    WHT-BR Top Member
    Join Date: Dec 2010

    [EN] How To Protect your WordPress Site from the Genericons Example.html XSS vulnerability

    On May 7th, 2015, WordPress 4.2.2 was released, which patches this issue. If you installed or updated to the latest version of WordPress on or after this date, your installation should be secured.

    Explanation of the Vulnerability

    The actual vulnerability is present in a font package called "Genericons" and not the core WordPress installation. Unfortunately, this font package is used by "TwentyFifteen", the theme installed and enabled in WordPress by default. The vulnerability also affected a popular WordPress customization and enhancement plugin called "JetPack", which has over one million active installations, and possibly plugins and themes as well.

    The vulnerability exists in a single file called example.html which is included in the Genericons package. This is a non-essential file which was included to showcase the font. However, it includes a jQuery snippet that introduces a vulnerability potentially allowing DOM-based cross-site scripting exploits. Any themes or plugins that used the more modern versions of the "Genericons" package without removing this file were vulnerable.

    A DOM-based cross-site scripting attack works by altering the DOM environment as interpreted by a user's browser, causing the scripted actions to execute in a way contrary to their original design. In order to exploit the vulnerability, a user must be enticed to click a specially crafted link while logged into a WordPress installation. If an application has this type of vulnerability, the server cannot easily prevent unwanted behavior because the actions occur within the browser itself. Fortunately, removing the vulnerability is trivial in this case.

    Does My Server Have this Vulnerability?

    How to Patch your Installation

    Guidance here:
    Last edited by 5ms; 07-05-2015 at 19:01.
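The check and fix the post's "Does My Server Have this Vulnerability?" and "How to Patch your Installation" sections point at, as an added example that is not code from the original post, WordPress or Genericons: it walks wp-content for any example.html sitting in a genericons directory (the only assumption is that the demo file keeps that name and directory) and, on request, deletes it, which is safe because the post describes the file as non-essential to the font.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress/Genericons.
# Assumptions: $1 is the WordPress root directory; vulnerable copies of the
# Genericons demo file sit at some path ending in .../genericons/example.html
# beneath wp-content (themes and plugins). The file is non-essential, so
# deleting it removes the DOM XSS sink without affecting the font itself.
# Upgrading to WordPress 4.2.2 or later remains the primary fix.

# List every example.html that lives in a directory named "genericons".
# Exits non-zero (and prints nothing) if $1 is not a WordPress root.
find_genericons_examples() {
  wp_root="$1"
  if [ ! -d "$wp_root/wp-content" ]; then
    echo "not a WordPress root: $wp_root" >&2
    return 1
  fi
  find "$wp_root/wp-content" -type f -path '*/genericons/example.html'
}

# Delete each file found and print the path removed, one per line.
remove_genericons_examples() {
  find_genericons_examples "$1" | while IFS= read -r f; do
    rm -f -- "$f" && printf 'removed %s\n' "$f"
  done
}

# Example run against a constructed layout (no real site needed):
#   mkdir -p /tmp/wp/wp-content/themes/twentyfifteen/genericons
#   touch /tmp/wp/wp-content/themes/twentyfifteen/genericons/example.html
#   find_genericons_examples /tmp/wp    # lists the file
#   remove_genericons_examples /tmp/wp  # deletes it
```

Run the listing function first from a cron job or a host-integrity check; a non-empty result after the 4.2.2 upgrade means a theme or plugin still ships the old package and should be updated or have the file removed.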
