Urgent help needed for XSS and injection
Posted: Sun Jun 07, 2009 4:58 pm
by morris520
Hi all
I urgently need help to solve the following problem about XSS and injection. If you are a pro, please write me something below; that would be most appreciated.
Problem:
Possible cross site scripting on
https://www.???.co.uk/register.php
Use the following commands to verify this: wp --inject
"
https://www.???.co.uk/register.php?sign ... cript%POST curl -L -k -d
"signin=sign+incheckout=0%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E"
"
https://www.???.co.uk/register.php"| grep "123" This website may have other injection related vulnerabilities.
Now, the problematic code of register.php is (due to privacy issues I can't post all the code here):
Code:
<div class="mainsearch">
<form name="formsignin" action="register.php" method="post">
<input type="hidden" name="checkout" value="<?=($_REQUEST['checkout']==1?'1':'0');?>" />
<!-- Test XSS by adding this hidden value -->
<input type="hidden" name="XSSTestValue" value="999" />
<h2>Sign In </h2>
<div class="searchitem">
<label>email</label>
<input type="text" name="cusr" maxlength="255" />
</div>
<div class="searchitem">
<label>password</label>
<input type="password" name="cpwd" maxlength="255" />
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px;">
<input type="submit" name="signin" value="sign in" class="btn05w" />
</div>
</div>
<span class="mainsearchtext"><label>UK delivery only</label></span>
<span class="mainsearchtext">Not yet registered? Please enter your details below </span>
<span class="mainsearchtext">NB: If you opened an account with us before 20/01/09, please can you register with us again. We sincerely apologise for the inconvenience, however this is due to the increased security protection of our new system. We hope that you enjoy using our new site and find the changes beneficial!
</span>
</form>
</div>
Can anyone find the problem for me based on this info? I thank you very much.
Thanks
M
Re: Urgent help needed for XSS and injection
Posted: Sun Jun 07, 2009 5:07 pm
by kaisellgren
The code you provided only uses PHP on line 4, where it either outputs 0 or 1. No problems there. I think you should post more code.
Re: Urgent help needed for XSS and injection
Posted: Mon Jun 08, 2009 4:06 am
by morris520
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>???</title>
<?php include("includes/meta.php"); ?>
</head>
<body>
<div id="wrapper">
<div id="page">
<?php include("includes/header.php"); ?>
<?php include("includes/navigation.php"); ?>
<div id="content">
<div class="pageimg"><img src="media/header/<?=$homepage['other_header_image'];?>" alt="<?=$homepage['other_header_alt_text'];?>" /></div>
<div class="pageimg01" style="background-image:url(media/header/<?=$homepage['other_header_image_sub'];?>)"><h2><strong>register</strong> / sign in </h2></div>
<?php include("includes/quick_shop.php"); ?>
<?php
//If it's a failed login attempt
if($Incorrect == true) {
?>
<div class="fullwidth mainsearch">
<p style="padding:0px 10px;">
<strong class="green">Login Error</strong><br />
Sorry, the login details you supplied were incorrect. Please check and try again.
</p>
</div>
<?php
// End failed login
} elseif(trim($errors)!="" && $_POST['forgotpwd']=='1') {
//If it's a failed password reset
?>
<div class="fullwidth mainsearch">
<p style="padding:0px 10px;">
<strong class="green">Please check the following:</strong><br />
<ul>
<?=$errors;?>
</ul>
</p>
</div>
<?php }
//If it's a successful password reset
elseif(trim($errors)=="" && $_POST['forgotpwd']=='1') {
?>
<div class="fullwidth mainsearch">
<p style="padding:0px 10px;">
<strong class="green">Your password has been reset</strong><br />
Please check your email to retrieve your new password.
</p>
</div>
<?php } ?>
<?php if($_POST['registerme']!=1) { ?>
<div class="mainsearch">
<form name="formsignin" action="register.php" method="post">
<input type="hidden" name="checkout" value="<?=($_REQUEST['checkout']==1?'1':'0');?>" />
<!-- Test XSS by adding this hidden value -->
<!-- <input type="hidden" name="XSSTestValue" value="999" />-->
<h2>Sign In </h2>
<div class="searchitem">
<label>email</label>
<input type="text" name="cusr" maxlength="255" />
</div>
<div class="searchitem">
<label>password</label>
<input type="password" name="cpwd" maxlength="255" />
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px;">
<input type="submit" name="signin" value="sign in" class="btn05w" />
</div>
</div>
<span class="mainsearchtext"><label>UK delivery only</label></span>
<span class="mainsearchtext">Not yet registered? Please enter your details below </span>
<span class="mainsearchtext">NB: If you opened an account with us before 20/01/09, please can you register with us again. We sincerely apologise for the inconvenience, however this is due to the increased security protection of our new system. We hope that you enjoy using our new site and find the changes beneficial!
</span>
</form>
</div>
<div class="mainsearch">
<form name="formforgotpwd" action="register.php" method="post">
<input type="hidden" name="checkout" id="checkout" value="0" />
<input type="hidden" name="forgotpwd" id="forgotpwd" value="1" />
<h2>Forgotten Password </h2>
<div class="searchitem">
<label>email</label>
<input type="text" name="reminderemail" maxlength="255" />
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px;">
<input type="submit" name="newpwd" value="enter" class="btn05w" />
</div>
</div>
<span class="mainsearchtext">Forgotten your password? Please enter your email address to create a new one.</span>
</form>
</div>
<?php } ?>
<div class="mainsearch">
<form name="formregister" action="register.php" method="post">
<input type="hidden" name="registerme" value="1" />
<input type="hidden" name="checkout" value="<?=$_REQUEST['checkout'];?>" />
<h2>Register </h2>
<span class="mainsearchtext"><h3>Register here to place orders or sign up to our mailing list</h3>
Please note, the boxes marked with a * must be filled in</span>
<?php if(trim($errors)!="" && $_POST['registerme']=='1') { ?>
<span class="mainsearchtext">
<h3>Please check the following:</h3>
<ul>
<?=$errors;?>
</ul>
</span>
<?php } ?>
<div class="searchitemfull">
<label>title*</label>
<input type="text" name="title" value="<?=$_POST['title'];?>" maxlength="20" />
<!-- <select name="title">
<option value=""> - </option>
<?php
//$items = array('Mr & Mrs', 'Mr' , 'Mrs', 'Ms', 'Miss', 'Dr');
//foreach($items as $item){
?>
<option value="<?=$item?>" <?=($_POST['title']==$item?' SELECTED':'')?>><?=$item?></option>
<?php //} ?>
</select> -->
</div>
</p>
<div class="searchitemfull">
<label>forename*</label>
<input type="text" name="forename" value="<?=$_POST['forename'];?>" maxlength="255" />
<div class="linebreak"></div>
</div>
<div class="searchitemfull">
<label>surname*</label>
<input type="text" name="surname" value="<?=$_POST['surname'];?>" maxlength="255" />
<div class="linebreak"></div>
</div>
<div class="searchitemfull">
<label>tel no.*</label>
<input type="text" name="telephone_1" value="<?=$_POST['telephone_1'];?>" maxlength="30" />
</div>
<div class="searchitemfull">
<label>mobile no.</label>
<input type="text" name="telephone_2" value="<?=$_POST['telephone_2'];?>" maxlength="30" />
</div>
<div class="searchitemfull">
<label>email*</label>
<input type="text" name="email" value="<?=$_POST['email'];?>" maxlength="255" />
</div>
<div class="searchitemfull">
<label>password*</label>
<input type="password" name="passwurd" value="<?=$_POST['passwurd'];?>" maxlength="255" />
</div>
<div class="searchitemfull">
<label>re-type password*</label>
<input type="password" name="confirm_password" id="confirm_password" value="" maxlength="255" />
</div>
<div class="searchitem"></div>
<div class="searchitem">
<label>Subscribe to mailing list? </label>
I would like to receive updates<br />
<?php
//Opt selector
$OptIn = NULL;
$OptOut = NULL;
if($_POST['opt_in'] || !$_POST) {
// If it's set, or there is no POST yet
$OptIn = " checked=\"checked\"";
$OptOut = NULL;
}
else {
// Not set but with a POST, meaning they deselected it
$OptIn = NULL;
$OptOut = " checked=\"checked\"";
}
?>
<input name="opt_in" type="radio" value="1" <?=$OptIn;?> class="radio"/>Yes
<input name="opt_in" type="radio" value="0" <?=$OptOut;?> class="radio"/>No
</div>
<div class="searchitem"></div>
<div class="searchitem"></div>
<div class="searchitem">
<label>where did you hear about us? </label>
<?php
include("includes/functions/public_get_referrer.php");
$selected = 0;
if($_POST['referrer_id'] > 0) { $selected = $_POST['referrer_id']; }
?>
<select name="referrer_id">
<option value="0"<?=($selected==0)?' selected="selected"':'';?>>Select...</option>
<?php
while ($referrer = mysql_fetch_assoc($referrer_list)) { //START:repeat
if($referrer['show_in_list'] == 1 && $referrer['indate'] == 1) {
?>
<option value="<?=$referrer['id'];?>"<?=($referrer['id'] == $selected)?' selected="selected"':'';?>><?=stripslashes($referrer['name']);?></option>
<?php
} //END:if
} //END:repeat
?>
</select>
</div>
<div class="searchitem"></div>
<div class="searchitem">
</div>
<div class="searchitem">
<!-- Extra DIV added for alignment-->
<div style="padding-top:19px; float: left;">
<input type="submit" name="register" value="register" class="btn05w" style="float: left;"/>
</div>
</div>
</form>
</div>
<?php include("includes/guarantee.php"); ?>
<?php include("includes/footer.php"); ?>
</div>
</div>
</div>
</body>
</html>
Re: Urgent help needed for XSS and injection
Posted: Mon Jun 08, 2009 6:04 am
by kaisellgren
Hmm.
Line 115 is vulnerable to XSS attacks.
Same applies to line 134 and lines 148-170.
Line 220 ($referrer['name']) is vulnerable to XSS attacks, too.
Re: Urgent help needed for XSS and injection
Posted: Mon Jun 08, 2009 6:42 am
by morris520
I am guessing you are using some kind of software to scan the code, right?
One thing I don't quite get. Where should I put my filtering code to prevent attacks?
Should I say:
Code:
<input type="hidden" name="checkout" value="<?=FILTER_XSS($_REQUEST['checkout']);?>" />
Thanks for your kind advice.
Re: Urgent help needed for XSS and injection
Posted: Mon Jun 08, 2009 7:02 am
by kaisellgren
morris520 wrote: I am guessing you are using some kind of software to scan the code, right?
Yes, it's called my head.
morris520 wrote: One thing I don't quite get. Where should I put my filtering code to prevent attacks?
You filter input before passing it into output. So, instead of directly outputting user-submitted data, filter it first, then output the filtered data.
morris520 wrote: Should I say:
Code:
<input type="hidden" name="checkout" value="<?=FILTER_XSS($_REQUEST['checkout']);?>" />
Yes, that is the idea.
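As an added illustration of the advice above (this is not code from the thread or from the site in question), here is what "filter before output" looks like for the register.php lines discussed: escape with htmlspecialchars at the point of output, or allow-list where the field can only take fixed values. The helper names e(), checkoutFlag() and the *Safe()/*Vulnerable() functions are this example's own; the field names and the alert(123) payload are the ones already on the page.

```php
<?php
// Added example: output escaping for the register.php attribute values.
// Field names come from the posted page; helper names are hypothetical.

// Escape a value for use inside an HTML attribute or text node.
// ENT_QUOTES also escapes the double quote that would close value="...",
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a field that can only be 0 or 1, allow-list instead of echoing:
// this is what the thread's safe line 4 already does for "checkout".
function checkoutFlag(array $request): string
{
    return (isset($request['checkout']) && $request['checkout'] == 1) ? '1' : '0';
}

// The vulnerable pattern from the thread: raw request data inside value="...".
function hiddenCheckoutVulnerable(array $request): string
{
    return '<input type="hidden" name="checkout" value="'
        . ($request['checkout'] ?? '') . '" />';
}

// Hardened: same markup, but the value is allow-listed and escaped first.
function hiddenCheckoutSafe(array $request): string
{
    return '<input type="hidden" name="checkout" value="'
        . e(checkoutFlag($request)) . '" />';
}

// Free-text fields such as "title" cannot be allow-listed, so escape them.
function titleFieldSafe(array $post): string
{
    return '<input type="text" name="title" value="'
        . e($post['title'] ?? '') . '" maxlength="20" />';
}

// Constructed request carrying the payload the scanner report used.
$payload = '"><script>alert(123)</script>';
$request = ['checkout' => $payload, 'title' => $payload];

echo hiddenCheckoutVulnerable($request), PHP_EOL; // attribute breaks, script tag is live
echo hiddenCheckoutSafe($request), PHP_EOL;       // payload never reaches the page
echo titleFieldSafe($request), PHP_EOL;           // payload rendered as inert text
```

The same rule applies to `$referrer['name']` from the database: escape it at output with e() rather than relying on stripslashes(). The `<?=$errors;?>` lines are deliberately raw HTML, so each message placed into `$errors` must itself be built from escaped pieces.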