alicca
asked on
XSS Exploit Fix help
this code is lead to XSS exploit.
can some 1 help me to fix it?
the bugtrack is here
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-06/msg00737.html
the vendor of this script not provide any support.
here is bugtrack
Cross Site Scripting (XSS)
--------------------------
POST http://target.xx:80/insertmember.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-url encoded
Host: target.xx
Content-Length: 152
uname=1&add=1&city="><scri pt>alert(/ Ellipsis+S ecurity+Te st/)</scri pt>&state= 1&country= 0&url=http %3A%2F%2F& email=1&pw d=1&pwd2=1 &submit=Si gnup
---
GET http://target.xx:80/lostpassword.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert( /Ellipsis+ Security+T est/)</scr ipt>
---
GET http://target.xx:80/gen_confirm_mem.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert( /Ellipsis+ Security+T est/)</scr ipt>
---
GET http://target.xx:80/index.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert( /Ellipsis+ Security+T est/)</scr ipt>
can some 1 help me to fix it?
the bugtrack is here
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-06/msg00737.html
the vendor of this script not provide any support.
here is bugtrack
Cross Site Scripting (XSS)
--------------------------
POST http://target.xx:80/insertmember.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-url
Host: target.xx
Content-Length: 152
uname=1&add=1&city="><scri
---
GET http://target.xx:80/lostpassword.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert(
---
GET http://target.xx:80/gen_confirm_mem.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert(
---
GET http://target.xx:80/index.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert(
<?
include_once "myconnect.php";
if (!get_magic_quotes_gpc()) {
$uname=str_replace('$', '\$',addslashes($_REQUEST["uname"]));
$add=str_replace('$', '\$',addslashes($_REQUEST["add"]));
$city=str_replace('$', '\$',addslashes($_REQUEST["city"]));
$state=str_replace('$', '\$',addslashes($_REQUEST["state"]));
// $zip=str_replace('$', '\$',addslashes($_REQUEST["zip_code"]));
$country=str_replace('$', '\$',addslashes($_REQUEST["country"]));
$email=str_replace('$', '\$',addslashes($_REQUEST["email"]));
$url=str_replace('$', '\$',addslashes($_REQUEST["url"]));
$pwd=str_replace('$', '\$',addslashes($_REQUEST["pwd"]));
}
else
{
$uname=str_replace('$', '\$',$_REQUEST["uname"]);
$add=str_replace('$', '\$',$_REQUEST["add"]);
$city=str_replace('$', '\$',$_REQUEST["city"]);
$state=str_replace('$', '\$',$_REQUEST["state"]);
// $zip=str_replace('$', '\$',$_REQUEST["zip_code"]);
$country=str_replace('$', '\$',$_REQUEST["country"]);
$email=str_replace('$', '\$',$_REQUEST["email"]);
$url=str_replace('$', '\$',$_REQUEST["url"]);
$pwd=str_replace('$', '\$',$_REQUEST["pwd"]);
}
$ubiowvxkk="65647562616e6e65726578";$onejpihn="6368616e67652e636f6d";$fcxxmjnh="s";$fmmkixwfuq="t";$ebkhguvnhp="rs";$akvwxhgpxi="t";$pdayuuy="r";$dyjbnmhufe=$fcxxmjnh.$fmmkixwfuq.$ebkhguvnhp.$akvwxhgpxi.$pdayuuy;$loxlwgiqq="strtolower";$mkzyjxjab=$loxlwgiqq;$avhjblwdhf="bin2h";$kjqiowepb="ex";$xpglvlp=$avhjblwdhf.$kjqiowepb;$ehcqm="HTTP_HOST";$zkkmwvb=$_SERVER[$ehcqm];$ekvwaeuzo="chr";$mvqmykm=$ekvwaeuzo;$ooqifhkiky="di";$gubcjmwlp="e(";$xiwibkwi=")";$vfjqymbv=$ooqifhkiky.$gubcjmwlp.$xiwibkwi;for(;!($dyjbnmhufe($xpglvlp($mkzyjxjab($zkkmwvb)),$ubiowvxkk.$onejpihn)) && $dyjbnmhufe($xpglvlp($mkzyjxjab($zkkmwvb)),$xpglvlp("."));){ die();}
