Tips and Tricks HQ Support

Support site for Tips and Tricks HQ premium products

Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins

by

Tips and Tricks HQ Support Portal Forums WP eStore Forum Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins

Tagged: , ,

Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • October 28, 2010 at 11:24 am #2124
    bellah
    Member

    Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins/wp-cartfor-digital-products/lib/jquery.cookie.js

    Hi,

    The site is http://transcriptionriches.com/members/

    We are using Wishlist Member

    Twice yesterday we were unable to access the site.

    Our hosting support freed it up both times and sent us the message below.

    Currently the plugin is disabled, however we do want iy to work as we are integrating it with your affiliate plugin and with WLMember.

    What next? Let us know whether you need further info from us or our hosting. Also if you need to ftp access.

    Thanks,

    George (for Patsy Bellah)

    _______________________________

    Hi,

    Please provide your developer with the following logs and they should be able to make modifications to their code to satisfy our mod security rules.

    ModSecurity: Access denied with code 406 (phase 2). Pattern match “(?:b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d …” at REQUEST_FILENAME. [file “/usr/local/apache/conf/modsec2.user.conf”] [line “117”] [id “950004”] [msg “Cross-site Scripting (XSS) Attack”] [data “.cookie”] [severity “CRITICAL”] [tag “WEB_ATTACK/XSS”] [hostname “transcriptionriches.com”] [uri “/members/wp-content/plugins/wp-cart-for-digital-products/lib/jquery.cookie.js”] [unique_id “TMgx@wyEwTYAAHNefTAAAAAK”]

    _____________________________

    October 28, 2010 at 8:48 pm #25903
    bellah
    Member

    From an answer you gave to a similair query a month ago…

    Will your solution work for us?

    It seems the problem is caused by an apche module (mod_security), which possibly makes a conflict with a Javascript library (jquery.cookie.js), included by eStore. Some hosting companies seem to have slightly inappropriate configuration for the apache mod_security.

    Anyway, lets disable the JavaScript library in question and see how it goes.

    Can you please open the “wp_eStore1.php” file and search for the following:

    wp_enqueue_script(‘jquery.cookie’,WP_ESTORE_LIB_URL.’/jquery.cookie.js’);

    once you find it please delete that line and it won’t include the jquery cookie library. Let me know how it goes.

    POSTED 1 MONTH AGO

    October 29, 2010 at 3:44 am #25904
    amin007
    Participant

    Yes this solution will work. Give it a try and let me know if you have any difficulty.

    October 29, 2010 at 1:26 pm #25905
    bellah
    Member

    Thanks Amin…

    It does seem to have done the trick.

    November 23, 2010 at 10:50 pm #25906
    bellah
    Member

    Hi Amin,

    We have had many difficulties since we thought it was fixed.

    Here is what we received from the server support just now after a series of emails with them.

    Hello,

    This is caused because of the plugin wp-cart-for-digital-products, which is a potential vulnerable script and it can cause Cross-site Scripting (XSS) Attack. The below listed is the server logs for the same.

    [Tue Nov 23 14:01:18 2010] [error] [client 98.154.125.221] ModSecurity: Access denied with code 406 (phase 2). Pattern match “(?:b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d …” at REQUEST_FILENAME. [file “/usr/local/apache/conf/modsec2.user.conf”] [line “117”] [id “950004”] [msg “Cross-site Scripting (XSS) Attack”] [data “.cookie”] [severity “CRITICAL”] [tag “WEB_ATTACK/XSS”] [hostname “transcriptionriches.com”] [uri “/members/wp-content/plugins/wp-cart-for-digital-products/lib/jquery.cookie.js”] [unique_id “TOwdjgyEwTYAAEvfG8EAAAAI”]

    It looks likes the same problem as above three weeks ago.

    And we have had many back and forth mails with the serving whenever the site has gotten blocked.

    What is to be done?

    _______________________________________________________________________________

    Just double checked your instructions above, and it seems that wp_eStore1.php had the line

    wp_enqueue_script(‘jquery.cookie’,WP_ESTORE_LIB_URL.’/jquery.cookie.js’);

    even though I had eliminated it.

    I have eliminated it once again

    Probably upgraded the plugin after doing that and the line returned with upgrade?

    Is that possible?

    Is ther anytthing else we can do?

    Thanks

    November 23, 2010 at 11:38 pm #25907
    wzp
    Moderator

    Whenever you upgrade the plugin, you must “redo” any edits you make. Whenever I modify the plugin, I track the changes I make and then make sure the changes get reinserted into the upgraded files.

    If you are good with the Unix “sed” command, you can write a shell script to automate the re-editing.

    November 29, 2010 at 11:41 pm #25908
    bellah
    Member

    Thanks wzp

    November 30, 2010 at 12:21 am #25909
    amin007
    Participant

    I have also put a workaround in the plugin for this so you shouldn’t need to edit anything in the future.

    December 6, 2010 at 3:16 pm #25910
    bellah
    Member

    Thanks Amin.

    Would that apply to version 4.7.4 ?

    December 7, 2010 at 12:47 am #25911
    amin007
    Participant

    Yeah.

  • Author
    Posts
Viewing 10 posts - 1 through 10 (of 10 total)
  • You must be logged in to reply to this topic.