Analysis of 15 million cyber attacks - posted on 22-Oct on Help Net Security. According to the article, XSS is now the most common attack type.
Update 30-Oct:
- The Open Source Vulnerability Database entries can be found here
- My post on Themeforest forum was removed without explanation
- Propulsion and Sentence themes added
Friday, October 12, 2012
XSS vulnerability in four premium WordPress themes
According to my tests, the following premium WordPress themes are affected by a reflected Cross-site Scripting (XSS) vulnerability:
- BigBang (1,229 purchases), AirWP (946 purchases) and ZigZag (1,978 purchases) by Brankic1979
- Convergence (1,941 purchases) by Maximus
Developer status: notified, no responses.
Based on the Themeforest purchase statistics, over 6,000 sites could be affected.
BigBang XSS test example - remote Javascript execution:
Convergence XSS test example - remote iframe injection:
Because the number of potentially affected sites is high, it would be important to spread this information.
Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez
Monday, October 8, 2012
XSS vulnerability in Imediapixel premium WordPress themes
Back to WordPress theme testing.
According to my tests, the following premium WordPress themes by imediapixel are affected by a reflected Cross-site Scripting (XSS) vulnerability:
Developer status: tried to contact via e-mail and the Themeforest forum - no responses.
Screen-shot of the ECOBIX theme basic XSS test - remote Javascript execution:
I have also tested some corporate sites using the ECOBIZ theme. They were all affected.
Based on the Themeforest purchase statistics, there could be over 4,000 affected websites.
Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez
Saturday, October 6, 2012
XSS vulnerability in multiple D+M group sites
According to my tests, the following D+M Group web-sites are vulnerable to reflected Cross-site Scripting (XSS):
- Denon - the following sites were tested:
  - denon.co.uk
  - denon.de
  - denoneu.com
  - denon.com.cn
  - usa.denon.com
  - ca.denon.com
  - denon.fi
  - denon.ru
  - denon-online.ch
  - denon.jp
  - denon.fr
- Marantz - the following sites were tested:
  - marantz.co.uk
  - marantzitaly.com
  - marantz.com.hk
- allen-heath.com
- mcintoshlabs.com
Vendor response: thank you (however, the vendor has not fixed any of the sites. Retested on 6-Oct-2012)
Screen-shots of basic tests:
1) Allen-heath.com remote Javascript
2) Mcintoshlabs.com simple iframe 'injection'
3) Denon.de "login" form created with Javascript. Note: this is a generic test case. A real attacker would most likely mimic the site layout, colors and fonts.
4) Marantz.co.uk remote Javascript execution
5) Denon.fi basic XSS test using the latest Chrome browser. Although some browsers have "anti-XSS" features, there are known workarounds and "hacks". Developers should not trust browser security alone.
XSS vulnerability in Southwest Airlines
Southwest Airlines suffers from a reflected Cross-site Scripting (XSS) vulnerability.
Update 30-Dec-2012: This issue has been fixed.
I have tried to contact Southwest using various channels: e-mails, contact forms, persons via LinkedIn etc. I have not received a single response in four months.
One channel I did not even try this time is US-CERT, because they have not responded to my earlier e-mails.
I hope companies would open a working channel for security researchers and pentesters. A simple e-mail address like security at company.com would be nice.
Responsible disclosure requires responsible vendors.