Cross-site Scripting (XSS) Vulnerability Invades Websites

Revamped Vulnerability Invades Almost All Dynamic Websites

Do you own or manage a website? If so, the cross-site scripting (XSS) vulnerability may rear its ugly head again...

In the last two weeks a major security flaw was disclosed that attackers are busy exploiting. This cross-site scripting (XSS) vulnerability potentially affects almost all dynamic sites. It lives in application code (the PHP that builds your pages), not in the web server, so the underlying stack makes no difference: WAMP (Windows, Apache, MySQL, PHP), MAMP (Mac, Apache, MySQL, PHP) and Linux servers are equally at risk if they run the vulnerable code.

NOTE: If you only have static HTML pages (no server-side code), this particular flaw does not apply to you and you can stop here.

Those of you who do have dynamic sites, which run server-side code to build your pages: oh snap, continue on! In less technical terms, if you use a content management system (CMS) such as WordPress, Drupal or Joomla, or a similar system, it is likely you are affected.

What does this really mean?

What are hackers doing with this vulnerability? An XSS flaw lets an attacker run JavaScript of their choosing in the browser of anyone who views the injected page. When that viewer is a logged-in administrator, the script acts with the administrator's rights: it can create a new admin user, edit a plug-in or theme to plant a backdoor, or change settings, and from there the attacker reaches whatever the server stores. They are typically looking for private information, including bank records, medical records and credit card numbers; basically, they are on a treasure hunt for anything they can exploit and sell on the black market. As a related example, if you are using the Wordfence plugin for WordPress, you may have noticed an increase in attempts to log in to your site with the "admin" username. That is password guessing (brute force), a different attack from XSS, but it is a sign that your site is on attackers' lists.

Wordfence founder and CEO Mark Maunder sent a mass email to all Wordfence subscribers asking them to update to WordPress 4.2.1, stating that they had noticed a significant number of WordPress sites that were still vulnerable.

Other CMS core providers, plug-in developers and theme developers continue to roll out patches in response to this critical flaw.

Watch out for free themes and non-premium theme developers. Because they provide their work for free, they are the least likely to respond quickly (or at all) with the necessary updates when a flaw like this is disclosed, leaving your site exposed to the threat.

If you have been in the game for some time (you are a web developer), you will note that this type of attack is not new. The add_query_arg() and remove_query_arg() "open door" has been around for some time and was pointed out back in 2013: when called without a URL argument these functions build on $_SERVER['REQUEST_URI'], which the visitor controls, and they return the resulting URL unescaped (remove_query_arg() is a wrapper around add_query_arg(), so the same applies to both). Many programmers wrongly leave off esc_url(), the function that sanitizes the URL for output and prevents the malicious JavaScript injection; the fix in every affected plug-in is to late-escape, i.e. echo esc_url( add_query_arg( ... ) ) rather than the raw return value.
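To make the open door concrete, here is an added example (not code from the original post, from Fusion-4 or from WordPress). It reproduces the pattern with simplified stand-ins named demo_add_query_arg() and demo_esc_url(), so it runs as a plain PHP script without WordPress loaded; the request URI, the page and tab parameters and the link label are constructed for the demo.

```php
<?php
// Added example (not Fusion-4's or WordPress's own code). It reproduces the
// add_query_arg() pattern described above without loading WordPress, so
// demo_add_query_arg() and demo_esc_url() are simplified stand-ins for the
// real add_query_arg() and esc_url(), not copies of them.

// Like WordPress's add_query_arg() with no URL argument, the stand-in builds
// on $_SERVER['REQUEST_URI'], which the visitor controls, and copies the path
// part of it verbatim into the result; only the query string is rebuilt.
function demo_add_query_arg(array $args): string
{
    $parts = explode('?', $_SERVER['REQUEST_URI'], 2);
    $query = [];
    if (isset($parts[1])) {
        parse_str($parts[1], $query);
    }
    return $parts[0] . '?' . http_build_query(array_merge($query, $args));
}

// Vulnerable pattern: the returned URL goes straight into an href attribute.
function link_vulnerable(string $label): string
{
    $url = demo_add_query_arg(['tab' => 'settings']);
    return '<a href="' . $url . '">' . $label . '</a>';
}

// Stand-in for esc_url(): refuse script-bearing schemes, then HTML-encode so
// quotes and angle brackets cannot break out of the attribute. The real
// esc_url() does more (character whitelisting, scheme normalisation).
function demo_esc_url(string $url): string
{
    $url = trim($url);
    if (preg_match('/^(javascript|data|vbscript):/i', $url)) {
        return '';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: late-escape on output. In a real plug-in this is
// esc_url( add_query_arg( ... ) ).
function link_hardened(string $label): string
{
    $url = demo_add_query_arg(['tab' => 'settings']);
    return '<a href="' . demo_esc_url($url) . '">' . $label . '</a>';
}

// Constructed request URI (not a captured attack): the payload sits in the
// path, before the query string, where the stand-in passes it through untouched.
$_SERVER['REQUEST_URI'] =
    '/wp-admin/admin.php/"><script>alert(document.cookie)</script>?page=demo';

// In the vulnerable output the quote and '>' close the href early and a
// <script> element lands in the page; in the hardened output the same bytes
// come out as &quot;, &gt; and &lt; and stay inert attribute text.
echo link_vulnerable('Settings'), PHP_EOL;
echo link_hardened('Settings'), PHP_EOL;
```

Run it with php on the command line and compare the two lines. The point to take from it: the URL is not dangerous when it is built, it is dangerous when it is printed into HTML, so escaping belongs at the output, not in a helper that may be reused in a context (a database column, a redirect header) where HTML encoding would be wrong.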

What can I do?  

  • Are you a Fusion4 client? Yes? Then, rest easy!
    • We already applied all necessary updates when our security expert Justin D. Luke first advised us of the exploitation.
  • If not and the instructions are within your wheelhouse:
    • Update all themes, plug-ins, patches, etc.; almost all CMS providers have shipped core updates that remedy the issue.
    • Check your analytics and server logs; you may notice an increase in foreign activity, which could mean overseas attackers are busy using your site to conduct their mischief!
    • If you are using WordPress, turn off automatic approval of comments (hold them for moderation) and trash any and all suspicious comments on blog posts.
    • If you are using any of the plug-ins listed below, either temporarily deactivate them or update them immediately. More than 400 plug-ins have the vulnerability, but this is a good start:
      • Jetpack
      • WordPress SEO
      • Google Analytics
      • All In one SEO
      • Gravity forms

If you simply don’t speak “geek” or if any of this falls outside your wheelhouse: Contact us at fusion-4.com and we can help you remedy the situation.

Given the long list of variables that can leave the door open for attackers, lean on industry folks, like us, as we continue to work towards slamming the door shut on these exploits.


Contributing editors; Danny J Johnson (web application design and developer) and Justin D. Luke (cyber security, SQL, programmer) for Fusion-4.

6 Comments

Thank you guys so much for this post. I was getting all these email updates about my site and simply ignored them, thinking they were just spam or some kind of gimmick to sell me something. After reading your article I logged into my site and found all the things you mentioned to be true: plugins needing updating, WordPress critical updates and over 200 comments, most of which were not even readable, so I deleted them like you advised. I think I have it all under control; is there a way I can make sure? Please let me know.

Jan

dannyjjohnson
April 28, 2015 5:25 pm

Jan, contact us directly and we can scan your site's code to make sure it is secure and also inspect your entire site to make sure you are safe. Also, I strongly advise avoiding most of the websites that have emerged with free tools to scan your site. Just call me paranoid, but we have not had a chance to validate the vast majority of these online tools to make sure they are legit. It is common for sites to emerge early in the game dangling carrots only to further identify potential vulnerabilities to exploit. Beware: anything free always comes with a caveat, usually at our expense, unfortunately. Thankfully there is a strong community behind securing the core builds for all the CMS systems, and because of their popularity the remedies propagate very quickly.

Danny


Great post, really cleared up a lot of issues for me. I followed your advice and after updating, everything is running smoothly.


OK, I told you so. This was just sent out from WP and WF:

WordPress 4.2.2 has just been released, which contains several important security fixes. We recommend you update immediately if you haven't already been automatically updated; update all plugins, themes, and core WP.

The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. This was reported by Robert Abela of Netsparker.

WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.


I think I have been hacked, my site is somehow emailing people I don’t even know and I’m getting all kinds of calls about it. I’m not sure what to do.


George, that certainly sounds like an XSS infection, assuming that your site is a WordPress site. A couple of weeks ago we restored a WordPress site that was behaving the same way and was infected with the Cross-Site Scripting vulnerability we have been discussing in this thread. The site was running an older version of WordPress and some of the plug-ins were also out of date. We can certainly help you as well. Go to our contact page and contact us with your details and we will get back to you promptly. ~Danny
