SiteLock XSS vulnerability

Recently updated to the latest Backlight, v4.0.2, and started getting XSS vulnerability errors from SiteLock on my BlueHost hosted site. It most likely means I’ve done something foolish, but not sure where to start troubleshooting. Any suggestions would be helpful. Is this something I even need to worry about?

Thanks.

They are:
URL: https://www.jamesherman.net/backlight/?m=designer&c=page&a=image&p1=14
Description: a,c,m,p1 ** this points to my masthead image

URL: https://www.jamesherman.net/backlight/?m=search
Description: m ** this points to my search page

Hi @jherman, I can’t see how those links with a, c, m and p1 by themselves can be considered proof of an XSS vulnerability. Did the report provide any more information?

These types of URLs are the fallback used by Backlight when .htaccess files aren’t working. The URL:
https://www.jamesherman.net/backlight/?m=designer&c=page&a=image&p1=14
corresponds to:
https://www.jamesherman.net/backlight/designer/page/image/14

It looks like the link to the masthead always uses the non-clean URL. This would only be seen if users were peering into the page source code or web inspector and doesn’t represent a vulnerability.

SiteLock doesn’t provide additional details on their dashboard and I spoke with them and they declined to provide more specifics as to why the alert was triggered, but are happy to fix the problem for an additional fee.

I tend to agree with your thoughts that neither of these reported XSS vulnerabilities seems significant, and I do not see how they should trigger an alert.

Not sure how I am getting the link to my masthead via a non-clean URL. It must be coming from my page template, I do not use custom css or phplugins, but if that were the case would it not produce an error with every page, album set and album that uses this page as a source? Could it be a relic from days past? I have been using TTG since at least CE2 and have updated with each new release.

Thanks Ben.
Jim.

Hi Jim, the link for the masthead is like that because of the way I’ve coded it. I can’t recall whether there was a reason for leaving it like that. One possible reason would be if our code can’t tell whether rewrite is working at the time that the link is created. Links with parameters are a safe fallback in that case. I’ll be looking further into it.

Does this report impact your site?

No impact on site, https://jamesherman.net/. I’ve never managed to implement the SiteLock seal in the footer. Project for another day.

Overnight, I now have four SiteLock vulnerabilities, all with similar findings. Assuming no others with BlueHost hosting and included SiteLock services have noted a problem, it is something I have done. I have disabled phplugins and custom css in my page template. Nothing changed on my site performance, and it possibly removes a source of error introduced on my part.

URL: https://www.jamesherman.net/backlight/?m=designer&c=page&a=image&p1=14
Description: a,c,m,p1

URL: https://www.jamesherman.net/backlight/?m=publisher&c=gallery&a=javascript&p1=scripts&p2=50
Description: a,c,m,p1,p2

URL: https://www.jamesherman.net/backlight/?m=publisher&c=gallery&a=stylesheet&p1=style&p2=50
Description: a,c,m,p1,p2

URL: https://www.jamesherman.net/backlight/?m=search
Description: m

I’ve been out of pocket for several days. New message from SiteLock: “Due to an unaddressed security issue on your website, your SiteLock Trust Seal has been deactivated.”

It still lists the previous 4 file problems. They also list some 80 pages which have no problem.

Not sure if this even matters. Anyone else with SiteLock services independently or through your hosting service? I have used BlueHost for more than 10 years.

Finally bit the bullet and purchased an upgraded version of SiteLock on my BlueHost hosting service. They indicate the problem has been repaired. My site seems to be working fine post repair.

Hope this helps anyone else bothered by this or similar messages. I can make a copy of the SiteLock patched file available if needed.

The following is a quote from their email:

Details About Your Vulnerability Fix

We have filtered the following variables:

‘a’,‘c’,‘m’,‘p1’,‘p2’

During this process, we have added the filter code to the below file:

/public_html/backlight/modules/module-framework/FrameworkConfig.php // from line number 05 to 13

The XSS (Cross Site Scripting) Vulnerability present in your website have been patched without affecting the functionality of the site.

Please note it can take up to 24 hours to show in your SiteLock Dashboard as resolved.
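
An added example, not part of the thread and neither Backlight's code nor the SiteLock patch: an allow-list filter over the routing parameters named in the report (`a`, `c`, `m`, `p1`, `p2`), which is the usual way to ensure such values cannot carry markup into a page. The function names, the token pattern and the general parameter-to-path ordering are assumptions; the thread confirms only the one URL pair Ben gives.

```php
<?php
// Added illustration only: not Backlight's code and not the SiteLock patch.
// The parameter names come from the thread; everything else is assumed.
const ROUTE_PARAMS = ['m', 'c', 'a', 'p1', 'p2'];

// Keep only routing values that are short plain tokens; reject the request otherwise.
function filter_route_params(array $query): array
{
    $clean = [];
    foreach (ROUTE_PARAMS as $name) {
        if (!array_key_exists($name, $query)) {
            continue;
        }
        $value = $query[$name];
        // Arrays (?m[]=x), markup, quotes and whitespace all fail this test.
        if (!is_string($value) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) !== 1) {
            throw new InvalidArgumentException("rejected routing parameter '$name'");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

// Join validated values in m/c/a/p1/p2 order, as in the one pair shown in the thread.
function clean_path(array $params): string
{
    $segments = [];
    foreach (ROUTE_PARAMS as $name) {
        if (!isset($params[$name])) {
            break; // a gap ends the path
        }
        $segments[] = $params[$name];
    }
    return implode('/', $segments);
}

// Constructed query strings: two from the report, one carrying markup in m.
$samples = ['m=designer&c=page&a=image&p1=14', 'm=search', 'm=%3Cb%3Esearch%3C%2Fb%3E'];
foreach ($samples as $qs) {
    parse_str($qs, $query); // decodes percent-encoding, like $_GET
    try {
        $path = clean_path(filter_route_params($query));
        echo htmlspecialchars($path, ENT_QUOTES, 'UTF-8'), "\n"; // encode on output too
    } catch (InvalidArgumentException $e) {
        echo "400 Bad Request: ", $e->getMessage(), "\n";
    }
}
```

Validation on input and encoding on output are separate controls; a scanner finding of this kind is normally cleared by confirming that every place a request parameter reaches HTML goes through the second one.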