If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?

< and > are encoded as +ADw- and +AD4- in UTF-7. Now imagine the following:

  1. Someone sends +ADw-script+AD4-alert(+ACI-Hello+ACI-)+ADw-/script+AD4- as comment text. It will pass all sanitation unescaped.

  2. The database expects and treats all incoming data as UTF-8. Since all UTF-7 streams are valid UTF-8 too, this will never result in a SQL error, and mysql_real_escape or htmlspecialchars will not touch it.

  3. WordPress sends a header text/html;charset=utf-7.

  4. WordPress displays the comment, expecting escaped data. But since this is treated as UTF-7 by the browser the JavaScript will be executed.

So, yes, it is a security problem.

UTF-7 is not supported by all browsers, most will render the text as Windows-1252 (or whatever is the default encoding on their OS) or as UTF-8.
The main problem is: escaping will not work anymore.

Just changing the encoding value back is not a solution. A regular visitor can never change it, so you have to find the open door.

Related Posts:

  1. Verifying that I have fully removed a WordPress hack?
  2. Tips for finding SPAM links injected into the_content
  3. What should I do about hacked server?
  4. How can I find security hole in my wordpress site?
  5. How to prevent bot or someone to modify any file automatically?
  6. wp-config.php modified?
  7. Suspicious Files
  8. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  9. Malware script in database post table only? [closed]
  10. Verifying that I have fully removed a WordPress hack?
  11. How can I safely hide the fact that my website runs on WordPress? [closed]
  12. My WordPress Websites are always under attack
  13. How to find exploited wordpress plugin [closed]
  14. Any known bugs that could cause disappearance of the wp_users table?
  15. On new server, site got hacked, permissions a bit strange? Please help
  16. How to distinguish between a hack and an encoding error?
  17. Replace domain in database
  18. Remove hacked code – out of ideas! [closed]
  19. WordPress Database Re-installed (Hacked)
  20. Verifying that I have fully removed a WordPress hack?
  21. Could a user account with a stolen password compromised entire WP site?
  22. how to find the way they hacked my WP site
  23. How to stop repeated hack on header.php of custom theme? [closed]
  24. Is my WP site being hacked?
  25. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  26. WordPress Hacks/Defacing [closed]
  27. what is a auth_user_file.txt?
  28. How to view PHP on live site
  29. Is moving wp-config outside the web root really beneficial?
  30. Hide the fact a site is using WordPress?
  31. Best way to eliminate xmlrpc.php?
  32. Should I escape wordpress functions like the_title, the_excerpt, the_content
  33. Should I remove install.php and install-helper.php?
  34. When to use esc_html and when to use sanitize_text_field?
  35. Are Nonces Useless?
  36. What is the difference between esc_html filter vs attribute_escape filter?
  37. How do I technically prove that WordPress is secure?
  38. WordPress it’s cleaning a custom query_var to avoid sql injections?
  39. How do WordPress Nonces Work?
  40. How can I easily verify a core or plugin update has not broken anything?
  41. Vanilla WordPress install, what can/should I put in disable_functions?
  42. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  43. Secure my “add_settings_field” translation?
  44. Is there a security risk giving someone temporary access to my blog’s code?
  45. WordPress Logout Only If User Click Logout or If User Delete Browser History
  46. How brute-forcer knows that the password is cracked for target username?
  47. wp_insert_post disable HTML filter
  48. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  49. Completely remove the author url
  50. Restricting access to content
  51. About WordPress site security
  52. Relative security of different releases of WordPress
  53. Security issues with WP sites
  54. Where to store OAuth 2.0 client id and secret?
  55. Using HTACCESS for Secret Access
  56. Definitive wordpress directory ownership and permissions on linux
  57. Changing Table Prefixes – once done, am I good to go going forward?
  58. wordpress website host price and security [closed]
  59. Are there security risks in working directly in the themes folder that builds into a theme folder?
  60. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  61. Hack-Proof OR Security in WordPress — is it real?
  62. Changing the default header name
  63. how much information can we hide when using wordpress cms?
  64. Is it safe to use a global wp nonce per user instead of a nonce per action?
  65. Wordfence detects change in wp-admin/includes/upgrade.php
  66. Basic password protection without using users and roles
  67. System setting changed by system user
  68. Does meta-data need to be sanitized?
  69. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  70. 404/500 error on content images if Referer header is from another domain [closed]
  71. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  72. Switching between security plugins is a risk?
  73. How to obfuscate wp-config.php or code
  74. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  75. How to prevent to direct access of my custom plugin folder/files
  76. Checking for origin of a xmlrpc request
  77. RESTRICT EDIT of PHP files?
  78. wp-content – permissions for files/folders created by apache
  79. Function to replace comment’s accented characters before posting
  80. How can I restrict access to specific parts of a page, not just the page itself?
  81. User generated content and security
  82. Monitor wordpress all external calls
  83. Is it safe to use the basic administration with reduced rights for private member space
  84. Securing WordPress running on Azure platform
  85. Spam Registrations
  86. How can I have more confidence that WP plugins aren’t getting and storing user data?
  87. Character encoding issue – black diamond question marks on imported post excerpts
  88. Standard Method for Securing a WordPress Site
  89. wordpress security (only one part of the site)
  90. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  91. Any way to disable /wp-login.php redirecting to the site folder?
  92. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  93. Secure a WordPress website in 2019: one plugin or a combinations of them?
  94. What are the different types of firewall protections available for a WordPress website?
  95. Run a security scan on WordPress site that has .htaccess password [closed]
  96. Is this a WordPress security bug?
  97. Competitor is somehow accessing MetaData on a hidden WordPress site
  98. How do you search for backdoors from the previous IT person?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH

Leave a Comment

techhipbettruvabetnorabahisbahis forumutaraftarium24edusedusedusedueduedueduseduseduedu