[solved] How safe is CMSMS against XSS?
Posted: Wed Aug 22, 2007 7:54 am
by SimonSchaufi
Hi all!
Since I installed Visitorstats, I can see who is visiting my website. I have a great many visitors who are trying to hack the CMS using cross-site scripting. Most of them are trying to use external URLs as the page alias, like:
http://www.example.org/index.php?page=h ... ml?&cmd=id
or
http://www.example.org/index.php?page=h ... 1/find.jpg
What are they actually trying to do by typing this URL?
If you know how the hackers are trying to hack your site, you can protect your homepage more.
Re: How safe is CMSMS against XSS?
Posted: Wed Aug 22, 2007 10:06 am
by Pierre M.
Hello,
Have a look at the release notes, release announcements or the devblog: the coders are doing their best to harden CMSms and avoid potential XSS exploits. For example, if the code cleans page aliases (and other parameters) before using them, you shouldn't have to worry about odd aliases.
BTW: do you have mod_rewrite enabled? Odd URLs can be stopped at the webserver level before they reach PHP/CMSms.
Pierre M.
Re: How safe is CMSMS against XSS?
Posted: Wed Aug 22, 2007 10:12 am
by SimonSchaufi
Yes, I have enabled it, but I don't know how to use mod_rewrite apart from the example that is already included in CMSMS!
Could you give a link or help me?
Thanx!
Re: How safe is CMSMS against XSS?
Posted: Wed Aug 22, 2007 10:21 am
by Pierre M.
I don't know about VisitorStats.
Have a look at your actual webserver access logs. There should be only nice URLs: w.site.net/some/path/page.html
There is information about URL rewriting in the post-install optional settings.
If you want to filter at the webserver level, please read
http://httpd.apache.org/docs/2.2/
And remind us to provide some hardening rules in the next provided .htaccess sample.
Pierre M.
Re: How safe is CMSMS against XSS?
Posted: Thu Aug 30, 2007 9:53 pm
by SimonSchaufi
I have not yet found a solution, but I am googling and googling...
I am collecting links for everybody who is interested in the same:
English Links:
http://f0rked.com/articles/mod_rewrite
http://www.workingwith.me.uk/articles/s ... od_rewrite
German links (sorry, but maybe some Germans are coming to this thread because I am German, too):
http://forum.oesterchat.com/phpBB2/viewtopic.php?t=1468
http://www.bsi.de/literat/studien/sistu ... 3.pdf - page 112
My newest hack try was :
Thanx for the visitorstats module! I love it!
Re: How safe is CMSMS against XSS?
Posted: Fri Aug 31, 2007 1:38 pm
by Pierre M.
Hello again,
here are some official mod_rewrite pointers :
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
http://httpd.apache.org/docs/2.2/rewrite/
http://httpd.apache.org/docs/2.2/misc/rewriteguide.html
http://httpd.apache.org/docs/2.2/rewrit ... guide.html
http://httpd.apache.org/docs/2.2/rewrit ... anced.html
According to the above links, you can block such requests at the webserver level before they reach PHP/CMSms :
# have a custom forbidden error message
ErrorDocument 403 /403-forbidden.html
RewriteEngine on
#IF the URI contains a ":"
RewriteCond %{REQUEST_URI} \: [OR]
#OR if the URI contains a "["
RewriteCond %{REQUEST_URI} \[ [OR]
#add as many filters as you want...
RewriteCond %{REQUEST_URI} \]
#THEN whatever the request, don't process it, send a 403.
RewriteRule ^.*$ - [F,L]
#put your usual .htaccess stuff after this line
Maybe this is not usable "as is" and you should tune it according to your context.
Pierre M.
Re: How safe is CMSMS against XSS?
Posted: Fri Aug 31, 2007 3:18 pm
by SimonSchaufi
thank you, thank you, thank you!
For others: if you have pretty URLs enabled, you need to remove the red part!
Well, my own works only with "QUERY_STRING":
RewriteEngine on
#IF the URI contains "http:"
RewriteCond %{QUERY_STRING} http\: [OR]
#: alone could make problems in the admin area or if you have installed dokuwiki for example in a subfolder
#OR if the URI contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]
#OR if the URI contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]
#OR if the URI contains a "/"
RewriteCond %{QUERY_STRING} \/
#add as many filters as you want...
#THEN whatever the request, don't process it, send a 403.
RewriteRule ^.*$ - [F,L]
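Added example (not part of the original thread, and not CMSMS or Apache code): a Python check that replays constructed access-log lines against the two rule sets posted above, Pierre M.'s REQUEST_URI conditions and SimonSchaufi's QUERY_STRING conditions, and reports which requests each would answer with 403. The log lines, the probe.invalid host, the page aliases and NARROW_RULES are assumptions made for the illustration; mod_rewrite's REQUEST_URI holds only the path, so conditions on it never see the page= value.

```python
import re

# Rule sets from the thread: (server variable, pattern) pairs chained with [OR].
PIERRE_RULES = [("REQUEST_URI", r":"), ("REQUEST_URI", r"\["), ("REQUEST_URI", r"\]")]
SIMON_RULES = [("QUERY_STRING", r"http:"), ("QUERY_STRING", r"\["),
               ("QUERY_STRING", r"\]"), ("QUERY_STRING", r"/")]
# Hypothetical narrower rule (not from the thread): only a "page" value
# that starts like an absolute URL.
NARROW_RULES = [("QUERY_STRING", r"(^|&)page=[a-z]+://")]

# Constructed access-log lines (combined log format); hosts are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Aug/2007:07:50:01 +0200] "GET /index.php?page=http://probe.invalid/find.jpg?&cmd=id HTTP/1.1" 200 5120',
    '198.51.100.4 - - [22/Aug/2007:07:51:10 +0200] "GET /index.php?page=news HTTP/1.1" 200 7301',
    '198.51.100.4 - - [22/Aug/2007:07:51:15 +0200] "GET /index.php?page=products/widgets HTTP/1.1" 200 6822',
    '198.51.100.9 - - [22/Aug/2007:07:52:40 +0200] "GET /wiki/start:intro HTTP/1.1" 200 4410',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_forbidden(target, rules):
    """True if any [OR]-chained condition matches, i.e. the rule sends a 403."""
    path, _, query = target.partition("?")
    # mod_rewrite keeps the path and the query string in separate variables.
    env = {"REQUEST_URI": path, "QUERY_STRING": query}
    return any(re.search(pattern, env[var]) for var, pattern in rules)

def audit(log_lines, rules):
    """Map each logged request target to the verdict the rule set would give."""
    verdicts = {}
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match:
            verdicts[match.group(1)] = is_forbidden(match.group(1), rules)
    return verdicts

if __name__ == "__main__":
    for name, rules in [("Pierre", PIERRE_RULES), ("Simon", SIMON_RULES),
                        ("narrow", NARROW_RULES)]:
        print(name)
        for target, blocked in audit(SAMPLE_LOG, rules).items():
            print("  403" if blocked else "  ok ", target)
```

On these samples the REQUEST_URI set lets the page=http:// request through and rejects the wiki path, while the QUERY_STRING set rejects the probe but also the nested page alias. Filtering of this kind complements, and does not replace, the CMS cleaning the page alias itself.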
Re: [solved] How safe is CMSMS against XSS?
Posted: Mon Sep 03, 2007 7:22 am
by SimonSchaufi
OK, one more question, because a little problem came up after this rewrite:
if I type a subdomain, for example:
http://sub.example.org/webmail but the folder doesn't exist, it also tries
http://www.example.org/webmail but I don't want that!
Instead I want a 404 ERROR saying that the folder doesn't exist. What must I modify here:
RewriteRule ^.*$ - [F,L]
Re: [solved] How safe is CMSMS against XSS?
Posted: Mon Sep 03, 2007 1:26 pm
by Pierre M.
Hello,
Then there is a serious problem in your hosting: A.d.com and B.d.com are separate things.
A request to A.d.com/xyz should never ever "try also" B.d.com/xyz (even if A and B are at the same hosting provider, even 2 virtualhosts on the same computer).
Just imagine: bank.d.com/checkpassword "also tries" thief.d.com/checkpassword
Computers have no will. If this one "also tries" things, you have configured it to do so. You should fix this ASAP.
Pierre M.
Re: [solved] How safe is CMSMS against XSS?
Posted: Thu Sep 06, 2007 8:26 pm
by SimonSchaufi
OK, I only get a redirect from webmail to the port where the webmail is, but other folders are working properly with an error. Phew.
But I don't know why this redirect is set up.