Hey there,
I found a XSS Vulnerability within the OSS-PHP Pagination Class ...
oss_paging.class.php --> public function compute()
As you simply output $_SERVER['REQUEST_URI'] one can inject malicious JS Code ...
/search.html?p=170"><script>prompt(955422)</script>&query=1&rows=15"><script>prompt(955422)</script>&blubb="><script>prompt(955422)</script>
One can inject within known Parameters like p or rows - or even with dummy Parameters ...
modified it a bit to be safe for the known parameters - but not sure how to protect the dummy Parameters ... guess the whole Function needs to be adapted to be safe ... (go through every GET Param and sanitize input)
Anyone got a better idea?
Bye from snowy Austria
Andreas Schnederle-Wagner
Last edit: randome 2015-03-04
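One answer to the "go through every GET Param and sanitize input" question, as an added example that is not code from the OSS-PHP pagination class: instead of echoing $_SERVER['REQUEST_URI'], rebuild each paging link from an allowlist of known parameters with http_build_query() and escape it for the attribute context with htmlspecialchars(). The parameter names query, rows and p come from the URLs in this thread; the base path /search.html, the function names and the sample input are assumptions.

```php
<?php
// Added example, not the pagination class's own code.

// The pattern the thread describes: the raw request URI is placed into an
// href attribute, so a quote in any parameter closes the attribute.
function pagingLinkUnsafe(string $requestUri, string $label): string
{
    return '<a href="' . $requestUri . '">' . $label . '</a>';
}

// Hardened form: copy only known parameters, cast numeric ones, then let
// http_build_query() percent-encode values and htmlspecialchars() escape
// the result for HTML. Unknown ("dummy") parameters are simply dropped.
function pagingLink(array $get, int $page, string $basePath, string $label): string
{
    $allowed = ['query', 'rows'];          // allowlist of parameters to keep
    $params = [];
    foreach ($allowed as $name) {
        if (isset($get[$name]) && is_string($get[$name])) {
            $params[$name] = $get[$name];
        }
    }
    if (isset($params['rows'])) {
        $params['rows'] = (int) $params['rows'];   // numeric only
    }
    $params['p'] = $page;                          // page number is an int

    $href = $basePath . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample input mirroring the thread's test URL (no real request).
$sampleGet = [
    'query' => '1',
    'blubb' => '"><script>prompt(955422)</script>',
    'rows'  => '15"><script>prompt(955422)</script>',
    'p'     => '5"><script>prompt(955422)</script>',
];
$sampleUri = '/search.html?' . http_build_query($sampleGet);

echo pagingLinkUnsafe(urldecode($sampleUri), '>>Letzte Seite'), "\n"; // markup leaks through
echo pagingLink($sampleGet, 171, '/search.html', '>>Letzte Seite'), "\n"; // inert text only
```

With the hardened version the quote and angle brackets can no longer terminate the href attribute, and the unknown blubb parameter never reaches the output at all.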
Hello,
Thank you for your warning. However I have some trouble understanding how this could result in an XSS vulnerability. Could you please explain what a full workflow would be?
Thank you,
Alexandre
Hi Alexandre,
if I call the Page like this:
/search.html?query=1&blubb="><script>prompt(955422)</script>&rows=15"><script>prompt(955422)</script>&p=5"><script>prompt(955422)</script>
it results in an Output like this:
<a href="/Kitzbueheler-Anzeiger-Suche_pid,19085,type,search.html?query=1&blubb="><script>prompt(955422)</script>"><script>prompt(955422)</script>"><script>prompt(955422)</script>&rows=15&p=171">>>Letzte Seite
So I can inject any JS I want ;-)
Andreas
alright - seems I broke the board with this Code ... ;-)
URL: /search.html?query=1&blubb="><script>prompt(955422)</script>&rows=15"><script>prompt(955422)</script>&p=5"><script>prompt(955422)</script>
Result:
Andreas
Hi Andreas,
Yes the page is broken... I can not edit or delete your previous posts.
I understand the process you describe but I can't see exactly how this could be an XSS vulnerability. You can only inject Javascript code in the page YOU see. You will not be able to inject javascript code in the page that others would see.
For example in this forum you were able to break the page, but if the javascript you entered in your reply had been executed for me when I loaded the page, that would possibly be an XSS vulnerability.
Do you see what I mean? Could you explain further what the threat would be for other people?
Thank you,
Alexandre
Hi,
unfortunately you are not entirely correct that I can only inject within Pages I see ... I wish it would be that way ... ;-)
Guess you are speaking about Persistent XSS .... but this is a kind of Reflected XSS ...
Imagine this URL:
(authstealer.js does something nasty to your PC ... stealing Cookies, exploiting some Windows 0-Day Exploit, or whatever ...)
Now I send this Link within E-Mail / Spam to others who click it ... et voilà ... JS successfully injected ... ON THEIR SIDE
Or I distribute this modified Link within some Forums, on Web-Sites, ... one can imagine hundreds of ways how to distribute such a XSS-infested Link to the masses ...
Especially dangerous is - they all think they are visiting some serious Site ... and don't know there is something nasty going on ...
Maybe you want to have a look at the WIKI Page: http://en.wikipedia.org/wiki/Cross-site_scripting
Hope you see the attack vector now :)
Andreas
ps) also tried to edit my posts to "unbreak" the Forum ... but wasn't able to ... :-/
Last edit: randome 2015-03-05
see the Problem now? :)