Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Page 1 of 2
Cross Site Scripting (XSS) Vulnerability - Magento v1.3.2.3? 
 
b*rock
Member
 
Total Posts:  33
Joined:  2009-01-05
 

Hi,

I just finished running a McAfee secure scan on my site (using a clean/default Magento v1.3.2.3 install), and I’m getting a cross site scripting (XSS) vulnerability. 

Is this a false positive, and if not, can someone suggest a fix?

Thanks.

 
 
Gabriel Tagliani
Jr. Member
 
Total Posts:  23
Joined:  2009-07-06
 

Can you post the name of the file?

 
 
Philip the Wright
Jr. Member
 
Total Posts:  4
Joined:  2009-01-14
 

I am having this issue as well and I duplicated it on the demo site.

If this code string is posted to /customer/account/createpost/ it will trigger the attached result. This is a live site so any help would be very much appreciated.

>"></title></iframe></script></form></td></tr><br><iFraMe+src=http://www.HackerSafe.com+width=900+height=1100></IfRamE>

All other fields get bogus information posted to them.

Image Attachments
magento1.jpg
 
 
Gabriel Tagliani
Jr. Member
 
Total Posts:  23
Joined:  2009-07-06
 

I can't get it to work with the same version.

Image Attachments
hack_try.png
 
 
Philip the Wright
Jr. Member
 
Total Posts:  4
Joined:  2009-01-14
 

Here is code that will trigger it. Make yourself a blank .html file, load it in a browser and submit it.

<FORM METHOD=POST ACTION="https://demo.magentocommerce.com/customer/account/createpost/">
<input type="hidden" name=email value='>"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.HackerSafe.com width=900 height=1100></IfRamE>'>
<INPUT TYPE=submit VALUE="submit" style=button>
</FORM>
 
 
Gabriel Tagliani
Jr. Member
 
Total Posts:  23
Joined:  2009-07-06
 

XSS confirmed

 
 
YoavKutner
Guru
 
Total Posts:  491
Joined:  2007-08-08
 

A patch will be released early next week.

thanks

yoav

 
 
canfone
Jr. Member
 
Total Posts:  3
Joined:  2008-10-01
 

I see that the status at http://www.magentocommerce.com/bug-tracking/issue?issue=7428 is marked as resolved. How does one go about updating this resolution into a store installation of Magento? Is this just a matter of using the auto-update capabilities in the software?

 
 
YoavKutner
Guru
 
Total Posts:  491
Joined:  2007-08-08
 

@canfone - we will release a public patch next week. You will be able to upgrade using the Magento Connect Manager, or implement the patch manually.

thanks

yoav

 
 
canfone
Jr. Member
 
Total Posts:  3
Joined:  2008-10-01
 

I have found this temporary workaround online for those who can't wait for a patch to become available and need their application to pass PCI Certification:

Create an .htaccess file and add the following rewrite rules:

## enable rewrites
Options +FollowSymLinks
RewriteEngine on

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|&#x0A;|&#x0D;).* [NC,OR]

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]

RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|&#x0A;|&#x0D;|&#x22;|&#x27;|&#x3C;|&#x3E;|&#x00;).*(/\*|union|select|insert|cast|set|declare|drop$
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC]

RewriteRule ^(.*)$ badrequest.php

The last line can direct to any file that you wish.

 
 
gfxguru
Sr. Member
 
Total Posts:  186
Joined:  2008-11-20
 

Yes, very nice one. I figured this one out a while back and actually had to add a couple of other agents to that list.

 
 
narrowpath
Jr. Member
 
Total Posts:  23
Joined:  2009-06-08
San Diego, CA
 

Nice.  Found one error in the code posted above. Use the corrected code below:

RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|&#x0A;|&#x0D;).* [NC,OR]

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC,OR]

# Every condition in this chain is ORed with the next; only the very last one
# may be a plain [NC], otherwise the chain splits into two groups that must BOTH match.
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|&#x0A;|&#x0D;|&#x22;|&#x27;|&#x3C;|&#x3E;|&#x00;).*(/\*|union|select|insert|cast|set|declare|drop$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).* [NC]

RewriteRule ^(.*)$ badrequest.php
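
To see what the rewrite workaround (canfone's post above and narrowpath's corrected copy) actually catches, here is an added Python model of the condition chain. It is not part of the thread and not an Apache component: it assumes the chain is one OR group (the rule fires when any condition matches), uses re.search with IGNORECASE as a stand-in for PCRE under [NC], and feeds it constructed requests. The point it makes is that mod_rewrite only sees the request line, headers and query string; a form POST of the kind shown earlier in the thread carries its payload in the body, so every variable looks benign and the request passes, while an ordinary price filter and a curl-based uptime check are sent to badrequest.php. The rules satisfy a scanner, they do not close the hole; the code fix does.

```python
import re

# Each RewriteCond from the thread as (server variable, pattern). Every line carries
# [NC], so all are compiled case-insensitively. Assumption: the chain is a single OR
# group, i.e. the rule fires when ANY condition matches.
CONDITIONS = [
    ("REQUEST_METHOD",  r"^(HEAD|TRACE|DELETE|TRACK)"),
    ("THE_REQUEST",     r"^.*(\\r|\\n|&#x0A;|&#x0D;).*"),
    ("HTTP_REFERER",    r"^(.*)(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).*"),
    ("HTTP_COOKIE",     r"^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).*"),
    ("REQUEST_URI",     r"^/(,|;|:|<|>|\">|\"<|/|\\\.\.\\).{0,9999}.*"),
    ("HTTP_USER_AGENT", r"^$"),
    ("HTTP_USER_AGENT", r"^(java|curl|wget).*"),
    ("HTTP_USER_AGENT", r"^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).*"),
    ("HTTP_USER_AGENT", r"^.*(libwww-perl|curl|wget|python|nikto|scan).*"),
    ("HTTP_USER_AGENT", r"^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).*"),
    ("QUERY_STRING",    r"^.*(;|<|>|'|\"|\)|&#x0A;|&#x0D;|&#x22;|&#x27;|&#x3C;|&#x3E;|&#x00;).*"
                        r"(/\*|union|select|insert|cast|set|declare|drop$).*"),
    ("QUERY_STRING",    r"^.*(localhost|loopback|127\.0\.0\.1).*"),
    ("QUERY_STRING",    r"^.*\.[A-Za-z0-9].*"),
    ("QUERY_STRING",    r"^.*(<|>|'|&#x0A;|&#x0D;|&#x27;|&#x3C;|&#x3E;|&#x00;).*"),
]
COMPILED = [(var, re.compile(pat, re.IGNORECASE)) for var, pat in CONDITIONS]


def matched_variables(request: dict) -> list:
    """Return the server variables whose value trips at least one condition.
    Empty list: the request reaches Magento untouched.
    Non-empty: RewriteRule sends it to badrequest.php."""
    hits = []
    for var, rx in COMPILED:
        if rx.search(request.get(var, "")) and var not in hits:
            hits.append(var)
    return hits


def is_blocked(request: dict) -> bool:
    return bool(matched_variables(request))


BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"

# Constructed request modelled on the thread's form post: the hostile markup sits in
# the POST body, which mod_rewrite cannot inspect, so every variable looks benign.
FORM_POST = {
    "REQUEST_METHOD": "POST",
    "THE_REQUEST": "POST /customer/account/createpost/ HTTP/1.1",
    "HTTP_REFERER": "https://shop.example/customer/account/create/",
    "HTTP_COOKIE": "frontend=abc123",
    "REQUEST_URI": "/customer/account/createpost/",
    "HTTP_USER_AGENT": BROWSER_UA,
    "QUERY_STRING": "",
}

# Constructed request for an ordinary layered-navigation price filter.
PRICE_FILTER = {
    "REQUEST_METHOD": "GET",
    "THE_REQUEST": "GET /catalog/category/view/?price=1.5 HTTP/1.1",
    "HTTP_REFERER": "https://shop.example/",
    "HTTP_COOKIE": "frontend=abc123",
    "REQUEST_URI": "/catalog/category/view/",
    "HTTP_USER_AGENT": BROWSER_UA,
    "QUERY_STRING": "price=1.5",
}

# Constructed request from a monitoring script fetching the home page.
UPTIME_PROBE = {
    "REQUEST_METHOD": "GET",
    "THE_REQUEST": "GET / HTTP/1.1",
    "HTTP_REFERER": "",
    "HTTP_COOKIE": "",
    "REQUEST_URI": "/",
    "HTTP_USER_AGENT": "curl/7.19.7",
    "QUERY_STRING": "",
}

if __name__ == "__main__":
    for name, req in (("form post", FORM_POST), ("price filter", PRICE_FILTER), ("uptime probe", UPTIME_PROBE)):
        print(f"{name:13s} blocked={is_blocked(req)} via {matched_variables(req)}")
```

Running it shows the form post passing with no variable matched, the price filter blocked on QUERY_STRING (the `\.[A-Za-z0-9]` condition fires on any decimal or filename in a query string), and the probe blocked on HTTP_USER_AGENT. Anyone deploying this for a PCI scan should expect exactly those false positives and plan to remove the rules once the code patch is in.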

 
 
b*rock
Member
 
Total Posts:  33
Joined:  2009-01-05
 

Sorry for not posting sooner... I didn't want to post the actual vulnerability before and just submitted it to bug tracking, but here is the fix I came up with.

-----------
*** Fix ***
-----------
app/code/core/Mage/Customer/Model/Customer.php
line 674

-            if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) {
            $errors[] 
Mage::helper('customer')->__('Invalid email address "%s"'$this->getEmail());
        
}

+            if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) {
            $errors[] 
Mage::helper('customer')->__('Invalid email address "%s"'htmlentities($this->getEmail()));
        
}
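Review bot: as pasted, both the `-` and `+` lines have lost the assignment operator and the comma between the format string and its argument, so the `+` line will not parse; it should read `$errors[] = Mage::helper('customer')->__('Invalid email address "%s"', htmlentities($this->getEmail()));`. Wrapping the rejected value in htmlentities() before it enters the message is the right idea for this sink, but htmlentities() with no flags leaves single quotes alone (ENT_COMPAT is the default) and on PHP before 5.4 assumes ISO-8859-1, so pass ENT_QUOTES and 'UTF-8' explicitly. Because the escaping happens where the message is built rather than where it is printed, any other template that echoes the raw email stays exposed; escaping at output in the template is the more general defence, with this change as belt and braces.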
 
 
Chris Farley
Member
 
Total Posts:  43
Joined:  2008-03-09
 

Apart from PCI compliance issues, what are the security implications of this vulnerability? Magento won’t accept the malicious email address, right? Is this just a parlor trick right now? Or is this likely to be exploited by The Bad Guys very soon?

I’ll be patching my system ASAP, but I’m just curious to know how much sleep I should be losing over this.
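
An added example, in Python rather than Magento's PHP, of the failure mode that b*rock's fix and Chris Farley's question are about: the validator does reject the address, so no account is created, yet the rejection message copies the submitted value into the page unescaped, and that is all a reflected XSS needs. It is not code from the thread or from Magento. It assumes a simple regex as a stand-in for Zend_Validate's 'EmailAddress' check, a minimal stand-in for the template that prints the session error block, and html.escape(..., quote=True) in the role of htmlentities() with ENT_QUOTES.

```python
import html
import re

# Stand-in for Zend_Validate's 'EmailAddress' check (assumption: a simple syntactic
# regex is enough here; the real validator is stricter, but both reject the payload).
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_valid_email(value: str) -> bool:
    return bool(_EMAIL_RE.match(value))


def message_unescaped(email: str) -> str:
    """Pre-fix behaviour: the rejected value is copied into the message verbatim."""
    return 'Invalid email address "%s"' % email


def message_escaped(email: str) -> str:
    """Post-fix behaviour: the value is entity-encoded first (htmlentities with ENT_QUOTES)."""
    return 'Invalid email address "%s"' % html.escape(email, quote=True)


def render_error_page(message: str) -> str:
    """Minimal stand-in for the template that prints the session error block as raw HTML."""
    return '<ul class="messages"><li class="error-msg">%s</li></ul>' % message


def create_account(email: str, escape_output: bool):
    """Returns (account_created, html_response) for a createpost-style submission."""
    if is_valid_email(email):
        return True, "<p>Account created</p>"
    msg = message_escaped(email) if escape_output else message_unescaped(email)
    return False, render_error_page(msg)


def tags_in(markup: str) -> list:
    """Lists the tag names a browser would parse out of the response."""
    return re.findall(r"<(/?[a-zA-Z]+)", markup)


# Constructed input of the same shape as the payload in the thread; not a real address.
PAYLOAD = '"><iframe src="https://attacker.example/"></iframe>'

if __name__ == "__main__":
    for escaped in (False, True):
        created, page = create_account(PAYLOAD, escape_output=escaped)
        print(f"escaped={escaped} created={created} tags={tags_in(page)}")
```

Without escaping, the response contains an iframe tag the browser will render even though the account was never created; with escaping, the same input survives only as text. That answers the "is it just a parlour trick" question: the damage is not to the account table but to whoever views the response, which is why the fix belongs in the code path and not in a request filter.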

 
 
ogonkov
Guru
 
Total Posts:  582
Joined:  2009-03-25
Moscow, Russia
 

Does this XSS affect 1.3.2.1?

 
 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

What exactly can be accomplished with this hack? Is it that urgent to fix today?

 