MicrostockGroup Sponsors


Author Topic: Cross-Site Scripting Vulnerability  (Read 3389 times)

0 Members and 1 Guest are viewing this topic.

« on: July 19, 2013, 11:21 »
+1
Can I have the views of the panel please.

When I set up my JustHost account, I added in Sitelock for security (I though that with it being WP, a belt and braces approach to security was wise).

I ended up going for the middle ground package (costs ~90USD) and a scan last night picked up this --

Quote from: From Sitelock's Email
For the newest issue that you have having with the XSS (Cross Site Scripting) vulnerability. That is caused by a weakness in the code of the Wordpress in itself. On your site you have the search bar on the top right. The code weakness is in there. Cross site scripting vulnerabilities is a quite serious issue as that is where hackers can steal anything they want from your visitors. Even though you might not be asking for customers information on your website, they can trick them into getting whatever information they want. This is where phishing attacks start as well.

The solutions to get this fixed are:
-If you are good at coding, you can get into the code and try to fix the code weakness
-We can fix it with a one time solution.
-You can get a web application firewall that won't fix the coding issue but will block people from being access it.

I've emailed Sitelock back to ask if this would affect the whole raison d'etre of Symbiostock, namely the ability to search across sites/the Network.

Also, I suspect the "fix with a one time solution" option would incur yet more outlay of shekels.

What are the panel's thoughts?

Ta

Russell

ETA: I have the Wordfence plugin installed which includes a firewall but will this be enough?


« Reply #1 on: July 19, 2013, 11:32 »
0
Aha! I was right! They will charge 299USD to do their own fix.

Need your input please, guys...

« Reply #2 on: July 19, 2013, 12:24 »
0
Look at BulletProof Security?   XSS is one of the things they say they cover but it looks a little complicated and capable of locking you out of your own site as you have to do things that get around that.  Having previously been locked out of my own forum I will let others look at that first

« Reply #3 on: July 19, 2013, 12:24 »
0
...and their charge for their Firewall is 500USD.


« Reply #4 on: July 19, 2013, 12:44 »
0
Actually, there are quite a few well-regarded WP plugins that deal with this sort of issue by the look of it.

I'll go down that route and see what happens.

Just off to backup my site...

« Reply #5 on: July 19, 2013, 14:44 »
+1
for more about XSS
http://blog.sucuri.net/2012/10/wordpress-themes-xss-vulnerabilities-and-secure-coding-practices.html
http://wp.tutsplus.com/tutorials/security/cross-site-scripting-in-wordpress-what-is-xss/
http://wp.tutsplus.com/tutorials/security/cross-site-scripting-in-wordpress-practical-tips-for-securing-your-site/

otoh, my global search at symbiosearch.com and I think, ajt's symbiostock.info collect all data, then run searches on a single database, not relying on the individual sites, so there's no contact with wordpress

« Reply #6 on: July 19, 2013, 15:01 »
0
Thanks. I've gone with Tinny's suggestion of the BulletProof plugin, pasting some code in .htaccess and reconfiguring WP Super Cache.

I did a dummy user registration 15 minutes ago but still haven't received the site-generated password email nor have I received the "new user" email sent to my Admin account - I hope this plugin doesn't stuff up my site registration and emails just after I've got them sorted...

« Reply #7 on: July 19, 2013, 15:09 »
+1
Hi Russell - I was going to try and register on your site but unable to (can't find login form for one) and when I click on a picture to get to it that way it tells me, I don't think you have a contact form either ?

Content Encoding Error
     
                  The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.
       
  Please contact the website owners to inform them of this problem
.


PS - seeing one of your hobbies - have you tried cheese and ham or chocolate and raspberry ?  I made both today, we have lots of raspberries so thought I would try something new with them :)
« Last Edit: July 19, 2013, 15:12 by Tinny »

« Reply #8 on: July 19, 2013, 16:23 »
0
Hi Russell - I was going to try and register on your site but unable to (can't find login form for one) and when I click on a picture to get to it that way it tells me, I don't think you have a contact form either ?

Content Encoding Error
     
                  The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.
       
  Please contact the website owners to inform them of this problem
.


PS - seeing one of your hobbies - have you tried cheese and ham or chocolate and raspberry ?  I made both today, we have lots of raspberries so thought I would try something new with them :)

That's odd. Using my wife's laptop, everything seems OK. The Login/Register link and the Contact link are both above the search box (but they were under the Cookie warning banner initially) at top right of the browser window.

And clicking an image takes me to the correct image purchase page.

Oh, but hold on. Here we go again. I can't access my site from the Symbiostock Network Directory Page. I'm now on there but there are errors on every link including my profile pic.

And I only started appearing on the network page yesterday. *Invokes Khaaaaaaan meme*

As to bread, I'm vegan so cheese and ham are out. I've tried all manner of dried fruits along with the usual grainy/nutty/seedy additions but I've not yet tried a sweet fruit like raspberry. I'm going to give that a go.

BTW, you're a registered user on my site already Tinny - you kindly tested it out when I initially set it up.




Leo Blanchette

« Reply #9 on: July 19, 2013, 16:29 »
+1
Being a little strapped for time I just wanted to make a quick reply -

Just a few things are needed in a basic setup. I'm using Akismet and "Bad Behavior" (this one needs a little tweaking sometimes) and that should be plenty.

Between SEO consultant sites and security stuff, there's a lot of things meant to scare you into paying for stuff you don't need.

If I missed addressing your prob properly just ignore :D

« Reply #10 on: July 19, 2013, 17:00 »
0
Yeah, I'm slowly realising that Leo. But I am where I am.

AFAICT, the fact that my pages have stopped loading is down to an Error 330 and the cause is HTTP request headers claiming that the content is gzip encoded, but it isn't.

