So one of the sites I'm working on apparently has an XSS vulnerability.
The normal HTML is this:
<form name="contact_us" action="somewhere" method="post">
<div id="contactUsNoticeContent" class="content"></div>
<fieldset id="contactUsForm">
<legend>Contact Us</legend>
<div class="alert forward">* Required information</div>
<label class="inputLabel" for="contactname">Full Name:</label>
<input type="text" name="contactname" size="40" id="contactname"><span class="alert">*
</span><br class="clearBoth">
<label class="inputLabel" for="email-address">Email Address:</label>
<input type="text" name="email" size="40" id="email-address"><span class="alert">*
</span><br class="clearBoth">
<label for="enquiry">Message:<span class="alert">*</span></label>
<textarea name="enquiry" cols="30" rows="7" id="enquiry"></textarea>
</fieldset>
<div class="buttonRow forward"><input type="image" src="an image src" alt="Send Now"
title=" Send Now "></div>
<div><a href="somewhere"><img src="yourface" alt="Back" title=" Back " width="85" height="25"></a></div>
</form>
They sent me back the following code as a vulnerability:
<input type="text" name="email" value="
<script>alert('SAINTL2NvbnRhY3RfdXMuaHRtbD9hY3Rpb249c2VuZCBlbWFpbA==')
</script>" size="40" id="emailaddress" /><span class="alert">*</span>
<br class="clearBoth" />
Code for redrawing the field ($value is the raw POST data):
// $GLOBALS[$name] holds the submitted value; it is re-inserted into the value attribute
$field = '<input type="' . zen_output_string($type) . '" name="' .
         zen_output_string($name) . '"';
if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
  $field .= ' value="' . zen_output_string(stripslashes($GLOBALS[$name])) . '"';
} elseif (zen_not_null($value)) {
  $field .= ' value="' . zen_output_string($value) . '"';
}
// $parameters is appended as-is, without any escaping
if (zen_not_null($parameters)) $field .= ' ' . $parameters;
$field .= ' />';
I guess that when the form is submitted an alert should show up on page reload? I can't seem to trigger this though. I figure all I need to do is escape the heck out of the value before I repost it to the form to fix it, but now I'm kind of curious what I'm doing wrong that I can't seem to trigger it. Anyone have any ideas how I can reproduce this or what I'm doing wrong?
It is on an old Zen Cart framework with known vulnerabilities, btw. But I'd like to understand them rather than just install patches. Zen function reference
Your old site does indeed have known vulnerabilities. A very quick way to see the fix is to grab the code for the new version (which fixed the issue) and compare the files. There are two files involved:
A quick comparison with WinMerge or your favorite compare tool will point out the differences for you.
There are further system-wide sanitization actions taken elsewhere in the bootstrap core code that also handle related issues.
PS: You really ought to be upgrading to the latest version if you want all those protections ;)
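To see why the scanner's payload can be reflected without firing, and where the same reflection does fire, here is an added example; it is not code from the question, the answer or Zen Cart. It reproduces the shape of the field-drawing snippet above with two escapers and uses PHP's DOMDocument (libxml's HTML parser) as a stand-in for the browser to report whether a reflected value produced a new element or attribute. It assumes, which the page does not state, that the old zen_output_string() only rewrote double quotes as &quot; unless $protected was set, and that the hardened form is htmlspecialchars() with ENT_QUOTES. The function names, the unquoted-attribute and text-node variants, and the payloads are all mine.

```php
<?php
// Added example, not Zen Cart's code. Models the field-drawing snippet from
// the question with two escapers and uses libxml's HTML parser (DOMDocument)
// in place of a browser to see what a reflected value turns into.
//
// Assumption (not stated on the page): the old zen_output_string() only
// rewrote '"' to '&quot;' unless $protected was true. The hardened escaper
// is htmlspecialchars() with ENT_QUOTES. All names here are hypothetical.

// Assumed old behaviour: only the double quote is rewritten.
function weak_output_string(string $s): string
{
    return strtr(trim($s), ['"' => '&quot;']);
}

// Hardened: & < > " ' all become entities, so $s cannot change context
// inside a quoted attribute or a text node.
function safe_output_string(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same shape as the snippet in the question: quoted value attribute, raw
// $parameters appended afterwards (so $parameters must never be user data).
function draw_quoted_field(callable $esc, string $name, string $value, string $parameters = ''): string
{
    $field = '<input type="text" name="' . $esc($name) . '"';
    $field .= ' value="' . $esc(stripslashes($value)) . '"';
    if ($parameters !== '') {
        $field .= ' ' . $parameters;
    }
    return $field . ' />';
}

// Hypothetical variant of the template that forgets the quotes around value.
function draw_unquoted_field(callable $esc, string $name, string $value): string
{
    return '<input type="text" name="' . $esc($name) . '" value=' . $esc($value) . ' />';
}

// Hypothetical text-node reflection, e.g. a notice that echoes the input.
function draw_notice(callable $esc, string $value): string
{
    return '<div id="contactUsNoticeContent" class="content">You entered: ' . $esc($value) . '</div>';
}

// Parse the fragment as a browser would and report what came out of it:
// number of <script> elements and any on* attributes on the first <input>.
function browser_view(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments produce harmless warnings
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $handlers = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            if (strncmp($attr->name, 'on', 2) === 0) {
                $handlers[] = $attr->name;
            }
        }
    }
    return [
        'scripts'  => $doc->getElementsByTagName('script')->length,
        'handlers' => $handlers,
    ];
}

// Constructed payloads, loosely modelled on what the scanner sent.
$payloads = [
    'script tag'        => '<script>alert(1)</script>',
    'quote breakout'    => '" onmouseover="alert(1)',
    'unquoted breakout' => 'x onmouseover=alert(1)',
];

foreach (['weak' => 'weak_output_string', 'safe' => 'safe_output_string'] as $label => $esc) {
    foreach ($payloads as $desc => $p) {
        printf("%-4s quoted attr   %-18s %s\n", $label, $desc, json_encode(browser_view(draw_quoted_field($esc, 'email', $p))));
        printf("%-4s unquoted attr %-18s %s\n", $label, $desc, json_encode(browser_view(draw_unquoted_field($esc, 'email', $p))));
        printf("%-4s text node     %-18s %s\n", $label, $desc, json_encode(browser_view(draw_notice($esc, $p))));
    }
}
```

Run it with the dom extension enabled. The rows to compare: with the weak escaper the scanner's `<script>` payload stays inside the double-quoted value attribute and yields no script element, which matches the question's failure to trigger it; the same payload reflected into a text node does yield a script element, and htmlspecialchars() removes it. The unquoted-attribute rows show that escaping alone is not the fix: `x onmouseover=alert(1)` contains no character either escaper touches, so the handler attribute appears with both. Quoting the attribute and escaping with ENT_QUOTES together close the attribute context; nothing closes the raw $parameters append except never putting user data in it.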