Tips and Tricks HQ Support Portal › Forums › WP eStore Forum › Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins
- This topic has 9 replies, 3 voices, and was last updated 13 years, 10 months ago by amin007.
-
AuthorPosts
-
October 28, 2010 at 11:24 am #2124bellahMember
Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins/wp-cartfor-digital-products/lib/jquery.cookie.js
Hi,
The site is http://transcriptionriches.com/members/
We are using Wishlist Member
Twice yesterday we were unable to access the site.
Our hosting support freed it up both times and sent us the message below.
Currently the plugin is disabled, however we do want iy to work as we are integrating it with your affiliate plugin and with WLMember.
What next? Let us know whether you need further info from us or our hosting. Also if you need to ftp access.
Thanks,
George (for Patsy Bellah)
_______________________________
Hi,
Please provide your developer with the following logs and they should be able to make modifications to their code to satisfy our mod security rules.
ModSecurity: Access denied with code 406 (phase 2). Pattern match “(?b(??:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(??:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d …” at REQUEST_FILENAME. [file “/usr/local/apache/conf/modsec2.user.conf”] [line “117”] [id “950004”] [msg “Cross-site Scripting (XSS) Attack”] [data “.cookie”] [severity “CRITICAL”] [tag “WEB_ATTACK/XSS”] [hostname “transcriptionriches.com”] [uri “/members/wp-content/plugins/wp-cart-for-digital-products/lib/jquery.cookie.js”] [unique_id “TMgx@wyEwTYAAHNefTAAAAAK”]
_____________________________
October 28, 2010 at 8:48 pm #25903bellahMemberFrom an answer you gave to a similair query a month ago…
Will your solution work for us?
It seems the problem is caused by an apche module (mod_security), which possibly makes a conflict with a Javascript library (jquery.cookie.js), included by eStore. Some hosting companies seem to have slightly inappropriate configuration for the apache mod_security.
Anyway, lets disable the JavaScript library in question and see how it goes.
Can you please open the “wp_eStore1.php” file and search for the following:
wp_enqueue_script(‘jquery.cookie’,WP_ESTORE_LIB_URL.’/jquery.cookie.js’);
once you find it please delete that line and it won’t include the jquery cookie library. Let me know how it goes.
POSTED 1 MONTH AGO
October 29, 2010 at 3:44 am #25904amin007ParticipantYes this solution will work. Give it a try and let me know if you have any difficulty.
October 29, 2010 at 1:26 pm #25905bellahMemberThanks Amin…
It does seem to have done the trick.
November 23, 2010 at 10:50 pm #25906bellahMemberHi Amin,
We have had many difficulties since we thought it was fixed.
Here is what we received from the server support just now after a series of emails with them.
Hello,
This is caused because of the plugin wp-cart-for-digital-products, which is a potential vulnerable script and it can cause Cross-site Scripting (XSS) Attack. The below listed is the server logs for the same.
[Tue Nov 23 14:01:18 2010] [error] [client 98.154.125.221] ModSecurity: Access denied with code 406 (phase 2). Pattern match “(?b(??:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(??:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d …” at REQUEST_FILENAME. [file “/usr/local/apache/conf/modsec2.user.conf”] [line “117”] [id “950004”] [msg “Cross-site Scripting (XSS) Attack”] [data “.cookie”] [severity “CRITICAL”] [tag “WEB_ATTACK/XSS”] [hostname “transcriptionriches.com”] [uri “/members/wp-content/plugins/wp-cart-for-digital-products/lib/jquery.cookie.js”] [unique_id “TOwdjgyEwTYAAEvfG8EAAAAI”]
It looks likes the same problem as above three weeks ago.
And we have had many back and forth mails with the serving whenever the site has gotten blocked.
What is to be done?
_______________________________________________________________________________
Just double checked your instructions above, and it seems that wp_eStore1.php had the line
wp_enqueue_script(‘jquery.cookie’,WP_ESTORE_LIB_URL.’/jquery.cookie.js’);
even though I had eliminated it.
I have eliminated it once again
Probably upgraded the plugin after doing that and the line returned with upgrade?
Is that possible?
Is ther anytthing else we can do?
Thanks
November 23, 2010 at 11:38 pm #25907wzpModeratorWhenever you upgrade the plugin, you must “redo” any edits you make. Whenever I modify the plugin, I track the changes I make and then make sure the changes get reinserted into the upgraded files.
If you are good with the Unix “sed” command, you can write a shell script to automate the re-editing.
November 29, 2010 at 11:41 pm #25908bellahMemberThanks wzp
November 30, 2010 at 12:21 am #25909amin007ParticipantI have also put a workaround in the plugin for this so you shouldn’t need to edit anything in the future.
December 6, 2010 at 3:16 pm #25910bellahMemberThanks Amin.
Would that apply to version 4.7.4 ?
December 7, 2010 at 12:47 am #25911amin007ParticipantYeah.
-
AuthorPosts
- You must be logged in to reply to this topic.