Bug 560696
Opened 14 years ago
Closed 14 years ago
Reflected XSS due to lack of Output Encoding
Categories: Websites Graveyard :: drumbeat.org, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: mcoates, Unassigned
Keywords: drupal-module, helpwanted, wsec-xss
Whiteboard: [donation] [drumbeat] [civicrm] [infrasec:xss]
Issue:

Data accepted from the email address is displayed on the confirmation page without proper output encoding. As a result, an attacker could construct a malicious cross-site scripting attack and leverage the email address field to attack a user.

Steps to Reproduce:
1. Browse to http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1
2. Enter any donation amount
3. Enter the following for the email address: test<hr>ing<hr>@mozilla.com
4. Press submit
5. Observe the confirmation page has rendered the <hr> and two lines are displayed.

An attacker could insert a more advanced attack (such as a meta refresh) to either redirect the attacker or execute an XSS attack.

Recommended Remediation:

Use HTML entity output encoding when displaying the email address on the confirmation page to safely display any characters entered by the user.
Comment 1 • 14 years ago
I think this is a false alarm. Try inputting: <script>a</script>a@b.com This is flagged as a potential scripting attack.
Comment 2 • 14 years ago (Reporter)
There are a variety of ways of inserting an XSS attack.* Although the example you provided is caught, the fact that any HTML can be entered and rendered within the response indicates a problem. For example, the <hr> tags are rendered. It's also possible to insert an <iframe> tag. Instead of trying to detect all possible malicious inputs, it's best to use output encoding to render any HTML inert upon display.

* http://ha.ckers.org/xss.html
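The point made in the report and in comment 2, as an added example written for this page (it is not CiviCRM's code and was not part of the original bug): a confirmation page that interpolates the email field verbatim, a signature filter of the kind comment 1 relies on, the entity-encoding fix the report recommends, and a strict address validator of the sort comment 6 mentions as defence in depth. Only the first payload comes from the report; the `<iframe>` and `<meta refresh>` strings, the host `attacker.example`, the template text and the regular expressions are assumptions made for the example.

```python
import html
import re

# Constructed inputs. REPORT_PAYLOAD is the reporter's own probe; the rest are
# illustrative payloads written for this example (attacker.example is a
# placeholder host, not a site named in the bug).
REPORT_PAYLOAD = "test<hr>ing<hr>@mozilla.com"
SCRIPT_PAYLOAD = "<script>a</script>a@b.com"
IFRAME_PAYLOAD = '<iframe src="https://attacker.example/">a@b.com'
META_PAYLOAD = '<meta http-equiv="refresh" content="0;url=https://attacker.example/">a@b.com'
BENIGN_EMAIL = "donor@example.org"

# Hypothetical confirmation-page template (not CiviCRM's markup).
TEMPLATE = "<p>We will send a receipt to {email}</p>"


def render_vulnerable(email: str) -> str:
    """Confirmation page as the bug describes it: the field is interpolated
    verbatim, so any markup it contains becomes part of the page."""
    return TEMPLATE.format(email=email)


def blacklist_accepts(email: str) -> bool:
    """Signature filter of the kind comment 1 relies on: it rejects <script>
    and nothing else. Hypothetical; not CiviCRM's actual rule."""
    return "<script" not in email.lower()


def render_encoded(email: str) -> str:
    """The remediation the report asks for: HTML-entity encode at the point of
    output. '<', '>', '&', '"' and "'" are all replaced, so the browser shows
    the text and never parses it as tags or attributes."""
    return TEMPLATE.format(email=html.escape(email, quote=True))


# Defence in depth, in the spirit of comment 6's "additional validation rule":
# accept only strings that look like an address before rendering anything.
# Deliberately conservative; an assumption, not CiviCRM's validator.
_EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)


def is_valid_email(email: str) -> bool:
    return _EMAIL_RE.fullmatch(email) is not None


def injected_tags(page: str) -> list[str]:
    """Tag names in the rendered page that the template itself does not emit.
    A non-empty list means user input reached the HTML parser as markup."""
    tag_re = r"</?([a-zA-Z]+)"
    template_tags = {t.lower() for t in re.findall(tag_re, TEMPLATE)}
    return [t for t in re.findall(tag_re, page) if t.lower() not in template_tags]


def assess(email: str) -> dict:
    """Summarise how each defence treats one input."""
    return {
        "blacklist_accepts": blacklist_accepts(email),
        "validator_accepts": is_valid_email(email),
        "tags_without_encoding": injected_tags(render_vulnerable(email)),
        "tags_with_encoding": injected_tags(render_encoded(email)),
    }


if __name__ == "__main__":
    for payload in (BENIGN_EMAIL, REPORT_PAYLOAD, SCRIPT_PAYLOAD, IFRAME_PAYLOAD, META_PAYLOAD):
        print(payload, assess(payload), sep="\n  ")
```

Running `assess` over the payloads shows the shape of the argument in comment 2: the `<script>` probe is the only one the blacklist stops, while `<hr>`, `<iframe>` and `<meta>` all pass it and all land in the page as live markup; after entity encoding none of them does, whatever the input, and the validator would additionally have refused every one of the four probes before rendering.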
Updated • 14 years ago
Whiteboard: donation, drumbeat → donation, drumbeat civicrm
Updated • 14 years ago
Whiteboard: donation, drumbeat civicrm → donation, drumbeat, civicrm
Comment 3 • 14 years ago
This will involve patching CiviCRM or finding an issue in their queue. I'll take a look soon.
Comment 4 • 14 years ago
My understanding is that you are using CiviCRM 2.2.7 (?), which is really quite old. My suggestion would be to see if a fix was implemented in a newer version ... or bring up the issue on irc.freenode.net#civicrm or forum.civicrm.org. The developers are super responsive. That said, they'll most likely tell you to upgrade. If you want to see whether this issues exists on the latest version, try it on the demo site: http://drupal.demo.civicrm.org/
Comment 5 • 14 years ago
I'm unable to reproduce this problem on Trellon's server. I now get an error saying "Please correct the following errors in the form fields below: * Please enter valid email address.". If this is fixed, could someone confirm and then update the bug's status?
Comment 6 • 14 years ago
This issue has been fixed by adding an additional validation rule for the contribution form. Also, filtering is now applied to the displayed address.
Comment 7 • 14 years ago (Reporter)
I've verified that the email address issue has been fixed within http://donate.trellon.org. Moving issue to resolved: fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago (Reporter)
Whiteboard: donation, drumbeat, civicrm → donation, drumbeat, civicrm, [infrasec:xss]
Updated • 14 years ago (Reporter)
Whiteboard: donation, drumbeat, civicrm, [infrasec:xss] → [donation] [drumbeat] [civicrm] [infrasec:xss]
Updated • 12 years ago
Group: websites-security
Comment 8 • 11 years ago
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Keywords: wsec-xss
Updated • 9 years ago (Assignee)
Product: Websites → Websites Graveyard