• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 600
  • Last Modified:

Nessus XSS warning

Hi, I'm doing a vulnerability scan on my php 5.2 / rhel5 / apache 2.2.8 web server and nessus gives me this output:

Solution Modify the relevant CGIs so that they filter metacharacters, convert &lt and &gt to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs : /eggster/eggster.php?l=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascript%3aa
lert(12345)%3b%22%3e&p=2012-03-07-29857172 (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
/eggster/eggster.php?l=50&p=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascrip
t%3aalert(12345)%3b%22%3e (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
An attacker may exploit this flaws to steal user's cookies

http://www.cgisecurity.com/articles/xss-faq.shtml

-----

I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

but I continue getting the error, what am I missing here?
0
eggster34
Asked:
eggster34
1 Solution
 
larsrohrCommented:
You'll want to filter out metacharacters in general, but < and > in particular.

You can use strip_tags() for a simplistic approach, or filter_tags(), or at least make a preg_replace to change < and > to &lt; and &gt;

I also found a more complete example function of sanitizing input against xss, just by googling for "preg_replace xss":

function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

do
{
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);

// we are done...
return $data;
}

Open in new window

0
 
eggster34Author Commented:
that helps a lot, many thanks!
0
 
Ray PaseurCommented:
If you have these instructions in the code:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

And you do not make further reference to $_GET, the error is a false-positive.  But you still want to upgrade PHP.  PHP 5.2 is not supported any more, not even for security releases.

Best regards, ~Ray
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
ahoffmannCommented:
hmm, I'm not sure how php's so called PCRE works in this case, but I'd assume that [^-0-9] is not what you want, better use [^0-9-]
(@php-gurus, please correct me if I'm wrong)

anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
0
 
Ray PaseurCommented:
These produce congruent output.  See http://www.laprbass.com/RAY_temp_ahoffmann.php
<?Php // RAY_temp_ahoffmann.php
error_reporting(E_ALL);

// TEST DATA WITH UNWANTED CHARACTERS
$data = "1-5,000.3<evil>";

// REGULAR EXPRESSIONS TO ELIMINATE NON-NUMERICS
$rgx1
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '-'        // HYPHEN
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

$rgx2
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. '-'        // HYPHEN
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

// TEST THE EXPRESSIONS
$str1 = preg_replace($rgx1, NULL, $data);
var_dump($str1);

$str2 = preg_replace($rgx2, NULL, $data);
var_dump($str2);

Open in new window

0
 
ahoffmannCommented:
thanks ray for the test case, so we see that php handles hyphens differently than (most) other regex engines, nice to know ;-)
0
 
pand0ra_usaCommented:
So, you may want to take a look at OWASP ESAPI so you don't (or continue) to reinvent the wheel. Validating the input (whitelist) is very important but you will also want to encode the output to prevent XSS. The API will do all of the encoding validation properly thus reducing the chance you are overlooking something.

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now