Magento - Cross Site Scripting (XSS) Vulnerability - Magento v1.3.2.3? - Security - eCommerce Software for Growth

Log In

Username or Email

Password:

Forgot Password

or
Register

Skip to site navigation »
Skip to main content »
Skip to footer content »

Magento Forum

Cross Site Scripting (XSS) Vulnerability - Magento v1.3.2.3?

brock Total Posts:* 33 Joined: 2009-01-05 Ignore user	Hi, I just finished running a McAfee secure scan on my site (using a clean/default Magento v1.3.2.3 install), and I’m getting a cross site scripting (XSS) vulnerability. Is this a false positive, and if not, can someone suggest a fix? Thanks.
	Posted: August 12 2009 \| top

Gabriel Tagliani Total Posts: 23 Joined: 2009-07-06 Ignore user	can u post the name of the file? Signature Blog http://www.blogdelaweb.com.ar I’m sorry about my English xD ( yes in the signature )
	Posted: August 18 2009 \| top \| # 1

Philip the Wright Total Posts: 4 Joined: 2009-01-14 Ignore user	I am having this issue as well and I duplicated it on the demo site. If this code string is posted to /customer/account/createpost/ it will trigger the attached result. This is a live site so any help would be very much appreciated. `>"></title></iframe></script></form></td></tr><br><iFraMe+src=http://www.HackerSafe.com+width=900+height=1100></IfRamE>` All other fields get bogus information posted to them. Image Attachments Click thumbnail to see full-size image
	Posted: September 13 2009 \| top \| # 2

Gabriel Tagliani Total Posts: 23 Joined: 2009-07-06 Ignore user	i cant get it to work with the same version Image Attachments Click thumbnail to see full-size image Signature Blog http://www.blogdelaweb.com.ar I’m sorry about my English xD ( yes in the signature )
	Posted: September 14 2009 \| top \| # 3

Philip the Wright Total Posts: 4 Joined: 2009-01-14 Ignore user	here is code that will trigger it. Make yourself a blank .html file. load it in a browser and submit it. `<FORM METHOD=POST ACTION="https://demo.magentocommerce.com/customer/account/createpost/"> <input type="hidden" name=email value='>"></title></iframe></script></form></td></tr><br><iFraMe src=http://www.HackerSafe.com width=900 height=1100></IfRamE>'> <INPUT TYPE=submit VALUE="submit" style=button> </FORM>`
	Posted: September 14 2009 \| top \| # 4

Gabriel Tagliani Total Posts: 23 Joined: 2009-07-06 Ignore user	XSS confirmed Signature Blog http://www.blogdelaweb.com.ar I’m sorry about my English xD ( yes in the signature )
	Posted: September 15 2009 \| top \| # 5

YoavKutner Total Posts: 491 Joined: 2007-08-08 Ignore user	a patch will be releases early next week. thanks yoav
	Posted: September 15 2009 \| top \| # 6

canfone Total Posts: 3 Joined: 2008-10-02 Ignore user	I see that the status at http://www.magentocommerce.com/bug-tracking/issue?issue=7428 is marked as resolved. How does one go about updating this resolution into a store installation of Magento? Is this just a mater of using the auto-update capabilities in the software?
	Posted: September 17 2009 \| top \| # 7

YoavKutner Total Posts: 491 Joined: 2007-08-08 Ignore user	@canfone - we will release a public patch next week. You will be able to upgrade using the Magento Connect Manager, or implement the patch manually. thanks yoav
	Posted: September 17 2009 \| top \| # 8

canfone Total Posts: 3 Joined: 2008-10-02 Ignore user	I have found this temporary work around online for those who can’t wait for a patch to become available and need their application to pass PCI Certification: create an .htaccess and add the following rewrite rules ## enable rewrites Options +FollowSymLinks RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(HEAD\|TRACE\|DELETE\|TRACK) [NC,OR] RewriteCond %{THE_REQUEST} ^.(\\r\|\\n\| \| ). [NC,OR] RewriteCond %{HTTP_REFERER} ^(.)(<\|>\|’\| \| \|'\|<\|>\|). [NC,OR] RewriteCond %{HTTP_COOKIE} ^.(<\|>\|’\| \| \|'\|<\|>\|). [NC,OR] RewriteCond %{REQUEST_URI} ^/(,\|;\|:\|<\|>\|">\|"<\|/\|\\\.\.\\).{0,9999}.* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_USER_AGENT} ^(java\|curl\|wget).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.(winhttp\|HTTrack\|clshttp\|archiver\|loader\|email\|harvest\|extract\|grab\|miner). [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.(libwww-perl\|curl\|wget\|python\|nikto\|scan). [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.(<\|>\|’\| \| \|'\|<\|>\|). [NC,OR] RewriteCond %{QUERY_STRING} ^.(;\|<\|>\|’\|"\|\)\| \| \|"\|'\|<\|>\|).(/\\|union\|select\|insert\|cast\|set\|declare\|drop$ RewriteCond %{QUERY_STRING} ^.(localhost\|loopback\|127\.0\.0\.1).* [NC,OR] RewriteCond %{QUERY_STRING} ^.\.[A-Za-z0-9]. [NC,OR] RewriteCond %{QUERY_STRING} ^.(<\|>\|’\| \| \|'\|<\|>\|). [NC] RewriteRule ^(.*)$ badrequest.php the last line can direct to any file that you wish
	Posted: September 17 2009 \| top \| # 9

