StudioPress Community Forums
03-10-2010, 11:29 PM
clementsm
Registered User
Pro Plus Member
Join Date: Aug 2009
Posts: 5
XSS Vulnerability in Allure

I was checking the site I was implementing using the Allure theme for the search XSS vulnerability, and it appears to be vulnerable...

You can verify this as follows:

Code:
 http://mydomain.com/?s="</title><script language="javscript" type="text/javascript">alert('This Should Not Happen!!!!');</script>"
I have tested against the Default theme to eliminate a WordPress bug (2.9.2), and after checking out the StudioPress code it seems that the function sp_breadcrumb defined in breadcrumbs.php does not use html_entities to sanitize the value of $output (OK, I looked at it really briefly, so that may not be the root cause).

OK, and a follow-up: simple to fix.

The issue is in breadcrumbs.php, which is in the tools folder (Joost's plugin).

Just add the following line:

Code:
$output = htmlentities($output, ENT_QUOTES, get_bloginfo('charset'));
at the end of the file just prior to the following section:

Code:
        if ($display) {
                echo $prefix.$output.$suffix;
        } else {
                return $prefix.$output.$suffix;
        }
}

?>
And that fixes it. Given that the error is in this file, I would guess that some of the other StudioPress themes are vulnerable to this same thing, but I did not check all the themes.

Last edited by clementsm; 03-11-2010 at 12:09 AM. Reason: More information...
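
An added example, not part of the original post or of the theme's code: it compares encoding the whole breadcrumb string just before output (the one-line fix above) with encoding only the search term where it is inserted. The function names, the breadcrumb markup and the `UTF-8` constant standing in for `get_bloginfo('charset')` are assumptions, since the page does not show the rest of breadcrumbs.php.

```php
<?php
// Added example; not StudioPress or plugin code. All function names are hypothetical.

// Constructed stand-in for get_bloginfo('charset') so this runs outside WordPress.
const CHARSET = 'UTF-8';

// "Before": the search term is concatenated into the breadcrumb as-is.
// The link markup here is an assumed breadcrumb layout.
function crumb_unescaped(string $home_url, string $search): string {
    return '<a href="' . $home_url . '">Home</a> &raquo; Search results for "' . $search . '"';
}

// Fix as posted in the thread: encode the finished string just before output.
function crumb_encode_whole(string $home_url, string $search): string {
    $output = crumb_unescaped($home_url, $search);
    return htmlentities($output, ENT_QUOTES, CHARSET);
}

// Variant: encode each dynamic value at the point where it enters the markup,
// so the theme's own tags and entities are left untouched.
function crumb_encode_value(string $home_url, string $search): string {
    $safe_url  = htmlentities($home_url, ENT_QUOTES, CHARSET);
    $safe_term = htmlentities($search, ENT_QUOTES, CHARSET);
    return '<a href="' . $safe_url . '">Home</a> &raquo; Search results for "' . $safe_term . '"';
}

// Constructed sample input modelled on the test URL in the post.
$home   = 'http://mydomain.com/';
$search = '"</title><script>alert(1);</script>"';

foreach (['crumb_unescaped', 'crumb_encode_whole', 'crumb_encode_value'] as $fn) {
    $html = $fn($home, $search);
    printf(
        "%-20s script tag live: %-3s  home link intact: %s\n",
        $fn,
        strpos($html, '<script>') !== false ? 'yes' : 'no',
        strpos($html, '<a href=') !== false ? 'yes' : 'no'
    );
}
```

Both encoded variants neutralise the script tag. If `$output` already contains markup at the point where it is encoded, the whole-string variant also turns that markup into visible text, which is worth checking in the rendered breadcrumb after applying the fix.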
 

All times are GMT -5.