
XSS Vulnerability

15 posts, 11 voices

4 posts

Hi Philippe.
Radek, Kreus CMS

 
8 posts

I could not reproduce it in version 0.95 RC2

 
4 posts

Great, will upgrade from 0.94 to 0.95 then.

 
4 posts

Nope, 0.95 RC2 still the same:

 
1493 posts

Hmmm… I’m puzzled too. I can’t reproduce this on either 0.9.4 or 0.9.5 with or without mod_rewrite enabled. I get “access forbidden” messages or 404’s.

 
4 posts

Are you using IE7 too?

 
4 posts

Look I am not making it up (madebyfrog.com):

 
651 posts

When I try to replicate this with madebyfrog.com on Firefox I get:

Not Found

The requested URL /1%3Cscript%3Ealert(%27Frog%27)%3C/script%3E was not found on this server.
KISS ‘Keep It Simple, Stupid’

I think you are correct in your conclusion that Frog is vulnerable to XSS. It would seem that Frog is not cleaning up the URL before using it.

The reason why people can’t replicate the problem on Firefox is because it (quite correctly) encodes the HTML characters. Internet Explorer should also be encoding the characters, so I consider that a bug in IE.

However, Frog should not assume that HTTP requests for URLs come only through browsers. Hackers will not be using Firefox to make their attacks.

Issue added. I’ll see about fixing this in 0.9.5 final.

 
1493 posts

It seems to vary not only by browser, but also by host. At a rough estimate, about 50% of the Frog sites I tried this on echoed the scripted message. It also varied with browser (as you note), with Opera being very quick to comply :) on some occasions.

But Martijn is on the case, I see. ;)

 
31 posts

Yep, I am able to reproduce it on my site as well.

 
541 posts

Haha, interesting!! And funny, thanks for that.

 
257 posts

An interesting little article that just popped up in my RSS regarding how common this problem is and how to combat it…

 
21 posts

I did some automated testing of my own site to see if there are any more vulnerabilities. Below are the findings:

Vulnerable to URL Cross-Site Scripting:

http://www.frogdomain.com:80/admin/login"><script>alert(097531);</script>
http://www.frogdomain.com:80/admin/baddir123"><script>alert(097531);</script>
http://www.frogdomain.com:80/admin"><script>alert(097531);</script>

Vulnerable to Cross-Site Scripting:

URL: http://www.frogdomain.com:80/admin/login/forgot

Request:

POST /admin/login/forgot HTTP/1.1
Referer: http://www.frogdomain.com:80/admin/login/forgot
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Accept: */*
Alert: Webinspect Scan being performed by IRM
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www.frogdomain.com
Connection: Keep-Alive
Cookie: CustomCookie=WebInspect32404ZXD4AFB0B22E2D4D85A0C53912C21043F2Y8F07;PHPSESSID=q1es9hslum0b1uadmumsapbv81
forgot[email]=John.Doe%40somewhere.com%22%3e%3csCrIpT%3ealert(54231)%3c%2fsCrIpT%3e 

Response:

HTTP/1.1 200 OK
Date: Thu, 30 Apr 2009 20:33:12 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Connection: Keep-Alive
Content-Length: 1609
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Forgot password</title>
  <base href="http://www.frogdomain.com/admin/" />
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <link href="stylesheets/login.css" rel="Stylesheet" type="text/css" />
  <link href="themes/default/styles.css" id="css_theme" media="screen" rel="Stylesheet" type="text/css" />
  <script src="javascripts/prototype.js" type="text/javascript"></script>
  <script src="javascripts/effects.js" type="text/javascript"></script>
</head>
<body>
  <div id="dialog">
    <h1>Forgot password</h1>
    <div id="error" style="display: none">No user found!</div>
    <script type="text/javascript">Effect.Appear('error', {duration:.5});</script>
    <form action="http://www.frogdomain.com/admin/login/forgot" method="post">
      <div>
        <label for="forgot-email">Email address:</label>
        <input class="long" id="forgot-email" type="text" name="forgot[email]" value="John.Doe@somewhere.com"><sCrIpT>alert(54231)</sCrIpT>" />
      </div>
      <div id="forgot-submit">
        <input class="submit" type="submit" accesskey="s" value="Send password" />
        <span>(<a href="http://www.frogdomain.com/admin/login">Login</a>)</span>
      </div>
    </form>
  </div>
  <script type="text/javascript" language="javascript" charset="utf-8">
  // <![CDATA[
  document.getElementById('forgot-email').focus();
  // ]]>
  </script>
</body>
</html>

The forgot password script allows the user to modify the input and process the additional "><sCrIpT>alert(54231)</sCrIpT>" />

 
7 posts

We need to filter all inputs by removing any characters except letters and/or numbers.

Sample filtering with htmlentities:

<?php
$str = "A 'quote' is <b>bold</b>";
// Encode both quote styles and the angle brackets so the string is inert in HTML.
$clean = htmlentities($str, ENT_QUOTES);
echo $clean;
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
?>

The Frog developers should fix this problem and release a new version that is free from the XSS vulnerability.
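As an added example (not code from this thread or from Frog CMS), the following PHP applies output encoding at the two places the thread shows request data being echoed back: the forgot-password form's value attribute from the WebInspect finding above, and the 404 page that echoes the requested URL. The function names, the esc() helper and the self-check are assumptions introduced here; the sample inputs are copied from the thread's own findings and are labelled as constructed test data.

```php
<?php
// Added example, not Frog CMS code. Function names are hypothetical.

// Constructed test inputs, taken from the findings posted in this thread.
const SAMPLE_EMAIL = 'John.Doe@somewhere.com"><sCrIpT>alert(54231)</sCrIpT>';
const SAMPLE_URI   = '/1<script>alert(\'Frog\')</script>';

// Vulnerable pattern: the submitted value lands inside a double-quoted
// attribute unencoded, so the quote closes the attribute and the <script>
// element that follows is parsed as markup.
function render_forgot_form_vulnerable(string $email): string
{
    return '<input id="forgot-email" type="text" name="forgot[email]" value="'
        . $email . '" />';
}

// Hardened helper: encode for the HTML context. ENT_QUOTES covers both quote
// styles (so it is safe in single- and double-quoted attributes), and the
// explicit charset avoids surprises when the default charset differs.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_forgot_form(string $email): string
{
    return '<input id="forgot-email" type="text" name="forgot[email]" value="'
        . esc($email) . '" />';
}

// The 404 page has the same problem when it echoes the requested URL into
// the page body, so it gets the same treatment.
function render_not_found(string $uri): string
{
    return '<h1>Not Found</h1><p>The requested URL ' . esc($uri)
        . ' was not found on this server.</p>';
}

// Regression check a maintainer can keep in the test suite: the rendered
// markup must not contain a script tag that originated in the input.
function contains_live_script(string $html): bool
{
    return preg_match('/<\s*script/i', $html) === 1;
}

// Returns true when the vulnerable renderer lets the script through and
// the hardened renderers do not.
function self_check(): bool
{
    return contains_live_script(render_forgot_form_vulnerable(SAMPLE_EMAIL))
        && !contains_live_script(render_forgot_form(SAMPLE_EMAIL))
        && !contains_live_script(render_not_found(SAMPLE_URI));
}

printf("vulnerable: %s\n", render_forgot_form_vulnerable(SAMPLE_EMAIL));
printf("hardened:   %s\n", render_forgot_form(SAMPLE_EMAIL));
printf("404 page:   %s\n", render_not_found(SAMPLE_URI));
printf("self-check: %s\n", self_check() ? 'pass' : 'FAIL');
```

The design choice here is to encode at the point of output, in the context where the value is rendered, rather than to strip characters from the input: a legitimate email address already contains characters outside letters and digits, and the same stored value may later be emitted into a different context (an attribute, the page body, a JavaScript string) that needs a different encoding.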

 
18 posts

Are security problems fixed yet?

 
4 posts

I’d be interested as well to know if it is fixed yet or not…