gfxguru Total Posts: 185 Joined: 2008-11-20 Ignore user	yes very nice one, I figured this one out a while back and actually and had to add a couple other agents to that list.
	Posted: September 17 2009 \| top \| # 10

narrowpath Total Posts: 23 Joined: 2009-06-08 San Diego, CA Ignore user	Nice. Found one error in the code posted above. Use the corrected code below: RewriteCond %{REQUEST_METHOD} ^(HEAD\|TRACE\|DELETE\|TRACK) [NC,OR] RewriteCond %{THE_REQUEST} ^.(\\r\|\\n\| \| ). [NC,OR] RewriteCond %{HTTP_REFERER} ^(.)(<\|>\|’\| \| \|'\|<\|>\|). [NC,OR] RewriteCond %{HTTP_COOKIE} ^.(<\|>\|’\| \| \|'\|<\|>\|). [NC,OR] RewriteCond %{REQUEST_URI} ^/(,\|;\|:\|<\|>\|">\|"<\|/\|\\\.\.\\).{0,9999}.* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^$ [OR] RewriteCond %{HTTP_USER_AGENT} ^(java\|curl\|wget).* [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.(winhttp\|HTTrack\|clshttp\|archiver\|loader\|email\|harvest\|extract\|grab\|miner). [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.(libwww-perl\|curl\|wget\|python\|nikto\|scan). [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^.(<\|>\|’\| \| \|'\|<\|>\|). [NC,OR] RewriteCond %{QUERY_STRING} ^.(;\|<\|>\|’\|"\|\)\| \| \|"\|'\|<\|>\|).(/\\|union\|select\|insert\|cast\|set\|declare\|drop$). [NC] RewriteCond %{QUERY_STRING} ^.(localhost\|loopback\|127\.0\.0\.1). [NC,OR] RewriteCond %{QUERY_STRING} ^.\.[A-Za-z0-9]. [NC,OR] RewriteCond %{QUERY_STRING} ^.(<\|>\|’\| \| \|'\|<\|>\|). [NC] RewriteRule ^(.)$ badrequest.php Signature Wallace Miller Narrowpath Design* 760-990-1151 (ph) sales at narrowpathdesign dot com
	Posted: September 17 2009 \| top \| # 11

brock Total Posts:* 33 Joined: 2009-01-05 Ignore user	Sorry for not posting sooner...I didn’t want to post the actual vulnerability before and just submitted to bug tracking… but here is the fix I came up with. ----------- *Fix*** ----------- app/code/core/Mage/Customer/Model/Customer.php line 674 - if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) { $errors[] = Mage::helper('customer')->__('Invalid email address "%s"', $this->getEmail()); } + if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) { $errors[] = Mage::helper('customer')->__('Invalid email address "%s"', htmlentities($this->getEmail())); }
	Posted: September 19 2009 \| top \| # 12

Chris Farley Total Posts: 43 Joined: 2008-03-09 Ignore user	Apart from PCI compliance issues, what are the security implications of this vulnerability? Magento won’t accept the malicious email address, right? Is this just a parlor trick right now? Or is this likely to be exploited by The Bad Guys very soon? I’ll be patching my system ASAP, but I’m just curious to know how much sleep I should be losing over this.
	Posted: September 24 2009 \| top \| # 13

ogonkov Total Posts: 582 Joined: 2009-03-26 Moscow, Russia Ignore user	Does this XSS affect on 1.3.2.1? Signature Поддержи Magento, протестируй полный Русский перевод!
	Posted: September 24 2009 \| top \| # 14

ShopGuy Total Posts: 462 Joined: 2008-09-07 Ignore user	What exactly can be accomplished with this hack? Is it that urgent to fix today? Signature Monthly Clubs
	Posted: September 24 2009 \| top \| # 15

Magento Community

Magento Community

Back to top

SSL issue on checkout with by two languages

Any idea what caused this? <solved by reinstall and restore from backup>