Link to a page where the issue can be seen: onfido.com/?utm_source=%22%3E%3Cimg%20src=x%20onerror=alert(String.fromCharCode(88,83,83));%3E%3Ca%20href=%22
I expected to see: no xss alert
Instead, I got: the alert which indicates reflected xss vulnerability exists (on language switcher - when parameters are allowed to pass - which we need for UTMs)
note: the vulnerability is that JS script and HTML tags can be coded in various parameters attached to language switcher so that they execute on the page, some sanitization of the parameters should be present to not allow <script> tags and html elements.
Hi Laura and team,
thank you for your quick response. Unfortunately after update to 4.6.8 (and clearing caches) this issue is still persisting for me here hidden link
Could you assist with this? Seems to me there were some updates, but in my case it doesn't seem to address the bug.
An update: I do see that the UTMs are stripping script info on the links, but it is providing some strange behavior on the language switcher. Maybe this is intentional or just a behavior from adding cruft to the params, but it seems strange; perhaps one of your team can take a look. Language switcher is on top menu as seen in pic. Thanks again for your help
1) Can you please explain what you mean by: "it is providing some strange behavior on the language switcher."
2) Does the issue happen with WP default theme and only using WPML plugins? You can use some example code for utm, to test. I am trying to confirm the issue is caused by some other plugin or custom code.
3) If the issue still happens, can you try to show us a simple example on the next test site? This way I can quickly check and escalate further.
- hidden link
Please share steps on how to check it on the test site, so we make sure we have understood the issue correctly.
Hello and thank you for your help
1) Strange behavior: it is adding empty images to the language switcher (where flags would be if I set it up that way) and still opening xss dialog which means <script> is still usable in the parameters
2) The issue happens with all themes even with other plugins turned off
3) On this test site you sent me there are no languages set up or language switchers. I can't set up a whole site from scratch to test this... I need something with a language switcher. We have a very small team with a huge workload. Could you set up a test site with a language switcher in the menu, or at least tell me what I'm supposed to do with an empty theme?
if you look at the page hidden link. the issue still persists, I even tried on a stripped down version of site, which did not have any different results.
the issue persists, and we are having to provide bonuses for vulnerability scavengers at this point..
Update: I stripped down to a new instance of WordPress, but our theme has code in it for a language switcher. The code is very straightforward, based on the language switcher in WPML.
but I can't test our site with a dummy child theme, there is too much operating the pages.
Could you provide a test site with a language switcher I can test, and/or would you like to look at our language switcher function? Thank you again for your help
For now I'm going to turn the feature off for passing UTMs; there is some improvement, but I'm still able to execute scripts via parameters (such as above). I'll pass UTMs via a script that appends to domain instead and that will have a sanitization script associated with it. I think the latest update did make some adjustments to the params sanitization, as results are different from last two versions, but still can execute scripts. Thank you all for your help.
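One way to build the sanitized UTM pass-through described in the post above, shown next to the unescaped reflection it replaces. This is an added example, not code from the poster's theme or from WPML; the function names, the `example.com` base URL and the value policy (short URL-safe tokens only) are assumptions.

```javascript
// Added example: allowlist-based UTM pass-through for language-switcher links.
// All names here are hypothetical; this is not WPML or theme code.
const UTM_KEYS = ["utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content"];
// Assumed policy: campaign values are short tokens made of URL-safe characters.
const SAFE_VALUE = /^[A-Za-z0-9._~-]{1,100}$/;

// Constructed sample: the query string from the link in the original report.
const REPORTED_QUERY =
  "?utm_source=%22%3E%3Cimg%20src=x%20onerror=alert(String.fromCharCode(88,83,83));%3E%3Ca%20href=%22";

// Keep only allowlisted keys whose decoded value matches the policy.
function safeUtmParams(queryString) {
  const incoming = new URLSearchParams(queryString); // percent-decodes values
  const kept = new URLSearchParams();
  for (const key of UTM_KEYS) {
    const value = incoming.get(key);
    if (value !== null && SAFE_VALUE.test(value)) kept.set(key, value);
  }
  return kept;
}

// Escape for an HTML attribute or text context (second layer, after validation).
function escapeAttr(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: validate, re-encode through the URL API, escape on output.
function switcherLink(baseUrl, label, queryString) {
  const url = new URL(baseUrl);
  for (const [k, v] of safeUtmParams(queryString)) url.searchParams.set(k, v);
  return `<a href="${escapeAttr(url.toString())}">${escapeAttr(label)}</a>`;
}

// Unsafe pattern, for comparison only: the decoded query is concatenated
// into the attribute, so a double quote in a value ends the href early.
function naiveSwitcherLink(baseUrl, label, queryString) {
  return `<a href="${baseUrl}${decodeURIComponent(queryString)}">${label}</a>`;
}

console.log(naiveSwitcherLink("https://example.com/fr/", "FR", REPORTED_QUERY));
console.log(switcherLink("https://example.com/fr/", "FR", REPORTED_QUERY));
console.log(switcherLink("https://example.com/fr/", "FR", "?utm_source=newsletter&utm_medium=email&page=2"));
```

Validation drops the reported value entirely rather than trying to strip tags from it, and the output escaping still applies if the value policy is later loosened.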
I see you have added a custom language switcher to the sandbox test site. If the issue still happens, please share with me a step-by-step guide on how to check and see the issue.
- hidden link
If you need to add some custom code, you can add it via Theme editor option, but please try to keep it simple and minimal, as we can not support or debug custom code issues, but we will be glad to help with any suggestion or check further if it is WPML bug that happens on test site.
Let me know, please.
Thanks,
Drazen
The topic ‘[Closed] Language switcher: reflected XSS vulnerability when passing parameters’ is closed to new replies.