Reflected XSS due to lack of Output Encoding

RESOLVED FIXED

Status

Websites Graveyard
www.drumbeat.org
--
critical
RESOLVED FIXED
8 years ago
3 years ago

People

(Reporter: mcoates, Unassigned)

Tracking

({drupal-module, helpwanted, wsec-xss})

Details

(Whiteboard: [donation] [drumbeat] [civicrm] [infrasec:xss])

Issue

Data accepted from the email address is displayed on the confirmation page without proper output encoding. As a result, an attacker could construct a malicious cross site scripting attack and leverage the email address field to attack a user.

Steps to Reproduce:
1. Browse to http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1
2. Enter any donation amount
3. Enter the following for the email address:
test<hr>ing<hr>@mozilla.com
4. Press submit
5. Observe the confirmation page has rendered the <hr> and two lines are displayed.
An attacker could insert a more advanced attack (such as a meta refresh) to either redirect the attacker or execute an XSS attack.

Recommended Remediation
Use HTML entity output encoding when displaying the email address on the confirmations page to safely display any characters entered by the user.
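As an added illustration of the remediation above (not code from this bug or from CiviCRM, whose actual fix is not shown on this page), the following Python snippet contrasts a naive blacklist check of the kind comment 1 relies on with HTML entity output encoding, and adds a strict email-syntax check as a second layer. The `BLACKLIST` pattern, the template strings and the `is_plausible_email` regex are assumptions constructed for this example; the sample inputs are the ones quoted in the report and the follow-up comment.

```python
import html
import re

# Constructed sample inputs: the first is from the report, the second from
# comment 1, the third is the <iframe> case mentioned in the reply.
SAMPLE_EMAILS = [
    "test<hr>ing<hr>@mozilla.com",
    "<script>a</script>a@b.com",
    '<iframe src="http://example.invalid/"></iframe>@b.com',
]

# Hypothetical detection-style check: rejects only a known-bad pattern.
# This is the approach comment 1 describes, not CiviCRM's real rule.
BLACKLIST = re.compile(r"<\s*script", re.IGNORECASE)

# Conservative address syntax: letters, digits and a few punctuation marks
# only, so any '<' or '>' is rejected before it reaches the template.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Matches any HTML tag in rendered output (used only to inspect results).
TAG_RE = re.compile(r"<[a-zA-Z/][^>]*>")


def blacklist_allows(value: str) -> bool:
    """True if the naive blacklist would let this value through."""
    return BLACKLIST.search(value) is None


def is_plausible_email(value: str) -> bool:
    """Input validation: accept only addresses that match the strict syntax."""
    return EMAIL_RE.match(value) is not None


def render_confirmation_vulnerable(email: str) -> str:
    """'Before': raw input is concatenated straight into the page markup."""
    return f"<p>Your email: {email}</p>"


def render_confirmation_encoded(email: str) -> str:
    """'After': entity-encode the value so any markup in it is shown as text."""
    return f"<p>Your email: {html.escape(email, quote=True)}</p>"


def contains_user_tags(rendered: str) -> bool:
    """True if the output carries tags beyond the template's own <p>...</p>."""
    return len(TAG_RE.findall(rendered)) > 2


def evaluate(email: str) -> dict:
    """Summarise how each defence treats one input."""
    return {
        "blacklist_allows": blacklist_allows(email),
        "passes_validation": is_plausible_email(email),
        "vulnerable_injects_tags": contains_user_tags(
            render_confirmation_vulnerable(email)
        ),
        "encoded_injects_tags": contains_user_tags(
            render_confirmation_encoded(email)
        ),
    }


if __name__ == "__main__":
    for sample in SAMPLE_EMAILS:
        print(sample, evaluate(sample))
```

Running it shows the blacklist lets the `<hr>` and `<iframe>` inputs through while the `<script>` one is caught, whereas the encoded template renders none of them as tags; the syntax check rejects all three before rendering, which is the defence-in-depth comment 6 describes.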

Comment 1

8 years ago
I think this is a false alarm.

Try inputting:
<script>a</script>a@b.com

This is flagged as a potential scripting attack.
There are a variety of *ways of inserting an XSS attack. Although the example you provided is caught, the fact that any HTML can be entered and rendered within the response indicates a problem.

For example, the <hr> tags are rendered. It's also possible to insert an <iframe> tag. Instead of trying to detect all possible malicious inputs, it's best to use output encoding to render any HTML inert upon display.

*http://ha.ckers.org/xss.html

Updated

8 years ago
Keywords: drupal-module, helpwanted, privacy
Whiteboard: donation, drumbeat → donation, drumbeat civicrm

Updated

8 years ago
Whiteboard: donation, drumbeat civicrm → donation, drumbeat, civicrm
Keywords: privacy

Comment 3

8 years ago
This will involve patching CiviCRM or finding an issue in their queue. I'll take a look soon.

Comment 4

8 years ago
My understanding is that you are using CiviCRM 2.2.7 (?), which is really quite old. My suggestion would be to see if a fix was implemented in a newer version ... or bring up the issue on irc.freenode.net#civicrm or forum.civicrm.org. The developers are super responsive. That said, they'll most likely tell you to upgrade. If you want to see whether this issue exists on the latest version, try it on the demo site:

http://drupal.demo.civicrm.org/
I'm unable to reproduce this problem on Trellon's server. I now get an error saying "Please correct the following errors in the form fields below: * Please enter valid email address.". If this is fixed, could someone confirm and then update the bug's status?

Comment 6

8 years ago
This issue has been fixed by adding an additional validation rule for the contribution form. Also, filtering is now applied to the displayed address.
I've verified that the email address issue has been fixed within http://donate.trellon.org.  Moving issue to resolved: fixed.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: donation, drumbeat, civicrm → donation, drumbeat, civicrm, [infrasec:xss]
Whiteboard: donation, drumbeat, civicrm, [infrasec:xss] → [donation] [drumbeat] [civicrm] [infrasec:xss]
Group: websites-security
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
(Assignee)

Updated

3 years ago
Product: Websites → Websites Graveyard