RavanH / highlight-search-terms

Lightweight jQuery search terms highlighter script for WordPress
https://status301.net/wordpress-plugins/highlight-search-terms/
GNU General Public License v3.0

XSS vulnerability #2

Closed chearry closed 7 years ago

chearry commented 7 years ago

Hi,

we have found an XSS vulnerability in your plugin, version 1.4.4. The XSS can be exploited by calling the following URL: http://<domain>/?s=>'>">p<img src=y onerror=prompt(/xss/)> (replace domain accordingly). The link will create a popup when opened within a browser.

Thanks

RavanH commented 7 years ago

Hi, thanks for reporting. I cannot reproduce though... Do you have a live site running where this can be reproduced?

chearry commented 7 years ago

Hi, we disabled the plugin for security reasons. I can give some screenshots from our test-system where it is still running. xss-1 xss-2 xss-3

RavanH commented 7 years ago

OK, that might help me reproduce this... What is the actual title of the post/page found there?

RavanH commented 7 years ago

And can you send me a screenprint of the source code part where var hlst_query is defined after such a search? It's the script snippet in the footer... Thanks!

chearry commented 7 years ago

Hi. No pages were found via this search term.

Here's the screenprint: xss-4

RavanH commented 7 years ago

Hmmm, in that case it must be that your theme's search template outputs the search string as title... What does the search results page title look like when you do the same search without Highlight Search Terms activated? Or maybe better: can you send me the theme template search.php at ravanhagen at gmail dot com?

RayBernard commented 7 years ago

When I execute http://www.my-domain.com/?s=>'>">p in the address bar, my Wordfence plugin stops the execution. See the attached screenshot. Also see attached WordPress system info.

Is there any information I can provide from my system that would help you with this?

I am using the Highlight-Search-Terms plugin on three websites.

xxs vulnerability trapped by wordfence System Info at test time 2017-05-19-A.txt

RavanH commented 7 years ago

@RayBernard I don't think this is an issue related to this plugin. The problem is that the theme prints out the search term. At least, it does in the case of @chearry, as you can see on his first screen print https://cloud.githubusercontent.com/assets/27208358/25121519/4343a50e-2422-11e7-8f1a-204d024a2b67.png (next to the magnifying glass icon).

Wordfence is blocking suspicious search requests exactly for such cases. If you disable the highlight plugin, it should still block the request. If you then disable Wordfence too, the request should pass but not cause an issue (if your theme does not echo the search parameters, or at least not unfiltered), but if it does cause an alert popup, then you know the theme is the problem.

If you then enable the Highlight Search Terms again, there should still be no javascript alert popup after the search request. Or at least, I've never been able to reproduce this on any of my (test) sites. But if you do get the alert popup, please let me know!
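As an added illustration of the distinction RavanH draws above (not code from the plugin or from anyone in this thread): a model of a theme that echoes the search string unescaped, the same template with HTML escaping applied, and a check for whether the raw query is reflected into the rendered page. The URL, template strings and markup-only sample query are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request in the shape of the report, with a harmless
# markup-only marker standing in for the reported payload.
SAMPLE_URL = "http://example.test/?s=%3E%27%3E%22%3Ep%3Cimg%20src%3Dy%3E"


def search_param(url: str) -> str:
    """Extract the `s` query parameter as a WordPress search request carries it."""
    return parse_qs(urlsplit(url).query).get("s", [""])[0]


def render_unescaped(query: str) -> str:
    """Models a theme search.php that echoes the raw search string into the title."""
    return f"<h1>Search results for: {query}</h1>"


def render_escaped(query: str) -> str:
    """Models the same template after HTML-escaping the string (esc_html-style)."""
    return f"<h1>Search results for: {html.escape(query, quote=True)}</h1>"


def reflects_markup(query: str, page: str) -> bool:
    """Return True if the query's HTML-significant characters reach the page unescaped.

    A query without markup characters cannot be reflected as markup, so it is
    never flagged; otherwise the raw query must appear verbatim in the output.
    """
    if not any(ch in query for ch in "<>\"'"):
        return False
    return query in page


if __name__ == "__main__":
    q = search_param(SAMPLE_URL)
    print("unescaped theme reflects markup:", reflects_markup(q, render_unescaped(q)))
    print("escaped theme reflects markup:  ", reflects_markup(q, render_escaped(q)))
```

The same check can be run against a real search results page fetched from a test site to tell an echoing theme apart from the plugin's own footer script.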

RayBernard commented 7 years ago

RavanH,

As you suggested I disabled the Highlight Search Terms plugin, Wordfence still blocked the request.

I disabled Wordfence, and I did not get an alert popup. Instead, a page from Com.com was displayed in IE, which looked like a fake search page whose purpose was to download malware. When I ran the test from Chrome, I got a series of redirects, which finally left me at a fake "your computer is infected" page.

It does not look like the problem is with the plugin. I can't tell what happened when Wordfence was turned off, but I suspect that caching was involved somehow to get me to those different pages. Multiple test results were the same for IE and Chrome. Sure glad that I have Wordfence on all my sites.

RavanH commented 7 years ago

Hmmm, the code suggested by @chearry is a relatively simple test to see if it is possible to use a request to make a site create a javascript alert popup. If successful, it should cause the normal search page to load and then throw a little popup window with the text "xss" in it and a close/ignore button.

If that happens, it means there is a potential security issue. If there is no popup, then there is no problem. But if something else happens, like the redirects to fake web pages you describe in your case, it surely sounds like either your operating system or your site is (already) infected with malware...