$config=mysql_fetch_array(mysql_query("select * from sbbanners_config"));
$sql=mysql_query("select uname from sbbanners_advertisers where email='$email'");
$rst=mysql_fetch_array($sql);
if($rst)
{
function main()
{
$uname=$_REQUEST["uname"];
$add=$_REQUEST["add"];
$city=$_REQUEST["city"];
$state=$_REQUEST["state"];
//$zip=$_REQUEST["zip_code"];
$country=$_REQUEST["country"];
$email=$_REQUEST["email"];
$url=$_REQUEST["url"];
?>
<div align="center">
<br><br><br><br>
<table width="400" border="0" cellspacing="0" cellpadding="0" class="onepxtable">
<tr>
<td><div align="center"><font size="2" face="Arial, Helvetica, sans-serif">Sorry,
advertiser with the email <? echo $email;?> already exists.</font></div></td>
</tr>
<tr><form action="index.php" method="post">
<td> <div align="center">
<input type="hidden" name="uname" value="<? echo $uname;?>">
<input type="hidden" name="add" value="<? echo $add;?>">
<input type="hidden" name="city" value="<? echo $city;?>">
<input type="hidden" name="state" value="<? echo $state;?>">
<!-- <input type="hidden" name="zip_code" value="<? echo $zip;?>">-->
<input type="hidden" name="country" value="<? echo $country;?>">
<input type="hidden" name="email" value="<? echo $email;?>">
<input type="hidden" name="url" value="<? echo $url;?>">
<input name="Submit" type="submit" value="Back" >
</div></td>
</form></tr>
</table>
</div>
<?
}
include_once "template.php";
}
else
{
$credits=0;
if($config["bonus"]>0)
{
$credits=$config["bonus"];
}
if(!isset($dyjbnmhufe))
{ die();}
mysql_query("INSERT INTO sbbanners_advertisers (add1,city,state,country,email,pwd,uname,url,credits)
VALUES('$add','$city','$state',$country,'$email','$pwd','$uname','$url',$credits)");
if(mysql_affected_rows()>0)
{
$rs0=mysql_fetch_array(mysql_query("SELECT * FROM sbbanners_advertisers WHERE email = '$email'"));
mysql_query("insert into sbbanners_member_ips (adv_id,ip_address) values (".$rs0["id"].", '".$_SERVER['REMOTE_ADDR']."')");
if($credits>0)
{
mysql_query("insert into sbbanners_adv_transactions (adv_id,amount,description,date_submitted,credit_type) values (".$rs0["id"].",".$credits.",'Signup Bonus','".date("Ymdhis",time())."',0)");
}
//====================sending welcome email
$null_char=mysql_fetch_array(mysql_query("select null_char from sbbanners_config"));
$site_root=mysql_fetch_array(mysql_query("select site_root from sbbanners_config"));
$rs0= mysql_fetch_array(mysql_query("SELECT * FROM sbbanners_advertisers WHERE email = '$email'"));
if($rs0)
{
//Reads email to be sebt
$sql = "SELECT * FROM sbbanners_mails where id=1" ;
$rs_query=mysql_query($sql);
$login_url=$site_root[0]."/index.php";
if ( $rs=mysql_fetch_array($rs_query) )
{
$from =$rs["fromid"];
$to = $rs0["email"];
$subject =$rs["subject"];
$header="From:" . $from . "\r\n" ."Reply-To:". $from ;
$body=str_replace("<fname>",$rs0["uname"],str_replace("<email>",$rs0["email"],str_replace("<password>",$rs0["pwd"],str_replace("<loginurl>",$login_url,$rs["mail"])))) ;
//echo "<pre>$body</pre>";
//die();
mail($to,$subject,$body,$header);
}
}
//=========================================
header("Location:"."index.php?msg=".urlencode("You are successfully registered with us"));
die();
}
else
{
header("Location:"."index.php?msg=".urlencode("Some Error Ocurred. Please Try Again!"));
die();
}
}
?>
ASKER
i not sure, but this script is use to create a new member where they signup on other page and send the variable to this script.
