An audit was dinging us for an XSS vulnerability related to the search form on the website. Basically, a request for...

    GET /cgi-bin/blah blah blah;

results in our 404 page, which includes...

    blah blah blah;">

I'm pretty sure that no modern browser is going to parse a tag inside another tag's attribute, but there you have it.

This was resolved by making a change in lib/classes/module_support/modform.inc.php -> function __curPageURL:

    // Apache sets REDIRECT_STATUS when it internally redirects to the
    // ErrorDocument; on a 404 the requested URI is untrusted and useless,
    // so do not echo it back into the page
    if ($_SERVER['REDIRECT_STATUS'] == '404') {
        $str = '/';
    } else {
        $str = $_SERVER['REQUEST_URI'];
        ...
    }
    $pageURL .= $_SERVER["SERVER_NAME"].$str;

We didn't find what the client requested the first time; why would we use that URI again for anything?
XSS and the search module
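The pattern described in the post, as an added example in PHP that is not CMSms project code: a cut-down __curPageURL built from REQUEST_URI, the 404 fallback from the fix, and the form-action rendering where the breakout happens. The function names (curPageUrlVulnerable, curPageUrlFixed, formAction), the www.example.com host and the sample payload are assumptions; the output-encoding step is an addition the post does not describe.

```php
<?php
// Added example, not CMSms project code. A cut-down __curPageURL shows why
// echoing REQUEST_URI into the search form's action attribute is an
// attribute-context XSS, what the 404 fallback from the post fixes, and why
// output encoding is still wanted. $server stands in for $_SERVER.

// Vulnerable shape: the raw request line path goes straight into the URL.
function curPageUrlVulnerable(array $server): string
{
    return 'http://' . $server['SERVER_NAME'] . $server['REQUEST_URI'];
}

// The fix from the post: a 404 has nothing worth echoing, so use '/'.
function curPageUrlFixed(array $server): string
{
    if (isset($server['REDIRECT_STATUS']) && $server['REDIRECT_STATUS'] === '404') {
        $str = '/';
    } else {
        $str = $server['REQUEST_URI'];
    }
    return 'http://' . $server['SERVER_NAME'] . $str;
}

// Rendering the form action. $encode=true applies the attribute-context
// output encoding that the post does not show (assumed defence, added here).
function formAction(string $url, bool $encode): string
{
    $attr = $encode ? htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') : $url;
    return '<form method="get" action="' . $attr . '">';
}

// Constructed requests. REQUEST_URI is the raw request line, so a scanner or
// curl can deliver these characters undecoded. The payload closes the action
// attribute and the <form> tag, then injects a script element.
$inject   = 'x";><script>alert(1)</script><a href="';
$notFound = [
    'SERVER_NAME'     => 'www.example.com',   // assumed host
    'REQUEST_URI'     => '/cgi-bin/' . $inject,
    'REDIRECT_STATUS' => '404',               // set by the ErrorDocument redirect
];
// Same payload aimed at a page that exists, so REDIRECT_STATUS is not 404.
$found = [
    'SERVER_NAME' => 'www.example.com',
    'REQUEST_URI' => '/index.php?q=' . $inject,
];

foreach (['404 page' => $notFound, 'existing page' => $found] as $label => $srv) {
    echo "== $label ==\n";
    echo "vulnerable      : ", formAction(curPageUrlVulnerable($srv), false), "\n";
    echo "404 fallback    : ", formAction(curPageUrlFixed($srv), false), "\n";
    echo "fallback+encode : ", formAction(curPageUrlFixed($srv), true), "\n";
}
```

On the 404 page the fallback alone removes the payload; on the existing page only the encoded variant keeps the quote and angle brackets inside the attribute, which is why the fallback and htmlspecialchars() belong together rather than as alternatives.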
Re: XSS and the search module
Is the same vulnerability there when using search_method='post' in the search tag?
"The art of life lies in a constant readjustment to our surroundings." -Okakura Kakuzo
--
LinkedIn profile
--
I only speak/write in English so I may not translate well on International posts.
--
Re: XSS and the search module
Have you read the entry about a secure CMSms?
http://wiki.cmsmadesimple.org/index.php ... mall_Guide

(Deny inserting script tags via .htaccess)
Re: XSS and the search module
yes, thanks.
(I actually added "Note: allow_url_fopen = Off may cause some internal functions to stop working." some time ago to that document.)
I have a set of .htaccess rules that I've been meaning to post, so now is a good time.
Not all of these are acceptable with all hosts, esp. shared servers.
# -- Filter Bad Requests -- #
# Each RewriteCond is matched against the raw (still percent-encoded) query
# string, which is why %3C is listed next to <. [NC] = case-insensitive,
# [OR] = any one of the chained conditions is enough.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC,OR]
# Query String Exploits
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\[|\]|\)|\*|%0|%A|%B|%C|%D|%E|%F|%0A|%0D|%22|%27|%3C|%3E|%5C|%7B|%7C|%00|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|request|union|select|insert|cast|set|declare|drop|update|md5|benchmark|loopback).* [NC,OR]
# if the URI contains a "<script>"
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# The last condition must NOT carry [OR]: with a trailing [OR] mod_rewrite
# falls through to the rule even when every condition failed, i.e. it
# would block every request.
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|'>|'<|/|\\\.\.\\).{0,9999}.* [NC]
# Any match above: answer 403 Forbidden and stop processing
RewriteRule .* - [F,L]
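A dry run of the query-string conditions from the post, as an added example that is not the poster's or the project's code: RewriteCond patterns are PCRE, so PHP's preg_match can show which sample query strings each rule stops before the rules go live on a shared host. The pattern names, the blockedBy() helper and the sample query strings are constructed for this example. It also bears on the earlier search_method='post' question: these conditions inspect %{QUERY_STRING} only, so a search term sent in a POST body never reaches them.

```php
<?php
// Added example, not from the post. Apache tests %{QUERY_STRING} raw (still
// percent-encoded); [NC] corresponds to the /i modifier. Patterns copied from
// the post's RewriteCond lines, names assigned here for reporting.
$patterns = [
    'meta/encoded chars' => '/^.*(;|<|>|\'|"|\[|\]|\)|\*|%0|%A|%B|%C|%D|%E|%F|%0A|%0D|%22|%27|%3C|%3E|%5C|%7B|%7C|%00|127\.0).*/i',
    'keyword list'       => '/^.*(globals|encode|request|union|select|insert|cast|set|declare|drop|update|md5|benchmark|loopback).*/i',
    'script tag'         => '/(\<|%3C).*script.*(\>|%3E)/i',
    'GLOBALS via URL'    => '/GLOBALS(=|\[|\%[0-9A-Z]{0,2})/',
    '_REQUEST via URL'   => '/_REQUEST(=|\[|\%[0-9A-Z]{0,2})/',
    'base64_encode()'    => '/base64_encode.*\(.*\)/',
];

// Name of the first rule a query string trips, or null if it passes.
function blockedBy(array $patterns, string $queryString): ?string
{
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $queryString) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed query strings: attacks the rules should stop, and ordinary
// search terms they also stop (false positives to weigh before deploying).
$samples = [
    'q=cmsms',                                // plain search term: allowed
    'q=<script>alert(1)</script>',            // literal tag: blocked by '<'
    'q=%3Cscript%3Ealert(1)%3C%2Fscript%3E',  // encoded tag: blocked by %3C
    'q=1+UNION+SELECT+1',                     // SQL keywords: keyword list
    "q=don't",                                // apostrophe in a real search: blocked
    'q=caf%C3%A9',                            // UTF-8 search term: %C matches
    'q=settings',                             // contains the keyword "set": blocked
];
foreach ($samples as $qs) {
    $hit = blockedBy($patterns, $qs);
    printf("%-40s %s\n", $qs, $hit === null ? 'allowed' : "blocked by: $hit");
}
// A form using search_method='post' carries the term in the request body;
// none of these conditions read the body, so they neither block nor break it.
```

The first condition catches nearly everything, including apostrophes and any non-ASCII search term, so on a multilingual site it is worth trimming the %A-%F alternatives or excluding the search query parameter before enabling the set.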