Solved

Nessus XSS warning

Posted on 2012-03-23
7
581 Views
Last Modified: 2012-06-06
Hi, I'm doing a vulnerability scan on my php 5.2 / rhel5 / apache 2.2.8 web server and nessus gives me this output:

Solution Modify the relevant CGIs so that they filter metacharacters, convert &lt and &gt to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs : /eggster/eggster.php?l=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascript%3aa
lert(12345)%3b%22%3e&p=2012-03-07-29857172 (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
/eggster/eggster.php?l=50&p=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascrip
t%3aalert(12345)%3b%22%3e (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
An attacker may exploit this flaws to steal user's cookies

http://www.cgisecurity.com/articles/xss-faq.shtml

-----

I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

but I continue getting the error, what am I missing here?
0
Comment
Question by:eggster34
7 Comments
 
LVL 12

Accepted Solution

by:
larsrohr earned 500 total points
ID: 37758909
You'll want to filter out metacharacters in general, but < and > in particular.

You can use strip_tags() for a simplistic approach, or filter_tags(), or at least make a preg_replace to change < and > to &lt; and &gt;

I also found a more complete example function of sanitizing input against xss, just by googling for "preg_replace xss":

function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

do
{
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);

// we are done...
return $data;
}

Open in new window

0
 

Author Comment

by:eggster34
ID: 37759154
that helps a lot, many thanks!
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37759520
If you have these instructions in the code:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

And you do not make further reference to $_GET, the error is a false-positive.  But you still want to upgrade PHP.  PHP 5.2 is not supported any more, not even for security releases.

Best regards, ~Ray
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37780409
hmm, I'm not sure how php's so called PCRE works in this case, but I'd assume that [^-0-9] is not what you want, better use [^0-9-]
(@php-gurus, please correct me if I'm wrong)

anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37781002
These produce congruent output.  See http://www.laprbass.com/RAY_temp_ahoffmann.php
<?Php // RAY_temp_ahoffmann.php
error_reporting(E_ALL);

// TEST DATA WITH UNWANTED CHARACTERS
$data = "1-5,000.3<evil>";

// REGULAR EXPRESSIONS TO ELIMINATE NON-NUMERICS
$rgx1
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '-'        // HYPHEN
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

$rgx2
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. '-'        // HYPHEN
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

// TEST THE EXPRESSIONS
$str1 = preg_replace($rgx1, NULL, $data);
var_dump($str1);

$str2 = preg_replace($rgx2, NULL, $data);
var_dump($str2);

Open in new window

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37781054
thanks ray for the test case, so we see that php handles hyphens differently than (most) other regex engines, nice to know ;-)
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 37803663
So, you may want to take a look at OWASP ESAPI so you don't (or continue) to reinvent the wheel. Validating the input (whitelist) is very important but you will also want to encode the output to prevent XSS. The API will do all of the encoding validation properly thus reducing the chance you are overlooking something.

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
wamp versus xampp 4 44
mysqli 3 18
RELATED: How do I fix this error:  Warning: strpos(): Empty needle on line 122 11 32
unset shopping cart session 15 29
Read about achieving the basic levels of HRIS security in the workplace.
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now