Cross-Site Scripting/XSS in Betheme

Hi Author,

Last week we conducted a pentest on one of our sites that uses Betheme version 10.7 and WordPress version 4.4.1. We found that Betheme is vulnerable to XSS, which may potentially allow an attacker to send undesirable content to users, such as modified content and scripts.

Then, to see the XSS error, browse to this URL using Internet Explorer 11:

http://devbrandinsider.asiaone.com/tiongaik?"><body/**/onload=eval(String.fromCharCode(97,108,101,114,116,40,39,77,97,108,105,99,105,111,117,115,32,67,111,100,101,32,69,120,101,99,117,116,101,100,39,41,59))></body>

htaccess Username: demo
htaccess Password: demo


When you open the above URL, you will see the error message "Internet Explorer has modified this page to help prevent cross-site scripting" prompted at the bottom of the browser. See a screenshot of the error here: http://devbrandinsider.asiaone.com/wp-content/uploads/2015/01/Betheme-XSS.png

Please check and let us know the fix soon, as this is a major security flaw.

Thank you.

Comments

  • edited January 2016
    Thanks for the heads up and it's great that you want to help point this out, but I'm still not convinced this is a theme vulnerability. What specific element is the target of the injection? Is there a web form that is storing this vulnerability in the database, and what database table does it affect? How would I, the "visiting" victim, be susceptible to this attack? Do you have an example?

    In cross-site scripting (XSS) there are always three players: the website, the attacker and the victim. The attacker must find a poorly written script within the website that allows injection into the database from a cleverly written URL string or input field, which must also present additional scripting in the DOM of a visitor's browser to hijack data, cookies, etc. Much like a comment system (which, btw, is built into the core, not the theme). You've proven you can trick the browser into thinking there is cross-site scripting but don't really point out where the vulnerability is, if any. The URL itself containing "onload" is likely to be flagged by the browser regardless of the domain, so it isn't proof of a vulnerability... yet.

    Please PM me at [email protected] if you have more info but just didn't feel like making it public in these forums for security reasons.

    p.s. I am not part of betheme or muffingroup, I simply have a lot of customers using this theme and have a vested interest in keeping it secure.  Thanks.
  • @sphanghk Like @pingram wrote, this has nothing to do with the theme, and for sure it's not an XSS vulnerability like you wrote. It's just how your browser renders it. So basically, there is nothing to be fixed. You can be sure that your site is safe and for sure won't be hacked because of the theme.
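The question pingram raises is whether the query string is actually echoed into the page unencoded, or whether IE's XSS filter is reacting to the request URL alone. The triage check below is an added example, not code from this thread or from the theme: `render_vulnerable` and `render_fixed` are hypothetical stand-ins for a template that echoes the request query into an attribute, and the probe string is constructed.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed probe: harmless text that would not normally appear in page content.
PROBE = 'xsscheck"><i>'


def classify_reflection(body: str, probe: str) -> str:
    """Report how the probe shows up in a response body.

    'raw'     - probe appears verbatim (unencoded): a real reflection point.
    'escaped' - probe appears only as HTML entities: output encoding is in place.
    'absent'  - probe is not in the body at all: a browser-side filter firing on
                the request alone is a false positive, not a page vulnerability.
    """
    if not probe:
        return "absent"
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "escaped"
    return "absent"


def triage(url: str, body: str) -> str:
    """Decode the query string of the URL that was requested and classify
    how the server reflected it in the body it returned."""
    query = unquote(urlsplit(url).query)
    return classify_reflection(body, query)


def render_vulnerable(query: str) -> str:
    # Hypothetical template that echoes the query into an attribute with no encoding.
    return f'<link rel="canonical" href="/page?{query}"><body>ok</body>'


def render_fixed(query: str) -> str:
    # Same template with attribute-context output encoding applied.
    safe = html.escape(query, quote=True)
    return f'<link rel="canonical" href="/page?{safe}"><body>ok</body>'


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, classify_reflection(page("q=" + PROBE), PROBE))
```

Run the real request with the probe instead of a script payload and feed the returned HTML to `triage`; only a 'raw' result points at a reflection point in the theme or plugin that needs output encoding.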