From: Phil D. <ph...@lo...> - 2020-08-05 03:50:02
Or could we just chop off the script stuff and forward to the appropriate URL quietly...

// check for XSS
if (strpos($_SERVER['REQUEST_URI'], '/%22%3E%3C') !== false) {
    // if so chop off the XSS code and just return the appropriate URL
    header('Location: ' . 'http' . (($_SERVER['SERVER_PORT'] == 443) ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['REQUEST_URI'], 0, strpos($_SERVER['REQUEST_URI'], '/%22%3E%3C')));
    exit;
}

Phil Daintree
0275 567890

On 5/08/20 1:39 pm, Phil Daintree wrote:
> What about adding some parsing of the URI ...
>
> if (strpos($_SERVER['REQUEST_URI'], '%3C') !== false AND
>     strpos($_SERVER['REQUEST_URI'], '%3E') !== false) {
>     $Title = _('Cross Site Scripting Error Report');
>     include ('includes/header.php');
>     prnMsg(_('This page was called using an incorrectly formed URL - a potential CSS attack has been blocked'), 'error');
>     include ('includes/footer.php');
>     exit;
> }
>
> This looks for %3C i.e. the "<" character and the %3E the ">"
> character in the URI and blocks any further processing if these are
> found in the URI.
> The output doesn't look great but nobbles this attack - what else
> though would break - those characters - well both in the same URI are
> surely OK to prohibit?
>
> Any thoughts?
>
> Phil
>
> -------- Forwarded Message --------
> Subject: Re: [WebERP-developers] Fwd: Aw: Vulnerabilities in webERP
> Date: Tue, 4 Aug 2020 13:00:37 +0100
> From: Tim Schofield <tim...@gm...>
> To: Paul Thursby <pth...@gm...>, Phil Daintree
> <ph...@lo...>, Rafael Emilio Chacon
> <raf...@gm...>, ExsonQu <hex...@gm...>,
> Gilberto Dos Santos Alves <gs...@gm...>
>
> Has anything been done regarding this? If so what?
>
> Thanks
> Tim
>
> On Sat, 25 Jul 2020 at 11:34, Tim Schofield
> <tim...@gm...> wrote:
>> This can be avoided using nginx with the following added to the conf
>> file:
>>
>> location / {
>>     try_files $uri $uri/ =404;
>> }
>>
>> as can be seen here
>> https://weberp.kwamoja.org/ImportBankTrans.php/"><script>alert("XSS")</script>>
>>
>> (note the user/password combination is admin/kwamoja)
>>
>> Not sure what is needed in apache.
>>
>> On Sat, 25 Jul 2020 at 06:54, Phil Daintree <ph...@lo...>
>> wrote:
>>> There is $_GET sanitation in includes/session.php but using this
>>> syntax to send the parameter containing the script defeats our
>>> sanitation sadly
>>>
>>> Phil
>>> Phil Daintree
>>> +64 (0)275 567 890
>>>
>>>> On 23/07/2020, at 12:33 PM, Exson Qu <hex...@gm...> wrote:
>>>>
>>>> Dear all,
>>>> I checked these cases yesterday, and the following is the
>>>> summary:
>>>> 1. GET x-site attack cannot be sanitized by current code
>>>> because there is no $_GET set up. We should enhance the code to
>>>> parse the uri.
>>>> 2. The POST injection is a little special since there is no Var
>>>> validation in the script mentioned -- GLCashFlowsIndirect.php. It is
>>>> easy to fix by adding validation.
>>>>
>>>> We will feed back more as I find a solution for the x-site attack.
>>>> Best regards!
>>>> Exson
>>>>
>>>>> On Wed, Jul 22, 2020 at 9:39 AM Phil Daintree
>>>>> <ph...@lo...> wrote:
>>>>>
>>>>> Gents,
>>>>>
>>>>> This looks like it is sent as GET parameter but is not captured by
>>>>> our session cleansing routine?
>>>>>
>>>>> Anyone any ideas?
>>>>>
>>>>> Phil
>>>>> -------- Forwarded Message --------
>>>>> Subject: Aw: Vulnerabilities in webERP
>>>>> Date: Sat, 18 Jul 2020 10:51:14 +0200
>>>>> From: Mario Riederer <Mar...@gm...>
>>>>> To: Phil Daintree <ph...@lo...>
>>>>>
>>>>> Hello Phil,
>>>>> thanks for your reply :)
>>>>> I found 2 Cross Site Scripting and 2 SQL Injections in the software.
>>>>> You can find an explanation of the vulnerabilities in the Attachment.
>>>>> Please let me know if you need further help.
>>>>> Best regards,
>>>>> Mario
>>>>> *Sent:* Saturday, 18 July 2020 at 07:22
>>>>> *From:* "Phil Daintree" <ph...@lo...>
>>>>> *To:* mar...@gm..., "in...@we..." <in...@we...>
>>>>> *Subject:* Vulnerabilities in webERP
>>>>> Hi Mario,
>>>>>
>>>>> Further to your message to me at Logic Works ... if you could
>>>>> expand on the vulnerabilities please so we can fix.
>>>>>
>>>>> Many thanks
>>>>>
>>>>> Phil
>>>>>
>>>>> --
>>>>> Phil Daintree
>>>>> 0275 567890
>>>>> _______________________________________________
>>>>> Web-erp-developers mailing list
>>>>> Web...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>>>
>>>>
>>>
>>
>> --
>> www.weberpafrica.com
>> @TimSchofield2
>> Blog: https://kwamoja.home.blog/
>
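A more general version of the "chop off and redirect" idea discussed above, as an added example that is not webERP code: rather than searching REQUEST_URI for one particular encoded payload, it treats anything after the script name (PATH_INFO) as unwanted and redirects to the script itself. The function name canonicalRedirectTarget, the sample request and the assumption that webERP scripts never rely on PATH_INFO are mine, not the project's.

```php
<?php
// Added example, not webERP code. Instead of searching REQUEST_URI for one
// encoded payload, treat anything after the script name as unwanted
// PATH_INFO and redirect to the script itself, keeping the query string.
// Assumes the application's scripts never rely on PATH_INFO.

/**
 * Returns the relative URL to redirect to, or null when the request already
 * addresses the script directly. $server is the $_SERVER array, passed in so
 * the decision can be exercised without a web server.
 */
function canonicalRedirectTarget(array $server): ?string
{
    $uri    = $server['REQUEST_URI'] ?? '/';
    $script = $server['SCRIPT_NAME'] ?? '';
    if ($script === '') {
        return null; // nothing to compare against; let normal handling decide
    }

    // Separate path and query on the raw URI; the query string is left to the
    // existing $_GET sanitation and is re-attached unchanged.
    $qpos  = strpos($uri, '?');
    $path  = ($qpos === false) ? $uri : substr($uri, 0, $qpos);
    $query = ($qpos === false) ? '' : substr($uri, $qpos);

    // Compare the decoded path so upper/lower-case percent-encoding and raw
    // characters are all judged the same way. Note the explicit !== 0: strpos
    // returns 0 for a match at the start, which a bare if() would treat as false.
    $decoded = rawurldecode($path);
    if ($decoded === $script || strpos($decoded, $script . '/') !== 0) {
        return null;
    }

    // A relative Location is valid (RFC 7231) and avoids building the target
    // from HTTP_HOST, which the client controls.
    return $script . $query;
}

// Constructed sample request with the shape reported in the thread.
$sample = [
    'REQUEST_URI' => '/ImportBankTrans.php/%22%3E%3Cinjected?Example=1',
    'SCRIPT_NAME' => '/ImportBankTrans.php',
];
$target = canonicalRedirectTarget($sample);
if ($target !== null) {
    // In the real script: header('Location: ' . $target, true, 302); exit;
    echo 'redirect to ' . $target . "\n";
}
```

Behind a rewrite rule SCRIPT_NAME may not match the requested path, so check what your front end populates before relying on the comparison.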