Cross-site scripting, or XSS, is a common vulnerability in web software. It can happen wherever an unauthorized party can add arbitrary content to a page. Some sites allow user-created content and have to scrutinize input to keep JavaScript out. Others, such as ones using the plugin discussed here, unintentionally let unauthorized parties add content. Sites that allow XSS because they fail to verify authorization keep turning up.
Preventing the problem is better than having to fix it, of course. There are several steps to take to prevent the theft of database credentials.
The first is to protect the configuration file. Make sure it's in a directory that can't be reached by Web access, and that any copies of it (backups, editor temporary files, old versions) are equally safe. Keep plugins updated so that known vulnerabilities are patched.
Another important step is to restrict access to the database by IP address. Only systems that need database access should have it. Typically, this means just the servers that run the CMS. There should be no direct access to the database from any other client locations, even with the right credentials.
Third, a Web Application Firewall will catch requests that attempt to exploit path traversal vulnerabilities or download arbitrary files. This will protect against vulnerabilities that haven't been patched yet. The Quttera WAF provides broad website protection against both known and unknown attacks. It keeps malicious requests of all kinds from reaching the Web server. You get this protection when you sign up for ThreatSign. With ThreatSign, your systems are protected against hostile access and data theft. That means more uptime and a website that visitors trust.
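As an added example (not code from the original post or from Quttera), here is a small Python audit covering the first and third steps: it checks that a configuration file sits outside the document root, and it scans web-server access log lines for the path-traversal and config-file download requests a WAF should block. The log lines, client addresses, document root and file paths are all constructed for the demonstration.

```python
import re
from pathlib import PurePosixPath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed access-log sample (not from the original page); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /plugin/download.php?file=../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /plugin/download.php?file=..%252f..%252fconfig.php HTTP/1.1" 200 2048
203.0.113.11 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 1900
203.0.113.12 - - [01/Jan/2024:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 8000
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# CMS configuration files plus the backup/editor copies that often sit beside them.
SENSITIVE_RE = re.compile(r'(?:wp-config|config(?:uration)?|settings)\.php(?:\.(?:bak|old|orig|save|swp)|~)?$|\.env$', re.I)


def decode_fully(uri: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that ..%252f is seen as ../ ."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify_request(uri: str) -> Optional[str]:
    """Return the reason a request should be blocked, or None if it looks benign."""
    decoded = decode_fully(uri).replace("\\", "/")
    if "../" in decoded:                      # traversal anywhere: path or query string
        return "path-traversal"
    path = decoded.split("?", 1)[0]
    if SENSITIVE_RE.search(path):             # direct fetch of a config file or a copy of it
        return "config-file-request"
    return None


def flag_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client IP, reason) for every log line whose request should have been blocked."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        reason = classify_request(match.group(1)) if match else None
        if reason:
            hits.append((line.split()[0], reason))
    return hits


def config_outside_webroot(doc_root: str, config_path: str) -> bool:
    """True when the config file cannot be served because it is not under the document root."""
    return PurePosixPath(doc_root) not in PurePosixPath(config_path).parents
```

Run against the sample, `flag_log` reports the two traversal attempts (including the double-encoded one) and the request for the `.bak` copy of the config file, while the ordinary page and image requests pass.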