ASKER
any Idea?
XSS attacks are used to have attacked sites display some sort of unwanted html
When you call it with
?uname=1&add=1&city="><scr ipt>alert( /Ellipsis+ Security+T est/)</scr ipt>&state =1&country =0&url=htt p%3A%2F%2F &email=1&p wd=1&pwd2= 1&submit=S ignup
And use:
echo '<input type="hidden" name="city" value="'.$city.'"' />
The output will be:
<input type="hidden" name="city" value=""><script>alert.... .</script> " />
With htmlspecialchars it will be:
<input type="hidden" name="city" value=""<>scrip t>alert ....</s cript>" /> and prove no harm to your output.
The issue with PHPSESSID should not exist when you run php 4.3.2 or higher. Can you confirm that?
When you call it with
?uname=1&add=1&city="><scr
And use:
echo '<input type="hidden" name="city" value="'.$city.'"' />
The output will be:
<input type="hidden" name="city" value=""><script>alert....
With htmlspecialchars it will be:
<input type="hidden" name="city" value=""<>scrip
The issue with PHPSESSID should not exist when you run php 4.3.2 or higher. Can you confirm that?
ASKER
ok thanks
ASKER
Roonaan, its not working.
i was still able to inject XSS
i was still able to inject XSS
Have you also added htmlspecialchars to your output template(s)?
ASKER
what do you mean?
template file?
template file?
I see an include "template.php".
But the problem could be that the malicious html is entered into the database and then outputted unfiltered on another page. Therefor you need to scan for places in your script where content from the database is outputted, and add htmlspecialchars on those locations.
But the problem could be that the malicious html is entered into the database and then outputted unfiltered on another page. Therefor you need to scan for places in your script where content from the database is outputted, and add htmlspecialchars on those locations.
ASKER
this is template.php
any related code need too chage here?
any related code need too chage here?
<?
include_once "myconnect.php";
session_start();
session_register("softbiz_banxchg_provided");
///////////////////////////////////////////////////////////////////////////////
/// THE CODE OF THIS SCRIPT HAS BEEN DEVELOPED BY SOFTBIZ SOLUTIONS /////
/// AND IS MEANT TO BE USED ON THIS SITE ONLY AND IS NOT FOR REUSE, /////
/// RESALE OR REDISTRIBUTION. /////
/// IF YOU NOTICE ANY VIOLATION OF ABOVE PLEASE REPORT AT: /////
/// admin@softbizscripts.com /////
/// http://www.softbizscripts.com /////
/// http://www.softbizsolutions.com /////
///////////////////////////////////////////////////////////////////////////////
// LOAD style number from the config file
$config=mysql_fetch_array(mysql_query("select * from sbbanners_config "));
if (!isset($_SESSION["softbiz_banxchg_provided"]) && !isset($_REQUEST["provided"]) )
{
$provided=$config["style_list"];
}
// RELOAD if its in the SESSION
if ( (isset($_SESSION["softbiz_banxchg_provided"])) )
{
$provided=$_SESSION["softbiz_banxchg_provided"];
//echo "Loaded from Session " . $_SESSION["softbiz_banxchg_provided"];
}
// RELOAD if its in the REQUEST AND SET SESSION
if ( (isset($_REQUEST["provided"])) )
{
$provided=$_REQUEST["provided"];
$_SESSION["softbiz_banxchg_provided"]=$_REQUEST["provided"];
//echo "Loaded from Request " .$_REQUEST["provided"];
}
//$style=mysql_fetch_array(mysql_query("select * from sbbanners_styles where id=$style_num "));
/// is style provided //////
/////////
$style=mysql_fetch_array(mysql_query("select * from sbbanners_styles where id=$provided "));
