Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins

Tips and Tricks HQ Forum » WP eStore Forum

Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins

(10 posts) (3 voices)

Started 1 year ago by bellah
Latest reply from amin007
Possible Solutions (Related Topics):
1. eStore cart across multiple pages?
2. Clicking back button from PayPal site adds additional item to cart

Tags:

bellah
Member

Cross-site Scripting (XSS) Attack related to /members/wp-content/plugins/wp-cartfor-digital-products/lib/jquery.cookie.js

Hi,

The site is http://transcriptionriches.com/members/
We are using Wishlist Member

Twice yesterday we were unable to access the site.
Our hosting support freed it up both times and sent us the message below.
Currently the plugin is disabled, however we do want iy to work as we are integrating it with your affiliate plugin and with WLMember.

What next? Let us know whether you need further info from us or our hosting. Also if you need to ftp access.

Thanks,

George (for Patsy Bellah)

_______________________________
Hi,

Please provide your developer with the following logs and they should be able to make modifications to their code to satisfy our mod security rules.

ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "transcriptionriches.com"] [uri "/members/wp-content/plugins/wp-cart-for-digital-products/lib/jquery.cookie.js"] [unique_id "TMgx@wyEwTYAAHNefTAAAAAK"]

_____________________________

Posted 1 year ago #
bellah
Member

From an answer you gave to a similair query a month ago...
Will your solution work for us?

It seems the problem is caused by an apche module (mod_security), which possibly makes a conflict with a Javascript library (jquery.cookie.js), included by eStore. Some hosting companies seem to have slightly inappropriate configuration for the apache mod_security.

Anyway, lets disable the JavaScript library in question and see how it goes.

Can you please open the "wp_eStore1.php" file and search for the following:

wp_enqueue_script('jquery.cookie',WP_ESTORE_LIB_URL.'/jquery.cookie.js');

once you find it please delete that line and it won't include the jquery cookie library. Let me know how it goes.

POSTED 1 MONTH AGO

Posted 1 year ago #
amin007
Key Master

Yes this solution will work. Give it a try and let me know if you have any difficulty.

Posted 1 year ago #
bellah
Member

Thanks Amin...

It does seem to have done the trick.

Posted 1 year ago #
bellah
Member

Hi Amin,

We have had many difficulties since we thought it was fixed.

Here is what we received from the server support just now after a series of emails with them.

Hello,

This is caused because of the plugin wp-cart-for-digital-products, which is a potential vulnerable script and it can cause Cross-site Scripting (XSS) Attack. The below listed is the server logs for the same.

[Tue Nov 23 14:01:18 2010] [error] [client 98.154.125.221] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d ..." at REQUEST_FILENAME. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "117"] [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] [data ".cookie"] [severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "transcriptionriches.com"] [uri "/members/wp-content/plugins/wp-cart-for-digital-products/lib/jquery.cookie.js"] [unique_id "TOwdjgyEwTYAAEvfG8EAAAAI"]

It looks likes the same problem as above three weeks ago.
And we have had many back and forth mails with the serving whenever the site has gotten blocked.

What is to be done?

_______________________________________________________________________________

Just double checked your instructions above, and it seems that wp_eStore1.php had the line

wp_enqueue_script('jquery.cookie',WP_ESTORE_LIB_URL.'/jquery.cookie.js');

even though I had eliminated it.

I have eliminated it once again

Probably upgraded the plugin after doing that and the line returned with upgrade?

Is that possible?

Is ther anytthing else we can do?

Thanks

Posted 1 year ago #
wzp
Moderator

Whenever you upgrade the plugin, you must "redo" any edits you make. Whenever I modify the plugin, I track the changes I make and then make sure the changes get reinserted into the upgraded files.

If you are good with the Unix "sed" command, you can write a shell script to automate the re-editing.

Posted 1 year ago #
bellah
Member

Thanks wzp

Posted 1 year ago #
amin007
Key Master

I have also put a workaround in the plugin for this so you shouldn't need to edit anything in the future.

Posted 1 year ago #
bellah
Member

Thanks Amin.
Would that apply to version 4.7.4 ?

Posted 1 year ago #
amin007
Key Master

Yeah.

Posted 1 year ago #

RSS feed for this topic

Reply

You must log in to post.