[theme-reviewers] Why Rigorous Review of Theme Functional Files is Important

Chip Bennett chip at chipbennett.net
Thu Jan 30 16:01:22 UTC 2014


It's example code, to show that an arbitrary script can be executed. You
didn't really expect me to put actually dangerous code there, did you? :)


On Thu, Jan 30, 2014 at 10:58 AM, Rohit Tripathi <rohitink at live.com> wrote:

> I am not sure, if asking this is lame. But, why is the entering
> *alert('text')* in the header/footer codes area, being considered as an
> issue?
>
> Regards
>
> ------------------------------
> Date: Thu, 30 Jan 2014 10:40:22 -0500
> From: chip at chipbennett.net
> To: theme-reviewers at lists.wordpress.org
> Subject: Re: [theme-reviewers] Why Rigorous Review of Theme Functional
> Files is Important
>
>
> In many cases, the issue is the lack of inherent sanitization when using
> the Theme Mods API with the Theme Customizer:
>
> http://make.wordpress.org/themes/2014/01/30/using-the-theme-customizer-with-the-theme-mods-api/
>
>
> On Thu, Jan 30, 2014 at 10:21 AM, Justin Tadlock <justin at justintadlock.com
> > wrote:
>
>  if ( !current_user_can( 'unfiltered_html' ) ) {
>     /* Sanitize. */
> }
>
> All theme reviewers should be intimately familiar with this page:
> http://codex.wordpress.org/Data_Validation
>
>
> On 1/30/2014 7:00 AM, Chip Bennett wrote:
>
> Good morning, all,
>
>  Just as a reminder why it is imperative that our reviews are thorough
> and complete, including a review of the Theme code and not merely a
> Theme-Check/front-end review, I woke up this morning to several emails
> reporting various Theme security vulnerabilities. Here's a sampling:
>
>   To reproduce:
>
>   1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
>  2. Activate the theme, navigate to Theme Options, add an image logo
>  3. In General Options - Logo Text, enter (as is, with quotes): "
>  onclick="javascript:alert(1);"
>  4. Visit the homepage, click on the logo, boom.
>
>   5. In Slider Options, add a slider image and use the following for the
>  slider text: Foo bar <script>alert('baz');</script>
>  6. Visit the home page, boom.
>
>
>   To reproduce:
>
>   1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
>  2. Activate the theme, go to Appearance - Theme Settings
>  3. In More Text enter: <script>alert('xss');</script>
>  4. Visit the home page.
>
>   (you will have to have at least one post with a <!--more--> tag
>
>   To reproduce:
>
>   1. Add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php
>  2. Activate the Theme, navigate to Appearance - Theme
>  Options - Social Netowrks Configuration
>  3. In Twitter URL enter: http://twitter.com/kovshenin'
> onclick='alert(1);'
>  4. Visit the home page and click the Twitter icon on the top right,
>  ouch. Other URL fields affected too.
>
>   5. In Layout Settings - Footer enter: <script>alert(123)</script>
>  6. Visit the front page, ouch
>
>   7. In Advertise Settings, Header Banner Alternative: '
> onclick='alert(1)'
>  8. Visit the front page and click the header banner, ouch
>
>   9. In Advertise Settings, Header Banner Link: http://foo.com'
>  onclick='alert("bar")
>  10. Visit the front page and click the banner
>
>   To reproduce:
>
>   11. In Theme Options - Integration
>  12. For header code: <script>alert('wow');</script>
>  13. Body code: <script>alert('seriously?')</script>
>  14. Visit the front page
>
>   To reproduce:
>
>   15. in Theme Options - Colors, go to your browser JS console and
>  enter: jQuery('#cwp_templates_topbar_colorid_color').val('blue;"
>  onclick="javascript:alert(123);')
>  16. Hit save changes, visit the front page
>  17. The top bar is blue, try and click it. Probably all the color
>  fields in this theme are vulnerable to this.
>
>
>  That these issues are appearing is approved/live Themes is exactly the
> reason that it takes so long to get through the approved-Theme queue. We
> have to audit for these things, and the audits are turning into complete
> re-reviews in several cases.
>
>  If you are uncomfortable with performing this level of review - first:
> don't worry. We've all been there. *But the important thing is to ask for
> help.* We have a team of 100 people, most/all of whom would be more than
> happy to lend a hand. We've all learned from each other. Post a comment
> in-ticket, or post to the mail-list, and ask for guidance. Especially when
> it comes to Theme options, Theme code can get quite complex and often
> difficult to follow. Understanding how the Settings API works sometimes
> seems like it requires a master's degree. And developers all have different
> coding styles. It's completely understandable if someone needs a second
> pair of eyes when reviewing a given Theme. So please: ask for help if you
> need it when reviewing.
>
>
> _______________________________________________
> theme-reviewers mailing listtheme-reviewers at lists.wordpress.orghttp://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
>
> _______________________________________________ theme-reviewers mailing
> list theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
> _______________________________________________
> theme-reviewers mailing list
> theme-reviewers at lists.wordpress.org
> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.wordpress.org/pipermail/theme-reviewers/attachments/20140130/7b876be8/attachment.html>


More information about the theme-reviewers mailing list