Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
morris520
Forum Commoner
Posts: 60 Joined: Thu Sep 18, 2008 8:56 pm
Location: Manchester UK
by morris520 » Sun Jun 07, 2009 4:58 pm
Hi all
I urgently need help to solve the following problem about XSS and injection. If you are a pro, please write me something below; it would be most appreciated.
Problem:
Possible cross site scripting on
https://www.???.co.uk/register.php
Use the following commands to verify this: wp --inject
"
https://www.???.co.uk/register.php?sign ... cript%POST curl -L -k -d
"signin=sign+incheckout=0%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
"
https://www.???.co.uk/register.php "| grep "123" This website may have other injection related vulnerabilities.
Now, the problematic code of register.php is: (for privacy reasons I can't post all of the code here)
Code:
<div class="mainsearch">
<form name="formsignin" action="register.php" method="post">
<input type="hidden" name="checkout" value="<?=($_REQUEST['checkout']==1?'1':'0');?>" />
<!-- Test XSS by adding this hidden value -->
<input type="hidden" name="XSSTestValue" value="999" />
<h2>Sign In </h2>
<div class="searchitem">
<label>email</label>
<input type="text" name="cusr" maxlength="255" />
</div>
<div class="searchitem">
<label>password</label>
<input type="password" name="cpwd" maxlength="255" />
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px;">
<input type="submit" name="signin" value="sign in" class="btn05w" />
</div>
</div>
<span class="mainsearchtext"><label>UK delivery only</label></span>
<span class="mainsearchtext">Not yet registered? Please enter your details below </span>
<span class="mainsearchtext">NB: If you opened an account with us before 20/01/09, please can you register with us again. We sincerely apologise for the inconvenience, however this is due to the increased security protection of our new system. We hope that you enjoy using our new site and find the changes beneficial!
</span>
</form>
</div>
Can anyone find the problem for me based on this info? I thank you very much.
Thanks
M
Last edited by Benjamin on Sun Jun 07, 2009 11:43 pm, edited 1 time in total. Reason: Changed code type from text to html.
kaisellgren
DevNet Resident
Posts: 1675 Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.
by kaisellgren » Sun Jun 07, 2009 5:07 pm
The code you provided only uses PHP on line 4, where it outputs either 0 or 1. No problems there. I think you should post more code.
morris520
Forum Commoner
Posts: 60 Joined: Thu Sep 18, 2008 8:56 pm
Location: Manchester UK
by morris520 » Mon Jun 08, 2009 4:06 am
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>???</title>
<?php include("includes/meta.php"); ?>
</head>
<body>
<div id="wrapper">
<div id="page">
<?php include("includes/header.php"); ?>
<?php include("includes/navigation.php"); ?>
<div id="content">
<div class="pageimg"><img src="media/header/<?=$homepage['other_header_image'];?>" alt="<?=$homepage['other_header_alt_text'];?>" /></div>
<div class="pageimg01" style="background-image:url(media/header/<?=$homepage['other_header_image_sub'];?>)"><h2><strong>register</strong> / sign in </h2></div>
<?php include("includes/quick_shop.php"); ?>
<?php
//If it's a failed login request
if($Incorrect == true) {
?>
<div class="fullwidth mainsearch">
<p style="padding:0px 10px;">
<strong class="green">Login Error</strong><br />
Sorry, the login details you supplied were incorrect. Please check and try again.
</p>
</div>
<?php
// End failed login
} elseif(trim($errors)!="" && $_POST['forgotpwd']=='1') {
//If its a failed password reset
?>
<div class="fullwidth mainsearch">
<p style="padding:0px 10px;">
<strong class="green">Please check the following:</strong><br />
<ul>
<?=$errors;?>
</ul>
</p>
</div>
<?php }
//If the password reset succeeded
elseif(trim($errors)=="" && $_POST['forgotpwd']=='1') {
?>
<div class="fullwidth mainsearch">
<p style="padding:0px 10px;">
<strong class="green">Your password has been reset</strong><br />
Please check your email to retrieve your new password.
</p>
</div>
<?php } ?>
<?php if($_POST['registerme']!=1) { ?>
<div class="mainsearch">
<form name="formsignin" action="register.php" method="post">
<input type="hidden" name="checkout" value="<?=($_REQUEST['checkout']==1?'1':'0');?>" />
<!-- Test XSS by adding this hidden value -->
<!-- <input type="hidden" name="XSSTestValue" value="999" />-->
<h2>Sign In </h2>
<div class="searchitem">
<label>email</label>
<input type="text" name="cusr" maxlength="255" />
</div>
<div class="searchitem">
<label>password</label>
<input type="password" name="cpwd" maxlength="255" />
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px;">
<input type="submit" name="signin" value="sign in" class="btn05w" />
</div>
</div>
<span class="mainsearchtext"><label>UK delivery only</label></span>
<span class="mainsearchtext">Not yet registered? Please enter your details below </span>
<span class="mainsearchtext">NB: If you opened an account with us before 20/01/09, please can you register with us again. We sincerely apologise for the inconvenience, however this is due to the increased security protection of our new system. We hope that you enjoy using our new site and find the changes beneficial!
</span>
</form>
</div>
<div class="mainsearch">
<form name="formforgotpwd" action="register.php" method="post">
<input type="hidden" name="checkout" id="checkout" value="0" />
<input type="hidden" name="forgotpwd" id="forgotpwd" value="1" />
<h2>Forgotten Password </h2>
<div class="searchitem">
<label>email</label>
<input type="text" name="reminderemail" maxlength="255" />
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px;">
<input type="submit" name="newpwd" value="enter" class="btn05w" />
</div>
</div>
<span class="mainsearchtext">Forgotten your password? Please enter your email address to create a new one.</span>
</form>
</div>
<?php } ?>
<div class="mainsearch">
<form name="formregister" action="register.php" method="post">
<input type="hidden" name="registerme" value="1" />
<input type="hidden" name="checkout" value="<?=$_REQUEST['checkout'];?>" />
<h2>Register </h2>
<span class="mainsearchtext"><h3>Register here to place orders or sign up to our mailing list</h3>
Please note, the boxes marked with a * must be filled in</span>
<?php if(trim($errors)!="" && $_POST['registerme']=='1') { ?>
<span class="mainsearchtext">
<h3>Please check the following:</h3>
<ul>
<?=$errors;?>
</ul>
</span>
<?php } ?>
<div class="searchitemfull">
<label>title*</label>
<input type="text" name="title" value="<?=$_POST['title'];?>" maxlength="20" />
<!-- <select name="title">
<option value=""> - </option>
<?php
//$items = array('Mr & Mrs', 'Mr' , 'Mrs', 'Ms', 'Miss', 'Dr');
//foreach($items as $item){
?>
<option value="<?=$item?>" <?=($_POST['title']==$item?' SELECTED':'')?>><?=$item?></option>
<?php //} ?>
</select> -->
</div>
</p>
<div class="searchitemfull">
<label>forename*</label>
<input type="text" name="forename" value="<?=$_POST['forename'];?>" maxlength="255" />
<div class="linebreak"></div>
</div>
<div class="searchitemfull">
<label>surname*</label>
<input type="text" name="surname" value="<?=$_POST['surname'];?>" maxlength="255" />
<div class="linebreak"></div>
</div>
<div class="searchitemfull">
<label>tel no.*</label>
<input type="text" name="telephone_1" value="<?=$_POST['telephone_1'];?>" maxlength="30" />
</div>
<div class="searchitemfull">
<label>mobile no.</label>
<input type="text" name="telephone_2" value="<?=$_POST['telephone_2'];?>" maxlength="30" />
</div>
<div class="searchitemfull">
<label>email*</label>
<input type="text" name="email" value="<?=$_POST['email'];?>" maxlength="255" />
</div>
<div class="searchitemfull">
<label>password*</label>
<input type="password" name="passwurd" value="<?=$_POST['passwurd'];?>" maxlength="255" />
</div>
<div class="searchitemfull">
<label>re-type password*</label>
<input type="password" name="confirm_password" id="confirm_password" value="" maxlength="255" />
</div>
<div class="searchitem"></div>
<div class="searchitem">
<label>Subscribe to mailing list? </label>
I would like to receive updates<br />
<?php
//Opt selector
$OptIn = NULL;
$OptOut = NULL;
if($_POST['opt_in'] || !$_POST) {
// If its set or no post yet
$OptIn = " checked=\"checked\"";
$OptOut = NULL;
}
else {
// Not set but with a post, meaning they deselected it
$OptIn = NULL;
$OptOut = " checked=\"checked\"";
}
?>
<input name="opt_in" type="radio" value="1" <?=$OptIn;?> class="radio"/>Yes
<input name="opt_in" type="radio" value="0" <?=$OptOut;?> class="radio"/>No
</div>
<div class="searchitem"></div>
<div class="searchitem"></div>
<div class="searchitem">
<label>where did you hear about us? </label>
<?php
include("includes/functions/public_get_referrer.php");
$selected = 0;
if($_POST['referrer_id'] > 0) { $selected = $_POST['referrer_id']; }
?>
<select name="referrer_id">
<option value="0"<?=($selected==0)?' selected="selected"':'';?>>Select...</option>
<?php
while ($referrer = mysql_fetch_assoc($referrer_list)) { //START:repeat
if($referrer['show_in_list'] == 1 && $referrer['indate'] == 1) {
?>
<option value="<?=$referrer['id'];?>"<?=($referrer['id'] == $selected)?' selected="selected"':'';?>><?=stripslashes($referrer['name']);?></option>
<?php
} //END:if
} //END:repeat
?>
</select>
</div>
<div class="searchitem"></div>
<div class="searchitem">
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px; float: left;">
<input type="submit" name="register" value="register" class="btn05w" style="float: left;"/>
</div>
</div>
</form>
</div>
<?php include("includes/guarantee.php"); ?>
<?php include("includes/footer.php"); ?>
</div>
</div>
</div>
</body>
</html>
Last edited by Benjamin on Mon Jun 08, 2009 10:44 am, edited 1 time in total. Reason: Changed code type from text to php.
kaisellgren
DevNet Resident
Posts: 1675 Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.
by kaisellgren » Mon Jun 08, 2009 6:04 am
Hmm.
Line 115 is vulnerable to XSS attacks.
Same applies to line 134 and lines 148-170.
Line 220 ($referrer['name']) is vulnerable to XSS attacks, too.
morris520
Forum Commoner
Posts: 60 Joined: Thu Sep 18, 2008 8:56 pm
Location: Manchester UK
by morris520 » Mon Jun 08, 2009 6:42 am
I am guessing you are using some kinda software to scan the code, right?
One thing I don't quite get. Where should I put my filtering code to prevent attacks?
should I say:
Code:
<input type="hidden" name="checkout" value="<?=FILTER_XSS($_REQUEST['checkout']);?>" />
Thanks for your kind advice.
kaisellgren
DevNet Resident
Posts: 1675 Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.
by kaisellgren » Mon Jun 08, 2009 7:02 am
morris520 wrote: I am guessing you are using some kinda software to scan the code, right?
Yes, it's called my head.
morris520 wrote: One thing I don't quite get. Where should I put my filtering code to prevent attacks?
You filter input before passing it into output. So, instead of directly outputting user-submitted data, filter it first, then output the filtered data.
morris520 wrote: should I say:
Code:
<input type="hidden" name="checkout" value="<?=FILTER_XSS($_REQUEST['checkout']);?>" />
Yes, that is the idea.
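A worked version of the escape-on-output rule from the reply above, applied to the fields in the register.php listing earlier in the thread (the `checkout` hidden field, the re-populated text boxes such as `forename`, and the `referrer_id` dropdown). This is added example code, not the poster's code or the site's; the helper names `e()`, `checkout_flag()`, `render_checkout_input_unsafe()`, `render_checkout_input_safe()`, `render_text_input()` and `render_referrer_option()` are my own, and the request values fed in at the bottom are constructed for the demonstration.

```php
<?php
// Added example: escape user-controlled data at the point where it is written into HTML.
// All helper names below are assumptions for illustration, not part of the site's code.

declare(strict_types=1);

/** Escape a string for HTML text or for a double/single-quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES escapes both " and ' so a value can never close the attribute it sits in;
    // ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Whitelist the checkout flag to exactly '0' or '1', as the sign-in form's ternary already does. */
function checkout_flag($raw): string
{
    return ((string) $raw === '1') ? '1' : '0';
}

/** The register form's hidden field, rendered the way the listing does it: raw interpolation. */
function render_checkout_input_unsafe($raw): string
{
    // Equivalent to value="<?=$_REQUEST['checkout'];?>": a value containing "> leaves the attribute.
    return '<input type="hidden" name="checkout" value="' . $raw . '" />';
}

/** The same field, whitelisted and escaped. */
function render_checkout_input_safe($raw): string
{
    // Whitelisting alone is enough here; escaping is still applied so the rule is uniform everywhere.
    return '<input type="hidden" name="checkout" value="' . e(checkout_flag($raw)) . '" />';
}

/** A re-populated text box (forename, surname, email, ...): escape the echoed POST value. */
function render_text_input(string $name, ?string $posted, int $maxlength): string
{
    return sprintf(
        '<input type="text" name="%s" value="%s" maxlength="%d" />',
        e($name),
        e($posted ?? ''),
        $maxlength
    );
}

/** One referrer <option>: rows read back from the database are output too, so they are escaped as well. */
function render_referrer_option(int $id, string $name, int $selected): string
{
    $sel = ($id === $selected) ? ' selected="selected"' : '';
    return sprintf('<option value="%d"%s>%s</option>', $id, $sel, e($name));
}

// Constructed request values: the attribute break-out string quoted in the scanner report,
// and a referrer name containing markup, standing in for a stored database row.
$hostileCheckout = '"><script>alert(123)</script>';
$storedReferrer  = 'Friend <b>told</b> me';

echo render_checkout_input_unsafe($hostileCheckout), PHP_EOL;
echo render_checkout_input_safe($hostileCheckout), PHP_EOL;
echo render_text_input('forename', $hostileCheckout, 255), PHP_EOL;
echo render_referrer_option(7, $storedReferrer, 7), PHP_EOL;
```

Running this prints the unsafe field with the attribute closed early and a live script element after it, while the safe field renders `value="0"`, the forename box carries the same string as entity-encoded inert text, and the referrer option shows the stored markup literally. The same `e()` call belongs wherever the listing echoes `$_POST['title']`, `$_POST['forename']`, `$_POST['email']` and the rest, and it belongs around each item when `$errors` is assembled, since that list is echoed inside `<ul>` unescaped. Note that `stripslashes()` on `$referrer['name']` undoes magic-quotes backslashes and nothing more; it is not an HTML escape.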