
Security Notice: 0-Day XSS Vulnerability – Sites at Lightning Base Are Safe

Monday, April 27th, 2015 / Posted in: Security / By: Chris Piepho

Update (2:00 PM 4/27/15): Patched versions of WordPress have been released to address this vulnerability, and automatic updates are rolling out at this moment.

klikki.fi posted an announcement yesterday regarding a 0-day vulnerability in WordPress.

This vulnerability should already be mitigated on our systems, but we’re posting this so everyone knows that, and so anyone who sees it can make sure sites hosted elsewhere are protected.

The Problem

This is a serious issue with comments: very long comments are automatically truncated when they are stored in the database, and that truncation can allow scripts to be inserted into your site, potentially compromising visitors, or even the site itself if that code runs while you are logged in.

Simply receiving a comment will not compromise your site; the problem arises when that comment is viewed.

Our Fix

We are automatically blocking very long comments at our web application firewall, before they even reach your site, and tests with sample attacks exploiting this vulnerability confirm that this is working.

Other Options

If you’re hosted at Lightning Base this shouldn’t be a concern. But if you have sites hosted elsewhere, there are a few options:

– Completely turning off comments on your blog will stop this exploit. This plugin can help you do that until this is patched in core: https://wordpress.org/plugins/disable-comments/

– I have heard rumors that Akismet is automatically sending these to the spam bin. This is not something we have contacted Akismet about; if you plan to rely on it, I would consider getting in touch with them.

– This code should be able to block large comments: https://gist.github.com/kovshenin/2393e3da32ac3ba379fa – thanks to the code’s author and the Advanced WordPress Group on Facebook for making this available.
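For readers who want to see what a "block large comments" mitigation looks like at the application layer, here is an added example in the form of a WordPress must-use plugin. It is not the linked gist, not WordPress core's own patch, and not Lightning Base's firewall rule; the plugin name, function name, constant and the 65525-byte threshold are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Block Oversized Comments (added example)
Description: Reject comments too long to fit in the comment_content column before they reach the database.
*/

// wp_comments.comment_content is a MySQL TEXT column, which holds at most 65535 bytes.
// Anything longer is silently truncated on insert, and that truncation is what the
// vulnerability described above relies on. Rejecting comments just below the column
// limit means no comment can ever be truncated. (Threshold is an assumption for this example.)
define( 'LB_EXAMPLE_MAX_COMMENT_BYTES', 65525 );

function lb_example_reject_oversized_comment( $commentdata ) {
    // strlen() counts bytes, not characters. The column limit is a byte limit, so a
    // UTF-8 comment with multibyte characters exceeds it with far fewer characters
    // than an ASCII one; mb_strlen() would under-count and let such comments through.
    $bytes = strlen( (string) $commentdata['comment_content'] );

    if ( $bytes > LB_EXAMPLE_MAX_COMMENT_BYTES ) {
        // Stop processing and return an error page; nothing is written to the database.
        wp_die(
            esc_html__( 'Your comment is too long.' ),
            esc_html__( 'Comment too long' ),
            array( 'response' => 413, 'back_link' => true )
        );
    }

    return $commentdata;
}

// preprocess_comment is applied inside wp_new_comment() before any insert happens,
// so it covers both the normal comment form and XML-RPC submissions. Priority 1 runs
// the check before other plugins get a chance to modify the comment.
add_filter( 'preprocess_comment', 'lb_example_reject_oversized_comment', 1 );
```

Drop the file into wp-content/mu-plugins/ so it loads without activation; this is an application-layer safety net, not a substitute for updating core to the patched release.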



Author: Chris Piepho

Chris is the founder of Lightning Base. You'll find him all around here - writing on this blog, providing customer service, and handling whatever else needs to be done. You can reach him easily by filling out our contact form and addressing your message to Chris.
