(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Today, Wordpress4.0.1 was released, which addresses a critical XSS vulnerability (among other vulnerabilities). [1]

The XSS vulnerability deserves a bit more attention, as it is an all too common problem, and often underestimated. First of all, why is XSS Critical? It doesnt allow direct data access like SQL Injection, and it doesnt allow code execution on the server. Or does it?

XSS does allow an attacker to modify the HTML of the site. With that, the attacker can easily modify form tags (think about the login form, changing the URL it submits its data to) or the attacker could use XMLHTTPRequest to conduct CSRF without being limited by same origin policy. The attacker will know what you type, and will be able to change what you type, so in short: The attacker is in full control. This is why XSS is happening.

The particular issue here was that Wordpress allows some limited HTML tags in comments. This is always a very dangerous undertaking. The word press developers did attempt to implement the necessary safeguards. Only certain tags are allowed, and even for these tags, the code checked for unsafe attributes. Sadly, this check wasnt done quite right. Remember that browsers will also parse somewhat malformed HTML just fine.

A better solution would have probably been to use a standard library instead of trying to do this themselves. HTML Purifier is one such library for PHP. Many developer shy away from using it as it is pretty bulky. But it is bulky for a reason: it does try to cover a lot of ground. It not only normalizes HTML and eliminates malformed HTML, but it also provides a rather flexible configuration file. Many lightweight alternatives, like the solution Wordpress came up with, rely on regular expressions. Regular expressions are typically not the right tool to parse HTML. Too much can go wrong starting from new lines and ending somewhere around multi-bytecharacters. In short: Dont use regular expressions to parse HTML (or XML), in particular for security.

[1] https://wordpress.org/news/2014/11/wordpress-4-0-1/

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Google has released a Firing Range for assessing various web application scanners, with what looks like a real focus on Cross Site Scripting. The code was co-developed by Google and Politecnico di Milano

Targets include:

  • Address DOM XSS
  • Redirect XSS
  • Reflected XSS
  • Tag based XSS
  • Escaped XSS
  • Remote inclusion XSS
  • CORS related vulnerabilities
  • Flash Injection
  • Mixed content
  • Reverse ClickJacking

Source code is on github at https://github.com/google/firing-range

App Engine deploy is at http://public-firing-range.appspot.com/

Rob VandenBrink

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Drupal Core Session Hijacking and Denial of Service Vulnerabilities
Lsyncd 'default-rsyncssh.lua' Remote Command Injection Vulnerability
[SECURITY] [DSA 3075-1] drupal7 security update
Drupal CKEditor Module Cross Site Scripting Vulnerability
Huawei HiLink E3236 and E3276 Cross Site Request Forgery Vulnerability
MantisBT 'adm_config_report.php' Cross Site Scripting Vulnerability
MantisBT 'core/file_api.php' Security Bypass Vulnerability

Posted by InfoSec News on Nov 20


By Jack Moore
November 19, 2014

The federal government and companies that operate critical infrastructure,
such as power grids and the telecommunications system, need to move
quickly to address the potential risks posed by the coming explosion of
Internet-connected devices -- known as the Internet of Things.

That’s the...

Posted by InfoSec News on Nov 20


By Darren Pauli
The Register
19 Nov 2014

A Russian research team has found vulnerabilities in millions of the
world's SIM cards, and separate flaws in common 4G modem platforms.
Together, the bugs could allow attackers to send crafted SMS text messages
to gain access to critical systems and install malware on connected

[ MDVSA-2014:217 ] clamav
CVE-2014-8877 - Code Injection in Wordpress CM Download Manager plugin

Posted by InfoSec News on Nov 20


November 19, 2014

German government and business computers are coming under increasing cyber
attacks every day from other states' spy agencies, especially those of
Russia and China, Germany's domestic intelligence (BfV) chief said on
Tuesday, Nov 18, according to Reuters.

Addressing a cybersecurity conference in Berlin, Hans Georg Maassen said
that of an estimated 3,000...

Posted by InfoSec News on Nov 20


By Dan Goodin
Ars Technica
Nov 18 2014

Microsoft has released an unscheduled update to patch a critical security
hole that is being actively exploited to hack Windows-based servers.

A flaw in the Windows implementation of the Kerberos authentication
protocol allows attackers with credentials for low-level accounts to

Posted by InfoSec News on Nov 20


By Elizabeth Snell
Health IT Security
November 17, 2014

There is no question that the healthcare industry and its subsequent
health data security options have made great strides over the last several
years. However, with cyber thieves more interested than ever before in
medical information, it is essential for healthcare organizations to go
beyond the standard HIPAA...

Posted by InfoSec News on Nov 20


By Lucian Constantin
IDG News Service
20 November, 2014

An Android Trojan program that's behind one of the longest running
multipurpose mobile botnets has been updated to become stealthier and more

The botnet is mainly used for instant message spam and rogue ticket
purchases, but it could be used to launch...

Posted by InfoSec News on Nov 20


November 19, 2014

Hackers seized a digital database from the city of Detroit earlier this
year and then demanded they receive a ransom in bitcoin, Mayor Mike Duggan
said this week, but the city balked and ultimately the hijackers were
unsuccessful with their request.

Duggan, who was elected last year to lead the Motor City after a
headline-making bankruptcy filing, explained...
[ MDVSA-2014:216 ] php-ZendFramework
Geary CVE-2014-5444 Man in the Middle Security Bypass Vulnerability
Oracle Java SE CVE-2014-6503 Remote Security Vulnerability
Oracle Java SE CVE-2014-6515 Remote Security Vulnerability
Microsoft Internet Explorer CVE-2014-6348 Remote Memory Corruption Vulnerability
Microsoft Internet Explorer CVE-2014-6343 Remote Memory Corruption Vulnerability
Oracle Java SE CVE-2014-6456 Remote Security Vulnerability
Microsoft Internet Explorer CVE-2014-6347 Remote Memory Corruption Vulnerability
Oracle Java SE CVE-2014-6502 Remote Security Vulnerability
Internet Storm Center Infocon Status