Cross-site Scripting Attack Security Issue: Sanitize Input

4 posts by 2 authors in: Forums > CMS Builder
Last Post: March 26, 2014

By clowden - March 24, 2014 - edited: March 24, 2014

A client of mine has reviewed multiples of theirs that I have done and came back with a few security concerns of theirs. One relating to a calendar and the other to a search. Both websites are on version 2.53.

The 'title_keyword=' parameter on the affected page does not properly sanitize input before returning it back into the client's browser, resulting in a non-persistent Cross-Site Scripting attack.

Change this website such that all input is validated and escaped before rendering it in an HTML page. To prevent this attack, transform HTML metacharacters (such as "<" and ">") into entities (such as "&lt;" and "&gt;").

There is also a calendar on their website that they are saying has some issues with the year parameter.

The 'year' URL parameter on the affected page does not properly sanitize input before returning it back into the client's browser, resulting in a non-persistent Cross-Site Scripting attack.

Change this website such that all input is validated and escaped before rendering it in an HTML page. To prevent this attack, transform HTML metacharacters (such as "<" and ">") into entities (such as "&lt;" and "&gt;").

Any help and/or direction is greatly appreciated and I can provide code for anyone that would need it.

Thank you.

By Damon - March 24, 2014

Hi clowden,

We take Cross-Site Scripting security very seriously here. We explicitly sanitize inputs in the CMS Builder admin panel, in code generated by the Code Generator for front end websites, and in code we post here on the forums for people to use in their front ends.

We'd like to check and make sure your client's not exposed. Can you provide us with more details on how to replicate these problems?

Please send in a Support Request with details:
https://www.interactivetools.com/support/email_support_form.php?priority=free&message=http://www.interactivetools.com/forum/forum-posts.php?Cross-site-Scripting-Attack-Security-Issue-Sanitize-Input-79388

Don't post any sensitive details in the forum.
Thanks!

Cheers,
Damon Edis - interactivetools.com

Hire me! Save time by getting our experts to help with your project.
http://www.interactivetools.com/consulting/

By Damon - March 26, 2014

Hi,

Thanks for sending in the site details.

Chris reviewed both and updated the code to be secure. I will email you directly with more details.

The main security issue for both was that you were accepting queries from the URL but not filtering them in any way.

When outputting variables that you are getting from the URL, add htmlspecialchars() to prevent someone from entering code and being able to execute it.

Cheers,
Damon Edis - interactivetools.com

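The pattern Damon describes, as an added example that is not the CMS Builder project's code nor the fix Chris applied: the raw echo of a URL parameter beside the escaped version, plus an integer check for the 'year' parameter since the scanner asked for input to be validated as well as escaped. The parameter names come from the thread; the page layout and the accepted year range are assumptions.

```php
<?php
// Added example, not CMS Builder's own code. Shows the fix for a front-end
// page that echoes the 'title_keyword' and 'year' URL parameters.

// Escape a string for safe insertion into HTML text or an attribute value.
function h($value)
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
    // instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For the calendar, validate 'year' as an integer in an assumed range rather
// than only escaping it; anything else falls back to the current year.
function validYear($raw, $default)
{
    $year = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1970, 'max_range' => 2100)));
    return ($year === false) ? $default : $year;
}

$keyword = isset($_GET['title_keyword']) ? $_GET['title_keyword'] : '';
$year    = validYear(isset($_GET['year']) ? $_GET['year'] : null, (int) date('Y'));

// BEFORE (the issue the scanner flagged): the parameter is echoed unchanged,
// so a value containing <script> tags reaches the browser as markup.
// echo "Results for: " . $_GET['title_keyword'];

// AFTER: every value that came from the URL is escaped at the point of output.
// $year is a validated integer, so it needs no escaping.
?>
<p>Results for: <?php echo h($keyword); ?></p>
<form method="get">
  <input type="text" name="title_keyword" value="<?php echo h($keyword); ?>">
  <input type="hidden" name="year" value="<?php echo $year; ?>">
</form>
<h2>Calendar for <?php echo $year; ?></h2>
```

Request the page with title_keyword set to a string containing angle brackets and quotes; the escaped version displays them literally and the form field round-trips the value intact.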