
XSS and the search module

Posted: Wed Dec 09, 2009 8:39 pm
by drow
an audit was dinging us for an XSS vulnerability related to the search form on the website.  basically, a request for...

    GET /cgi-bin/blah blah blah;

results in our 404 page, which includes...

    blah blah blah;">

i'm pretty sure that no modern browser is going to parse a inside another tag's attribute, but there you have it.
this was resolved by making a change in lib/classes/module_support/modform.inc.php -> function __curPageURL

    // on a 404 the requested URI was never found, so don't reflect it into the page
    if ($_SERVER['REDIRECT_STATUS'] == '404') {
      $str = '/';
    } else {
      $str = $_SERVER['REQUEST_URI'];
      ...
    }
    $pageURL .= $_SERVER["SERVER_NAME"].$str;

we didn't find what the client requested the first time, why would we use that URI again for anything?
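As an added example (not drow's patch and not CMSms code), here is the shape of the problem and of the fix in stand-alone PHP: the raw REQUEST_URI lands inside a double-quoted attribute, so a quote in the path closes the attribute and whatever follows is parsed as markup. The hardened version falls back to '/' on a 404, as in the patch above, and additionally HTML-escapes whatever it does emit, so a non-404 request with the same characters is also safe. The function names, the server array and the "injected" marker are constructed for this example.

```php
<?php
// Added example, not CMS Made Simple's own code. Shows why reflecting
// $_SERVER['REQUEST_URI'] into the search form's action attribute is an XSS
// sink, and two defences: don't use the requested URI at all when rendering
// the 404 page, and HTML-escape the value in every other case.

// Vulnerable shape: the raw URI is concatenated into a double-quoted attribute.
function formActionUnsafe(array $server): string
{
    return '<form action="http://' . $server['SERVER_NAME'] . $server['REQUEST_URI'] . '">';
}

// Hardened: on a 404 fall back to '/', otherwise escape the URI for attribute context.
function formActionSafe(array $server): string
{
    if (($server['REDIRECT_STATUS'] ?? '') === '404') {
        $path = '/';
    } else {
        $path = $server['REQUEST_URI'] ?? '/';
    }
    $url = 'http://' . $server['SERVER_NAME'] . $path;
    // ENT_QUOTES encodes both ' and ", so the attribute cannot be closed early.
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed request: a 404 for a path that contains a quote and angle brackets
// (the same shape as the audit's request, with a harmless marker instead of a script).
$server = [
    'SERVER_NAME'     => 'example.invalid',
    'REQUEST_URI'     => '/cgi-bin/blah"><em>injected</em>',
    'REDIRECT_STATUS' => '404',
];

echo "unsafe, 404:  ", formActionUnsafe($server), "\n";
echo "safe, 404:    ", formActionSafe($server), "\n";

// Same path as an ordinary (non-404) request: the URI is emitted, but escaped.
$server['REDIRECT_STATUS'] = '200';
echo "safe, non-404: ", formActionSafe($server), "\n";
```

Run it with `php` from the command line: the unsafe line shows the `<em>` marker sitting outside the attribute, the 404 line contains only the site root, and the non-404 line shows the quote and brackets as `&quot;`, `&lt;` and `&gt;` entities. The 404 short-circuit on its own fixes the audit finding; the escaping is what keeps the same sink safe for every other page the form is rendered on.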

Re: XSS and the search module

Posted: Wed Apr 14, 2010 4:59 am
by JohnnyB
Is the same vulnerability there when using search_method='post' in the search tag??

Re: XSS and the search module

Posted: Wed Apr 14, 2010 5:14 am
by cyberman
Have you read the entry about a secure CMSms?

http://wiki.cmsmadesimple.org/index.php ... mall_Guide

;)

(Deny inserting script tags via .htaccess)

Re: XSS and the search module

Posted: Wed Apr 14, 2010 5:18 am
by JohnnyB
yes, thanks.
(I actually added "Note: allow_url_fopen = Off may cause some internal functions to stop working. " some time ago to that document)
I have a set of .htaccess rules that I've been meaning to post, so now is a good time:

Not all of these are acceptable with all hosts, esp. shared servers


# -- Filter Bad Requests -- #
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC,OR]
# Query String Exploits
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\[|\]|\)|\*|%0|%A|%B|%C|%D|%E|%F|%0A|%0D|%22|%27|%3C|%3E|%5C|%7B|%7C|%00|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|request|union|select|insert|cast|set|declare|drop|update|md5|benchmark|loopback).* [NC,OR]
# if the query string contains a script tag (literal or URL-encoded brackets)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|'>|'<|/|\\\.\.\\).{0,9999}.* [NC,OR]
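The post shows the RewriteCond lines only; the RewriteRule they feed is not included above. Since every condition carries the OR flag, one matching condition is enough for that rule to fire, and the following added example (not JohnnyB's code, not part of CMSms) treats a request that way. It reuses the patterns as written, because mod_rewrite and PHP's preg functions are both PCRE, and runs them offline against a few constructed requests to show what the filter catches and, just as important for the "not acceptable with all hosts" caveat, which ordinary search terms it also blocks. The ruleset text, the sample requests and the function names are constructed for the example; the parser handles only the directive forms used here (regex conditions with optional NC/OR flags).

```php
<?php
// Added example, not from the post or from CMS Made Simple: evaluates the
// RewriteCond patterns above against constructed requests, without Apache.

// Ruleset under test, copied as data into a nowdoc so no escaping is needed.
$ruleset = <<<'HTACCESS'
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\[|\]|\)|\*|%0|%A|%B|%C|%D|%E|%F|%0A|%0D|%22|%27|%3C|%3E|%5C|%7B|%7C|%00|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|request|union|select|insert|cast|set|declare|drop|update|md5|benchmark|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|'>|'<|/|\\\.\.\\).{0,9999}.* [NC,OR]
HTACCESS;

// Parse "RewriteCond %{VAR} pattern [flags]" lines into PCRE regexes.
// Only the subset used above is handled: regex tests, optional NC and OR flags.
function parseRewriteConds(string $htaccess): array
{
    $conds = [];
    foreach (preg_split('/\R/', $htaccess) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#' || strpos($line, 'RewriteCond') !== 0) {
            continue;
        }
        $parts = preg_split('/\s+/', $line);
        if (count($parts) < 3) {
            continue;
        }
        $flags = $parts[3] ?? '';
        $conds[] = [
            'var'   => trim($parts[1], '%{}'),          // %{QUERY_STRING} -> QUERY_STRING
            // '~' is the delimiter; none of the patterns above contain it. NC -> case-insensitive.
            'regex' => '~' . $parts[2] . '~' . (stripos($flags, 'NC') !== false ? 'i' : ''),
            'line'  => $line,
        ];
    }
    return $conds;
}

// Return the conditions a request matches. With every line OR'd as in the post,
// a single hit is enough for the RewriteRule that follows to fire.
function matchingConds(array $conds, array $request): array
{
    $hits = [];
    foreach ($conds as $cond) {
        $value = $request[$cond['var']] ?? '';
        if (preg_match($cond['regex'], $value) === 1) {
            $hits[] = $cond['line'];
        }
    }
    return $hits;
}

// Constructed requests: two that should be blocked, two ordinary searches, one clean one.
$base = ['REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/index.php'];
$requests = [
    'ordinary search'   => $base + ['QUERY_STRING' => 'searchinput=cmsms+themes'],
    'script in query'   => $base + ['QUERY_STRING' => 'searchinput=%3Cscript%3E'],
    'apostrophe search' => $base + ['QUERY_STRING' => 'searchinput=don%27t'],
    'search for reset'  => $base + ['QUERY_STRING' => 'searchinput=reset+password'],
    'TRACE method'      => ['REQUEST_METHOD' => 'TRACE', 'REQUEST_URI' => '/', 'QUERY_STRING' => ''],
];

$conds = parseRewriteConds($ruleset);
foreach ($requests as $label => $request) {
    $hits = matchingConds($conds, $request);
    printf("%-18s %s\n", $label, $hits ? 'blocked by ' . count($hits) . ' condition(s)' : 'allowed');
    foreach ($hits as $hit) {
        echo "    ", $hit, "\n";
    }
}
```

The TRACE request and the encoded script tag are caught, as intended. The other two searches are caught as well: `don%27t` trips the `%27` alternative in the character list, and `reset password` trips the keyword list because `set` is matched as a substring of `reset`, with no word boundaries. Any search module that lets visitors type free text will see this kind of false positive from the keyword rule, so test the list against your own site's real query log before turning it on, and prefer fixing the output encoding (as drow did) over relying on the filter alone.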