[IMPORTANT] XSS vulnerability in theme


    [Edited while we verify – Mark]



    Rather than report it in the forum you should really be reporting this to:

    a. Staff. Use the feedback or support options to let them know.
    b. The theme’s creator. If it’s happening here, it will be happening to anybody that’s using the theme.

    For information, this is quite a common vulnerability, widely reported, especially at http://www.blogsecurity.net.

    Thanks for your efforts to help keep us secure!



    Trent, if you’re around, that up there needs to be deleted. Like publishing a social security number for all to see.

    That needs to be sent in via email to support at wordpress dot com. Please include the URL of where you tried this, the version of the blix theme if you know it (There’s about a dozen of them out there) and a copy of the script that you put into the search box. The original designer no longer supports the theme I believe.



    Thanks Mark!


    @ Cornell: I’ve already sent a message to the theme’s creator, but he hasn’t answered yet.
    I don’t know if your sentence “Thanks for your efforts to help keep us secure!” was ironic, but there are hundreds of blogs using that theme… so I just wanted to help WordPress before someone else would have exploited that bug.

    I think the support is not working in the weekend so the only place I knew where I could contact the staff was the forum.

    Message for the staff: I’m sure you’ll fix everything soon, but if you have problems I can tell you what code line of the theme should be modified.



    do you really think they ain’t aware that `$_SERVER['PHP_SELF']` is an ugly hack?

    you’d better tell’em (I’m interested too): “why PHP [4] has succeeded in spite of its sucking?”

    of course, it’s not a “low barrier to entry and the hacks and horrible scripts”, — my guess there must be some poetry magic quietly kept PHP behind ;-)



    Which theme creator did you send it to? Like I mentioned, it’s been spun off a few times.



    Digital Phoenix – no, it wasn’t meant to be ironic, it was a genuine “thanks”. :)



    << it’s been spun off a few times.

    doesn’t matter, half of them are vulnerable just the same way, because theme designers being “strongly influenced by the speed, security, and extensibility of the underlying code” are just copy-pasting tainted parts of a script found somewhere as a “good” example of how things should be done.

    “A low barrier to entry sounds like a good thing.”, — well-well…



    Actually it does matter which is why I asked. If the poster sent an email to only one of the fork “authors”, the rest of them should be made aware of it.

    And if the poster sent the email to the original theme designer who appears to be no longer working on or supporting the theme, it would probably just get dropped into the bit bucket.



    /me thinks tainted themes submitted to the themes.wp.net “should be checked for vulns and removed before WordCamp“, as it is far more dangerous than ‘sponsored’ themes for the wp community.

    edit: should be checked and approved before made it available for download for everyone from there.

    also, this allows theme makers to be informed.



    Automattic are not in the business of informing theme developers about bugs they’ve fixed, they say it’s up to the designers to come to them. Another shining example of that Open Source spirit WP is so famous for :)



    Where you find a disconnect is where a connect could be. It’s sad that in the information age and, in this particular community, connections that could be made aren’t being made and relationships that could flower and fruit aren’t well established. In the end attitude, relationships and a problem solving focus are of the utmost import when it comes to building community be it in IT or elsewhere.


    @ drmike: I’ve sent a message only to the original theme designer but as options said, the bug is also in other versions of the theme.



    The theme we use is fine, no cause for concern.


    suddenly the bug has disappeared… what happened? Was it all a dream? Was it just my imagination? Or maybe you have modified the code of the theme…
    Let me give a simple example: yesterday I opened a WordPress blog and there was the bug; then I read your reply and I opened that blog again but… the bug has disappeared!

    Dear Mark, the original Blix theme is bugged… download the zip file of the theme from the site of the creator, extract it and open the search.php file. At the end there is this code line:
    `No Results for '<?php echo $s ?>'`
    As you know, “echo $s” shows the content of the variable s, that is the string we want to search for; if in the variable s there is a script, it will be put in the html code of the page and executed. This command is never used in other themes and should never be used.

    I also have proof that the bug in the Blix theme can be exploited in some blogs which are not hosted on WordPress servers.
    I don’t want to criticize, but if you have modified the code you should admit it.

    Maybe I am wrong, but I wait for your reply.
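The following is an added example, not code from the Blix theme or from WordPress: it places the raw `echo $s` pattern quoted above beside a version that encodes the search term for an HTML context, and feeds both a constructed query string containing markup. The function names are hypothetical; `htmlspecialchars()` is core PHP, and `esc_html()` / `get_search_query()` mentioned in the comment are WordPress core functions.

```php
<?php
// Added example (not the theme's or WordPress's own code).

// The pattern quoted from search.php: the search term is written into the
// page exactly as the visitor supplied it, so any '<' or quote characters
// in the query string are handed to the browser as live markup.
function no_results_vulnerable(string $s): string
{
    return "No Results for '" . $s . "'";
}

// Hardened form: encode the term for an HTML text context before output.
// ENT_QUOTES also encodes both quote characters, so the value is equally
// safe inside an attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string.
function no_results_safe(string $s): string
{
    $escaped = htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "No Results for '" . $escaped . "'";
}

// Inside a WordPress theme the idiomatic line would be:
//   No Results for '<?php echo esc_html( get_search_query() ); ?>'

// Constructed sample query string standing in for $s: closes the quote
// and injects an element, the same shape of input the thread describes.
$sample = "wordpress'><b>injected</b>";

echo "vulnerable: ", no_results_vulnerable($sample), PHP_EOL;
echo "hardened:   ", no_results_safe($sample), PHP_EOL;
```

Run with `php example.php`; in the hardened line every `<`, `>` and `'` from the query arrives as an HTML entity, so it renders as text instead of being parsed as markup.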



    If you would like to continue this conversation with Mark who has said: “The theme we use is fine, no cause for concern” then please send your email to support at this domain. Tx

The topic ‘[IMPORTANT] XSS vulnerability in theme’ is closed to new replies.