Wednesday, November 14, 2012

New blog created

I really don't like Blogger that much. It is nice and free, but it basically requires login to Google+, which could mean some unwanted information tracking.

Here is my latest temporary blog: Janne's security log

Saturday, November 3, 2012

Kriesi Wordpress theme XSS update

My previous blog post covered the reflected Cross-site Scripting (XSS) vulnerability in 14 premium Wordpress themes by Kriesi.

I have contacted some 20+ web-sites using one of the vulnerable themes hoping the customers would ask for updates. I cannot do that: the official support forum requires an item purchase code.

Some corrective actions have been taken based on this forum discussion: http://www.kriesi.at/support/topic/xss - in fact, test results based on the theme live previews indicate that all reported issues may have been fixed. Quote from the changelog of the Choices theme on ThemeForest:

    2012 30 09 – Version 1.6.0
    - improved security by filtering search parameters

Test results of three randomly selected sites are worrying:
  • Choices theme - website XSS
  • Shoutbox theme - website XSS
  • Abundance theme - website XSS
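The changelog line above ("filtering search parameters") points at the usual root cause of reflected XSS in a theme: the search term from the query string is written back into the page without escaping for its output context. The following is an added example written for this post, not code from any Kriesi theme or from WordPress itself; the function names insecure_search_form and secure_search_form and the surrounding markup are assumptions, while get_search_query(), esc_attr(), esc_html(), esc_url() and home_url() are the real WordPress helpers.

```php
<?php
/*
 * Added example (not code from any Kriesi theme): the reflected-XSS
 * pattern in a WordPress theme search template, beside the hardened form.
 * The function names and the surrounding markup are assumptions.
 */

// VULNERABLE: the raw "s" parameter is echoed straight into an attribute
// value and into the page body. A request whose search term contains a
// quote or a "<" breaks out of the attribute or the text node, and the
// injected markup is rendered for whoever follows the crafted link. This
// is the "reflected" case the post describes.
function insecure_search_form() {
    $term = isset( $_GET['s'] ) ? $_GET['s'] : '';
    return '<form role="search" method="get" action="' . home_url( '/' ) . '">'
         . '<input type="text" name="s" value="' . $term . '" />'
         . '<p>Results for: ' . $term . '</p>'
         . '</form>';
}

// HARDENED: escape for the context the value lands in.
// - get_search_query() returns the term already passed through esc_attr()
//   (its $escaped argument defaults to true), so it is safe inside value="".
// - esc_html() is the right escaper for text between tags; pass it the
//   unescaped term (get_search_query( false )) to avoid double encoding.
// - esc_url() is used for the action attribute.
// Browser XSS filters are not a substitute for this: the fix belongs in
// the template, on the server side.
function secure_search_form() {
    return '<form role="search" method="get" action="' . esc_url( home_url( '/' ) ) . '">'
         . '<input type="text" name="s" value="' . get_search_query() . '" />'
         . '<p>Results for: ' . esc_html( get_search_query( false ) ) . '</p>'
         . '</form>';
}
```

Theme customers can apply the same check themselves: search the theme's template files for $_GET['s'] or get_search_query( false ) being echoed without an esc_* wrapper, which is the pattern a "filtering search parameters" fix would have replaced.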

ThemeForest support has a clear policy: submitting fixes and informing customers must be done by the theme developer. Envato provides ThemeForest as a marketplace, or platform, for authors to sell their digital creations. It is the author who owns the product and therefore should be responsible for support and maintenance.

I don't know how the theme developers inform existing customers about security fixes. Perhaps the customers receive all updates automatically. Perhaps there is an e-mail notification or just one line in the changelog.

In this case the number of potentially affected sites is over 16,000. I have checked the developer site, support forum, blog, ThemeForest entries and I have not found any clear security update alert to the affected customers. If the theme developer does not actively inform customers about available fixes, it could be easy for hackers to locate the vulnerable sites.

Please help to distribute this information. I simply cannot locate and contact 16,000 sites.

Monday, October 29, 2012

XSS vulnerability in Wordpress themes by Kriesi

According to my tests, the following premium Wordpress themes by Kriesi are affected by a reflected Cross-site Scripting (XSS) vulnerability:

Sales figures are based on Themeforest statistics. Over 16,000 web sites could be affected.

Developer status: notified initially on 5th of October
Latest developer response (24-Oct) : rolling out fixes in the near future.
Developer home page: http://www.kriesi.at/
Official support forum: http://www.kriesi.at/support/

Examples

Broadscope theme: injecting a fake login form using the iframe tag (note: a potential attacker would most likely mimic the target site's layout and style):


Choices theme: external JavaScript that displays the browser cookie:


Further reading:

Analysis of 15 million cyber attacks - posted on 22-Oct on Help Net Security. According to the article, XSS is now the most common attack type.

Update 30-Oct:
- The Open Source Vulnerability Database entries can be found here
- My post on Themeforest forum was removed without explanation
- Propulsion and Sentence themes added


Friday, October 12, 2012

XSS vulnerability in four premium WordPress themes

According to my tests, the following premium WordPress themes are affected by a reflected Cross-site Scripting (XSS) vulnerability:



Developer status: notified, no responses.

Based on the Themeforest purchase statistics, over 6,000 sites could be affected.

BigBang XSS test example - remote JavaScript execution:


Convergence XSS test example - remote iframe injection:



Because the number of potentially affected sites is high, it would be important to spread this information.

Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez


Monday, October 8, 2012

XSS vulnerability in Imediapixel premium WordPress themes

Back to WordPress theme testing.

According to my tests, the following premium WordPress themes by imediapixel are affected by a reflected Cross-site Scripting (XSS) vulnerability:
Developer status: tried to contact via e-mail and Themeforest forum - no responses.

Screen-shot of the ECOBIZ theme basic XSS test - remote JavaScript execution:


I have also tested some corporate sites using the ECOBIZ theme. They were all affected.

Based on the Themeforest purchase statistics, there could be over 4,000 affected websites.

Further reading:
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices by Tony Perez

Saturday, October 6, 2012

XSS vulnerability in multiple D+M group sites

According to my tests, the following D+M Group web-sites are vulnerable to reflected Cross-site Scripting (XSS):
  • Denon - the following sites were tested:
    • denon.co.uk
    • denon.de
    • denoneu.com
    • denon.com.cn
    • usa.denon.com
    • ca.denon.com
    • denon.fi
    • denon.ru
    • denon-online.ch
    • denon.jp
    • denon.fr
  • Marantz - the following sites were tested:
    • marantz.co.uk
    • marantzitaly.com
    • marantz.com.hk
  • allen-heath.com
  • mcintoshlabs.com
Vendor status: notified and reported on 30-Sep-2011 to the Global CMS Architect of D+M Group

Vendor response: thank you (however, vendor has not fixed any of the sites. Retested on 6-Oct-2012)

Screen-shots of basic tests:

1) Allen-heath.com remote JavaScript


2) Mcintoshlabs.com simple iframe 'injection'

3) Denon.de "login" form created with JavaScript. Note: this is a generic test case. A real attacker would most likely mimic the site layout, colors and fonts.


4) Marantz.co.uk remote JavaScript execution


5) Denon.fi basic XSS test using the latest Chrome browser. Although some browsers have "anti-XSS" features, there are known workarounds and "hacks". Developers should not trust browser security alone.



XSS vulnerability in Southwest Airlines


Southwest Airlines suffers from a reflected Cross-site Scripting (XSS) vulnerability.

Update 30-Dec-2012: This issue has been fixed.


I have tried to contact Southwest using various channels: e-mails, contact forms, persons via LinkedIn etc. I have not received a single response in four months.


One channel I did not even try this time is US-CERT, because they have not responded to my earlier e-mails.

I hope companies would open a working channel for security researchers and pentesters. A simple e-mail address like security at company.com would be nice.


Responsible disclosure requires responsible vendors.



Tuesday, October 2, 2012

XSS vulnerability in Parallelus premium WordPress themes

According to my tests, at least the following premium WordPress themes by Parallelus are affected by a reflected Cross-site Scripting (XSS) vulnerability:
Developer status: contact attempt through a web form, no response. I have also tried to contact two sites using the Unite theme, but there have been no responses.

Update from the developer: all affected Parallelus themes are now corrected

Screen-shot of the Unite theme XSS vulnerability:

Screen-shot of a website using one of these themes - the test case executes a remote JavaScript:


The developer's Themeforest profile indicates over 18,000 completed sales, but not all the themes and templates are vulnerable. The number of potentially affected sites could still be high: there have been 4,816 purchases of the Unite theme alone. Affected sites include personal blogs, but also corporate websites.

I have tested several premium WordPress themes during the last week. The number of found issues is alarming. These cases are challenging from a pentesting perspective:
  • identifying potentially affected sites is a big task due to high volumes
  • contacting all affected sites would take too much time
  • many of the developers are difficult to reach and they might consider XSS as a minor issue
Therefore I'm trying to spread information through this blog and Twitter. Please help me if you think it is important to share information especially with the affected sites.

Update 6-Oct-2012 - online references:
F-Secure weblog posting
Threatpost news entry
PC Magazine SecurityWatch
OSVDB entries

Monday, October 1, 2012

XSS vulnerability in BigFeature WordPress premium theme

BigFeature WordPress premium theme by Vfxdude is vulnerable to reflected Cross-site Scripting (XSS).

Developer status: notified. Developer response: issue has been fixed

Screen-shot of the XSS test:


A theme upgrade is recommended. The theme developer has a support forum and an online FAQ.

The number of affected sites is unknown. Themeforest statistics indicate that 4636 purchases have been completed. I tested nine different sites using this theme and they were all affected.

Further reading:
What's Cross-site Scripting - MakeUseOf article, July 2012
Why XSS is so serious business - a blog post by Troy Hunt, August 2012
The Open Web Application Security Project (OWASP) TOP-10-A2

Saturday, September 29, 2012

XSS vulnerability in multiple premium WordPress themes

According to my tests, the following premium WordPress themes by Flow / Devatic are affected by a reflected Cross-site Scripting (XSS) vulnerability:
  • Daisho
  • Konzept
  • TheAgency
  • Sparky
  • PictureFactory
  • Paramount
  • Essence
  • Explicit
  • Eunice
  • Blaze
  • Brisk
  • Shapeless
Developer status: notified. Developer response: considered as a minor issue.

Screen-shot of the Blaze theme XSS vulnerability:

According to the developer's Themeforest profile, 5482 sales have been completed. The potential number of affected customers is however unknown. I tested 26 separate websites using Flow/Devatic themes. Most of the sites are using WordPress version 3.4.x and at least two are using the latest version. All tested sites were vulnerable to reflected Cross-site Scripting.