♥valerif Posted December 12, 2007

Hi, I was advised that some pages could still be subject to a cross-site scripting attack even after the last update. In fact this would be forms like the quick search, currency, contact us and others. See the advice:

When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client. Ensure that parameters and user input are sanitized by doing the following:
Remove < input and replace with &lt;
Remove > input and replace with &gt;
Remove ' input and replace with &#39;
Remove " input and replace with &quot;
Remove ) input and replace with &#41;
Remove ( input and replace with &#40;

Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query keywords=
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query products_id=
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD Mode=debug
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD %2F__%2F__%2F__%2F__%2F__%2F__%2F__%2F__%2F__%2Fboot_ini=
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD %2F__%2F__%2F__%2F__%2F__%2F__%2F__%2F__%2F__%2Fetc%2Fpasswd=
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD scanalert=%3E%5C%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%5C%22
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD keywords=x%5C%27%3B%5C%22%2C%29%60
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query keywords=x%27%3B%22%2C%29%60
Path /%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22 Query currency=USD x%27%3B%22%2C%29%60=USD

I wonder if someone could help me to understand how to disable the possibility of inputting these symbols on the forms.
Thanks, valerif
Dennisra Posted February 15, 2008

It appears this is a security issue. Anyone knowledgeable in this area?

"The remote web application appears to be vulnerable to cross-site scripting (XSS). The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input. The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions. The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser. The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user."

[quoting valerif's first post above]
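The scanner advice quoted in the two posts above amounts to one rule: HTML-encode request data at the point where it is written back into the page. The following is an added example (PHP 7+) and not code from the original thread, from osCommerce, or from the addon linked later in the thread. It assumes a quick-search template that echoes the `keywords` parameter into the input box and builds the form's `action` from the request path (which is why the scanner puts its payload in the Path as well as in the Query); `$scannerPath`, `$get`, and all function names are constructed for this example.

```php
<?php
// Added example (PHP 7+), not code from osCommerce or from the addon linked in
// this thread. Reproduces the pattern the scanner flags and the fix its text asks
// for: HTML-encode request data where it is written into the page, rather than
// trying to forbid the characters on the form.
//
// Assumptions (not stated on the page): the quick-search template echoes the
// 'keywords' parameter back into the input box and builds the form action from
// the request path. $scannerPath and $get are constructed from the first
// Path/Query line of the report.

$scannerPath = rawurldecode('/%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22');
$get = [
    'keywords' => rawurldecode('%3E%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%3C%22'),
    'currency' => 'USD',
];

// Vulnerable rendering: path and parameter are concatenated into markup as-is.
// The '">' in the payload closes the attribute, and the <script> element that
// follows is parsed by the browser as real script.
function renderSearchVulnerable(string $path, array $get): string
{
    $keywords = $get['keywords'] ?? '';
    return '<form action="' . $path . '" method="get">'
         . '<input type="text" name="keywords" value="' . $keywords . '">'
         . '</form>';
}

// Output-encoding helper. ENT_QUOTES encodes both ' and " so the value is safe
// inside single- or double-quoted attributes as well as in element text; < and
// > become &lt; and &gt;, which is the substitution the scanner lists.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hardened rendering: same template, every request-derived value goes through h().
function renderSearchHardened(string $path, array $get): string
{
    $keywords = $get['keywords'] ?? '';
    return '<form action="' . h($path) . '" method="get">'
         . '<input type="text" name="keywords" value="' . h($keywords) . '">'
         . '</form>';
}

// Templates that carry the current query string forward (hidden fields, rebuilt
// links) must encode parameter NAMES too; the last scanner line, with the junk
// characters in the parameter name rather than the value, probes for exactly that.
function hiddenFieldsHardened(array $get, array $skip = []): string
{
    $out = '';
    foreach ($get as $name => $value) {
        if (in_array($name, $skip, true) || !is_string($value)) {
            continue;
        }
        $out .= '<input type="hidden" name="' . h((string) $name) . '" value="' . h($value) . '">';
    }
    return $out;
}

// For parameters with a small fixed set of legal values (the currency selector),
// an allowlist is the better first line: anything else falls back to the default
// and is never echoed. Encoding on output is still applied where it is printed.
function selectCurrency(array $get, array $allowed, string $default): string
{
    $requested = $get['currency'] ?? $default;
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Crude self-check to keep in a test: does a raw <script tag survive into the HTML?
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vulnerable = renderSearchVulnerable($scannerPath, $get);
$hardened   = renderSearchHardened($scannerPath, $get);

echo "vulnerable output: " . $vulnerable . "\n";
echo "  script tag reaches the browser: " . (containsLiveScript($vulnerable) ? 'yes' : 'no') . "\n";
echo "hardened output:   " . $hardened . "\n";
echo "  script tag reaches the browser: " . (containsLiveScript($hardened) ? 'yes' : 'no') . "\n";

// Junk parameter name from the last scanner line, carried forward as hidden fields.
$probe = ['currency' => 'USD', "x';\",)`" => 'USD'];
echo "hidden fields:     " . hiddenFieldsHardened($probe, ['currency']) . "\n";
echo "currency used:     " . selectCurrency(['currency' => "x';\",)`"], ['USD', 'EUR', 'GBP'], 'USD') . "\n";
```

Note that the fix encodes rather than strips: removing `<`, `>`, `'` and `"` from search terms breaks legitimate queries and is easy to get wrong, while `htmlspecialchars()` with `ENT_QUOTES` makes the characters harmless wherever they land in HTML text or attribute context. It does not make a value safe inside a `<script>` block or a JavaScript event handler; for those contexts a different encoding is needed, which is why the allowlist for fixed-vocabulary parameters like `currency` is worth having as well.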
Guest Posted February 17, 2008

If I am not mistaken the currency holes were fixed in the RC1 update. If you have mod_security available on your server, enable it. That will block people trying to execute <script commands. As well, check out this topic: http://www.oscommerce.com/forums/index.php?showtopic=293128
♥valerif Posted March 7, 2008 (Author)

[quoting Guest's post above]

Hi all, I found this contribution that resolved my cross-scripting problem. Hope this information will be helpful to someone. Cheers http://addons.oscommerce.com/info/5752
♥FWR Media Posted March 7, 2008

[quoting valerif's post above]

Perhaps you might like to post something nice in the contribution support thread ;) http://www.oscommerce.com/forums/index.php?showtopic=293326

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
Dennisra Posted March 9, 2008

I installed mod_security and it works very nicely. Thanks for the tip.

[quoting Guest's post above]
This topic is now archived and is closed to further replies.