#137 Possible cross-site scripting vulnerability

Next_Release
closed
None
1
2014-08-26
2014-05-13
Nick G.
No

My institution recently ran a vulnerability test on a server running Booked v2.5.5 and reported some potential cross-site scripting (XSS) vulnerabilities (CWE-79). A user does not need to be logged in to encounter the vulnerabilities. I've tried to summarize the issue below:

Detection Information
Parameter: It has been detected by exploiting the parameter rid
Authentication: In order to detect this vulnerability, no authentication has been required.
Access Path: Here is the path followed by the scanner to reach the exploitable URL:
http://localhost/
http://localhost/Web/view-schedule.php

#1 Request
Payload: rid=%22%3E%3Cqss%3E&sid=2&rd=2014-05-14
Request: GET http://localhost/Web/reservation.php?rid=%22%3E%3Cqss%3E&sid=2&rd=2014-05-14

#1 Response
<p class="loginsubmit">
<button type="submit" name="login" class="button" tabindex="100" value="submit"><img
src="img/door-open-in.png"/> Log In </button>
<input type="hidden" name="resume" value="/Web/reservation.php?rid="><qss>&sid=2&rd=2014-05-14"/>
</p>
</div>
<div style="clear:both;">&nbsp;</div>
<h4 class="register">
First Time User?
<a href="register.php" title="Create an Account" >Create an Account</a>
</h4>
</form>

I've tried to highlight the issue in the output above; you'll note that the string "qss" was injected into the page request and is echoed back in the HTML on the page returned. The vulnerability was also identified with the sid parameter on the /Web/view-schedule.php page and the rd parameter on the /Web/view-schedule.php page. I can try to provide more detailed information if desired.

The generic solution offered by the vulnerability detection suite was:

Filter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers. Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
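To make the scanner's recommendation concrete for the response shown above, here is an added example (not Booked's own code) contrasting a template that drops the request URI into the `resume` hidden field verbatim with one that HTML-encodes it on output. The function names are hypothetical, and the URI is constructed to match the decoded form the report shows echoed back.

```php
<?php
// Added example, not code from the Booked project. Function names are hypothetical.

// Vulnerable pattern: the current request URI is concatenated into a double-quoted
// attribute with no output encoding. A '"' in the value closes the attribute and
// any '<' that follows starts a new element, which is exactly what the report shows.
function renderResumeFieldUnsafe(string $requestUri): string
{
    return '<input type="hidden" name="resume" value="' . $requestUri . '"/>';
}

// Hardened pattern: HTML-encode at the point of output. ENT_QUOTES makes sure both
// quote characters are encoded, so the value can never break out of the attribute,
// and '<', '>' and '&' are turned into entities so the browser renders them as text.
function renderResumeFieldSafe(string $requestUri): string
{
    $encoded = htmlspecialchars($requestUri, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="resume" value="' . $encoded . '"/>';
}

// Constructed input using the payload from the report. The scanner sends it
// URL-encoded; this assumes the page rebuilt the URI from already-decoded query
// parameters, which is what the echoed response suggests.
$uri = '/Web/reservation.php?rid=' . urldecode('%22%3E%3Cqss%3E') . '&sid=2&rd=2014-05-14';

// In the unsafe output the attribute is terminated early and <qss> becomes an element;
// in the safe output the whole value stays inside the attribute.
echo renderResumeFieldUnsafe($uri), PHP_EOL;
echo renderResumeFieldSafe($uri), PHP_EOL;

// Simple regression check a maintainer can keep: the only '<' in the safe markup
// is the one that opens the <input> tag itself.
assert(substr_count(renderResumeFieldSafe($uri), '<') === 1);
```

The same check applies to the `sid` and `rd` parameters the report names: any value taken from the request and placed in HTML needs the encoding step at the output site, not just on a single page.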

Discussion

  • Nick Korbel - 2014-07-04

    Resolved in 2.5.7

  • Nick Korbel - 2014-07-04
    • status: open --> closed
    • assigned_to: Nick Korbel
