Cross-Site Scripting/XSS in Betheme

Hi Author,

Last week we conducted a pentest on one of our sites that uses Betheme version 10.7 and WordPress version 4.4.1. We found that Betheme is vulnerable to XSS, which may potentially allow an attacker to send undesirable content to users, such as modified content and scripts.


Then, to see the XSS error, browse this URL using Internet Explorer 11:

http://devbrandinsider.asiaone.com/tiongaik?"><body/**/onload=eval(String.fromCharCode(97,108,101,114,116,40,39,77,97,108,105,99,105,111,117,115,32,67,111,100,101,32,69,120,101,99,117,116,101,100,39,41,59))></body>

htaccess Username: demo
htaccess Password: demo


When running the above URL, you will see the error message "Internet Explorer has modified this page to help prevent cross-site scripting" prompted at the bottom of the browser. See a screenshot of the error here: http://devbrandinsider.asiaone.com/wp-content/uploads/2015/01/Betheme-XSS.png


Please check and let us know the fixes soon, as this is a major security flaw.

Thank you.

Comments

  • edited January 2016
    Thanks for the heads up, and it's great that you want to help point this out, but I'm still not convinced this is a theme vulnerability. What specific element is the target of the injection? Is there a web form that is storing this vulnerability in the database, and what database table does it affect? How would I, the "visiting" victim, be susceptible to this attack? Do you have an example?

    In cross-site XSS there are always 3 players: the website, the attacker and the victim. The attacker must find a poorly written script within the website that allows injection into the database from a cleverly written URL string or input field, which must also present additional scripting in the DOM of a visitor's browser to hijack data, cookies etc. Much like a comment system (which btw is built into the core, not the theme). You've proven you can trick the browser into thinking there is cross-site scripting but don't really point out where the vulnerability is, if any. The URL itself containing "onload" is likely to be flagged by the browser regardless of the domain, so it isn't proof of a vulnerability...yet.

    Please PM me at [email protected] if you have more info but just don't feel like making it public in these forums for security reasons.

    p.s. I am not part of Betheme or muffingroup; I simply have a lot of customers using this theme and have a vested interest in keeping it secure. Thanks.
  • @sphanghk Like @pingram wrote, this has nothing to do with the theme, and it is certainly not an XSS vulnerability as you wrote. It's just how your browser renders it. So basically, there is nothing to be fixed. You can be sure that your site is safe and certainly won't be hacked because of the theme.
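
As an added example (not code from this thread, from Betheme or from muffingroup): the distinction pingram draws, between a browser XSS filter firing on the request URL alone and a real reflected sink, can be checked by sending a harmless canary through the page template and testing whether it comes back unencoded. The two render functions and the URL below are constructed stand-ins for a theme template that echoes a query parameter into an attribute.

```python
"""Tell a browser heuristic apart from an actual reflected-XSS sink.

Constructed example: render_unescaped() stands in for a template that
interpolates a request parameter raw, render_escaped() for the fixed
version. Neither is Betheme's code.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed canary: contains exactly the characters that would let
# input break out of an attribute or tag if reflected without encoding.
CANARY = 'probe<">\''


def _query_param(url: str, name: str = "q") -> str:
    """Extract one query-string value from a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unescaped(url: str) -> str:
    """Vulnerable pattern: raw query value written into an HTML attribute."""
    return f'<link rel="canonical" href="/page?q={_query_param(url)}">'


def render_escaped(url: str) -> str:
    """Hardened form: html.escape(..., quote=True) before interpolation,
    so < > " and ' become entities and cannot close the attribute."""
    safe = html.escape(_query_param(url), quote=True)
    return f'<link rel="canonical" href="/page?q={safe}">'


def reflects_unescaped(url_template: str, render) -> bool:
    """Return True only when the canary is echoed byte-for-byte.

    An IE-style filter reacts to the request URL regardless of what the
    server does; a reflected XSS exists only if the response carries the
    input unencoded. The template has a "{}" slot for the canary.
    """
    body = render(url_template.format(CANARY))
    return CANARY in body and html.escape(CANARY, quote=True) not in body


if __name__ == "__main__":
    url = "http://example.test/page?q={}"  # constructed, not a real host
    print("raw template reflects unescaped:", reflects_unescaped(url, render_unescaped))
    print("escaped template reflects unescaped:", reflects_unescaped(url, render_escaped))
```

The same check, run against the real page with a canary instead of a script payload, is what would turn the IE warning into evidence (or not) of a sink in the theme.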