Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Nessus XSS warning

Posted on 2012-03-23
7
Medium Priority
?
598 Views
Last Modified: 2012-06-06
Hi, I'm doing a vulnerability scan on my php 5.2 / rhel5 / apache 2.2.8 web server and nessus gives me this output:

Solution Modify the relevant CGIs so that they filter metacharacters, convert &lt and &gt to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs : /eggster/eggster.php?l=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascript%3aa
lert(12345)%3b%22%3e&p=2012-03-07-29857172 (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
/eggster/eggster.php?l=50&p=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascrip
t%3aalert(12345)%3b%22%3e (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
An attacker may exploit this flaws to steal user's cookies

http://www.cgisecurity.com/articles/xss-faq.shtml

-----

I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

but I continue getting the error, what am I missing here?
0
Comment
Question by:eggster34
7 Comments
 
LVL 12

Accepted Solution

by:
larsrohr earned 2000 total points
ID: 37758909
You'll want to filter out metacharacters in general, but < and > in particular.

You can use strip_tags() for a simplistic approach, or filter_tags(), or at least make a preg_replace to change < and > to &lt; and &gt;

I also found a more complete example function of sanitizing input against xss, just by googling for "preg_replace xss":

function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

do
{
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);

// we are done...
return $data;
}

Open in new window

0
 

Author Comment

by:eggster34
ID: 37759154
that helps a lot, many thanks!
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37759520
If you have these instructions in the code:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

And you do not make further reference to $_GET, the error is a false-positive.  But you still want to upgrade PHP.  PHP 5.2 is not supported any more, not even for security releases.

Best regards, ~Ray
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37780409
hmm, I'm not sure how php's so called PCRE works in this case, but I'd assume that [^-0-9] is not what you want, better use [^0-9-]
(@php-gurus, please correct me if I'm wrong)

anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 37781002
These produce congruent output.  See http://www.laprbass.com/RAY_temp_ahoffmann.php
<?Php // RAY_temp_ahoffmann.php
error_reporting(E_ALL);

// TEST DATA WITH UNWANTED CHARACTERS
$data = "1-5,000.3<evil>";

// REGULAR EXPRESSIONS TO ELIMINATE NON-NUMERICS
$rgx1
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '-'        // HYPHEN
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

$rgx2
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. '-'        // HYPHEN
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

// TEST THE EXPRESSIONS
$str1 = preg_replace($rgx1, NULL, $data);
var_dump($str1);

$str2 = preg_replace($rgx2, NULL, $data);
var_dump($str2);

Open in new window

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37781054
thanks ray for the test case, so we see that php handles hyphens differently than (most) other regex engines, nice to know ;-)
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 37803663
So, you may want to take a look at OWASP ESAPI so you don't (or continue) to reinvent the wheel. Validating the input (whitelist) is very important but you will also want to encode the output to prevent XSS. The API will do all of the encoding validation properly thus reducing the chance you are overlooking something.

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
0

Featured Post

Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question