So do I once more go burrowing in my files to edit code and change some settings?
« Last Edit: July 20, 2013, 04:07 by Imagenomad »

« Reply #11 on: July 20, 2013, 04:06 »
0

Please insert swear words of your choice.

It looks like a combination of WP Super Cache and BulletProof have rewritten my .htaccess files so that I, or rather you, can't get at my content. I did fiddle a bit with the code to change compression and mod-rewrite parameters and this got rid of the 330 Error that I was getting.

Instead, I'm giving you a HTTP 403 Forbidden error.

But here's the thing. The BulletProof plugin rewrites its own .htaccess files and doesn't allow Options to be set as +Indexes which is why I am serving you up 403 Forbidden errors. The BulletProof .htaccess comments say, "Using the setting <<Options +Indexes>> will break your WordPress site". Insert more swear words here.

So, I've temporarily disabled BulletProof and you can now get at my site through the Symbiostock Network Directory Page, albeit getting my homepage rather than my Author page. The Contact link seems to be working though.

The upshot is that I'm uninstalling BulletProof and will have a rethink about how I deal with the Sitelock's advice to spend money with them, especially in light of Cascoly's helpful links and comments above. It's been a useful learning exercise though, even if I have been up all night.

Never mind, I should get some good Editorial stock today, out and about in town when an Arts festival is on.


PS to Leo - I've disabled Akismet and am using Disqus for comments and I installed "Bad Behavior" at the start.
« Last Edit: July 20, 2013, 04:09 by Imagenomad »

« Reply #12 on: July 20, 2013, 04:19 »
+1
As mentioned above I did not like the look of the text on BulletProof that said you could be locked out of your site, having experienced this with another site I ran, so am relieved I let someone else try it first <insert evil grin>  . 

There were specific instructions on uninstalling BulletProof not just the normal method - hope you have found that.  Good luck on getting it sorted and sorry I mentioned it in the first place.  Hope you get some good pictures today


« Reply #13 on: July 20, 2013, 06:05 »
0
As mentioned above I did not like the look of the text on BulletProof that said you could be locked out of your site, having experienced this with another site I ran, so am relieved I let someone else try it first <insert evil grin>  . 

There were specific instructions on uninstalling BulletProof not just the normal method - hope you have found that.  Good luck on getting it sorted and sorry I mentioned it in the first place.  Hope you get some good pictures today

Thanks Tinny - yes I found the mildly convoluted uninstall process for BulletProof. They certainly live up to their name. Their motto should be "Protect your site by allowing no-one at all to browse it!"

I've installed a different plugin that'll hopefully keep the nag messages from Sitelock at bay.

And you can wipe that evil grin off your face now. Squeaky bum time has been and gone...   ;)

Ron

« Reply #14 on: July 20, 2013, 07:11 »
+1
I have sitelock, never got that message.

« Reply #15 on: July 20, 2013, 08:37 »
+1
Just a side note, you really need to get rid (or change the appearance) of that cookie banner on top. It hurts the design and functionality and it's hard to recognize since it has the same color as the browser bar.

« Reply #16 on: July 20, 2013, 09:18 »
0
Just a side note, you really need to get rid (or change the appearance) of that cookie banner on top. It hurts the design and functionality and it's hard to recognize since it has the same color as the browser bar.

It goes as soon as you click on it to agree to cookies

« Reply #17 on: July 20, 2013, 10:36 »
0
Just a side note, you really need to get rid (or change the appearance) of that cookie banner on top. It hurts the design and functionality and it's hard to recognize since it has the same color as the browser bar.

It goes as soon as you click on it to agree to cookies

It probably does but you can hardly see the request to click and not many people are used to "accept" something before they can browse a website.

« Reply #18 on: July 20, 2013, 11:39 »
0
They are in Europe - we have to have  the cookie acceptance especially if selling something, so it needs to be visible

« Reply #19 on: July 20, 2013, 12:21 »
0
Just a side note, you really need to get rid (or change the appearance) of that cookie banner on top. It hurts the design and functionality and it's hard to recognize since it has the same color as the browser bar.

Thanks Redneck. As Tinny says, it's a European legal requirement to warn users of a website's use of cookies so it has to be there. Once the use of cookies is accepted, the bar goes and only reappears if the visitor clears their cookies.

But I take your point about its colo(u)rs and will make the text more visible. I'll also move it to the bottom of the browser window.

Thanks for the useful feedback.

Russell

« Reply #20 on: July 20, 2013, 12:28 »
0
I have sitelock, never got that message.

Do you have the package with the XSS scan enabled Ron?

I initially bought the basic package with limited security scanning - Malware and one or two other things but no XSS scans, I think. It was on offer when I bought the hosting package so I thought, "Why not?".

But then I let myself be talked into upgrading to a more comprehensive package (but obviously wish I hadn't now).

I might see if I can downgrade as it's causing me nothing but hassle for what seem to be largely hypothetical vulnerabilities, or at least vulnerabilities that don't apply to the Symbio setup or to the most current WP installations.

Thanks for the feedback.

Russell
« Last Edit: July 21, 2013, 01:18 by Imagenomad »


 

Related Topics

  Subject / Started by Replies Last post
14 Replies
4884 Views
Last post June 27, 2007, 19:34
by hospitalera
15 Replies
4917 Views
Last post September 20, 2008, 03:24
by fotografer
18 Replies
5068 Views
Last post December 18, 2008, 15:24
by WarrenPrice
6 Replies
4054 Views
Last post February 06, 2014, 01:07
by ArenaCreative
67 Replies
14850 Views
Last post September 09, 2016, 09:36
by Zero Talent

Sponsors

Mega Bundle of 5,900+ Professional Lightroom Presets

Microstock Poll Results

Sponsors

3100 Posing Cards Bundle