Solved

Nessus XSS warning

Posted on 2012-03-23
7
579 Views
Last Modified: 2012-06-06
Hi, I'm doing a vulnerability scan on my php 5.2 / rhel5 / apache 2.2.8 web server and nessus gives me this output:

Solution Modify the relevant CGIs so that they filter metacharacters, convert &lt and &gt to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs : /eggster/eggster.php?l=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascript%3aa
lert(12345)%3b%22%3e&p=2012-03-07-29857172 (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
/eggster/eggster.php?l=50&p=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascrip
t%3aalert(12345)%3b%22%3e (XSS pattern: &lt /script&gt &lt IMG SRC="javascript:alert(12345) "&gt )
An attacker may exploit this flaws to steal user's cookies

http://www.cgisecurity.com/articles/xss-faq.shtml

-----

I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

but I continue getting the error, what am I missing here?
0
Comment
Question by:eggster34
7 Comments
 
LVL 12

Accepted Solution

by:
larsrohr earned 500 total points
ID: 37758909
You'll want to filter out metacharacters in general, but < and > in particular.

You can use strip_tags() for a simplistic approach, or filter_tags(), or at least make a preg_replace to change < and > to &lt; and &gt;

I also found a more complete example function of sanitizing input against xss, just by googling for "preg_replace xss":

function xss_clean($data)
{
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

do
{
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);

// we are done...
return $data;
}

Open in new window

0
 

Author Comment

by:eggster34
ID: 37759154
that helps a lot, many thanks!
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37759520
If you have these instructions in the code:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

And you do not make further reference to $_GET, the error is a false-positive.  But you still want to upgrade PHP.  PHP 5.2 is not supported any more, not even for security releases.

Best regards, ~Ray
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 51

Expert Comment

by:ahoffmann
ID: 37780409
hmm, I'm not sure how php's so called PCRE works in this case, but I'd assume that [^-0-9] is not what you want, better use [^0-9-]
(@php-gurus, please correct me if I'm wrong)

anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37781002
These produce congruent output.  See http://www.laprbass.com/RAY_temp_ahoffmann.php
<?Php // RAY_temp_ahoffmann.php
error_reporting(E_ALL);

// TEST DATA WITH UNWANTED CHARACTERS
$data = "1-5,000.3<evil>";

// REGULAR EXPRESSIONS TO ELIMINATE NON-NUMERICS
$rgx1
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '-'        // HYPHEN
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

$rgx2
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. '-'        // HYPHEN
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

// TEST THE EXPRESSIONS
$str1 = preg_replace($rgx1, NULL, $data);
var_dump($str1);

$str2 = preg_replace($rgx2, NULL, $data);
var_dump($str2);

Open in new window

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37781054
thanks ray for the test case, so we see that php handles hyphens differently than (most) other regex engines, nice to know ;-)
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 37803663
So, you may want to take a look at OWASP ESAPI so you don't (or continue) to reinvent the wheel. Validating the input (whitelist) is very important but you will also want to encode the output to prevent XSS. The API will do all of the encoding validation properly thus reducing the chance you are overlooking something.

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now