WordPress Search Cross-Site Scripting (XSS) Vulnerability Fix (Thanks to 360 for Helping Me Find It)


Background

Recently I came across 360's website security scanner and eagerly entered my own site to start a scan.

To my dismay, 360 told me my site had a vulnerability. The well-known open-source WordPress has a vulnerability? I was puzzled, but on closer inspection it turned out the vulnerability was not WordPress's doing but a mistake of our own.

The details of the vulnerability were as follows:

[Screenshot: 360 scan result for the XSS finding]

In case the image is hard to read, here is the text:

Vulnerability published: 2011-07-02

Vulnerability name: Cross-site scripting vulnerability

Vulnerability type: Cross-site scripting (XSS)

Server type: Generic

Risk:

  1. Risk of "website user data leakage"
  2. Security reduced by 40%
  3. 32% of websites nationwide have this vulnerability; 520 webmasters have discussed it

Scan time: 2014-02-04 01:31:27

Evidence: <script>alert(42873)</script>

Vulnerable URL: https://www.nikbobo.net/

Solutions:

Option 1: One of the main ways to avoid XSS is to filter user-supplied content on input and output; many languages provide HTML escaping:

The following functions can be used to filter the parameters where the XSS appears:

PHP: htmlentities() or htmlspecialchars()

Python: cgi.escape()

ASP: Server.HTMLEncode()

ASP.NET: Server.HtmlEncode() or the more capable Microsoft Anti-Cross Site Scripting Library

Java: xssprotect (open-source library)

Node.js: node-validator

Option 2: Use an open-source vulnerability-fixing plugin. (Requires the webmaster to understand programming and be able to modify server-side code.)

Analysis

The real problem is that when building our theme we forgot one thing: escaping the search parameter.

Check your own theme for a statement like echo $_GET['s']; (usually in header.php or searchform.php). This is very dangerous: if someone injects into this parameter, the damage is far from trivial.

Fix

The simplest fix is to add escaping, i.e. change it to echo esc_attr($_GET['s']); If you still don't feel safe, change it to echo esc_attr(esc_html($_GET['s'])); which is the most conservative filtering.

If you really can't find such a statement, in theory you can also add this to functions.php (I haven't tested it; you can try it yourself):

<?php
// Escape the search parameter once, before the theme reads it
if (isset($_GET['s'])) {
    // $_GET['s'] = esc_attr($_GET['s']);
    $_GET['s'] = esc_attr(esc_html($_GET['s']));
}
?>

So, did WordPress think of this? Browse the WordPress Codex and you'll find that the far-sighted WordPress anticipated it long ago: it never meant for us to display the search term with something as crude as echo $_GET['s'];. There is a dedicated function for displaying the search term. WordPress provides two functions for getting the search term: the_search_query() and get_search_query().

the_search_query() prints the search term directly and has already escaped it for us; get_search_query() returns the search term and lets you choose whether to escape it (get_search_query(true) or get_search_query(false)). So the best fix is to switch to the_search_query() or get_search_query() to fetch and display the search term.
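As an added example (not code from the original post or from WordPress itself), here is a minimal theme searchform.php plus a search.php heading that use the functions described above instead of echoing $_GET['s']; the 'mytheme' text domain is an assumed placeholder.

```php
<?php
// Added example, not part of the original post. Assumes this file is loaded
// as a WordPress theme template so the WP escaping helpers are available.
//
// Vulnerable pattern (do NOT use): putting  echo $_GET['s']  inside the
// value attribute of the search box. A search term containing a double
// quote followed by markup closes the attribute and lands in the page as
// HTML, which is exactly the XSS the 360 scanner reported.
//
// Fixed pattern: let WordPress escape the value. get_search_query() returns
// the current search string with esc_attr() already applied, because its
// $escaped parameter defaults to true.
?>
<form role="search" method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
    <label>
        <span class="screen-reader-text"><?php esc_html_e( 'Search for:', 'mytheme' ); ?></span>
        <input type="search" name="s"
               value="<?php echo get_search_query(); ?>"
               placeholder="<?php esc_attr_e( 'Search', 'mytheme' ); ?>" />
    </label>
    <button type="submit"><?php esc_html_e( 'Search', 'mytheme' ); ?></button>
</form>

<?php
// In search.php the term is printed as page text rather than inside an
// attribute. the_search_query() echoes it escaped with esc_attr(); for
// strict HTML-body context, fetch the raw term with get_search_query( false )
// and apply esc_html() yourself, as shown here.
?>
<h1>
    <?php esc_html_e( 'Search results for:', 'mytheme' ); ?>
    <span><?php echo esc_html( get_search_query( false ) ); ?></span>
</h1>
```

Either helper stops the scanner's alert() payload from rendering, because the angle brackets and quotes reach the browser as entities rather than as markup.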

Those who have applied the fix: 360 should give you a score of 100 now, right?

This post was published by nikbobo in the WordPress category. Bookmark the permalink.

