meeting-room-booking-system / mrbs-code

MRBS application code

Cross-Site Scripting: Reflected #653

Open jberanek opened 4 years ago

jberanek commented 4 years ago

I'm using MRBS 1.7.3 (and PHP 7.1 on a Windows Server 2016 machine), and my web team is saying they won't allow * tcp 80 in until I fix my cross-site scripting critical issue (which happens for search.php, day.php, week.php, month.php, report.php, view_entry.php, edit_entry.php, help.php, and admin.php); they use Fortify Software Security Center by Micro Focus; hoping one of their request/responses can help you (help me! please; sorry/thank you).

Request:

GET /day.php/%37%36%37%32%33 HTTP/1.1
Referer: https://pre.calendar.neurobio.pitt.edu/month.php?year=2019&month=09&day=23&area=2&room=5
Accept: */*
Pragma: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Host: pre.calendar.neurobio.pitt.edu
Connection: Keep-Alive
X-WIPP: AscVersion=19.1.0.311
X-Scan-Memo: Category="Audit.Attack"; SID="5AE6AAF7B243EED3031E43D6A2A41368"; PSID="1CF84C4C76DB345F21F5594AB0F5E3AA"; SessionType="AuditAttack"; CrawlType="None"; AttackType="UrlComponentManipulation"; OriginatingEngineID="1354e211-9d7d-4cc1-80e6-4de3fd128002"; AttackSequence="26"; AttackParamDesc=""; AttackParamIndex="1"; AttackParamSubIndex="0"; CheckId="5105"; Engine="Cross+Site+Scripting"; SmartMode="NonServerSpecificOnly"; AttackString="%2537%2536%2537%2532%2533"; AttackStringProps="Attack"; ThreadId="166"; ThreadType="AuditorStateRequestor"; 
X-RequestManager-Memo: sid="12920"; smi="0"; sc="1"; ID="95f46801-168f-49b8-b94b-8b9263d47c87"; 
X-Request-Memo: ID="b7a024f3-bdd7-4df6-aacb-058afde99f8f"; sc="1"; tid="166"; 
Cookie: CustomCookie=WebInspect0;MRBS_SESSID=ofi1rrv2o3n0f2lqgaieiga66o;TS018c07de=0134f538f17327295523ee841c20d66f1dd389bfa69ece299714a90b946cf4c9fcc96db0ee8d99a1638e12c9362ab29d176e925667;TS018c07de_26=0197b4c8ca6b6c045da5a03d31d5f7612f9bef15d1d3e8e2918c3f7fc5c44653531f36dae2e0e4196eb68b493c5ac42597348742e62025c2fd24c27a99bfe8a444352ea9af

Response:

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-Frame-Options: SAMEORIGIN
Date: Tue, 24 Sep 2019 01:06:50 GMT
Content-Length: 5745
Set-Cookie: TS018c07de=0134f538f17327295523ee841c20d66f1dd389bfa69ece299714a90b946cf4c9fcc96db0ee8d99a1638e12c9362ab29d176e925667; Path=/
Set-Cookie: TS018c07de_26=0197b4c8cacafc7e8a76503d42ebc56f8cd2e4dab1d3e8e2918c3f7fc5c44653531f36dae2da6ec48e57ed52b9bdc2acab5ec0d6539fd0fc7d2b66aa32e4a72ba20610c4c5; Path=/

<!DOCTYPE html>
<!--[if lte IE 9]>
<html lang="en" class="unsupported_browser">
<![endif]-->
<!--[if (!IE)|(gt IE 9)]><!-->
<html lang="en">
<!--<![endif]-->
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="csrf_token" content="106377b90dceb592aeb5d437871b8e260675ed93909d1e63ac6009f8173bb3f2">
<title>Meeting Room Booking System</title>
  <link href="jquery/ui/css/jquery-ui.structure.min.css" rel="stylesheet" type="text/css">
  <link href="jquery/ui/css/sunny/jquery-ui.theme.min.css" rel="stylesheet" type="text/css">
  <link href="jquery/datatables/css/jquery.dataTables.min.css" rel="stylesheet" type="text/css">
  <link href="jquery/datatables/css/buttons.dataTables.css" rel="stylesheet" type="text/css">
  <link href="jquery/datatables/css/fixedColumns.dataTables.min.css" rel="stylesheet" type="text/css">
  <link href="jquery/datatables/css/colReorder.dataTables.css" rel="stylesheet" type="text/css">

    <link rel="stylesheet" href="css/mrbs.css.php" type="text/css">
        <link rel="stylesheet" media="print" href="css/mrbs-print.css.php" type="text/css">
    <!--[if IE]>
    <link rel="stylesheet" href="css/mrbs-ie.css" type="text/css">
    <![endif]-->
        <meta name="robots" content="noindex, nofollow">
  <script type="text/javascript" src="jquery/jquery-3.2.1.min.js"></script>
    <script type="text/javascript" src="jquery/jquery-migrate-3.0.0.min.js"></script>
    <script type="text/javascript" src="jquery/ui/jquery-ui.min.js"></script>

<script type="text/javascript">
  //<![CDATA[
    function init(params)
  {
  }
  //]]>
</script>

<script type="text/javascript" src="js/functions.js.php?area=2"></script>
<script type="text/javascript" src="js/datepicker.js.php?area=2"></script>
<script type="text/javascript" src="js/general.js.php?area=2"></script>

<!--[if lte IE 8]>
      <script src="js/html5shiv.min.js"></script>
    <![endif]-->

<script type="text/javascript">

//<![CDATA[

$(window).on('load', function() {

  var args = {area: '2',
              room: '5',
              page: '76723',
              page_date: '2019-09-23',
              isAdmin: false};
    init(args);

});

//]]>
</script></head>
<body class="non_js 76723">
    <script type="text/javascript">
      //<![CDATA[
      $('body').addClass('js').removeClass('non_js');
      //]]>
    </script> 
    <div class="unsupported_message">
<header class="banner simple">
<nav>
<ul>
<li>
<div class="company">
<div class="logo">
<a href="http://www.pitt.edu">
<img src="PittLogoSimple.png" width="55" height="55" alt="Pitt">
</a>
</div>
<div id="more_info"><a href="http://www.neurobio.pitt.edu">Neurobiology</a><br /><small><small><a href="http://calendar.neurobio.pitt.edu">calendar.neurobio.pitt.edu</a></small></small></div>
<div class="mrbs">
<a href="index.php">Meeting Room Booking System</a>
</div>
</div>
</li>
</ul>
</nav>
</header>
<div class="contents">
<p>Unfortunately your browser isn't supported by MRBS.  You will need to upgrade to a more recent version, or else use another browser.</p>
</div>
</div>
<header class="banner">
<nav>
<ul>
<li>
<div class="company">
<div class="logo">
<a href="http://www.pitt.edu">
<img src="PittLogoSimple.png" width="55" height="55" alt="Pitt">
</a>
</div>
<div id="more_info"><a href="http://www.neurobio.pitt.edu">Neurobiology</a><br /><small><small><a href="http://calendar.neurobio.pitt.edu">calendar.neurobio.pitt.edu</a></small></small></div>
<div class="mrbs">
<a href="index.php">Meeting Room Booking System</a>
</div>
</div>
</li>
<li>
<form id="form_nav" method="get" action="day.php">
<input type="hidden" name="csrf_token" value="106377b90dceb592aeb5d437871b8e260675ed93909d1e63ac6009f8173bb3f2">
<input type="date" name="page_date" value="2019-09-23" required data-submit="form_nav">
<input type="submit" value="Go to">
</form>
</li>
<li>
<a href="help.php?day=23&amp;month=09&amp;year=2019">Help</a>
</li>
<li>
<a href="admin.php?day=23&amp;month=09&amp;year=2019">Rooms</a>
</li>
<li>
<a href="report.php?day=23&amp;month=09&amp;year=2019">Report</a>
</li>
<li>
<label><a href="search.php?advanced=1">Search</a></label>
<form id="header_search" method="post" action="search.php">
<input type="hidden" name="csrf_token" value="106377b90dceb592aeb5d437871b8e260675ed93909d1e63ac6009f8173bb3f2">
<input type="hidden" name="day" value="23">
<input type="hidden" name="month" value="09">
<input type="hidden" name="year" value="2019">
<input type="search" name="search_str" required>
</form>
</li>
<li id="logon_box">
<a href="">Unknown user</a>
<form method="post" action="admin.php">
<input type="hidden" name="csrf_token" value="106377b90dceb592aeb5d437871b8e260675ed93909d1e63ac6009f8173bb3f2">
<input type="hidden" name="target_url" value="76723?">
<input type="hidden" name="action" value="QueryName">
<input type="submit" value="Log in">
</form>
</li>
</ul>
</nav>
</header>
<div class="contents">
<p>You do not have the necessary rights to view this page.</p>
<form class="standard" id="logon" method="post" action="76723">
<input type="hidden" name="csrf_token" value="106377b90dceb592aeb5d437871b8e260675ed93909d1e63ac6009f8173bb3f2">
<input type="hidden" name="returl">
<input type="hidden" name="target_url" value="76723?">
<input type="hidden" name="action" value="SetName">
<fieldset>
<legend>Please log in</legend>
<div>
<label title="Name" for="username">User</label>
<input type="text" id="username" name="username" placeholder="Name" required autofocus>
</div>
<div>
<label for="password">Password</label>
<input type="password" id="password" name="password">
</div>
<div>
<label></label>
<input type="submit" value="Log in">
</div>
</fieldset>
</form>
</div>
  </body>
</html>

Reported by: hunter3740

Original Ticket: mrbs/bugs/448
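
What the scanner actually did, as an added triage example (this is not MRBS code and not the reporter's, and the two `render_*` sinks at the bottom are a hypothetical model, not MRBS's templates): the `X-Scan-Memo` header carries the probe double-encoded (`%2537...`), the request line carries it single-encoded (`%37%36%37%32%33`), and the web server decodes it into `PATH_INFO` as the digits `76723`. In the response above that value reappears in the `class` attribute of `<body>`, in the hidden `target_url` value and in the login form's `action`. A digits-only canary can only prove that a reflection point exists; it cannot tell whether the sink HTML-escapes, which is what separates a finding from an exploitable one. The helpers below locate the reflection contexts in the pasted response, then show how a follow-up probe containing a quote distinguishes an escaped attribute from a raw one. The response excerpt is constructed from the body shown above.

```python
import html
import re
from urllib.parse import unquote

# Constructed from the report above: the scanner's request path, the
# double-encoded AttackString from X-Scan-Memo, and the lines of the
# response body where the injected path segment reappears.
PROBE_PATH = "/day.php/%37%36%37%32%33"
SCAN_MEMO_ATTACK_STRING = "%2537%2536%2537%2532%2533"
RESPONSE_EXCERPT = (
    '<body class="non_js 76723">\n'
    '<p>You do not have the necessary rights to view this page.</p>\n'
    '<input type="hidden" name="target_url" value="76723?">\n'
    '<form class="standard" id="logon" method="post" action="76723">\n'
)

HTML_META = '"<>&\''


def fully_decode(s, max_rounds=5):
    """Percent-decode until the string stops changing, so a double-encoded
    scanner payload (%2537 -> %37 -> '7') ends up as what PHP will see."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def path_info(path):
    """Return the decoded segment after the script name, i.e. PATH_INFO."""
    m = re.match(r"[^?]*?\.php(/[^?]*)", path)
    return fully_decode(m.group(1)).lstrip("/") if m else ""


def reflection_contexts(token, body):
    """For every verbatim occurrence of token, report ('attr', name) when it
    sits inside a double-quoted attribute value, otherwise ('text',)."""
    found = []
    for m in re.finditer(re.escape(token), body):
        before = body[: m.start()]
        attr = re.search(r'(\w+)="[^"]*$', before)
        found.append(("attr", attr.group(1)) if attr else ("text",))
    return found


def probe_state(token, body):
    """'raw' if token appears verbatim, 'escaped' if only its HTML-escaped
    form appears, 'absent' otherwise."""
    if token in body:
        return "raw"
    if html.escape(token, quote=True) in body:
        return "escaped"
    return "absent"


def verdict(token, body):
    """Turn the two checks into the answer a reviewer of the finding wants."""
    state = probe_state(token, body)
    if state == "absent":
        return "not reflected"
    if state == "escaped":
        return "reflected but HTML-escaped"
    if not any(ch in token for ch in HTML_META):
        return "reflected; resend with metacharacters to test escaping"
    if any(c[0] == "attr" for c in reflection_contexts(token, body)):
        return "reflected raw inside an attribute value"
    return "reflected raw into text"


# Hypothetical model sinks (assumption, NOT MRBS code): the same attribute
# written without and with HTML-escaping, to show what a follow-up probe
# containing a quote looks like in each case.
def render_unescaped(value):
    return f'<form method="post" action="{value}">'


def render_escaped(value):
    return f'<form method="post" action="{html.escape(value, quote=True)}">'


if __name__ == "__main__":
    token = path_info(PROBE_PATH)
    print("PATH_INFO seen by PHP:", token)
    print("contexts:", reflection_contexts(token, RESPONSE_EXCERPT))
    print("verdict on the scanner's probe:", verdict(token, RESPONSE_EXCERPT))
    follow_up = token + '"x'
    for sink in (render_unescaped, render_escaped):
        print(sink.__name__, "->", verdict(follow_up, sink(follow_up)))
```

Run against the pasted response, the numeric probe lands in three attribute contexts (`class`, `value`, `action`) and the verdict is to resend with metacharacters; only that second request, against the live instance, shows whether the attribute sink escapes or not.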

jberanek commented 4 years ago

I have sent you a private message.

Original comment by: campbell-m