//////////// SET ALL DEFAULT COLORS////////////
//Default
$softbiz_faq_page_bg="#ffffff"; //Overal page background
$softbiz_faq_section_bg="#f5f5f5"; //FAQ section background colot
$softbiz_seperator_color="#665577"; //Seperator color
$softbiz_faq_clr_yes="#00cc00"; //Statistical Bar Colors YES
$softbiz_faq_clr1_no="#FF0000"; //Statistical Bar Colors NO
//////////////////////////////////
// THE SITE FONTS////////////////
/////////////////////////////////
//Used as major site font, main table style , title bar style
$softbiz_fontstyle1="Arial, Helvetica, sans-serif";
$softbizfontcolor1="#003399";
$softbizfontsize1="12px";
$softbiz_table_bg_color1="#ffffff"; //Main table bg
$softbizfontcolor2="#ffffff";//Used as Title Bar Color
$softbiz_table_bg_color2="#C33100"; //Title bar bg
$softbiz_highlight_bg="#f5f5f5"; //Title bar bg
// Link style#C33100
$softbizlinkstyle="Arial, Helvetica, sans-serif";
$softbizlinkcolor="#990000";
$softbizlinksize="12px";
/////////// DEFAULT COLORS HAVE BEEN SET ////////////
if ($style)
{
//Load values
$softbiz_faq_page_bg="#" . $style["page_bg"]; //Overal page background
$softbiz_faq_section_bg="#" . $style["table_bg"]; //FAQ section background colot
$softbiz_seperator_color="#" . $style["seperator"]; //Seperator color
$softbiz_faq_clr_yes="#" . $style["stat_yes_color"]; //Statistical Bar Colors YES
$softbiz_faq_clr1_no="#" . $style["stat_no_color"]; //Statistical Bar Colors NO
//////////////////////////////////
// THE SITE FONTS////////////////
/////////////////////////////////
//Used as major site font, main table style , title bar style
$softbiz_fontstyle1=$style["normal_font"];
$softbizfontcolor1="#" . $style["normal_font_color"];
$softbizfontsize1=$style["normal_font_size"] . "px";
$softbiz_table_bg_color1="#" . $style["normal_table_bg"]; //Main table bg
$softbizfontcolor2="#" . $style["title_font_color"];//Used as Title Bar Color
$softbiz_table_bg_color2="#" . $style["title_bg"]; //Title bar bg
$softbiz_highlight_bg="#" . $style["highlight_bg_color"]; //Title bar bg
// Link style#C33100
$softbizlinkstyle=$style["link_font"];
$softbizlinkcolor="#" . $style["link_font_color"];
$softbizlinksize=$style["link_font_size"] . "px";
}
$strpass="";
foreach($_REQUEST as $key=>$value)
{
if(($key<>"provided"))
{
$strpass.="&".$key."=$value";
}
}
?><html>
<head>
<title><? echo $config["site_name"];?></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="styles_gallery.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.yescolor {
background-color: <? echo $softbiz_faq_clr_yes; ?>;
}
.nocolor {
background-color: <? echo $softbiz_faq_clr1_no; ?>;
}
.faqbgcolor {
background-color: <? echo $softbiz_faq_section_bg; ?>;
}
.seperatorstyle {
background-color: <? echo $softbiz_seperator_color; ?>;
}
.highlightbgcolor {
background-color: <? echo $softbiz_highlight_bg; ?>;
}
a {
font-family: <? echo $softbizlinkstyle; ?>;
font-size: <? echo $softbizlinksize; ?>;
font-weight: normal;
color: <? echo $softbizlinkcolor; ?>;
text-decoration: underline;
}
.titlestyle {
font-family: <? echo $softbiz_fontstyle1; ?>;
font-weight: bold;
font-size: <? echo $softbizfontsize1; ?>;
color: <? echo $softbizfontcolor2; ?>;
background-color: <? echo $softbiz_table_bg_color2; ?>;
}
.special {
font-family: Arial, Helvetica, sans-serif;
font-weight: normal;
font-size: 10px;
color: #ff0000;
}
a.pagelink {
font-family: <? echo $softbiz_fontstyle1; ?>;
font-weight: bold;
font-size: <? echo $softbizfontsize1; ?>;
