Wednesday, November 14, 2012

New blog created

I really don't like Blogger that much. It is nice and free, but it basically requires logging in to Google+, which could mean some unwanted information tracking.

Here is my latest temporary blog: Janne's security log

Saturday, November 3, 2012

Kriesi Wordpress theme XSS update

My previous blog post covered the reflected Cross-site Scripting (XSS) vulnerability in 14 premium Wordpress themes by Kriesi.

I have contacted some 20+ websites using one of the vulnerable themes, hoping the customers would ask for updates. I cannot do that myself: the official support forum requires an item purchase code.

Some corrective actions have been taken based on this forum discussion: http://www.kriesi.at/support/topic/xss - in fact, test results based on the theme live previews indicate that all reported issues may have been fixed. Quote from the changelog of the Choices theme on ThemeForest:
2012 30 09 – Version 1.6.0
- improved security by filtering search parameters
Test results of three randomly selected sites are worrying:
Choices theme - website XSS

Shoutbox theme - website XSS

Abundance theme - website XSS
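The changelog line above ("improved security by filtering search parameters") names the usual root cause of this bug class: a theme template that echoes the search term back into the page without context-aware escaping. The snippet below is an added example written for this post; it is not code from the Kriesi themes, from ThemeForest, or from the original blog. It assumes the theme concatenated the raw `s` request parameter into the search box and the result heading, and that the correct fix is WordPress's own output escaping; the function names `vulnerable_search_form` and `hardened_search_form` and the probe string are made up for the demo.

```php
<?php
// Added example, not code from the Kriesi themes or from this blog post.
// Shows the generic reflected-XSS pattern in a theme search form and the
// hardened version. Assumed (not stated on the page): the theme echoed the raw
// `s` parameter into an attribute and a text node; the function names below
// are invented for this demo.

// Stand-ins for WordPress's esc_attr()/esc_html() so the file runs outside
// WordPress. Inside WordPress the real helpers are picked up instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Vulnerable pattern: the search term lands unescaped in an attribute value
// and in visible text. Either sink alone is enough for reflected XSS.
function vulnerable_search_form(array $get): string {
    $s = $get['s'] ?? '';
    return '<h1>Search results for: ' . $s . '</h1>' . "\n"
         . '<form method="get" action="/">' . "\n"
         . '  <input type="text" name="s" value="' . $s . '">' . "\n"
         . '</form>';
}

// Hardened pattern: escape per output context. esc_attr() for attribute
// values, esc_html() for text nodes. (WordPress's get_search_query() already
// returns an esc_attr()'d value; reading $_GET['s'] directly bypasses that.)
function hardened_search_form(array $get): string {
    $s = $get['s'] ?? '';
    return '<h1>Search results for: ' . esc_html($s) . '</h1>' . "\n"
         . '<form method="get" action="/">' . "\n"
         . '  <input type="text" name="s" value="' . esc_attr($s) . '">' . "\n"
         . '</form>';
}

// Constructed probe (not a payload taken from the post): closes the value
// attribute and drops an iframe, the kind of fake-login-form injection the
// screenshots describe in general terms.
$probe = ['s' => '"><iframe src="https://attacker.example/login"></iframe>'];

echo "--- vulnerable ---\n", vulnerable_search_form($probe), "\n\n";
echo "--- hardened ---\n",   hardened_search_form($probe), "\n\n";

// Self-check: no markup from the parameter may survive in the hardened output.
if (strpos(hardened_search_form($probe), '<iframe') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "hardened output contains no injected tags\n";
```

Run it with `php example.php` and compare the two outputs: the vulnerable form renders a live iframe, the hardened one shows the probe as literal text. The practical caveat is the word "filtering" in the changelog: a blacklist that strips `<script>` can still miss an attribute break-out like the one above, so after any such update the search page should be re-tested with a probe that targets each output context, not just one.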

ThemeForest support has a clear policy: submitting fixes and informing customers must be done by the theme developer. Envato provides ThemeForest as a marketplace, or platform, for authors to sell their digital creations. It is the author who owns the product and therefore should be responsible for support and maintenance.

I don't know how the theme developers inform existing customers about security fixes. Perhaps the customers receive all updates automatically. Perhaps there is an e-mail notification or just one line in the changelog.

In this case the number of potentially affected sites is over 16,000. I have checked the developer site, support forum, blog and ThemeForest entries, and I have not found any clear security update alert for the affected customers. If the theme developer does not actively inform customers about available fixes, the vulnerable sites stay easy for attackers to locate.

Please help to distribute this information. I simply cannot locate and contact 16,000 sites.

Monday, October 29, 2012

XSS vulnerability in Wordpress themes by Kriesi

According to my tests, the following premium Wordpress themes by Kriesi are affected by a reflected Cross-site Scripting (XSS) vulnerability:

Sales figures are based on Themeforest statistics. Over 16,000 web sites could be affected.

Developer status: notified initially on 5th of October
Latest developer response (24-Oct) : rolling out fixes in the near future.
Developer home page: http://www.kriesi.at/
Official support forum: http://www.kriesi.at/support/

Examples

Broadscope theme: injecting a fake login form using the iframe tag (note: a potential attacker would most likely mimic the target site's layout and style):


Choices theme: external JavaScript that displays the browser cookie:


Further reading:

Analysis of 15 million cyber attacks - posted on 22-Oct on Help Net Security. According to the article, XSS is now the most common attack type.

Update 30-Oct:
- The Open Source Vulnerability Database entries can be found here
- My post on Themeforest forum was removed without explanation
- Propulsion and Sentence themes added


Friday, October 12, 2012

XSS vulnerability in four premium WordPress themes

According to my tests, the following premium WordPress themes are affected by a reflected Cross-site Scripting (XSS) vulnerability:



Developer status: notified, no responses.

Based on the Themeforest purchase statistics, over 6,000 sites could be affected.

BigBang XSS test example - remote JavaScript execution:

  

Convergence XSS test example - remote iframe injection:



Because the number of potentially affected sites is high, it would be important to spread this information.

Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez


Monday, October 8, 2012

XSS vulnerability in Imediapixel premium WordPress themes

Back to WordPress theme testing.

According to my tests, the following premium WordPress themes by imediapixel are affected by a reflected Cross-site Scripting (XSS) vulnerability:

Developer status: tried to contact via e-mail and the Themeforest forum - no responses.

Screenshot of the ECOBIX theme basic XSS test - remote JavaScript execution:


I have also tested some corporate sites using the ECOBIZ theme. They were all affected.

Based on the Themeforest purchase statistics, there could be over 4,000 affected websites.

Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez

Saturday, October 6, 2012

XSS vulnerability in multiple D+M group sites

According to my tests, the following D+M Group websites are vulnerable to reflected Cross-site Scripting (XSS):
  • Denon - the following sites were tested:
    • denon.co.uk 
    • denon.de
    • denoneu.com  
    • denon.com.cn 
    • usa.denon.com
    • ca.denon.com
    • denon.fi
    • denon.ru
    • denon-online.ch
    • denon.jp
    • denon.fr
  • Marantz - the following sites were tested:
    • marantz.co.uk
    • marantzitaly.com  
    • marantz.com.hk 
  • allen-heath.com  
  • mcintoshlabs.com 
Vendor status: notified and reported on 30-Sep-2011 to Global CMS Architect of D+M Group

Vendor response: thank you (however, the vendor has not fixed any of the sites; retested on 6-Oct-2012)

Screenshots of basic tests:

1) Allen-heath.com remote JavaScript


2) Mcintoshlabs.com simple iframe injection

3) Denon.de "login" form created with JavaScript. Note: this is a generic test case. A real attacker would most likely mimic the site layout, colors and fonts.


4) Marantz.co.uk remote JavaScript execution


5) Denon.fi basic XSS test using the latest Chrome browser. Although some browsers have anti-XSS features (Chrome's XSS Auditor, for example), there are known bypasses. Developers should not rely on browser-side protection alone.



XSS vulnerability in Southwest Airlines


Southwest Airlines suffers from a reflected Cross-site Scripting (XSS) vulnerability.

Update 30-Dec-2012: This issue has been fixed.


I have tried to contact Southwest using various channels: e-mails, contact forms, persons via LinkedIn etc. I have not received a single response in four months.


One channel I did not even try this time is US-CERT, because they have not responded to my earlier e-mails.

I hope companies will open a working channel for security researchers and pentesters. A simple e-mail address like security at company.com would be nice.


Responsible disclosure requires responsible vendors.