From: Phil D. <ph...@lo...> - 2018-01-06 10:23:59
Well that does make it tricky to store html in variables as I do in the webSHOP setup script.... but yes nicer in some respects. It is only the <script> tag that causes the issues though, aye?

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 06/01/18 21:53, Tim Schofield wrote:
> Just insert the following:
>
> $PostVariableValue = strip_tags($PostVariableValue);
>
> at line 54 of session.php. and
>
> $GetValue = strip_tags($GetValue);
>
> at line 73. Removing all HTML tags from input makes more sense than
> doing string replaces.
>
> Tim
>
> On 6 January 2018 at 00:23, Phil Daintree <ph...@lo...> wrote:
>> I received this note below informing us of a cross site scripting issue. Of
>> course it can only be executed by a logged-in user so I am not sure it is a
>> major concern.... However, I am wondering if we could avoid such issues by
>> replacing any "script>" strings in $_POST and $_GET variables with "". Is
>> there something I've overlooked or a more elegant solution?
>>
>> I just committed this:
>>
>> --- a/trunk/includes/session.php
>> +++ b/trunk/includes/session.php
>> @@ -55,13 +55,14 @@
>> if(get_magic_quotes_gpc()) {
>> $_POST['name'] =
>> stripslashes($_POST['name']);
>> }
>> - $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
>> +
>> + $_POST[$PostVariableName] =
>> DB_escape_string(str_replace('script>','',$PostVariableValue));
>> } else {
>> foreach ($PostVariableValue as $PostArrayKey =>
>> $PostArrayValue) {
>> if(get_magic_quotes_gpc()) {
>> $PostVariableValue[$PostArrayKey] =
>> stripslashes($value[$PostArrayKey]);
>> }
>> - $PostVariableValue[$PostArrayKey] = DB_escape_string($PostArrayValue);
>> + $PostVariableValue[$PostArrayKey] =
>> DB_escape_string(str_replace('script>','',$PostArrayValue));
>> }
>> }
>> }
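Review bot: the two `+` lines in this hunk remove only the literal, case-sensitive substring `script>` and then escape the result for the database, so this is an input blacklist rather than a fix: anything that does not contain that exact substring is stored untouched, and what is stored is still written into pages unencoded. The forwarded report's own item 2 gives the right layer, which is to HTML-encode with htmlspecialchars($value, ENT_QUOTES, 'UTF-8') wherever a stored value is copied into the response; that also avoids the problem raised in this thread of HTML stored in variables being mangled on the way in. Two pre-existing defects in the unchanged context lines are worth fixing in the same commit: `stripslashes($value[$PostArrayKey])` reads `$value`, which is not defined in this loop (the loop variable is `$PostArrayValue`), and `$_POST['name'] = stripslashes($_POST['name'])` strips slashes from the fixed key `name` instead of `$_POST[$PostVariableName]`.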
>> @@ -71,7 +72,7 @@
>> */
>> foreach ($_GET as $GetKey => $GetValue) {
>> if (gettype($GetValue) != 'array') {
>> - $_GET[$GetKey] = DB_escape_string($GetValue);
>> + $_GET[$GetKey] = DB_escape_string(str_replace('script>','',$GetValue));
>> }
>> }
>>
>> Phil
>>
>> ---------- Forwarded message ----------
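Review bot: same concern as the $_POST hunk for the `+` line here: `str_replace('script>','',$GetValue)` is case-sensitive and strips one substring only, and DB_escape_string() escapes for SQL, not for HTML, so the value still reaches the page unencoded. Unlike the $_POST loop, array-valued $_GET entries are skipped entirely by the `gettype($GetValue) != 'array'` guard, so they receive neither the replacement nor the escaping. Keep DB_escape_string() for the query layer and encode at output with htmlspecialchars() in the pages that render these values (Factors.php and the customer views named in the report), rather than growing this replacement list.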
>> From: Shappa Noob <raj...@gm...>
>> Date: Thu, Dec 21, 2017 at 12:39 PM
>> Subject: Re: Stored XSS with Normal user
>> To: sec...@we...
>>
>> Hello Team,
>>
>> Also found 2 more Stored XSS; below are steps to reproduce the problem
>>
>> 1) Another Stored XSS on http://127.0.0.1:1234/webERP/Factors.php?FactorID=1
>>
>> Tested with Normal user: able to add stored XSS and also verified they are
>> getting executed on admin account.
>>
>> Payables->Maintain Factor Companies->Create New Factor
>>
>> Enter the
>>
>> Company Name <script> alert(1) </script>
>> Address Line 1:<script> alert(2) </script>
>> Address Line 2:<script> alert(3) </script>
>> Address Line 3:<script> alert(4) </script>
>> Address Line 4:<script> alert(5) </script>
>>
>> 2) http://127.0.0.1:1234/webERP/index.php
>>
>> Receivables->Add Customer ->
>>
>> Enter the script in Input Text field as below
>>
>> Customer Code 777
>> Customer Name:script> alert(1) </script>
>>
>> Now just try to view the customer Information
>>
>> Receivables->Select Customer ->Enter a partial Code: 777->Search now->View
>> Customer Details> Stored XSS will get executed.
>>
>> Mitigation:
>>
>> In most situations where user-controllable data is copied into application
>> responses, cross-site scripting attacks can be prevented using two layers of
>> defences:
>>
>> 1. Input should be validated as strictly as possible on arrival, given the
>> kind of content that it is expected to contain. For example, personal names
>> should consist of alphabetical and a small range of typographical
>> characters, and be relatively short; a year of birth should consist of
>> exactly four numerals; email addresses should match a well-defined regular
>> expression. Input which fails the validation should be rejected, not
>> sanitized.
>>
>> 2. User input should be HTML-encoded at any point where it is copied into
>> application responses. All HTML meta characters, including < > " ' and =,
>> should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
>>
>> 3. Implementation of the https://github.com/cure53/DOMPurify/
>>
>> Thanks and Regards
>>
>> Shappa
>>
>> On Thu, Dec 21, 2017 at 11:20 AM, Shappa Noob <raj...@gm...> wrote:
>>
>> Hello Team,
>>
>> Any updates on this ?
>>
>> Thanks
>>
>> On Fri, Dec 15, 2017 at 8:58 PM, Shappa Noob <raj...@gm...> wrote:
>>
>> Hello Weberp Team,
>>
>> I have found the stored access on "Fixed Asset Locations" module
>>
>> Please find the below video to reproduce the problem with normal
>> user Test (Accountant )
>>
>> https://drive.google.com/open?id=1iXaE85eAd1p_A-yxiIBXUUim1H6o1iXh
>>
>> Thank you
>>
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
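The two layers in the forwarded report's mitigation section (strict validation that rejects bad input, then HTML-encoding at the point of output), applied to the Factor "Company Name" field the report names. This is an added PHP example, not webERP's code and not from anyone in this thread; the function names, the permitted character set and the 40-character length limit in the validator are assumptions, and the inputs are constructed (the second one is the report's own sample).

```php
<?php
// Added example, not webERP code. Demonstrates the two defence layers from the
// forwarded report for a single text field. validate_company_name() and
// render_field() are hypothetical names; the allowed characters and the
// 40-character limit are assumed, not taken from webERP.
declare(strict_types=1);

// Layer 1: validate on arrival against what the field is expected to hold,
// and REJECT on failure rather than stripping or rewriting the value.
// Letters, digits, space and a small set of typographical characters only.
function validate_company_name(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} .,&\'\-]{1,40}$/u', $value);
}

// Layer 2: HTML-encode at the exact point the value is copied into the
// response. The stored value itself is left untouched; only the rendering
// changes, so "<" in data becomes "&lt;" in the page and is never parsed
// as markup. ENT_QUOTES also encodes ' and " so the same helper is safe
// inside attribute values.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_field(string $label, string $value): string
{
    return '<tr><td>' . html($label) . '</td><td>' . html($value) . '</td></tr>';
}

// Constructed inputs: a legitimate name and the sample from the report.
$samples = [
    'Acme Trading & Co.',
    '<script> alert(1) </script>',
];

foreach ($samples as $input) {
    if (!validate_company_name($input)) {
        // Rejected at layer 1; even the error message is encoded (layer 2).
        echo 'rejected on input: ' . html($input) . "\n";
        continue;
    }
    echo render_field('Company Name', $input) . "\n";
}
```

Because the encoding is done where the value is written into the page, what is stored stays exactly as the user entered it. That sidesteps the problem raised earlier in the thread with strip_tags() and the str_replace() patch, where legitimate HTML held in variables gets mangled on the way in, and it leaves DB_escape_string() to do the one job it is for, escaping values for the SQL query.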