Solved

XSS Exploit Fix help

Posted on 2008-06-16
348 Views
Last Modified: 2012-05-05
This code leads to an XSS exploit.

Can someone help me to fix it?

The Bugtraq post is here:

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2006-06/msg00737.html

The vendor of this script does not provide any support.

Here is the Bugtraq post:
Cross Site Scripting (XSS)
--------------------------
POST http://target.xx:80/insertmember.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: target.xx
Content-Length: 152
uname=1&add=1&city="><script>alert(/Ellipsis+Security+Test/)</script>&state=1&country=0&url=http%3A%2F%2F&email=1&pwd=1&pwd2=1&submit=Signup
---
GET http://target.xx:80/lostpassword.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert(/Ellipsis+Security+Test/)</script>
---
GET http://target.xx:80/gen_confirm_mem.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert(/Ellipsis+Security+Test/)</script>
---
GET http://target.xx:80/index.php HTTP/1.0
Accept: */*
Host: target.xx
Cookie: PHPSESSID="><script>alert(/Ellipsis+Security+Test/)</script>
<?

include_once "myconnect.php";

if (!get_magic_quotes_gpc()) {
	$uname=str_replace('$', '\$',addslashes($_REQUEST["uname"]));
	$add=str_replace('$', '\$',addslashes($_REQUEST["add"]));
	$city=str_replace('$', '\$',addslashes($_REQUEST["city"]));
	$state=str_replace('$', '\$',addslashes($_REQUEST["state"]));
//	$zip=str_replace('$', '\$',addslashes($_REQUEST["zip_code"]));
	$country=str_replace('$', '\$',addslashes($_REQUEST["country"]));
	$email=str_replace('$', '\$',addslashes($_REQUEST["email"]));
	$url=str_replace('$', '\$',addslashes($_REQUEST["url"]));
	$pwd=str_replace('$', '\$',addslashes($_REQUEST["pwd"]));
}
else
{
	$uname=str_replace('$', '\$',$_REQUEST["uname"]);
	$add=str_replace('$', '\$',$_REQUEST["add"]);
	$city=str_replace('$', '\$',$_REQUEST["city"]);
	$state=str_replace('$', '\$',$_REQUEST["state"]);
//	$zip=str_replace('$', '\$',$_REQUEST["zip_code"]);
	$country=str_replace('$', '\$',$_REQUEST["country"]);
	$email=str_replace('$', '\$',$_REQUEST["email"]);
	$url=str_replace('$', '\$',$_REQUEST["url"]);
	$pwd=str_replace('$', '\$',$_REQUEST["pwd"]);
}

// obfuscated vendor host lock: dies unless HTTP_HOST matches the licensed domain
$ubiowvxkk="65647562616e6e65726578";$onejpihn="6368616e67652e636f6d";$fcxxmjnh="s";$fmmkixwfuq="t";$ebkhguvnhp="rs";$akvwxhgpxi="t";$pdayuuy="r";$dyjbnmhufe=$fcxxmjnh.$fmmkixwfuq.$ebkhguvnhp.$akvwxhgpxi.$pdayuuy;$loxlwgiqq="strtolower";$mkzyjxjab=$loxlwgiqq;$avhjblwdhf="bin2h";$kjqiowepb="ex";$xpglvlp=$avhjblwdhf.$kjqiowepb;$ehcqm="HTTP_HOST";$zkkmwvb=$_SERVER[$ehcqm];$ekvwaeuzo="chr";$mvqmykm=$ekvwaeuzo;$ooqifhkiky="di";$gubcjmwlp="e(";$xiwibkwi=")";$vfjqymbv=$ooqifhkiky.$gubcjmwlp.$xiwibkwi;for(;!($dyjbnmhufe($xpglvlp($mkzyjxjab($zkkmwvb)),$ubiowvxkk.$onejpihn)) && $dyjbnmhufe($xpglvlp($mkzyjxjab($zkkmwvb)),$xpglvlp("."));){ die();}

$config=mysql_fetch_array(mysql_query("select * from sbbanners_config"));

$sql=mysql_query("select uname from sbbanners_advertisers where email='$email'");
$rst=mysql_fetch_array($sql);

if($rst)
{
	function main()
	{
	// raw request values, echoed into the hidden fields below without htmlspecialchars()
	$uname=$_REQUEST["uname"];
	$add=$_REQUEST["add"];
	$city=$_REQUEST["city"];
	$state=$_REQUEST["state"];
	//$zip=$_REQUEST["zip_code"];
	$country=$_REQUEST["country"];
	$email=$_REQUEST["email"];
	$url=$_REQUEST["url"];
	?>
	<div align="center">
	<br><br><br><br>
	<table width="400" border="0" cellspacing="0" cellpadding="0" class="onepxtable">
	  <tr>
		<td><div align="center"><font size="2" face="Arial, Helvetica, sans-serif">Sorry,
			  advertiser with the email <? echo $email;?> already exists.</font></div></td>
	  </tr>
	  <tr><form action="index.php" method="post">
		<td> <div align="center">
				<input type="hidden" name="uname" value="<? echo $uname;?>">
				<input type="hidden" name="add" value="<? echo $add;?>">
				<input type="hidden" name="city" value="<? echo $city;?>">
				<input type="hidden" name="state" value="<? echo $state;?>">
	<!--			<input type="hidden" name="zip_code" value="<? echo $zip;?>">-->
				<input type="hidden" name="country" value="<? echo $country;?>">
				<input type="hidden" name="email" value="<? echo $email;?>">
				<input type="hidden" name="url" value="<? echo $url;?>">
				<input name="Submit" type="submit" value="Back" >
		  </div></td>
	  </form></tr>
	</table>
	</div>
	<?
	}
	include_once "template.php";
}
else
{
	$credits=0;
	if($config["bonus"]>0)
	{
	$credits=$config["bonus"];
	}

	// second half of the vendor host lock above
	if(!isset($dyjbnmhufe))
	{ die();}

	mysql_query("INSERT INTO sbbanners_advertisers (add1,city,state,country,email,pwd,uname,url,credits)
	VALUES('$add','$city','$state',$country,'$email','$pwd','$uname','$url',$credits)");

	if(mysql_affected_rows()>0)
	{
		$rs0=mysql_fetch_array(mysql_query("SELECT * FROM sbbanners_advertisers WHERE email = '$email'"));
		mysql_query("insert into sbbanners_member_ips (adv_id,ip_address) values (".$rs0["id"].", '".$_SERVER['REMOTE_ADDR']."')");
		if($credits>0)
		{
		mysql_query("insert into sbbanners_adv_transactions (adv_id,amount,description,date_submitted,credit_type) values	(".$rs0["id"].",".$credits.",'Signup Bonus','".date("Ymdhis",time())."',0)");
		}

		//====================sending welcome email

		$null_char=mysql_fetch_array(mysql_query("select null_char from sbbanners_config"));
		$site_root=mysql_fetch_array(mysql_query("select site_root from sbbanners_config"));

		$rs0= mysql_fetch_array(mysql_query("SELECT * FROM sbbanners_advertisers WHERE email = '$email'"));
		if($rs0)
		{
		//Reads email to be sent
		$sql = "SELECT * FROM sbbanners_mails where id=1" ;
		$rs_query=mysql_query($sql);
		$login_url=$site_root[0]."/index.php";
		if ( $rs=mysql_fetch_array($rs_query)  )
		  {
					 $from =$rs["fromid"];
					 $to = $rs0["email"];
					 $subject =$rs["subject"];
					 $header="From:" . $from . "\r\n" ."Reply-To:". $from  ;

			 $body=str_replace("<fname>",$rs0["uname"],str_replace("<email>",$rs0["email"],str_replace("<password>",$rs0["pwd"],str_replace("<loginurl>",$login_url,$rs["mail"])))) ;
			 //echo "<pre>$body</pre>";
			 //die();
			 mail($to,$subject,$body,$header);
		  }
		}
		//=========================================
		header("Location:"."index.php?msg=".urlencode("You are successfully registered with us"));
		die();
	}
	else
	{
		header("Location:"."index.php?msg=".urlencode("Some Error Ocurred. Please Try Again!"));
		die();
	}
}
?>

Question by:alicca

15 Comments
 
LVL 49

Expert Comment

by:Roonaan
ID: 21791541
Inside lines 55 - 61 use <? echo htmlspecialchars($uname); ?> instead of <? echo $uname ?>, same for other fields.

Do this at all places where you output content from your request data, or your database.
0
 
LVL 2

Author Comment

by:alicca
ID: 21791548
I'm not sure, but this script is used to create a new member: they sign up on another page, which sends the variables to this script.
0
 
LVL 2

Author Comment

by:alicca
ID: 21791573
Any idea?
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21791595
XSS attacks are used to have attacked sites display some sort of unwanted HTML.
When you call it with
?uname=1&add=1&city="><script>alert(/Ellipsis+Security+Test/)</script>&state=1&country=0&url=http%3A%2F%2F&email=1&pwd=1&pwd2=1&submit=Signup
And use:

echo '<input type="hidden" name="city" value="'.$city.'" />';
The output will be:

<input type="hidden" name="city" value=""><script>alert.....</script>" />

With htmlspecialchars it will be:
<input type="hidden" name="city" value="&quot;&gt;&lt;script&gt;alert....&lt;/script&gt;" /> and does no harm to your output.


The issue with PHPSESSID should not exist when you run php 4.3.2 or higher. Can you confirm that?
0
 
LVL 2

Author Comment

by:alicca
ID: 21791618
OK, thanks.
0
 
LVL 2

Author Comment

by:alicca
ID: 21791734
Roonaan, it's not working.

I was still able to inject XSS.
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21791749
Have you also added htmlspecialchars to your output template(s)?
0
LVL 2

Author Comment

by:alicca
ID: 21791760
What do you mean?

The template file?
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 21791768
I see an include "template.php".

But the problem could be that the malicious HTML is entered into the database and then output unfiltered on another page. Therefore you need to scan for places in your script where content from the database is output, and add htmlspecialchars in those locations.
0
 
LVL 2

Author Comment

by:alicca
ID: 21791793
This is template.php.

Does any related code need to change here?
<?

include_once "myconnect.php";

session_start();

session_register("softbiz_banxchg_provided");

///////////////////////////////////////////////////////////////////////////////
///      THE CODE OF THIS SCRIPT HAS BEEN DEVELOPED BY SOFTBIZ SOLUTIONS  /////
///      AND IS MEANT TO BE USED ON THIS SITE ONLY AND IS NOT FOR REUSE,  /////
///      RESALE OR REDISTRIBUTION.                                        /////
///      IF YOU NOTICE ANY VIOLATION OF ABOVE PLEASE REPORT AT:           /////
///      admin@softbizscripts.com                                         /////
///      http://www.softbizscripts.com                                    /////
///      http://www.softbizsolutions.com                                  /////
///////////////////////////////////////////////////////////////////////////////

// LOAD style number from the config file
$config=mysql_fetch_array(mysql_query("select * from sbbanners_config "));

if (!isset($_SESSION["softbiz_banxchg_provided"]) && !isset($_REQUEST["provided"]) )
{
$provided=$config["style_list"];
}

// RELOAD if its in the SESSION
if (  (isset($_SESSION["softbiz_banxchg_provided"])) )
{
$provided=$_SESSION["softbiz_banxchg_provided"];
//echo "Loaded from Session " . $_SESSION["softbiz_banxchg_provided"];
}

// RELOAD if its in the REQUEST AND SET SESSION
if (  (isset($_REQUEST["provided"])) )
{
$provided=$_REQUEST["provided"];
$_SESSION["softbiz_banxchg_provided"]=$_REQUEST["provided"];
//echo "Loaded from Request " .$_REQUEST["provided"];
}

//$style=mysql_fetch_array(mysql_query("select * from sbbanners_styles where id=$style_num "));
/// is style provided //////
/////////
$style=mysql_fetch_array(mysql_query("select * from sbbanners_styles where id=$provided "));

////////////  SET ALL DEFAULT COLORS////////////
//Default
$softbiz_faq_page_bg="#ffffff";    		//Overall page background
$softbiz_faq_section_bg="#f5f5f5"; 		//FAQ section background color
$softbiz_seperator_color="#665577";	 	//Separator color
$softbiz_faq_clr_yes="#00cc00";   		//Statistical Bar Colors YES
$softbiz_faq_clr1_no="#FF0000";  		//Statistical Bar Colors NO

//////////////////////////////////
// THE SITE FONTS////////////////
/////////////////////////////////

//Used as major site font, main table style , title bar style
$softbiz_fontstyle1="Arial, Helvetica, sans-serif";
$softbizfontcolor1="#003399";
$softbizfontsize1="12px";
$softbiz_table_bg_color1="#ffffff"; //Main table bg
$softbizfontcolor2="#ffffff";//Used as Title Bar Color
$softbiz_table_bg_color2="#C33100"; //Title bar bg

$softbiz_highlight_bg="#f5f5f5"; //Title bar bg

// Link style#C33100
$softbizlinkstyle="Arial, Helvetica, sans-serif";
$softbizlinkcolor="#990000";
$softbizlinksize="12px";

/////////// DEFAULT COLORS HAVE BEEN SET ////////////

if ($style)
{
//Load values
$softbiz_faq_page_bg="#" . $style["page_bg"];    		//Overall page background
$softbiz_faq_section_bg="#" . $style["table_bg"]; 		//FAQ section background color
$softbiz_seperator_color="#" . $style["seperator"];	 	//Separator color
$softbiz_faq_clr_yes="#" . $style["stat_yes_color"];   		//Statistical Bar Colors YES
$softbiz_faq_clr1_no="#" . $style["stat_no_color"];  		//Statistical Bar Colors NO

//////////////////////////////////
// THE SITE FONTS////////////////
/////////////////////////////////

//Used as major site font, main table style , title bar style
$softbiz_fontstyle1=$style["normal_font"];
$softbizfontcolor1="#" . $style["normal_font_color"];
$softbizfontsize1=$style["normal_font_size"] . "px";
$softbiz_table_bg_color1="#" . $style["normal_table_bg"]; //Main table bg
$softbizfontcolor2="#" . $style["title_font_color"];//Used as Title Bar Color
$softbiz_table_bg_color2="#" . $style["title_bg"]; //Title bar bg

$softbiz_highlight_bg="#" . $style["highlight_bg_color"]; //Title bar bg

// Link style#C33100
$softbizlinkstyle=$style["link_font"];
$softbizlinkcolor="#" . $style["link_font_color"];
$softbizlinksize=$style["link_font_size"] . "px";
}

// every request key/value is copied into the query string unencoded
$strpass="";
foreach($_REQUEST as $key=>$value)
{
if(($key<>"provided"))
{
$strpass.="&".$key."=$value";
}
}

?><html>
<head>
<title><? echo $config["site_name"];?></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="styles_gallery.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.yescolor {
	background-color: <? echo $softbiz_faq_clr_yes; ?>;
}
.nocolor {
	background-color: <? echo $softbiz_faq_clr1_no; ?>;
}

.faqbgcolor {
	background-color: <? echo $softbiz_faq_section_bg; ?>;
}

.seperatorstyle {
	background-color: <? echo $softbiz_seperator_color; ?>;
}
.highlightbgcolor {
	background-color: <? echo $softbiz_highlight_bg; ?>;
}

a {
	font-family: <? echo $softbizlinkstyle; ?>;
	font-size: <? echo $softbizlinksize; ?>;
	font-weight: normal;
	color: <? echo $softbizlinkcolor; ?>;
	text-decoration: underline;
}
.titlestyle {
	font-family: <? echo $softbiz_fontstyle1; ?>;
	font-weight: bold;
	font-size: <? echo $softbizfontsize1; ?>;
	color: <? echo $softbizfontcolor2; ?>;
	background-color: <? echo $softbiz_table_bg_color2; ?>;
}
.special {
	font-family: Arial, Helvetica, sans-serif;
	font-weight: normal;
	font-size: 10px;
	color: #ff0000;
}
a.pagelink {
	font-family: <? echo $softbiz_fontstyle1; ?>;
	font-weight: bold;
	font-size: <? echo $softbizfontsize1; ?>;
	color: <? echo $softbizfontcolor2; ?>;
	text-decoration: underline;
}

.maintablestyle {
	font-family: <? echo $softbiz_fontstyle1; ?>;
	font-weight: normal;
	font-size: <? echo $softbizfontsize1; ?>;
	color: <? echo $softbizfontcolor1; ?>;
	background-color: <? echo $softbiz_table_bg_color1; ?>;
}
font {
	font-family:  <? echo $softbiz_fontstyle1; ?>;
	color: <? echo $softbizfontcolor1; ?>;
	font-size: <? echo $softbizfontsize1; ?>;
}
font.red{
	font-family:  <? echo $softbiz_fontstyle1; ?>;
	color: #FF0000;
	font-size: <? echo $softbizfontsize1; ?>;
}

font.mini {
	font-family:  <? echo $softbiz_fontstyle1; ?>;
	color: <? echo $softbizfontcolor1; ?>;
	font-size: 10px;
}
.nonefont {
	text-transform: none;
}
-->
</style>
<script language="JavaScript" type="text/JavaScript">
<!--
function sb_jumpMenu(targ,selObj,restore){ //v3.0
  eval(targ+".location='"+selObj.options[selObj.selectedIndex].value+"'");
  if (restore) selObj.selectedIndex=0;
}
//-->
</script>
</head>
<body bgcolor="<? echo $softbiz_faq_page_bg; ?>">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
  <tr align="left">
    <td colspan="2"   valign="top" ><div align="center"><font color="#003366" size="3" face="Verdana, Arial, Helvetica, sans-serif"><? echo $config["html_header"];?></font></div></td>
  </tr>
  <tr>
    <td width="100%" height="100%" align="center"   valign="top" > <table width="100%" border="0" cellspacing="0" cellpadding="0">
        <form action="ad_home.php" method="get"><tr>
            <td height="25" align="center" valign="middle"><div align="right"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><font size="1">
                </font></font><font size="2" face="Arial, Helvetica, sans-serif"><strong>Color
                Scheme : </strong>
                <select name="style_list" onChange="sb_jumpMenu('parent',this,0)" >
                  <?
				$rs_query=mysql_query("select * from sbbanners_styles");
				while($rst=mysql_fetch_array($rs_query))
				{
				?>
                  <option value="<? echo $_SERVER['PHP_SELF'];?>?provided=<? echo $rst["id"];?><? echo $strpass;?>" <? if($provided==$rst["id"])
				{ echo "selected";}
				?>><? echo $rst["title"];?></option>
                  <?
                                }
				  ?>
                </select>
                <br>
                </font></div></td>
        </tr></form>
        <tr>
          <td height="25" align="center" valign="middle"> <font face="verdana, arial" size="1" class='red'>
            <?
// the msg request parameter is printed without escaping
if ( isset($_REQUEST["msg"])&&$_REQUEST['msg']<>"")
{
print($_REQUEST['msg']);
}
else
{
echo " ";
}
//end if
?>
            </font> </td>
        </tr>
        <tr>
          <td align="center" valign="top"><table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
              <tr>
                <td align="center" valign="top"><table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
                    <tr height=2>
                      <td class="seperatorstyle"></td>
                    </tr>
                    <tr>
                      <td class="faqbgcolor" > <div align="center">
                          <? main();?>
                        </div></td>
                    </tr>
                    <tr height=2>
                      <td bgcolor="#CCCCCC" class="seperatorstyle"></td>
                    </tr>
                  </table></td>
              </tr>
            </table></td>
        </tr>
      </table></td>
    <td width="153" align="right"   valign="top" >&nbsp;</td>
  </tr>
  <tr>
    <td colspan="2"   valign="top" >&nbsp;</td>
  </tr>
  <tr>
    <td colspan="2"   valign="top" ><div align="center"><font color="#003366" size="3" face="Verdana, Arial, Helvetica, sans-serif"><? echo $config["html_footer"];?></font></div></td>
  </tr>
  <tr>
    <td colspan="2"   valign="top" ><div align="right"><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><font size="1">Powered
        by <a class="softbiz" href="http://www.softbizscripts.com" target="_blank">SoftbizScripts</a></font></font></div></td>
  </tr>
</table>
</body>
</html>


0
 
LVL 49

Accepted Solution

by:
Roonaan earned 500 total points
ID: 21791831
On line 110 you would change:
$strpass.="&".$key."=$value";
Into
$strpass .= "&".urlencode($key).'='.urlencode($value);

All the echoes with variables would need a htmlspecialchars. (Also the echo $_SERVER['PHP_SELF'] needs to be echo htmlspecialchars($_SERVER['PHP_SELF']);)

Simple things like echo "selected" can be left unchanged.
0
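The two fixes Roonaan gives in this thread (htmlspecialchars on every echo of request or database data, and urlencode on the pieces of $strpass) as one runnable script. This is an added example, not the Softbiz code or Roonaan's own; the helper names h(), hidden_field_unsafe/safe, strpass_unsafe/safe and style_option_safe are mine, and the sample city value is the one from the Bugtraq request in the question.

```php
<?php
// Added example, not the vendor's script: the hardened output pattern from the
// answers above, applied to the hidden fields in insertmember.php and to the
// $strpass / <option> code in template.php. Helper names are assumptions.

// Wrap every value that lands inside HTML. ENT_QUOTES also escapes single
// quotes; the charset matches the template's iso-8859-1 meta tag.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'ISO-8859-1');
}

// Before: the original hidden input echoes the raw request value.
function hidden_field_unsafe($name, $value) {
    return '<input type="hidden" name="' . $name . '" value="' . $value . '">';
}

// After: name and value both escaped, so a quote in $value cannot close the attribute.
function hidden_field_safe($name, $value) {
    return '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '">';
}

// Before: template.php copies every request key/value into the query string as-is.
function strpass_unsafe(array $request) {
    $strpass = "";
    foreach ($request as $key => $value) {
        if ($key <> "provided") {
            $strpass .= "&" . $key . "=$value";
        }
    }
    return $strpass;
}

// After: the line from the accepted answer; keys and values are URL-encoded.
function strpass_safe(array $request) {
    $strpass = "";
    foreach ($request as $key => $value) {
        if ($key <> "provided") {
            $strpass .= "&" . urlencode($key) . '=' . urlencode($value);
        }
    }
    return $strpass;
}

// After: the colour-scheme <option>, with PHP_SELF, id, strpass and title all
// escaped at output time. The bare "selected" literal needs no escaping.
function style_option_safe($php_self, $id, $title, $strpass, $provided) {
    $sel = ($provided == $id) ? ' selected' : '';
    return '<option value="' . h($php_self) . '?provided=' . h($id) . h($strpass)
         . '"' . $sel . '>' . h($title) . '</option>';
}

// Constructed input: the city value from the Bugtraq request in the question.
$city = '"><script>alert(/Ellipsis+Security+Test/)</script>';
$request = array('city' => $city, 'provided' => '3', 'uname' => '1');

echo hidden_field_unsafe('city', $city), "\n";   // the quote in $city closes the attribute
echo hidden_field_safe('city', $city), "\n";     // the payload is rendered as inert text
echo strpass_unsafe($request), "\n";
echo h(strpass_safe($request)), "\n";
echo style_option_safe('/index.php', 3, 'Default', strpass_safe($request), 3), "\n";
```

Run it from the command line and compare the first two lines of output: only the unsafe version produces a second `"` that terminates the value attribute before the script tag.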
 
LVL 2

Author Comment

by:alicca
ID: 21791844
Let's try.
0
 
LVL 2

Author Comment

by:alicca
ID: 21791861
Now fixed. Thanks for the help.
0
 
LVL 2

Author Closing Comment

by:alicca
ID: 31467486
COOL!
0
