
Cross Site Scripting issues

Thread began 7/30/2010 5:46 pm by webassist2366041 | Last modified 8/05/2010 11:36 am by Ray Borduin | 3025 views | 12 replies |

webassist2366041

Cross Site Scripting issues

I created forms for the upload of files and for the processing of credit cards. They have been in place since last year and have not been changed except for text changes.

Our site has passed security compliance scans by SecurityMetrics.com during that time until this week when it failed.

SecurityMetrics techs said that there were cross site scripting problems on pages, such as this one:
manuscript_submission.html. He said to make sure that our host was sanitizing all user input for html code. Characters : < > / \ ? = ' and "

I sent that information to our host. Their tech support said that it was a problem that must be solved by the web designer -- i.e., me -- and that they didn't support third-party programs.

Our merchant account is in jeopardy because we are now non-compliant and fees have begun to accrue.

I even removed that page to see if it would pass (which it didn't), but there are other pages that have the same problem. I will put it back up after I finish this message so that you can see it.

I don't know if the following is related or it's a different problem. When opening a page, I got this error:
JavaScript error while loading WA eCart AdvCo.htm: At line 746 of the file "Macintosh HD:Applications:Adobe Dreamweaver CS3:Configeration:Shared:Controls:Scripts:WATrigger.js": ReferenceError: WA_getDocumentDOM is not defined

Another page had this error: While executing analyzeServerBehavior in WA eCart AdvCo.htm, a JavaScript error occurred.

Both of these might have absolutely nothing to do with the non-compliance issue.

As soon as I send this message to you, I'll put the page mentioned above back online so that you can see it.

Please help us.


webassist2366041

Addendum to Last Message Re First Data

I put the page back up.

The SECOND error that I mentioned before was for this page:
checkout-design.php

Those might just be errors that have nothing to do with the cross site scripting.


Eric Mittman

I moved this post to a new thread as it does not seem to be related to the linkpoint checkout or any updates to it.

Can you post back with the page in question in a zip archive, as well as any other page that was flagged in the audit? It seems that if there were a couple of extra checks in place on these pages to ensure that nothing other than the expected values can be used, you would not be getting these failures.


webassist2366041

Requested Pages

Here are two of the pages that failed.

Attached Files
Examples of Failures.zip

webassist2366041

The PDF of the Failed Scan

This post has been deleted.

Ray Borduin (WebAssist)

Cross site scripting security holes open when you display a value from a form directly without encoding characters... particularly "<" and ">", which could be used by a cross site scripting hack to run JavaScript or other code.

Of the two pages you sent... one is corrupt and I can't read it, and the other is the form itself. The cross site scripting vulnerability would actually be exposed and fixed on the action page of that form. The form itself looks fine; cross site scripting is about what you do with the results of the form, not problems with the form itself.


webassist2366041

I have no idea what you mean.

I'm told the following by the security compliance tech.

The request string used to detect this flaw was:

/bookstore/iwas/?<script>cross_site_scripting.nasl</script>

The output was :

HTTP/1.1 200 OK
Date: Sun, 01 Aug 2010 16:09:59 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=7297c80b054a9bdd89abf3d134038e37; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Following is the location of the script in the source code. This is the cross site scripting vulnerability. This is an example and may not be limited simply to this page.

[...]
<!-- InstanceBeginEditable name="body" --> <table width="628" border="1" align="center" cellpadding="0" cellspacing="2" bordercolor="#000000" background="../images/backgrounds/bg-tan-sponge.gif">
<tr>
<td width="628" align="center" valign="top"><form name="WA_eCartBooks_Display" method="POST" action="/bookstore/iwas/index.php?<script>cross_site_scripting.nasl</script>">
<table width="370" cellspacing="0" border="0" cellpadding="5" class="S3C_QuickCartLayout">
<tr>
[...]


Please help me. I'm traveling in the dark. What do I do in non-technical terms?


Ray Borduin (WebAssist)

Update the form action on the page:

/bookstore/iwas/index.php

Just set the action to: "/bookstore/iwas/index.php"


webassist2366041

I opened the page /bookstore/iwas/index.php.

I looked at the action field.

It says:
<?php echo $_SERVER["PHP_SELF"]; ?><?php echo (isset($_SERVER["QUERY_STRING"]) && $_SERVER["QUERY_STRING"] != "")?"?".$_SERVER["QUERY_STRING"]:""; ?>

On the Server Behaviors tab, it says: Dynamic Attribute (and the information above).

I don't know what to do.


Ray Borduin (WebAssist)

Remove that, and just set the action to: "/bookstore/iwas/index.php"

That should fix the problem.

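The fix discussed in this thread, as an added example (not WebAssist's code and not part of the original posts): the Dynamic Attribute quoted above next to the fixed action and an encoded variant. The function names, the simulated `$_SERVER` values and the encoded variant are assumptions for illustration; the query string is the scanner's request quoted in the thread.

```php
<?php
// Added example. Simulates the scanner's request from the thread so the
// script runs from the PHP command line without a web server (constructed values).
$_SERVER['PHP_SELF']     = '/bookstore/iwas/index.php';
$_SERVER['SCRIPT_NAME']  = '/bookstore/iwas/index.php';
$_SERVER['QUERY_STRING'] = '<script>cross_site_scripting.nasl</script>';

// Before: the Dynamic Attribute quoted in the thread, wrapped in a function.
// Both values come from the request and are written into the HTML unencoded.
function vulnerable_action(): string
{
    $qs = $_SERVER['QUERY_STRING'] ?? '';
    return $_SERVER['PHP_SELF'] . ($qs !== '' ? '?' . $qs : '');
}

// Fix 1 (the one given in the thread): a fixed action with no request data in it.
function static_action(): string
{
    return '/bookstore/iwas/index.php';
}

// Fix 2 (assumption: the page must keep its query string on submit).
// SCRIPT_NAME does not carry trailing path info the way PHP_SELF can, and the
// whole value is encoded for use inside a quoted HTML attribute.
function encoded_action(): string
{
    $qs  = $_SERVER['QUERY_STRING'] ?? '';
    $url = $_SERVER['SCRIPT_NAME'] . ($qs !== '' ? '?' . $qs : '');
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach (['vulnerable_action', 'static_action', 'encoded_action'] as $fn) {
    $action = $fn();
    // A raw '<' in the attribute value means request markup was reflected unencoded,
    // which is the condition the compliance scan reported.
    $status = (strpos($action, '<') === false) ? 'ok' : 'REFLECTED';
    printf("%-18s %-9s <form method=\"POST\" action=\"%s\">\n", $fn, $status, $action);
}
```

The same check applies to any other page built with the same Dynamic Attribute, since the scan report says the finding may not be limited to this page.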