A nice article explaining the vulnerability in Worpdress themes (in fact anything using php :-) was published some days ago. Now, there’s even a vulnerability scanner available (done in Perl).

I ran it on several of the blogs I manage, and all of them were vulnerable to XSS (wp-scanner also tests other vulnerabilities) :-(
I followed the advices on blogsecurity’s website and modified all of the search functions I could find. Now wp-scanner doesn’t report any vulnerability (it doesn’t mean it is cracker-proof, but it’s a good start).

So if anybody else uses the Redoable theme like me, you should patch the

file. Near the top of the file, find the

string, and enclose the

string with the

method:

Search for <?php echo htmlspecialchars($s); }

Do the same for the

file:

searchform” action=”<?php echo htmlspecialchars($_SERVER['PHP_SELF']);

An even better protection would be to use the mod_security module for Apache/Apache2, which can detect and block these kind of attacks. But this requires that you control your server.
To prevent web visitors from sending tags, you can add the following rule in your virtual host:

SecFilter “<(.|\n)+>”

Now, when someone requests < anything >, the visitor gets a 403 error, and in your audit log, you now have:

==36d82a37==============================
Request: www.gradstein.info 82.67.175.56 - - [11/Jun/2007:11:10:56 +0200] “GET /?s=%3Cwpscan%3E HTTP/1.1″ 403 202 “-” “Mozilla/5.0″ - “-”
—————————————-
GET /?s=%3Cwpscan%3E HTTP/1.1
mod_security-message: Access denied with code 403. Pattern match “<(.|\\n)+>” at REQUEST_URI [severity "EMERGENCY"]
mod_security-action: 403
HTTP/1.1 403 Forbidden
Content-Length: 202

Please note, that mod_security does not correct your application. Here if you only use mod_security, Wordpress theme will still be vulnerable on the underlaying level. It is OK to use mod_security, but it is much much more advisable to correct the origin of the problem and not cover it.