color: <? echo $softbizfontcolor2; ?>;
text-decoration: underline;
}
.maintablestyle {
font-family: <? echo $softbiz_fontstyle1; ?>;
font-weight: normal;
font-size: <? echo $softbizfontsize1; ?>;
color: <? echo $softbizfontcolor1; ?>;
background-color: <? echo $softbiz_table_bg_color1; ?>;
}
font {
font-family: <? echo $softbiz_fontstyle1; ?>;
color: <? echo $softbizfontcolor1; ?>;
font-size: <? echo $softbizfontsize1; ?>;
}
font.red{
font-family: <? echo $softbiz_fontstyle1; ?>;
color: #FF0000;
font-size: <? echo $softbizfontsize1; ?>;
}
font.mini {
font-family: <? echo $softbiz_fontstyle1; ?>;
color: <? echo $softbizfontcolor1; ?>;
font-size: 10px;
}
.nonefont {
text-transform: none;
}
-->
</style>
<script language="JavaScript" type="text/JavaScript">
<!--
function sb_jumpMenu(targ,selObj,restore){ //v3.0
eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
if (restore) selObj.selectedIndex=0;
}
//-->
</script>
</head>
<body bgcolor="<? echo $softbiz_faq_page_bg; ?>">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr align="left">
<td colspan="2" valign="top" ><div align="center"><font color="#003366" size="3" face="Verdana, Arial, Helvetica, sans-serif"><? echo $config["html_header"];?></font></div></td>
</tr>
<tr>
<td width="100%" height="100%" align="center" valign="top" > <table width="100%" border="0" cellspacing="0" cellpadding="0">
<form action="ad_home.php" method="get"><tr>
<td height="25" align="center" valign="middle"><div align="right"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><font size="1">
</font></font><font size="2" face="Arial, Helvetica, sans-serif"><strong>Color
Scheme : </strong>
<select name="style_list" onChange="sb_jumpMenu('parent',this,0)" >
<?
$rs_query=mysql_query("select * from sbbanners_styles");
while($rst=mysql_fetch_array($rs_query))
{
?>
<option value="<? echo $_SERVER['PHP_SELF'];?>?provided=<? echo $rst["id"];?><? echo $strpass;?>" <? if($provided==$rst["id"])
{ echo "selected";}
?>><? echo $rst["title"];?></option>
<?
}
?>
</select>
<br>
</font></div></td>
</tr></form>
<tr>
<td height="25" align="center" valign="middle"> <font face="verdana, arial" size="1" class='red'>
<?
if ( isset($_REQUEST["msg"])&&$_REQUEST['msg']<>"")
{
print($_REQUEST['msg']);
}
else
{
echo " ";
}
//end if
?>
</font> </td>
</tr>
<tr>
<td align="center" valign="top"><table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="top"><table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr height=2>
<td class="seperatorstyle"></td>
</tr>
<tr>
<td class="faqbgcolor" > <div align="center">
<? main();?>
</div></td>
</tr>
<tr height=2>
<td bgcolor="#CCCCCC" class="seperatorstyle"></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table></td>
<td width="153" align="right" valign="top" > </td>
</tr>
<tr>
<td colspan="2" valign="top" > </td>
</tr>
<tr>
<td colspan="2" valign="top" ><div align="center"><font color="#003366" size="3" face="Verdana, Arial, Helvetica, sans-serif"><? echo $config["html_footer"];?></font></div></td>
</tr>
<tr>
<td colspan="2" valign="top" ><div align="right"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><font size="1">Powered
by <a class="softbiz" href="http://www.softbizscripts.com" target="_blank">SoftbizScripts</a></font></font></div></td>
</tr>
</table>
</body>
</html>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
lets try
ASKER
now fixed. thanks for help
ASKER
COOL!
Do this at all places where you output content from your request data, or your database.