Solved

Nessus XSS warning

Posted on 2012-03-23
Last Modified: 2012-06-06
Hi, I'm doing a vulnerability scan on my php 5.2 / rhel5 / apache 2.2.8 web server and nessus gives me this output:

Solution Modify the relevant CGIs so that they filter metacharacters, convert < and > to escape sequences
Risk factor Medium / CVSS Base Score : 4.3
"Non-persistent Cross-Site Scripting Vulnerability"
"CGI abuses : XSS "
"Medium Priority
See also:
Plugin
Category
Priority
Description The following CGI script seem to be vulnerable to XSS non-persistent hole : /eggster/eggster.php
Unsafe arguments : l p
Unsafe URLs :
/eggster/eggster.php?l=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascript%3aalert(12345)%3b%22%3e&p=2012-03-07-29857172 (XSS pattern: </script><IMG SRC="javascript:alert(12345);">)
/eggster/eggster.php?l=50&p=%3c%2fscript%3e%3cIMG%20SRC%3d%22javascript%3aalert(12345)%3b%22%3e (XSS pattern: </script><IMG SRC="javascript:alert(12345);">)
An attacker may exploit this flaws to steal user's cookies

http://www.cgisecurity.com/articles/xss-faq.shtml

-----

I have made changes to my script and included these lines, which are the only variables present on my website that is publicly available:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

but I continue getting the error, what am I missing here?
0
Question by:eggster34
7 Comments
 
LVL 12

Accepted Solution

by:
larsrohr earned 500 total points
ID: 37758909
You'll want to filter out metacharacters in general, but < and > in particular.

You can use strip_tags() for a simplistic approach, or filter_tags(), or at least make a preg_replace to change < and > to &lt; and &gt;

I also found a more complete example function of sanitizing input against xss, just by googling for "preg_replace xss":

function xss_clean($data)
{
    // Fix &entity\n;
    $data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
    $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
    $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
    $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

    // Remove any attribute starting with "on" or xmlns
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do
    {
        // Remove really unwanted tags
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    }
    while ($old_data !== $data);

    // we are done...
    return $data;
}


0
 

Author Comment

by:eggster34
ID: 37759154
that helps a lot, many thanks!
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37759520
If you have these instructions in the code:

$var1 = preg_replace('/[^-0-9]/', null, $_GET['l']);
$var2 = preg_replace('/[^-0-9]/', null, $_GET['p']);

And you do not make further reference to $_GET, the error is a false-positive.  But you still want to upgrade PHP.  PHP 5.2 is not supported any more, not even for security releases.

Best regards, ~Ray
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37780409
hmm, I'm not sure how php's so called PCRE works in this case, but I'd assume that [^-0-9] is not what you want, better use [^0-9-]
(@php-gurus, please correct me if I'm wrong)

anyway, if nessus reports the XSS it detects passed values reflected in the response unescaped, which means that the sanitation (better: output encoding) did not work
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37781002
These produce congruent output.  See http://www.laprbass.com/RAY_temp_ahoffmann.php
<?php // RAY_temp_ahoffmann.php
error_reporting(E_ALL);

// TEST DATA WITH UNWANTED CHARACTERS
$data = "1-5,000.3<evil>";

// REGULAR EXPRESSIONS TO ELIMINATE NON-NUMERICS
$rgx1
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '-'        // HYPHEN
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

$rgx2
= '#'        // REGEX DELIMITER
. '['        // BEGIN CHARACTER CLASS
. '^'        // NEGATION - MATCH NONE OF THESE CHARACTERS
. '0-9'      // CHARACTER RANGE ZERO THROUGH NINE
. '-'        // HYPHEN
. ']'        // ENDOF CHARACTER CLASS
. '#'        // REGEX DELIMITER
;

// TEST THE EXPRESSIONS
$str1 = preg_replace($rgx1, NULL, $data);
var_dump($str1);

$str2 = preg_replace($rgx2, NULL, $data);
var_dump($str2);


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37781054
thanks ray for the test case, so we see that php handles hyphens differently than (most) other regex engines, nice to know ;-)
0
 
LVL 10

Expert Comment

by:pand0ra_usa
ID: 37803663
So, you may want to take a look at OWASP ESAPI so you don't (or continue) to reinvent the wheel. Validating the input (whitelist) is very important but you will also want to encode the output to prevent XSS. The API will do all of the encoding validation properly thus reducing the chance you are overlooking something.

https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
0
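
Added example (not code from the thread or from any poster): allow-list validation of the l and p parameters combined with output encoding, plus the same check the scanner applies to decide whether the probe was reflected. The page template, the helper names and the format assumed for p are hypothetical; the probe string is the decoded value from the Nessus report quoted in the question.

```php
<?php
// Added example; the page template and the format assumed for "p" are hypothetical.

// Decoded probe value from the "Unsafe URLs" lines of the Nessus report above.
$probe = '</script><IMG SRC="javascript:alert(12345);">';
// Constructed request: the probe arrives in p, as in the second unsafe URL.
$request = ['l' => '50', 'p' => $probe];

// Allow-list check: accept the value only if the whole string matches.
// \A and \z anchor the full input; "$" would also accept a trailing newline.
function valid_or_default($value, $pattern, $default)
{
    return (is_string($value) && preg_match($pattern, $value) === 1) ? $value : $default;
}

// Encode for HTML text and quoted attribute values at the point of output.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Case 1: a filtered copy exists, but the template still prints the raw parameter.
function render_leaky(array $get)
{
    $var2 = preg_replace('/[^-0-9]/', '', $get['p'] ?? '');
    return '<a href="?p=' . ($get['p'] ?? '') . '">page ' . $var2 . '</a>';
}

// Case 2: validate on input, use only the validated values, encode on output.
function render_hardened(array $get)
{
    $l = valid_or_default($get['l'] ?? null, '/\A[0-9]{1,4}\z/', '50');
    // Assumed format for p, modelled on the sample value 2012-03-07-29857172.
    $p = valid_or_default($get['p'] ?? null, '/\A[0-9]{4}(-[0-9]{2}){2}-[0-9]{1,10}\z/', '');
    return '<a href="?l=' . h($l) . '&amp;p=' . h($p) . '">page ' . h($p) . '</a>';
}

// The scanner's test: does the probe come back byte-for-byte in the response?
function reflected_unescaped($html, $probe)
{
    return strpos($html, $probe) !== false;
}

var_dump(reflected_unescaped(render_leaky($request), $probe));     // raw parameter still printed
var_dump(reflected_unescaped(render_hardened($request), $probe));  // rejected by validation
var_dump(reflected_unescaped('<p>' . h($probe) . '</p>', $probe)); // encoding alone
```

The first call reports a reflection even though a filtered copy of the parameter exists, because the template still prints the raw request value; the other two do not.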
