[theme-reviewers] Why Rigorous Review of Theme Functional Files is Important

Thu Jan 30 13:05:51 UTC 2014

Also, if you're working on a ticket and discovered one or more
vulnerability, it's best to e-mail the author directly and not post
the details publicly (including a public mailing list like this one),
*especially* if the theme has been previously approved and is live. If
you've stumbled upon an insecure theme that is live, please e-mail
security at wordpress.org.

On Thu, Jan 30, 2014 at 5:00 PM, Chip Bennett <chip at chipbennett.net> wrote:
> Good morning, all,
>
> Just as a reminder why it is imperative that our reviews are thorough and
> complete, including a review of the Theme code and not merely a
> Theme-Check/front-end review, I woke up this morning to several emails
> reporting various Theme security vulnerabilities. Here's a sampling:
>
> To reproduce:
>
> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
> 2. Activate the theme, navigate to Theme Options, add an image logo
> 3. In General Options - Logo Text, enter (as is, with quotes): "
> onclick="javascript:alert(1);"
> 4. Visit the homepage, click on the logo, boom.
>
> 5. In Slider Options, add a slider image and use the following for the
> slider text: Foo bar <script>alert('baz');</script>
> 6. Visit the home page, boom.
>
>
> To reproduce:
>
> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
> 2. Activate the theme, go to Appearance - Theme Settings
> 3. In More Text enter: <script>alert('xss');</script>
> 4. Visit the home page.
>
> (you will have to have at least one post with a <!--more--> tag
>
> To reproduce:
>
> 1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
> 2. Activate the Theme, navigate to Appearance - Theme
> Options - Social Netowrks Configuration
> 3. In Twitter URL enter: http://twitter.com/kovshenin' onclick='alert(1);'
> 4. Visit the home page and click the Twitter icon on the top right,
> ouch. Other URL fields affected too.
>
> 5. In Layout Settings - Footer enter: <script>alert(123)</script>
> 6. Visit the front page, ouch
>
> 7. In Advertise Settings, Header Banner Alternative: ' onclick='alert(1)'
> 8. Visit the front page and click the header banner, ouch
>
> 9. In Advertise Settings, Header Banner Link: http://foo.com'
> onclick='alert("bar")
> 10. Visit the front page and click the banner
>
> To reproduce:
>
> 11. In Theme Options - Integration
> 12. For header code: <script>alert('wow');</script>
> 13. Body code: <script>alert('seriously?')</script>
> 14. Visit the front page
>
> To reproduce:
>
> 15. in Theme Options - Colors, go to your browser JS console and
> enter: jQuery('#cwp_templates_topbar_colorid_color').val('blue;"
> onclick="javascript:alert(123);')
> 16. Hit save changes, visit the front page
> 17. The top bar is blue, try and click it. Probably all the color
> fields in this theme are vulnerable to this.
>
>
> That these issues are appearing is approved/live Themes is exactly the
> reason that it takes so long to get through the approved-Theme queue. We
> have to audit for these things, and the audits are turning into complete
> re-reviews in several cases.
>
> If you are uncomfortable with performing this level of review - first: don't
> worry. We've all been there. But the important thing is to ask for help. We
> have a team of 100 people, most/all of whom would be more than happy to lend
> a hand. We've all learned from each other. Post a comment in-ticket, or post
> to the mail-list, and ask for guidance. Especially when it comes to Theme
> options, Theme code can get quite complex and often difficult to follow.
> Understanding how the Settings API works sometimes seems like it requires a
> master's degree. And developers all have different coding styles. It's
> completely understandable if someone needs a second pair of eyes when
> reviewing a given Theme. So please: ask for help if you need it when
> reviewing.
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>

-- 
Konstantin