Author Topic: Web Application Cross Site Scripting, Found scanalert help  (Read 8601 times)


HoosierWeb (Web Designers, Newbie; Posts: 7, Karma: 1)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #14 on: September 17, 2008, 04:18:23 PM »
You will find yourself arguing until you just give up with a lot of the scan sites. We have used many more powerful scanners and have never seen this come up.
Jason Miller
Hoosier Web
Hosting - CRE Loaded Support - eCommerce http://www.hoosierwebdesigners.com

David M. Graham (Administrator, Sr. Member; Posts: 380, Karma: 12)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #13 on: September 17, 2008, 12:20:41 PM »
Yslow is a Firefox add-on from Yahoo: http://developer.yahoo.com/yslow/

David

tegralens (Newbie; Posts: 37, Karma: 0)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #12 on: September 16, 2008, 05:12:42 PM »
> Try this .htaccess file. Then, run your site through Yslow

What do you mean by Yslow? I don't know what that is.

inetbiz (eCommerce Strategy Consultant, Administrator, Full Member; Posts: 133, Karma: 22)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #11 on: September 16, 2008, 02:03:48 PM »
> They can't enable it on their server, but said that I can add this to the .htaccess in the root.
>
> But putting this:
>
> RewriteEngine on
> RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
> RewriteRule .* - [F]

Try this .htaccess file. Then, run your site through Yslow.

tegralens (Newbie; Posts: 37, Karma: 0)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #10 on: September 15, 2008, 10:41:55 PM »
> I'm wondering if this may not be a false positive, but we are going to have to do some testing to find out - likely with AND without Ultimate SEO URLs.
>
> David

How do we test this? But I don't think it's a false positive, because ScanAlert says it's not; I tried false positive. So what do we do?
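One way to answer "How do we test this?" is to request the exact path the report lists and look at how the probe comes back in the HTML. The script below is an added example written for this thread, not ScanAlert's tool and not the cart's code: it classifies a response body as echoing the probe raw (the finding is real), entity-encoded (harmless in text context), not at all, or in some altered form. The response bodies in SAMPLES are constructed here to show each outcome; only fetch_and_classify() talks to a server, and you run that against your own site.

```python
"""Decide whether the ScanAlert XSS finding is real from how the probe is echoed.

Added example for this thread: not the scanner's code and not the cart's.
It assumes only what the report shows (the probe string and the request
path). The SAMPLES bodies are constructed to show each outcome; nothing is
fetched unless you call fetch_and_classify() against your own site.
"""
import html
import urllib.parse
import urllib.request

PROBE = '>"><script>alert(123)</script><"'      # payload exactly as the report shows it
MARKER = "alert(123)"                             # the part that survives any encoding
RAW_TAG = f"<script>{MARKER}</script>"
ESCAPED_TAG = html.escape(RAW_TAG, quote=False)   # &lt;script&gt;alert(123)&lt;/script&gt;


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """How does the page echo the probe?

    'raw'     - the probe, or at least its <script> element, is present
                unchanged: the finding is real.
    'encoded' - the marker is there but '<' and '>' became entities (what
                htmlspecialchars() does): harmless in HTML text context.
    'absent'  - nothing of the probe came back on this page.
    'other'   - reflected in some altered form; inspect by hand.
    """
    if MARKER not in body:
        return "absent"
    if probe in body or RAW_TAG in body:
        return "raw"
    if ESCAPED_TAG in body:
        return "encoded"
    return "other"


def probe_url(host: str, report_path: str, scheme: str = "http") -> str:
    """Turn a 'Path' line from the report into a request URL.

    The report prints the path decoded; percent-encode everything but '/'
    so the server receives the same bytes the scanner sent.
    """
    return f"{scheme}://{host}" + urllib.parse.quote(report_path, safe="/")


def fetch_and_classify(url: str, timeout: float = 10.0) -> str:
    """Network call: request the probe URL and classify the response.
    Use it only against a site you own or are authorised to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "iso-8859-1"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body)


# Constructed response bodies (not captured from the site), one per outcome.
SAMPLES = {
    "raw": "<title>" + PROBE + " Certificates</title>",
    "encoded": "<title>" + html.escape(PROBE, quote=True) + " Certificates</title>",
    "absent": "<title>Gift Certificates</title>",
    "other": '<title>>"alert(123)"</title>',   # tags stripped, marker left behind
}


if __name__ == "__main__":
    print(probe_url("www.domain.com",
                    '/store/>"><script>alert(123)</script><"-certificate-c-26.html'))
    for expected, body in SAMPLES.items():
        print(f"{expected:8s} -> {classify_reflection(body)}")
```

Run it once against a category page with the probe in the slug and once against the same page with the text part of the URL unchanged; a 'raw' result on the first request is the scanner's finding reproduced, and an 'encoded' result after a fix is what you want to see before re-running the scan.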

David M. Graham (Administrator, Sr. Member; Posts: 380, Karma: 12)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #9 on: September 15, 2008, 03:44:09 PM »
I'm wondering if this may not be a false positive, but we are going to have to do some testing to find out - likely with AND without Ultimate SEO URLs.



David

tegralens (Newbie; Posts: 37, Karma: 0)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #8 on: September 15, 2008, 03:11:54 PM »
> Does your host supply a mod_security installation? I can link you to a mailing group that will assist you in creating a rule which will disallow <script> tags in the URL

They can't enable it on their server, but said that I can add this to the .htaccess in the root.

But putting this:

# Refuse TRACE and TRACK requests with 403 Forbidden
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

tegralens (Newbie; Posts: 37, Karma: 0)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #7 on: September 15, 2008, 03:10:24 PM »
> Is this site equipped with Chemo's SEO URLs?
>
> David

Yes

inetbiz (eCommerce Strategy Consultant, Administrator, Full Member; Posts: 133, Karma: 22)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #6 on: September 15, 2008, 10:19:32 AM »
Does your host supply a mod_security installation? I can link you to a mailing group that will assist you in creating a rule which will disallow <script> tags in the URL.
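Two server-side rules come up in this thread: the mod_security idea above (disallow <script> tags in the URL) and the .htaccess rewrite that returns 403 for TRACE and TRACK (Reply #8, repeated in Reply #11). The Python below is an added illustration, not a test of Apache or mod_security themselves: each function applies the textual check a rule expresses to the request line, so you can see which of the scanner's requests it would touch. Apache's own decoding and matching order are not modelled, the request list is built from the report's Path lines, and the variants are constructed forms of the same probe.

```python
"""What the two server-side rules proposed in the thread touch, and what they miss.

Added illustration (not part of the thread, not Apache or mod_security
behaviour itself): each function applies the textual check a rule expresses
to a request line. SCAN_REQUESTS come from the report's Path lines; VARIANTS
are constructed forms of the same probe.
"""
import re
import urllib.parse

# RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)   (the .htaccess rule from the thread)
METHOD_RULE = re.compile(r"^(TRACE|TRACK)")


def blocked_by_method_rule(method: str) -> bool:
    """True when the TRACE/TRACK rule would answer 403 for this method."""
    return METHOD_RULE.match(method) is not None


def blocked_by_literal_script_filter(raw_path: str) -> bool:
    """A rule that 'disallows <script> tags in the URL', taken literally."""
    return "<script>" in raw_path


def blocked_after_normalising(raw_path: str) -> bool:
    """The same filter after percent-decoding and case-folding: the minimum
    a URL filter needs, and still only aware of one tag name."""
    return "<script" in urllib.parse.unquote(raw_path).lower()


# Two of the requests from the scan report (every request in it is a GET).
SCAN_REQUESTS = [
    ("GET", '/store/>"><script>alert(123)</script><"-certificate-c-26.html'),
    ("GET", '/store/gift->"><script>alert(123)</script><"-c-26.html'),
]

# Constructed variants of the same probe; a browser sends the first form by itself.
VARIANTS = [
    ("GET", "/store/%3Cscript%3Ealert(123)%3C/script%3E-c-26.html"),  # percent-encoded
    ("GET", "/store/<ScRiPt>alert(123)</ScRiPt>-c-26.html"),          # mixed case
    ("GET", "/store/<img src=x onerror=alert(123)>-c-26.html"),       # no <script> at all
]


def evaluate(requests):
    """Return, per request, which of the three checks would block it."""
    return [
        {
            "method": method,
            "path": path,
            "trace_rule": blocked_by_method_rule(method),
            "literal_script": blocked_by_literal_script_filter(path),
            "normalised_script": blocked_after_normalising(path),
        }
        for method, path in requests
    ]


if __name__ == "__main__":
    for row in evaluate(SCAN_REQUESTS + VARIANTS):
        print(row)
```

Reading the output: the TRACE/TRACK rule blocks none of the report's requests, because they are all GET (that rule addresses the TRACE method, a separate finding). The literal <script> filter blocks exactly the scanner's payload, so the scan goes quiet, and none of the variants; decoding and case-folding pick up two more but not the onerror form. A URL filter can hide the finding from this scanner; the reflection itself is only closed by encoding the value where the page echoes it.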

David M. Graham (Administrator, Sr. Member; Posts: 380, Karma: 12)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #5 on: September 15, 2008, 09:49:34 AM »
Is this site equipped with Chemo's SEO URLs?

David

tegralens (Newbie; Posts: 37, Karma: 0)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #4 on: September 14, 2008, 07:58:16 PM »
> View the attachment and post the results of the detail view.

Here it is. But the problem might be somewhere in the categories, because all the ones that are shown are from the categories. I hope this is what you mean. The only thing I did not put was the page source.

Vulnerability Detail
Device: www.domain.com
Vulnerability: Web Application Cross Site Scripting
Port: 80/tcp
Scan Date: 14-SEP-2008 04:19

URL 1 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-certificate-c-26.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug
Response: HTTP/1.1 200 OK
  Date: Sun, 14 Sep 2008 09:20:41 GMT
  Server: Apache
  X-Powered-By: PHP/5.2.6
  Transfer-Encoding: chunked
  Content-Type: text/html

URL 2 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/gift->"><script>alert(123)</script><"-c-26.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 3 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-c-2.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 4 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-c-1.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 5 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-various-c-22.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 6 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/groups->"><script>alert(123)</script><"-c-22.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 7 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-c-21.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 8 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-c-21.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 9 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-c-29.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug

URL 10 (Protocol: http, Port: 80, Read Timeout: 10000, Method: GET)
Path: /store/>"><script>alert(123)</script><"-c-24.html
Headers: Referer=http%3A%2F%2Fwww.domain.com%3A80%2Fstore%2F%3F%2522Xx%253CXaXaXXaXaX%253ExX%3Ddebug


inetbiz (eCommerce Strategy Consultant, Administrator, Full Member; Posts: 133, Karma: 22)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #3 on: September 13, 2008, 11:03:26 PM »
> I received this email from McAfee ScanAlert and do not know how to fix this. Can someone help me? Thanks

View the attachment and post the results of the detail view.

David M. Graham (Administrator, Sr. Member; Posts: 380, Karma: 12)
Re: Web Application Cross Site Scripting, Found scanalert help
« Reply #2 on: September 13, 2008, 04:33:26 PM »
It would help to know which, if any, URLs they gave as the location of the issue.

Looks like something which would be fixed with patch 13.2, which involved casting lPath to int in links.php and links_submit.php file in the cart root.

David

tegralens (Newbie; Posts: 37, Karma: 0)
Web Application Cross Site Scripting, Found scanalert help
« Reply #1 on: September 12, 2008, 04:37:32 PM »
I received this email from McAfee ScanAlert and do not know how to fix this. Can someone help me?

Web Application Cross Site Scripting
The remote web application appears to be vulnerable to cross-site scripting (XSS).

The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input.

The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.


When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.

Ensure that parameters and user input are sanitized by doing the following:
# Remove < input and replace with &lt;
# Remove > input and replace with &gt;
# Remove ' input and replace with &apos;
# Remove " input and replace with &#x22;
# Remove ) input and replace with &#x29;
# Remove ( input and replace with &#x28;

If you need more info let me know. I have posted this on creloaded but no one there is able to help. Thanks
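For the fix itself, the thread points at two measures: patch 13.2's cast of the category path to int (David's Reply #2) and the output encoding the ScanAlert notice lists. The Python below is an added illustration of both, written for this page; it is not the cart's PHP and not patch 13.2. It assumes the "/store/<slug>-c-<id>.html" SEO-URL shape seen in the report (ids joined with "_", cPath style, are allowed as an assumption), the CATEGORIES dictionary is a constructed stand-in for the database, and render_title_unsafe() shows the behaviour the scan report implies rather than quoting the cart's code.

```python
"""Two fixes for the reported reflection, illustrated in Python.

Added example, not osCommerce/CRE Loaded code and not patch 13.2 itself:
1. Take only the numeric category id from an SEO URL and look the name up
   server-side (what casting the path to int achieves); the text before
   "-c-" is never used for output.
2. HTML-encode anything echoed to the page, covering the characters the
   ScanAlert notice lists plus '&'.
Assumed: the "/store/<slug>-c-<id>.html" shape from the report; ids joined
with '_' are accepted as an assumption. CATEGORIES is constructed.
"""
import re
from typing import Optional

CATEGORIES = {26: "Gift Certificates", 22: "Groups", 2: "Various"}  # stand-in for the DB

SEO_PATH = re.compile(r"^/store/(?P<slug>.*)-c-(?P<ids>\d+(?:_\d+)*)\.html$")


def category_id_from_path(path: str) -> Optional[int]:
    """Return the (last) category id in the path, or None if the path does
    not fit the pattern. int() on a digits-only match cannot carry markup."""
    m = SEO_PATH.match(path)
    if m is None:
        return None
    return int(m.group("ids").split("_")[-1])


# Encodings the ScanAlert notice asks for; '&' added and handled first so the
# entities produced here are not themselves re-encoded.
ENCODE = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ("'", "&apos;"),
          ('"', "&#x22;"), (")", "&#x29;"), ("(", "&#x28;")]


def encode_for_html(text: str) -> str:
    """Entity-encode text for use in HTML text or quoted attribute content."""
    for ch, ent in ENCODE:
        text = text.replace(ch, ent)
    return text


def render_title_unsafe(path: str) -> str:
    """The behaviour the scan implies: the slug from the URL is echoed as-is."""
    m = SEO_PATH.match(path)
    return m.group("slug") if m else ""


def render_title_safe(path: str) -> str:
    """The name comes from the catalogue by id; whatever is echoed is encoded."""
    cid = category_id_from_path(path)
    if cid is None or cid not in CATEGORIES:
        return "Category not found"
    return encode_for_html(CATEGORIES[cid])


if __name__ == "__main__":
    probe = '/store/>"><script>alert(123)</script><"-certificate-c-26.html'
    print("unsafe:", render_title_unsafe(probe))
    print("safe:  ", render_title_safe(probe))
    print("encoded probe:", encode_for_html('>"><script>alert(123)</script><"'))
```

In PHP the equivalent of the two steps is (int) on the id taken from the path and htmlspecialchars() on every echoed value. One detail on the notice's list: &apos; is not defined in HTML 4.01, so &#x27; is the safer form for the single quote if the pages are served as HTML rather than XHTML.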