Closed Bug 560696 Opened 14 years ago Closed 14 years ago

Reflected XSS due to lack of Output Encoding

Categories

(Websites Graveyard :: drumbeat.org, defect)

defect
Not set
critical

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Keywords: drupal-module, helpwanted, wsec-xss, Whiteboard: [donation] [drumbeat] [civicrm] [infrasec:xss])

Issue

Data accepted from the email address is displayed on the confirmation page without proper output encoding. As a result, an attacker could construct a malicious cross site scripting attack and leverage the email address field to attack a user.

Steps to Reproduce:
1. Browse to http://donate.trellon.org/dbl/civicrm/contribute/transact?reset=1&id=1&reset=1&id=1
2. Enter any donation amount
3. Enter the following for the email address:
test<hr>ing<hr>@mozilla.com
4. Press submit
5. Observe the confirmation page has rendered the <hr> and two lines are displayed.
An attacker could insert a more advanced attack (such as a meta refresh) to either redirect the attacker or execute an XSS attack.

Recommended Remediation
Use HTML entity output encoding when displaying the email address on the confirmations page to safely display any characters entered by the user.
I think this is a false alarm.

Try inputting:
<script>a</script>a@b.com

This is flagged as a potential scripting attack.
There are a variety of *ways of inserting an XSS attack. Although the example you provided is caught, the fact that any HTML can be entered and rendered within the response indicates a problem.

For example, the <hr> tags are rendered. It's also possible to insert an <iframe> tag. Instead of trying to detect all possible malicious inputs, it's best to use output encoding to render any HTML inert upon display.

*http://ha.ckers.org/xss.html
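To make the blocklist-versus-encoding point concrete, here is an added illustration that is not part of the bug thread and not CiviCRM's code (CiviCRM is PHP; Python is used here only so the behaviour can be checked stand-alone). It contrasts a narrow `<script>` blocklist with HTML-entity output encoding on constructed email inputs, the first of which mirrors the reporter's test string, and adds the kind of strict email validation the eventual fix describes as a second layer. The template text, tag counting and the `is_valid_email` pattern are assumptions for the demo, not the site's actual markup or rules.

```python
import html
import re

# Constructed sample inputs (not taken from the live site); "hr" is the
# reporter's reproduction string, the others are the kinds of payloads
# the follow-up comment says a blocklist would let through.
SAMPLES = {
    "script": "<script>a</script>a@b.com",
    "hr": "test<hr>ing<hr>@mozilla.com",
    "iframe": 'x<iframe src="https://attacker.example/">@mozilla.com',
    "meta": '<meta http-equiv="refresh" content="0;url=https://attacker.example/">@mozilla.com',
    "clean": "donor@example.org",
}

# Assumed behaviour of the original check: reject only a <script> opener.
SCRIPT_BLOCKLIST = re.compile(r"<\s*script\b", re.IGNORECASE)

# Assumed confirmation-page template (hypothetical markup for the demo).
TEMPLATE = "<p>We will send a receipt to <strong>{value}</strong>.</p>"
TEMPLATE_TAG_COUNT = 4  # <p>, <strong>, </strong>, </p>
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")

# Deliberately strict: letters, digits and a few punctuation characters only,
# so any angle bracket or quote fails validation before rendering.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def passes_blocklist(email: str) -> bool:
    """Return True when the vulnerable blocklist would accept the input."""
    return SCRIPT_BLOCKLIST.search(email) is None


def render_confirmation(email: str, encode: bool) -> str:
    """Build the confirmation markup; encode=False reproduces the bug."""
    value = html.escape(email, quote=True) if encode else email
    return TEMPLATE.format(value=value)


def injected_tags(markup: str) -> int:
    """Count tags a browser would parse beyond the template's own four."""
    return len(TAG_RE.findall(markup)) - TEMPLATE_TAG_COUNT


def is_valid_email(email: str) -> bool:
    """Defence in depth: reject anything that is not a plain address."""
    return EMAIL_RE.fullmatch(email) is not None


def assess(email: str) -> dict:
    """Summarise how each layer treats one input."""
    return {
        "blocklist_accepts": passes_blocklist(email),
        "tags_without_encoding": injected_tags(render_confirmation(email, encode=False)),
        "tags_with_encoding": injected_tags(render_confirmation(email, encode=True)),
        "strict_validation_accepts": is_valid_email(email),
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:7} {assess(sample)}")
```

Running it shows the blocklist rejecting only the `<script>` sample while the `<hr>`, `<iframe>` and `<meta>` inputs each land in the page as live tags; with `html.escape` applied at output time every sample renders zero injected tags, and the strict validator additionally refuses all four malformed addresses before they reach the template.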
Whiteboard: donation, drumbeat → donation, drumbeat civicrm
Whiteboard: donation, drumbeat civicrm → donation, drumbeat, civicrm
Keywords: privacy
This will involve patching CiviCRM or finding an issue in their queue. I'll take a look soon.
My understanding is that you are using CiviCRM 2.2.7 (?), which is really quite old.  My suggestion would be to see if a fix was implemented in a newer version ... or bring up the issue on irc.freenode.net#civicrm or forum.civicrm.org.  The developers are super responsive.  That said, they'll most likely tell you to upgrade.  If you want to see whether this issues exists on the latest version, try it on the demo site:

http://drupal.demo.civicrm.org/
I'm unable to reproduce this problem on Trellon's server. I now get an error saying "Please correct the following errors in the form fields below: * Please enter valid email address.". If this is fixed, could someone confirm and then update the bug's status?
This issue has been fixed by adding additional validation rule for contribution form. Also filtering is now applied to displayed address.
I've verified that the email address issue has been fixed within http://donate.trellon.org.  Moving issue to resolved: fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: donation, drumbeat, civicrm → donation, drumbeat, civicrm, [infrasec:xss]
Whiteboard: donation, drumbeat, civicrm, [infrasec:xss] → [donation] [drumbeat] [civicrm] [infrasec:xss]
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Product: Websites → Websites Graveyard