Posts Tagged “Theme”

The team behind BlogSecurity plans to launch something like an award or recognition system for blogs, themes and/or plugins that are secure. In my eyes this is a really good idea: if it became widespread, you could go out and look for plugins or themes that are certified secure and prefer them over unproven or even insecure ones. Who of us wants his blog broken into? It would take a lot of work to regain access and redo everything (depending on what the attacker did).

At the current stage they are first collecting opinions and ideas that you direct to them. I would have my own components approved, to guarantee you that they are secure and that you can use them without a strange feeling in your stomach. As these plugins don't only interact with WordPress but also with phpBB and Joomla, it seems even more important to demonstrate their security.

At the current level of this idea, nothing substantial has been done yet, so there is no information available on whether it will cost something or how it will be done. But if the WordPress community shows real demand for such a service, it will come, and we will soon see more detailed information on this topic. So watch this blog!


Tags: Award, Plugin, Security, Theme, Wordpress


As I just read over at heise.de Security (German), a good collection of security news, a Cross-Site Scripting (XSS) hole exists in many templates for WordPress. Affected templates include popular ones such as K2 as well as the Classic one.

The problem occurs in many templates that use custom 404 error pages. Most of these templates don't check the variable $_SERVER['PHP_SELF'] for HTML special characters before echoing it, so an attacker can perform XSS attacks.
To see whether your template is also affected, visit this URL:

http://www.example.com/index.php/"><script>alert(document.cookie)</script>

If you see a JavaScript popup (assuming JavaScript is enabled), your template is affected.
Check searchform.php and sidebar.php for:

action="<?php echo $_SERVER['PHP_SELF']; ?>"

Replace it with:

action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
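As an added example (not from the original post, heise.de or the Bugtraq report), here is a small Python checker that scans theme files for $_SERVER['PHP_SELF'] emitted outside an escaping call, together with a Python stand-in for htmlspecialchars() that shows what the path from the test URL above turns into once escaped. The sample file contents are constructed, and esc_attr() is assumed as an additional accepted escaper because it is WordPress's own attribute-escaping helper.

```python
import html
import re

# Any use of the superglobal the post warns about, with a single- or double-quoted key.
PHP_SELF = re.compile(r"""\$_SERVER\s*\[\s*['"]PHP_SELF['"]\s*\]""")
# Calls that neutralise the value for an attribute context; esc_attr() is WordPress's own
# helper (assumed here so themes that use it are not flagged).
ESCAPERS = ("htmlspecialchars", "htmlentities", "esc_attr")

def _inside_escaper(prefix):
    """True if the text before a PHP_SELF use still has an escaper call open."""
    for name in ESCAPERS:
        for m in re.finditer(re.escape(name) + r"\s*\(", prefix):
            inner = prefix[m.end():]
            # The call's own '(' is not in `inner`, so the call is still open
            # while `inner` has at least as many '(' as ')'.
            if inner.count("(") >= inner.count(")"):
                return True
    return False

def find_unescaped_php_self(source, filename="<string>"):
    """Return (filename, line_no, line) for each line emitting PHP_SELF unescaped."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in PHP_SELF.finditer(line):
            if not _inside_escaper(line[: m.start()]):
                findings.append((filename, line_no, line.strip()))
                break
    return findings

def attribute_safe(value):
    """Python stand-in for htmlspecialchars() in a double-quoted attribute. Note that
    html.escape also encodes the single quote, which PHP's default flags did not."""
    return html.escape(value, quote=True)

# Constructed sample: the vulnerable searchform.php pattern from the post, and the fixed form.
VULNERABLE_SEARCHFORM = """<form method="get" id="searchform" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <input type="text" name="s" id="s" />
</form>
"""
FIXED_SEARCHFORM = VULNERABLE_SEARCHFORM.replace(
    "echo $_SERVER['PHP_SELF'];", "echo htmlspecialchars($_SERVER['PHP_SELF']);")

if __name__ == "__main__":
    for name, src in (("searchform.php", VULNERABLE_SEARCHFORM), ("fixed.php", FIXED_SEARCHFORM)):
        for fname, ln, text in find_unescaped_php_self(src, name):
            print(f"{fname}:{ln}: unescaped PHP_SELF -> {text}")
    # The path from the test URL above, once escaped: no raw '<' or '"' survives.
    print(attribute_safe('/index.php/"><script>alert(document.cookie)</script>'))
```

Run it against a real theme by reading searchform.php, sidebar.php and 404.php into find_unescaped_php_self(); a line that wraps PHP_SELF in an escaper that has already been closed (for example htmlspecialchars('x') . $_SERVER['PHP_SELF']) is still reported.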

The original bug report was posted on Bugtraq.

Tags: Template, Theme, Wordpress, XSS
