From: Phil D. <ph...@lo...> - 2018-01-06 00:24:36
I received this note below informing us of a cross-site scripting issue. Of course it can only be executed by a logged-in user, so I am not sure it is a major concern.... However, I am wondering if we could avoid such issues by replacing any "script>" strings in $_POST and $_GET variables with "". Is there something I've overlooked, or a more elegant solution? I just committed this:

--- a/trunk/includes/session.php +++ b/trunk/includes/session.php @@ -55,13 +55,14 @@ if(get_magic_quotes_gpc()) { $_POST['name'] = stripslashes($_POST['name']); } - $_POST[$PostVariableName] = DB_escape_string($PostVariableValue); + + $_POST[$PostVariableName] = DB_escape_string(str_replace('script>','',$PostVariableValue)); } else { foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) { if(get_magic_quotes_gpc()) { $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]); } - $PostVariableValue[$PostArrayKey] = DB_escape_string($PostArrayValue); + $PostVariableValue[$PostArrayKey] = DB_escape_string(str_replace('script>','',$PostArrayValue)); } } } @@ -71,7 +72,7 @@ */ foreach ($_GET as $GetKey => $GetValue) { if (gettype($GetValue) != 'array') { - $_GET[$GetKey] = DB_escape_string($GetValue); + $_GET[$GetKey] = DB_escape_string(str_replace('script>','',$GetValue)); } }

Phil

---------- Forwarded message ----------
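Review bot: In the first hunk (the two $_POST assignments), str_replace('script>', '', ...) is a blocklist on one literal, case-sensitive substring rather than an encoding, so it leaves the `<`, `>`, `"`, `'` and `=` metacharacters the forwarded report lists untouched and silently rewrites stored data for any legitimate value that happens to contain that substring. The report's own advice is the more robust fix: validate each field on arrival against what it is expected to contain and reject failures, and encode at the point of output with something like `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` instead of rewriting $_POST globally. Two pre-existing defects in the unchanged context lines are worth fixing in the same change: `$_POST['name'] = stripslashes($_POST['name']);` inside the per-variable loop appears to be meant as `$_POST[$PostVariableName] = stripslashes($PostVariableValue);`, and `stripslashes($value[$PostArrayKey])` references an undefined `$value` where `$PostArrayValue` appears to be intended.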
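Review bot: The second hunk ($_GET) repeats the same one-string blocklist with the same gaps, and it keeps running DB_escape_string over every GET value at request start; by its name that is an SQL-escaping step, not HTML encoding, so values end up carrying database escaping while any HTML other than the literal `script>` passes through. Suggest leaving $_GET unmodified here, encoding with htmlspecialchars() where values are written into responses, and validating identifiers such as FactorID at the point they are read (an integer cast or a strict pattern) so they never reach either an SQL statement or an HTML page as free text.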
From: Shappa Noob <raj...@gm...>
Date: Thu, Dec 21, 2017 at 12:39 PM
Subject: Re: Stored XSS with Normal user
To: sec...@we...

Hello Team,

Also found 2 more Stored XSS; below are steps to reproduce the problem.

1) Another Stored XSS on http://127.0.0.1:1234/webERP/Factors.php?FactorID=1
Tested with Normal user: able to add stored XSS and also verified they are getting executed on admin account.
Payables -> Maintain Factor Companies -> Create New Factor
Enter the Company Name: <script> alert(1) </script>
Address Line 1: <script> alert(2) </script>
Address Line 2: <script> alert(3) </script>
Address Line 3: <script> alert(4) </script>
Address Line 4: <script> alert(5) </script>

2) http://127.0.0.1:1234/webERP/index.php
Receivables -> Add Customer -> Enter the script in Input Text field as below
Customer Code: 777
Customer Name: script> alert(1) </script>
Now just try to view the customer information: Receivables -> Select Customer -> Enter a partial Code: 777 -> Search now -> View Customer Details. Stored XSS will get executed.

Mitigation: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

1. Input should be validated as strictly as possible on arrival, given the kind of content that it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
2. User input should be HTML-encoded at any point where it is copied into application responses. All HTML meta characters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc).
3. Implementation of https://github.com/cure53/DOMPurify/

Thanks and Regards
Shappa

On Thu, Dec 21, 2017 at 11:20 AM, Shappa Noob <raj...@gm...> wrote:
Hello Team,
Any updates on this?
Thanks

On Fri, Dec 15, 2017 at 8:58 PM, Shappa Noob <raj...@gm...> wrote:
Hello Weberp Team,
I have found the stored access on "Fixed Asset Locations" module. Please find the below video to reproduce the problem with normal user Test (Accountant): https://drive.google.com/open?id=1iXaE85eAd1p_A-yxiIBXUUim1H6o1iXh
Thank you
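The two defences the report recommends, validation on arrival and HTML encoding on output, as a small PHP example added here for illustration; it is not webERP code and not the reporter's. It places the committed str_replace('script>', '') transformation next to htmlspecialchars() on the same constructed inputs so the difference between deleting one substring and encoding every metacharacter is visible. The field names, the allow-list pattern for names and the customer.php URL are assumptions.

```php
<?php
// Added example, not webERP project code. Field names, validation rules and
// the customer.php URL are assumptions made for the demonstration.

declare(strict_types=1);

// Defence 1: strict allow-list validation on arrival. A customer or company
// name is short and built from letters, digits, space and a few punctuation
// characters; anything else is rejected, not cleaned up.
function isValidName(string $value): bool
{
    return preg_match('/^[\p{L}\p{N} .,\'&()\-]{1,60}$/u', $value) === 1;
}

// Validate a submitted form and report errors instead of rewriting values.
// Returns an empty array when every field passes.
function validateCustomerForm(array $post): array
{
    $errors = [];
    $rules = ['CustNo' => '/^[A-Za-z0-9]{1,10}$/', 'CustName' => null];
    foreach ($rules as $field => $pattern) {
        $value = (string)($post[$field] ?? '');
        $ok = $pattern === null ? isValidName($value) : preg_match($pattern, $value) === 1;
        if (!$ok) {
            $errors[$field] = 'invalid value';
        }
    }
    return $errors;
}

// Defence 2: HTML-encode at the point of output. ENT_QUOTES escapes both quote
// characters so the value is inert inside attribute values as well as text;
// the explicit charset keeps multibyte input from being misread.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The committed patch's transformation, reproduced only for comparison.
function stripScriptTag(string $value): string
{
    return str_replace('script>', '', $value);
}

// Render one customer row. Every dynamic value goes through h(), including
// the one placed inside an attribute value.
function renderCustomerRow(array $row): string
{
    return '<tr><td><a href="customer.php?CustNo=' . h($row['CustNo']) . '">'
        . h($row['CustNo']) . '</a></td><td>' . h($row['CustName']) . '</td></tr>';
}

// Constructed sample inputs: the reporter's own payload, ordinary non-script
// markup, and a legitimate name containing an apostrophe and an ampersand.
$samples = [
    '<script> alert(1) </script>',
    '<b>Acme</b>',
    "O'Brien & Sons",
];

foreach ($samples as $s) {
    printf("input:     %s\n", $s);
    printf("validate:  %s\n", isValidName($s) ? 'accepted' : 'rejected');
    printf("blocklist: %s\n", stripScriptTag($s)); // markup other than script> survives
    printf("encoded:   %s\n\n", h($s));             // every metacharacter becomes an entity
}

echo renderCustomerRow(['CustNo' => '777', 'CustName' => "O'Brien & Sons"]), "\n";
print_r(validateCustomerForm(['CustNo' => '777', 'CustName' => '<script> alert(1) </script>']));
```

Run with `php example.php`: the validator accepts "O'Brien & Sons" and rejects both markup samples, the blocklist leaves `<b>Acme</b>` as live markup and only trims the script sample, and h() turns every sample into inert text. The design point is that encoding belongs where a value meets HTML, not in session.php where the request is first parsed, so the stored data stays exact and each output context gets the encoding it needs.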