From: Phil D. <ph...@lo...> - 2020-08-05 01:39:57

What about adding some parsing of the URI ...

    // strpos() returns 0 for a match at offset 0, so compare with !== false
    // rather than relying on truthiness
    if (strpos($_SERVER['REQUEST_URI'], '%3C') !== false AND strpos($_SERVER['REQUEST_URI'], '%3E') !== false) {
        $Title = _('Cross Site Scripting Error Report');
        include ('includes/header.php');
        prnMsg(_('This page was called using an incorrectly formed URL - a potential CSS attack has been blocked'), 'error');
        include ('includes/footer.php');
        exit;
    }

This looks for %3C i.e. the "<" character and the %3E the ">" character in the URI and blocks any further processing if these are found in the URI. The output doesn't look great but nobbles this attack - what else though would break - those characters - well both in the same URI are surely OK to prohibit?

Any thoughts?

Phil

-------- Forwarded Message --------
Subject: Re: [WebERP-developers] Fwd: Aw: Vulnerabilities in webERP
Date: Tue, 4 Aug 2020 13:00:37 +0100
From: Tim Schofield <tim...@gm...>
To: Paul Thursby <pth...@gm...>, Phil Daintree <ph...@lo...>, Rafael Emilio Chacon <raf...@gm...>, ExsonQu <hex...@gm...>, Gilberto Dos Santos Alves <gs...@gm...>

Has anything been done regarding this? If so what?

Thanks

Tim

On Sat, 25 Jul 2020 at 11:34, Tim Schofield <tim...@gm...> wrote:
> This can be avoided using nginx with the following added to the conf file:
>
>     location / {
>         try_files $uri $uri/ =404;
>     }
>
> as can be seen here
> https://weberp.kwamoja.org/ImportBankTrans.php/"><script>alert("XSS")</script>>
> (note the user/password combination is admin/kwamoja)
>
> Not sure what is needed in Apache.
>
>
> On Sat, 25 Jul 2020 at 06:54, Phil Daintree <ph...@lo...> wrote:
>> There is $_GET sanitation in includes/session.php but using this syntax to send the parameter containing the script defeats our sanitation sadly
>>
>> Phil
>> Phil Daintree
>> +64 (0)275 567 890
>>
>>> On 23/07/2020, at 12:33 PM, Exson Qu <hex...@gm...> wrote:
>>>
>>> Dear all,
>>> I checked these cases yesterday, and the following is the summary:
>>> 1. GET x-site attack cannot be sanitized by current code because there is no $_GET set up. We should enhance the code to parse the uri.
>>> 2. The POST injection is a little special since there is no Var validation in the script mentioned, GLCashFlowsIndirect.php. It is easy to fix by adding validation.
>>>
>>> We will feed back more as I find a solution for the x-site attack.
>>> Best regards!
>>> Exson
>>>
>>>> On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree <ph...@lo...> wrote:
>>>>
>>>> Gents,
>>>>
>>>> This looks like it is sent as GET parameter but is not captured by our session cleansing routine?
>>>>
>>>> Anyone any ideas?
>>>>
>>>> Phil
>>>>
>>>> -------- Forwarded Message --------
>>>> Subject: Aw: Vulnerabilities in webERP
>>>> Date: Sat, 18 Jul 2020 10:51:14 +0200
>>>> From: Mario Riederer <Mar...@gm...>
>>>> To: Phil Daintree <ph...@lo...>
>>>>
>>>> Hello Phil,
>>>> thanks for your reply :)
>>>> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
>>>> You can find an explanation of the vulnerabilities in the Attachment.
>>>> Please let me know if you need further help.
>>>> Best regards,
>>>> Mario
>>>>
>>>> *Sent:* Saturday, 18 July 2020 at 07:22
>>>> *From:* "Phil Daintree" <ph...@lo...>
>>>> *To:* mar...@gm..., "in...@we..." <in...@we...>
>>>> *Subject:* Vulnerabilities in webERP
>>>> Hi Mario,
>>>>
>>>> Further to your message to me at Logic Works ... if you could expand on the vulnerabilities please so we can fix.
>>>>
>>>> Many thanks
>>>>
>>>> Phil
>>>>
>>>> --
>>>> Phil Daintree
>>>> 0275 567890
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>>
>>>
>>
>
> --
> www.weberpafrica.com
> @TimSchofield2
> Blog: https://kwamoja.home.blog/

--
www.weberpafrica.com
@TimSchofield2
Blog: https://kwamoja.home.blog/
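An added example (my own code, not webERP's and not the snippet above): a decode-then-compare version of the REQUEST_URI guard. It looks at the whole request target, so the path-info portion where the reported payload was placed is covered as well as the query string, and it matches "<" and ">" whether they arrive raw, as %3C/%3E or as lowercase %3c/%3e, which the literal "%3C" check misses. It rejects either character rather than requiring both, which is stricter than the check above; the function name, the sample URIs and the assumption that it would be called early in includes/session.php before any page code runs are mine.

```php
<?php
// Added example, not webERP code. Returns true when the decoded request
// target contains "<" or ">", wherever they sit in the path or query.
function uriHasAngleBrackets(string $requestUri): bool
{
    // PHP exposes REQUEST_URI undecoded, so decode exactly once here.
    // Decoding twice would also catch double-encoded input but would
    // misread a legitimate literal "%25" in a query value.
    $decoded = rawurldecode($requestUri);

    // strpos() returns 0 for a match at offset 0, so test against false.
    return strpos($decoded, '<') !== false || strpos($decoded, '>') !== false;
}

// Constructed sample URIs (not captured from a live system).
$samples = [
    '/ImportBankTrans.php'                    => false,
    '/ImportBankTrans.php?Page=2&Order=desc'  => false,
    '/ImportBankTrans.php/%22%3E%3Cscript%3E' => true,  // encoded path-info payload
    '/ImportBankTrans.php/"><script>'         => true,  // sent raw by some clients
    '/SelectProduct.php?Keywords=%3cb%3e'     => true,  // lowercase hex escapes
];

foreach ($samples as $uri => $expected) {
    $result = uriHasAngleBrackets($uri);
    printf("%s %s\n", $result === $expected ? 'ok  ' : 'FAIL', $uri);
}
```

The trade-off Phil raises still applies: any legitimate query value containing "<" or ">" (a free-text search, for instance) is also rejected, so the error page should say why the request was refused.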