It was brought to my attention a couple days ago that Unwakeable 1.2 contains a cross-site scripting (XSS) vulnerability in the search piece. To test to see if you’re vulnerable, search for this on your Unwakeable site:

If you see a javascript popup after searching, you’re vulnerable to attack and should follow the steps below to fix the vulnerability in Unwakeable 1.2. I’ve already taken steps to fix this vulnerability in Unwakeable 2.0, which will be released shortly.

To fix your installation of Unwakeable 1.2 you need to edit three files: serchform.php, theloop.php, and header.php.

1. searchform.php

First, open searchform.php and change this piece on line 8:

to this:

2. theloop.php

Next, open theloop.php and change this piece on line 42:

printf(__('Search Results for \'%s\'','k2_domain'), $s);

to this:

printf(__('Search Results for \'%s\'','k2_domain'), htmlspecialchars($s));

3. header.php

Finally, open header.php and change this code on line 6:

Search for 
to this:
Search for 
That's it, once you've made those three changes you should no longer be vulnerable to this cross-site scripting attack.  To make sure, just perform the search I mentioned above.  It should no longer produce a javascript pop-up.
You can find out more about this vulnerability at blogsecurity.net.  They have a tool called WordPress Scanner that will scan your WordPress installations for security problems.
Let me know if this fix doesn't work for any of you.
 
    0  
 
😃+
Share with your colleagues!
Click to share on Hacker News (Opens in new window)
Click to share on Twitter (Opens in new window)
Click to share on Reddit (Opens in new window)
Click to share on Google+ (Opens in new window)
Click to share on LinkedIn (Opens in new window)
Click to share on Facebook (Opens in new window)
Like this:
Like Loading...


	
Related
				

			Posted in Internet, Noteworthy, Personal, PHP, Security, Unwakeable, WordPressTagged Internet, Noteworthy, Personal, PHP, Security, Unwakeable, WordPress, wordpress-theme