eggster34
asked on
Nessus XSS warning
Hi, I'm doing a vulnerability scan on my php 5.2 / rhel5 / apache 2.2.8 web server and nessus gives me this output:
Solution Modify the relevant CGIs so that they filter metacharacters, convert < and > to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs : /eggster/eggster.php?l=%3c %2fscript% 3e%3cIMG%2 0SRC%3d%22 javascript %3aa
lert(12345)%3b%22%3e&p=201 2-03-07-29 857172 (XSS pattern: < /script> < IMG SRC="javascript:alert(1234 5) "> )
/eggster/eggster.php?l=50& p=%3c%2fsc ript%3e%3c IMG%20SRC% 3d%22javas crip
t%3aalert(12345)%3b%22%3e (XSS pattern: < /script> < IMG SRC="javascript:alert(1234 5) "> )
An attacker may exploit this flaws to steal user's cookies
http://www.cgisecurity.com/articles/xss-faq.shtml
-----
I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:
$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);
but I continue getting the error, what am I missing here?
Solution Modify the relevant CGIs so that they filter metacharacters, convert < and > to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs : /eggster/eggster.php?l=%3c
lert(12345)%3b%22%3e&p=201
/eggster/eggster.php?l=50&
t%3aalert(12345)%3b%22%3e (XSS pattern: < /script> < IMG SRC="javascript:alert(1234
An attacker may exploit this flaws to steal user's cookies
http://www.cgisecurity.com/articles/xss-faq.shtml
-----
I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:
$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);
but I continue getting the error, what am I missing here?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you have these instructions in the code:
$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);
And you do not make further reference to $_GET, the error is a false-positive. But you still want to upgrade PHP. PHP 5.2 is not supported any more, not even for security releases.
Best regards, ~Ray
$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);
And you do not make further reference to $_GET, the error is a false-positive. But you still want to upgrade PHP. PHP 5.2 is not supported any more, not even for security releases.
Best regards, ~Ray
hmm, I'm not sure how php's so called PCRE works in this case, but I'd assume that [^-0-9] is not what you want, better use [^0-9-]
(@php-gurus, please correct me if I'm wrong)
anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
(@php-gurus, please correct me if I'm wrong)
anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
These produce congruent output. See http://www.laprbass.com/RAY_temp_ahoffmann.php
<?Php // RAY_temp_ahoffmann.php
error_reporting(E_ALL);
// TEST DATA WITH UNWANTED CHARACTERS
$data = "1-5,000.3<evil>";
// REGULAR EXPRESSIONS TO ELIMINATE NON-NUMERICS
$rgx1
= '#' // REGEX DELIMITER
. '[' // BEGIN CHARACTER CLASS
. '^' // NEGATION - MATCH NONE OF THESE CHARACTERS
. '-' // HYPHEN
. '0-9' // CHARACTER RANGE ZERO THROUGH NINE
. ']' // ENDOF CHARACTER CLASS
. '#' // REGEX DELIMITER
;
$rgx2
= '#' // REGEX DELIMITER
. '[' // BEGIN CHARACTER CLASS
. '^' // NEGATION - MATCH NONE OF THESE CHARACTERS
. '0-9' // CHARACTER RANGE ZERO THROUGH NINE
. '-' // HYPHEN
. ']' // ENDOF CHARACTER CLASS
. '#' // REGEX DELIMITER
;
// TEST THE EXPRESSIONS
$str1 = preg_replace($rgx1, NULL, $data);
var_dump($str1);
$str2 = preg_replace($rgx2, NULL, $data);
var_dump($str2);
thanks ray for the test case, so we see that php handles hyphens differently than (most) other regex engines, nice to know ;-)
So, you may want to take a look at OWASP ESAPI so you don't (or continue) to reinvent the wheel. Validating the input (whitelist) is very important but you will also want to encode the output to prevent XSS. The API will do all of the encoding validation properly thus reducing the chance you are overlooking something.
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
ASKER