
PHP cross site scripting vulnerability


    Got a Sitelock warning about
    "Cross site scripting vulnerability found in args:back,fwd,maxpage,page"

    This is a very simple page that allows you to click on a back or forward button and scroll between a set of pictures.

    Eg forward button code (the page/maxpage values come straight from the POST body and are echoed back unescaped):

    // $page and $maxpage are read from the submitted form and trusted as-is
    if (isset($_POST['fwd']))
    {
        $page = $_POST['page'];
        $maxpage = $_POST['maxpage'];
        $page++;
        if ($page > $maxpage)
        {
            $page = 1;
        }
        else
        {
            $fwd = "visible";
        }
        $back = "visible";
    }

    HTML stuff here

    <?php
    // $page is interpolated into an attribute without escaping
    echo "<img src='month$page.jpg' width='950' alt='$page'>";
    ?>

    more HTML

    <form name="page" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
    <?php
    // $back, $fwd, $page and $maxpage are again interpolated unescaped
    echo <<<END
    <div class="content-back"><input style="visibility:$back" type="submit" name="back" value=""></div>
    <div class="content-fwd"><input style="visibility:$fwd" type="submit" name="fwd" value=""></div>
    <input type='hidden' name='page' value='$page'>
    <input type='hidden' name='maxpage' value='$maxpage'>
    END;
    ?>
    </form>


    Any ideas why that would be vulnerable? Cheers.
    Last edited by xoggoth; 20 November 2014, 10:41.
    bloggoth

    If everything isn't black and white, I say, 'Why the hell not?'
    John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

    #2
    It's because you're using unsanitised variables directly within the script. As it happens, because you're just putting them into vanilla HTML then I don't think it's really a vulnerability (It's no different to what one could do with the Developer Tools in Chrome etc) but it'd get dangerous if you were putting them into any calls or DB queries.

    Try using something like this: http://php.net/manual/en/function.htmlspecialchars.php

    $page = htmlspecialchars($_POST['page']);
    Last edited by vwdan; 20 November 2014, 10:54.



      #3
      Much cheers. Their message is a bit misleading but putting that for $page seems to have sorted it. I was already using HTML entities in the form to self post but not similarly protecting the page bit.
      bloggoth



        #4
        Originally posted by xoggoth:
        Much cheers. Their message is a bit misleading but putting that for $page seems to have sorted it. I was already using HTML entities in the form to self post but not similarly protecting the page bit.
        Ah yes - never even spotted that bit.

        Glad you got it sorted!



          #5
          I'm not 100% sure, but could there not be an issue with $maxpage?

          Some unscrupulous person could inject Javascript into the query string and it could pop out within the page and be executed.
          The JS could then pull in some really malicious code via Ajax...
          Don't believe it, until you see it!



            #6
            I'm starting to wonder if their messages mean anything at all. Although this is the first email I got, I note a list of messages on their webpage. Site is ok, site has a problem, Site is ok, site has a problem, Site is ok, site has a problem.... Maybe it only has a problem on Mondays.
            bloggoth



              #7
              Originally posted by darrylmg:
              I'm not 100% sure, but could there not be an issue with $maxpage?

              Some unscrupulous person could inject Javascript into the query string and it could pop out within the page and be executed.
              The JS could then pull in some really malicious code via Ajax...
              I'd definitely recommend ensuring $maxpage is a meaningful value, as it's coming in from the client then being echoed back out. At least make sure it's a number:

              PHP Code:
              $maxpage = intval($_POST['maxpage'], 10);
              // do sanity checking here, as an XSS attack or such would result in $maxpage being zero
              Might also be worth doing the same with $page, as there's a code path which I think won't necessarily coerce it into being a number.

              Comment
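The two fixes suggested in posts #2 (escape on output) and #7 (validate as an integer, and sanity-check the result because intval() silently returns 0 for junk) combined into one runnable script. This is an added example, not code from the thread; it takes a $post array in place of $_POST so it can be run from the command line, and it assumes the number of pictures ($maxpage) is known on the server rather than round-tripped through a hidden field, so the client can no longer choose it. The back-button wrap-around and the helper names (validPage, navState, h, renderUnsafe, renderSafe) are my own.

```php
<?php
// Added example, not from the original post: hardened handling of the
// page / maxpage / back / fwd parameters. $post stands in for $_POST.

declare(strict_types=1);

/**
 * Validate a client-supplied page number. Returns null for anything that is
 * not a plain integer within [1, $max]; "1'><script>", "", "0" and arrays
 * are all rejected, whereas intval() would quietly turn them into 0 or 1.
 */
function validPage($value, int $max): ?int
{
    if (!is_string($value) && !is_int($value)) {
        return null;                       // e.g. page[]=x sent as an array
    }
    $n = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $n === false ? null : $n;
}

/**
 * Work out which picture to show. $maxpage comes from the server (here a
 * constant passed in; in the real page it could be count(glob('month*.jpg'))),
 * never from the client. Invalid input falls back to page 1.
 */
function navState(array $post, int $maxpage): array
{
    $page = validPage($post['page'] ?? null, $maxpage) ?? 1;

    if (isset($post['fwd'])) {
        $page = $page >= $maxpage ? 1 : $page + 1;     // same wrap as the original
    } elseif (isset($post['back'])) {
        $page = $page <= 1 ? $maxpage : $page - 1;     // assumed symmetric wrap
    }
    return ['page' => $page, 'maxpage' => $maxpage];
}

/** Escape anything that is placed into an HTML attribute or text node. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** The vulnerable rendering from the original post, kept for comparison. */
function renderUnsafe(array $post): string
{
    $page = $post['page'];
    return "<img src='month$page.jpg' width='950' alt='$page'>"
         . "<input type='hidden' name='page' value='$page'>";
}

/** Hardened rendering: validated integer, escaped on the way out. */
function renderSafe(array $post, int $maxpage): string
{
    $s = navState($post, $maxpage);
    $page = h((string) $s['page']);   // already an int; escaping is cheap insurance
    return "<img src='month$page.jpg' width='950' alt='$page'>"
         . "<input type='hidden' name='page' value='$page'>";
}

// Constructed input of the kind a scanner submits: a value that closes the
// single-quoted attribute and starts a script tag.
$attack = ['fwd' => '', 'page' => "1'><script>alert(1)</script><b x='"];

echo renderUnsafe($attack), "\n";                           // script tag lands in the markup
echo renderSafe($attack, 12), "\n";                         // invalid page -> 1, then fwd -> 2
echo renderSafe(['fwd' => '', 'page' => '12'], 12), "\n";   // 12 + fwd wraps to 1
```

Run it with `php example.php` and compare the first two lines of output: the unsafe version emits the `<script>` tag verbatim inside the img and hidden-input markup, the safe version emits `month2.jpg`. Validating with filter_var() and a range, rather than intval(), means a rejected value is distinguishable from a legitimate page 0 or 1, which is the sanity check post #7 asks for; escaping with ENT_QUOTES matters here specifically because the original attributes are single-quoted, and htmlspecialchars() without that flag leaves `'` untouched.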


                #8
                Cheers chaps, will do.
                bloggoth
