Payum / PayumServer

Payment processing microservice. Written in Symfony4
https://payum.forma-pro.com/
MIT License

XSS in PayumServer #43

Closed itmox closed 7 years ago

itmox commented 8 years ago

A reflected XSS vulnerability in PayumServer can be performed.

PoC: by inserting

as the gateway name, the server returns the message: "Parameter "name" for route "gateway_get" must match "[^/]++" ("" given) to generate a corresponding URL." but also delivers the injected script, which is executed in the browser.

The issue can be solved by not returning the input after checking it, or by sanitizing and escaping the returned string before delivering it to the client.

Unfortunately we were unable to install PayumServer and fix the bug.


makasim commented 8 years ago

Not sure what to do. The UI is not meant to be used by untrusted people. It is backend stuff and only an admin or a manager has access to it. They won't do XSS injections, I hope.

The API must not be publicly accessible either. Though the security topic is not solved yet in Payum. It is a PoC and everything is public for now.

makasim commented 8 years ago

Thanks for raising and starting a discussion on this topic.

makasim commented 8 years ago

What problems did you face trying to install payumserver?

nilportugues commented 8 years ago

Strict input data validation should clear this up.

makasim commented 8 years ago

What do you mean by strict data validation?

nilportugues commented 8 years ago

Giving some ideas to harden security.

It will make the code slower, but more secure, and that's what we want for Payum.

makasim commented 8 years ago

Why should we bother about it? The functionality is accessible by a limited set of users. They work at your company.

We can do a change audit: what was changed and by which user.

nilportugues commented 8 years ago

Yeah, just as an idea. I agree with you it's overkill @makasim.

itmox commented 8 years ago

Hey, I already fixed this issue in my pull request. Just an example: Jack (a client) wants Barbara (a secretary) to add a gateway. In a mail he sends her the name (an XSS) and the XSS sends information (user token etc.) to Jack.

I understood that the Gateway is only accessible by a limited set of users, but the security awareness of these users is important. I always ask myself "what if my mum would be the secretary?"

makasim commented 8 years ago

I gave it one more thought and now I tend to think we have to sanitize it. Maybe a regexp validation rule for some fields would be the way to go.
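The two fixes discussed in this thread, refusing to echo the raw input back in the error message and validating the gateway name against a regexp before it reaches the router, are shown below as an added example. This is not PayumServer code and not the pull request mentioned above; the function names, the `GATEWAY_NAME_PATTERN` regexp and the sample gateway names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example, not PayumServer code. The allowed-name pattern is an
// assumption: a gateway name must be 1-64 characters of letters, digits,
// "_" or "-", which is a strict subset of the router's own "[^/]++" rule.
const GATEWAY_NAME_PATTERN = '/^[A-Za-z0-9][A-Za-z0-9_\-]{0,63}$/';

function isValidGatewayName(string $name): bool
{
    return preg_match(GATEWAY_NAME_PATTERN, $name) === 1;
}

// Shape of the reported behaviour: the rejected value is interpolated into
// an HTML error page as-is, so a name containing markup is rendered by the
// browser instead of being shown as text.
function renderErrorVulnerable(string $name): string
{
    return '<p>Parameter "name" for route "gateway_get" must match "[^/]++" ("'
        . $name . '" given) to generate a corresponding URL.</p>';
}

// Hardened variant, option 1 from the report: validate first and answer with
// a generic message that does not contain the submitted value at all.
function renderErrorHardened(string $name): string
{
    if (isValidGatewayName($name)) {
        return '';
    }
    return '<p>Invalid gateway name: only letters, digits, "_" and "-" are allowed.</p>';
}

// Option 2 from the report: when the value must be echoed (for example in an
// admin UI), escape it for the HTML context it lands in. ENT_QUOTES covers
// attribute contexts too; the explicit charset avoids encoding confusion.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderErrorEscaped(string $name): string
{
    return '<p>Invalid gateway name "' . escapeHtml($name) . '".</p>';
}

// For the JSON API the same principle applies: never hand the browser a
// body it can interpret as HTML. JSON_HEX_* escapes "<", ">", "&" and quotes
// so the payload stays inert even if a client mistakenly renders it as HTML.
function jsonError(string $name): string
{
    return json_encode(
        ['error' => 'Invalid gateway name', 'name' => $name],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample inputs: a benign name and a name carrying markup.
$samples = ['paypal_express', '<img src=x onerror="alert(1)">'];

foreach ($samples as $name) {
    echo "input: {$name}\n";
    echo "  valid:      " . (isValidGatewayName($name) ? 'yes' : 'no') . "\n";
    echo "  vulnerable: " . renderErrorVulnerable($name) . "\n";
    echo "  hardened:   " . renderErrorHardened($name) . "\n";
    echo "  escaped:    " . renderErrorEscaped($name) . "\n";
    echo "  json:       " . jsonError($name) . "\n";
}
```

The validation step is the one that belongs at the edge of the application (a Symfony validator constraint on the gateway name field would do the same job); escaping is still needed wherever the value is rendered, because a value that passes `[^/]++` can still contain `<` and `"`. Run it with `php example.php` to see the unescaped markup in the "vulnerable" line and the entity-encoded form in the "escaped" and "json" lines.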