elfuchsjekyll / vosao

Automatically exported from code.google.com/p/vosao

Stored XSS in Registration Plugin #149

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Test:
1) Open the registration form for user self registration
2) Enter the following XSS Strings in the fields (everything after the :)

Name: "><script>alert("Cross Site Scripting in the Name field");</script>

Email: "><script>alert("Cross Site Scripting in the Email field");</script>

Password & Confirmation: Anything you like while the field is not 
vulnerable as long as the password is not shown anywhere

3) Now, as administrator, open the plugins configuration page and you will 
see that the Javascript code injected in the fields is executed in the 
configuration interface with the rights of the currently logged-on user.

Critical issue:
This could lead to the scenario that anybody could execute javascript code 
under administrator rights.

I would recommend using something such as the OWASP ESAPI security library to 
secure the code: 
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

- Detailed information about XSS: http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- XSS Prevention Cheat sheet: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Original issue reported on code.google.com by mithan...@gmail.com on 9 Mar 2010 at 9:36

GoogleCodeExporter commented 9 years ago
Implemented using http://josephoconnell.com/java/xss-html-filter/

Also added xss filter for form values.

Original comment by kinyelo@gmail.com on 10 Mar 2010 at 11:42

GoogleCodeExporter commented 9 years ago
That did not work for the registration page. See attached screenshots.

Input was: "><script>alert("Bla");</script> in the name field.

If you want to go for the blacklist approach there is a huge regex file (part 
of a PHP IDS system) which you could just check against: 
https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml

New filters and attack vectors are discussed here: 
http://sla.ckers.org/forum/read.php?12,30425,page=1

Original comment by mithan...@gmail.com on 11 Mar 2010 at 9:41

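The defence both comments circle around is context-aware output encoding of stored form values, as opposed to the blacklist filtering the second comment warns is hard to get right. The following is an added example for this thread, not Vosao code and not part of the filter library linked above; the class and method names are illustrative, and the two sample inputs are the payload strings quoted in the report. It encodes a stored name and email for HTML element content and for a quoted attribute value, so the leading `">` can no longer close the attribute and the `<script>` tag is rendered as literal text, and it adds an allow-list check for the email field at input time.

```java
import java.util.regex.Pattern;

/**
 * Added example: output encoding for registration values when the admin
 * plugin page renders them. Not Vosao's own code; names are illustrative.
 */
public final class RegistrationOutputEncoding {

    // Constructed sample input: the two payload strings from the report above.
    static final String NAME_PAYLOAD =
        "\"><script>alert(\"Cross Site Scripting in the Name field\");</script>";
    static final String EMAIL_PAYLOAD =
        "\"><script>alert(\"Cross Site Scripting in the Email field\");</script>";

    /**
     * Escape every character that can change meaning in HTML element content
     * or inside a double- or single-quoted attribute value. This is the set the
     * OWASP XSS prevention cheat sheet lists; it is an allow-all-then-encode
     * approach, so it does not depend on recognising attack patterns.
     */
    public static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Allow-list check applied to the email field before the value is stored.
    // Deliberately simple; it rejects anything that is not shaped like an address.
    private static final Pattern SIMPLE_EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    public static boolean isPlausibleEmail(String email) {
        return email != null
            && email.length() <= 254
            && SIMPLE_EMAIL.matcher(email).matches();
    }

    /**
     * Render one row of the administrator's user list. The name lands in a
     * quoted attribute (value="..."), the email in element content; both are
     * encoded for their context before concatenation.
     */
    public static String renderUserRow(String name, String email) {
        String safeName = encodeForHtml(name);
        String safeEmail = encodeForHtml(email);
        return "<tr>"
             + "<td><input type=\"text\" name=\"name\" value=\"" + safeName + "\"></td>"
             + "<td>" + safeEmail + "</td>"
             + "</tr>";
    }

    public static void main(String[] args) {
        String row = renderUserRow(NAME_PAYLOAD, EMAIL_PAYLOAD);
        System.out.println(row);
        // The only '<' characters left in the row are the ones the template wrote,
        // so the stored payload cannot open a script element or close the attribute.
        System.out.println("row contains a script tag: " + row.contains("<script"));
        System.out.println("payload accepted as email: " + isPlausibleEmail(EMAIL_PAYLOAD));
        System.out.println("normal address accepted:   " + isPlausibleEmail("alice@example.com"));
    }
}
```

Running `main` prints the encoded row, then `false`, `false`, `true`: the script tag survives only as `&lt;script&gt;` text, the payload is rejected as an email at input time, and an ordinary address passes. If the project adopts OWASP ESAPI as the report suggests, `ESAPI.encoder().encodeForHTML(...)` and `encodeForHTMLAttribute(...)` provide the same encoding step with per-context rules, and the encoding belongs at render time in every page that displays the stored value, not only on the registration form.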

GoogleCodeExporter commented 9 years ago
I just checked svn code and it works well. Please checkout from svn.

Original comment by kinyelo@gmail.com on 12 Mar 2010 at 7:57