Author Topic: Web Application Cross Site Scripting, Found scanalert help  (Read 8525 times)


tegralens

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #44 on: January 27, 2009, 04:55:02 PM »
I read on CRE's forum that someone suggested trying the following addition:
Code: [Select]
# Rewrite Rules for antiXSS
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Comments?
This did not work.

tegralens

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #43 on: January 27, 2009, 04:54:41 PM »
Up for discussion is the following mod_security rule for 2.x

Code: [Select]
# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"

Should I add this line to the .htaccess?

David M. Graham

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #42 on: October 29, 2008, 08:12:44 AM »
The use of mod_rewrite and mod_security can be of great help, especially as interim responses for code which requires patch application. 

The trouble with depending on this type of thing to begin with is that not all hosts make these features available, or know how to use them effectively when they do.

David

inetbiz

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #41 on: October 26, 2008, 04:44:56 PM »
Up for discussion is the following mod_security rule for 2.x

Code: [Select]
# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:\b(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|type\b\W*?\b(?:text\b(?:\W*?\b(?:j(?:ava)?|ecma)script\b| [vbscript])|application\b\W*?\bx-(?:java|vb)script\b)|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)\b|a(?:ctivexobject\b|lert\b\W*?\())|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\\btype\b\W*?\bimage)\b|!\[CDATA\[|script|meta)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)" \
        "capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"

inetbiz

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #40 on: October 26, 2008, 04:41:03 PM »
Try this .htaccess file. Then, run your site through YSlow.
I read on CRE's forum that someone suggested trying the following addition:
Code: [Select]
# Rewrite Rules for antiXSS
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Comments?
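To see what the rules above do and do not cover, here is an added Python model of the posted RewriteCond chain (example code written for this thread, not from the forum or from CRE Loaded); the condition labels and the sample requests are constructed for illustration.

```python
import re

# The posted RewriteCond patterns as Python regexes.  mod_rewrite matches
# %{QUERY_STRING} as it arrived (still percent-encoded), which is why the
# patterns allow for %3C/%3E themselves.  [NC] means case-insensitive; the
# conditions posted without [NC] are case-sensitive.
ANTI_XSS_CONDITIONS = [
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),
    ("script tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("iframe tag", re.compile(r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]

def matched_condition(query_string):
    """Label of the first RewriteCond that fires, or None.

    The conditions are chained with [OR], so one match is enough for the
    RewriteRule's [F] flag to answer the request with 403 Forbidden.
    """
    for label, pattern in ANTI_XSS_CONDITIONS:
        if pattern.search(query_string):
            return label
    return None

def would_block(method, query_string, body=""):
    """Model the whole posted .htaccess block for one request.

    The TRACE/TRACK rule rejects on the method alone.  The anti-XSS rules
    read only %{QUERY_STRING}: a POST body (or request header) is never
    inspected by them, which is one reason a scanner can keep reporting XSS
    on form fields after the rules are installed.
    """
    if re.match(r"^(TRACE|TRACK)", method):
        return True
    return matched_condition(query_string) is not None

if __name__ == "__main__":
    # Constructed sample requests for illustration, not traffic from the thread.
    samples = [
        ("GET", "products_id=8", ""),
        ("GET", "products_id=%3Cscript%3Etest%3C/script%3E", ""),
        ("GET", "q=<SCRIPT>test</SCRIPT>", ""),
        ("POST", "", "comments=%3Cscript%3Etest%3C/script%3E"),
        ("TRACE", "", ""),
    ]
    for method, qs, body in samples:
        verdict = "403" if would_block(method, qs, body) else "passes"
        print(method, qs or body or "(empty)", "->", verdict)
```

The POST sample passes untouched because no RewriteCond in the block reads the request body; the rules are a query-string filter only.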

David M. Graham

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #39 on: October 08, 2008, 11:00:04 PM »
At this point, that works.  Many of these changes need to be made when we migrate from a PHP 5 tolerant MS 2 base to a PHP 5 compliant and optimized osCommerce 3.0 base.

Much of the work in Eos is targeted towards combining functionality and cutting some things down to make migration issues at that point easier to manage.

Not that there aren't some other issues involved there as well.

David

tegralens

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #38 on: October 07, 2008, 05:13:01 PM »
Most of this seems complicated. I think I will have to try to live with it the way it is. Not even sure what to do anymore.

DevilsOwn

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #37 on: October 06, 2008, 10:16:35 AM »
There is more to making your files work after that. That is the first step in making your files edit-global compatible, btw.

tegralens

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #36 on: October 06, 2008, 08:14:07 AM »
How about I do a search in all the files and change
$HTTP_GET_VARS to $_GET
and $HTTP_POST_VARS to $_POST
and $HTTP_SESSION_VARS to $_SESSION

I might be able to do a mass change, not sure, but I think...
Would THAT SOLVE MY PROBLEM? Or is there more?

zip1

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #35 on: October 05, 2008, 08:25:31 AM »
That method sort of works, but it takes more than that to properly handle changes from $HTTP_POST_VARS to $_POST and dealing.

This is the data that can be held in a post array on a system set to register_globals off:
   [_POST] => Array
        (
            [gv_redeem_code] =>
            [payment] => cc_cvc
            [credit_card_type] => Visa
            [cc_owner] => Test Test
            [cc_number] => 4111111111111111
            [cc_expires_month] => 12
            [cc_expires_year] => 08
            [cc_ccv] => 123
            [comments] =>
            [submit_redeem_x] =>
        )

    [HTTP_POST_VARS] => Array
        (
            [gv_redeem_code] =>
            [payment] => cc_cvc
            [credit_card_type] => Visa
            [cc_owner] => Test Test
            [cc_number] => 4111111111111111
            [cc_expires_month] => 12
            [cc_expires_year] => 08
            [cc_ccv] => 123
            [comments] =>
        )

You will notice that [submit_redeem_x] => is missing from the HTTP_POST_VARS space, so you just can't grab the $HTTP_POST_VARS variable and assume it will be put into $_POST when register_globals is off. This is especially true when dealing with data generated via a PHP class, and in OSC and CRE Loaded all payment, shipping, and order_total modules are actually PHP classes.

So you actually need to change all $HTTP_POST_VARS to $_POST. But on PHP 5 this causes more problems, which require more code changes to fix.

One thing to remember: OSC was written back around 2000 with PHP 3. What was an accepted standard then is not today, because people have dreamed up and designed more exploits than there were then.

David M. Graham

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #34 on: October 04, 2008, 10:29:36 PM »
Much as I applaud Robert's initiative and generosity in sharing this, I just don't see it as a substitute for a more general application of solid security programming habits at every possible point.

Robert (FWR Media) himself warns that this can break features. That's not an insignificant concern, and it grows larger with the number of contributions installed, which on CRE Loaded is a LOT. If you decide to proceed, I'd sure like to know how it goes.

I'd prefer to see some solid TEAM programming backed up with code sniffers and a more detailed set of standards - but there certainly is a need to move the security of the cart forward towards the 21st century....

David

tegralens

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #33 on: October 04, 2008, 07:46:07 PM »
I was thinking of installing this contrib located at osCommerce here: http://addons.oscommerce.com/info/5752 What do you guys think about it?

zip1

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #32 on: October 04, 2008, 04:12:39 AM »
Q: Where do I go to make these changes and see if they work?
I know very little of PHP, please be patient with me.


A: They are all over the place. The biggest problem I have seen is with $HTTP_GET_VARS and $_GET and $_SESSION. $HTTP_GET_VARS and $_GET are used to get the data from the form and the PHP URL encoding. The PHP URL encoding is: http://127.0.0.1/aloaded_temp/product_info.php?products_id=8 In the code you would see something like

$product_id = $HTTP_GET_VARS['products_id'];
This takes whatever was after products_id= up to the next & symbol or to the end of the line. If this link happens to be on another site and sends the person to your site, the original site can add some JavaScript that can run and get information from your site, like raw database information, like your customer data.

Because we did not typecast or filter the input, we can put about anything we want after products_id=. This includes JavaScript.

By changing this line to $product_id = (int)$HTTP_GET_VARS['products_id'];

we have changed the GET to be an integer only, so there will be no text allowed. We used (int) because we know a product id is always an integer on this page. If we don't allow text, the script won't be in any form that makes sense and can run.

I would also like to add that in CRE Loaded this was not done intentionally; the programmer was more aware of the fact that they needed to fix a problem, or the original code was done by someone who was a new programmer that did not understand that they needed to filter or typecast all GET, POST, and session data they get and use.

Q: How do you find this stuff?
A: To tell the truth, it is not always easy to find these problems; you have to do an audit of all the code and look at every code file to see if this problem exists. You look for such things as:

$product_id = $HTTP_GET_VARS['products_id'];
$affiliate_id = $_SESSION['affiliate_id'];

$breadcrumb->add(NAVBAR_TITLE_DEFAULT, tep_href_link(FILENAME_ARTICLES, 'CDpath=' . $_SESSION['CDpath']) );
should be:
$breadcrumb->add(NAVBAR_TITLE_DEFAULT, tep_href_link(FILENAME_ARTICLES, 'CDpath=' . tep_db_prepare_input($_SESSION['CDpath'])) );

This is done this way because CDpath is not an integer, so we need to filter and change some characters that will break the script. The function tep_db_prepare_input does this by changing the < > and + characters.

So for the person who is not a programmer, you end up having to rely on those who are to do an audit. Most likely CRE won't do much with 6.2 since for them it's at its end of life and they want people to upgrade to 6.3.

Q: Is anyone else doing an audit for cross site scripting?

A: Yes, an audit has been started. It has taken about 15 hours to check the files in the root directory alone, but there is still a ways to go, so there is not yet a projected completion time.


inetbiz

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #31 on: October 03, 2008, 07:36:26 PM »
You can decompile trace and stack from the Apache compiled install. The rewrite rule works well and should not bog down the server at all so long as you are not under attack. More advanced firewall rules could be written in such a case. The reference to the rewrite is on page 2.

David M. Graham

Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #30 on: October 02, 2008, 10:19:42 PM »
This problem exists in the base CRE Loaded code, not in Chemo's SEO URLs.

The issue appears to be a vulnerability but is not. Though the protection is thin.