Magento Forum

Page 2 of 2
Cross Site Scripting (XSS) Vulnerability - Magento v1.3.2.3? 
 
hydra
Guru
 
Total Posts:  378
Joined:  2008-08-26
Amsterdam
 

Hi,
I think the new update 1.3.2.4 addresses this issue.

 
amoko
Jr. Member
 
Total Posts:  20
Joined:  2009-07-07
 

I need to apply this patch manually without fully upgrading Magento.

Which solution should I use…

The .htaccess posted by narrowpath?

Update the Customer.php solution, posted by b*rock?

Or apply the code by ‘magento team’ in this bug tracker post: http://www.magentocommerce.com/bug-tracking/issue?issue=7417
...It is not clear if this is a fix or not?

Please advise...

 
amoko
Jr. Member
 
Total Posts:  20
Joined:  2009-07-07
 
YoavKutner - 16 September 2009 10:20 PM

@canfone - we will release a public patch next week. You will be able to upgrade using the Magento Connect Manager, or implement the patch manually.

thanks

yoav

How do we implement the patch manually please?

 
scjunkies
Member
 
Total Posts:  55
Joined:  2008-09-03
Houston, Texas, USA
 

amoko

Just download the files and merge them using software that shows the differences. I use “Changes” for Mac. Good luck.

 
ShopGuy
Guru
 
Total Posts:  462
Joined:  2008-09-07
 

If you have not made any custom edits to your code, then you can just replace the changed files (there are three of them).

 
amoko
Jr. Member
 
Total Posts:  20
Joined:  2009-07-07
 

Hi, yeah, I have made changes to files, so that's why I need to make the update manually.

What are the 3 files and how do I get hold of them individually? As far as I understand, I can't obtain the files from the Magento Connect update or the diff file?

cheers

 
amoko
Jr. Member
 
Total Posts:  20
Joined:  2009-07-07
 

Can someone please SEND me the 3 files???

If I need to, I can then use merge/compare software to update my current files.

How hard can it be?!

 
marioc
Jr. Member
 
Total Posts:  2
Joined:  2010-01-07
 

Not 100% sure if this will fix everyone's issues, but this is what I did to get around the account creation XSS issues in 1.3.

*Please remember to back up Customer.php before modifying it.

Modify this file: app/code/core/Mage/Customer/Model/Customer.php

Search for the function “validate()”.

Right underneath this code:

public function validate()
{
    $errors = array();

add:

    // Reject any value that strip_tags() would alter, i.e. anything that
    // looks like an HTML tag. Appending to $errors is what makes validate()
    // report failure; a bare Zend_Validate::is(false) only returns a boolean
    // that is thrown away and blocks nothing.
    $htmlCheckedFields = array(
        'firstname' => $this->getFirstname(),
        'lastname'  => $this->getLastname(),
        'email'     => $this->getEmail(),
        'password'  => $this->getPassword(),
    );
    foreach ($htmlCheckedFields as $fieldName => $fieldValue) {
        $fieldValue = trim((string) $fieldValue);
        if ($fieldValue !== strip_tags($fieldValue)) {
            $errors[] = Mage::helper('customer')->__('HTML is not allowed in the %s field.', $fieldName);
        }
    }

This solution is kinda crude, and maybe my code isn't the most optimized, but it should not allow users to use any HTML in any field on the creation page.

 
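
A stand-alone version of the check in the post above, added here as an illustration and not taken from the post or from Magento: the same strip_tags() comparison is wrapped in a function that returns error strings the way Customer::validate() does, and run from the CLI over constructed sample inputs. The function name and the sample submissions are the example's own, not Magento's.

```php
<?php
// Added example (not from the forum post or from Magento): the
// "reject anything strip_tags() would change" rule as a reusable function,
// exercised against constructed inputs so the accept/reject behaviour is visible.

/**
 * Return validation error messages for the named customer fields.
 * A field is rejected when strip_tags() would change it, which catches
 * "<script>" and "<img ...>" and also text like "a<b", because strip_tags()
 * reads "<b" as the start of a tag.
 */
function rejectHtmlInFields(array $fields, array $fieldNames)
{
    $errors = array();
    foreach ($fieldNames as $name) {
        $value = isset($fields[$name]) ? trim((string) $fields[$name]) : '';
        if ($value !== strip_tags($value)) {
            $errors[] = sprintf('HTML is not allowed in the %s field.', $name);
        }
    }
    return $errors;
}

// Constructed sample submissions (not real customer data).
$samples = array(
    'plain'       => array('firstname' => 'Jane', 'lastname' => 'Doe'),
    'script tag'  => array('firstname' => '<script>alert(1)</script>', 'lastname' => 'Doe'),
    'img onerror' => array('firstname' => 'Jane', 'lastname' => '<img src=x onerror=alert(1)>'),
    'apostrophe'  => array('firstname' => 'Sean', 'lastname' => "O'Brien"),
    'entity form' => array('firstname' => '&lt;b&gt;Jane&lt;/b&gt;', 'lastname' => 'Doe'),
);

foreach ($samples as $label => $data) {
    $errors = rejectHtmlInFields($data, array('firstname', 'lastname'));
    printf("%-12s %s\n", $label, $errors ? 'REJECTED: ' . implode(' ', $errors) : 'accepted');
}
```

Running it with php prints one line per sample: the two tag-bearing names are rejected, while "O'Brien" and the entity-encoded "&lt;b&gt;Jane&lt;/b&gt;" are accepted. That is the caveat to keep in mind with this approach: the check stops HTML tags from being stored, but a name containing a quote, or one that is already entity-encoded, reaches the template unchanged, so the check only holds up if every template that prints the value escapes it on output (htmlEscape() in Magento 1.x templates).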
jigneshthummar
Jr. Member
 
Total Posts:  2
Joined:  2011-04-02
 

Rewrite your AccountController.php and sanitize the $_POST variable before using it in the loginPost, createPost, and editPost actions.

The rewritten controller file I used:

<?php
/**
 * Local override of the customer account controller. Every scalar in $_POST
 * is run through htmlspecialchars() before the stock controller logic reads
 * it, so HTML submitted in any form field is stored entity-encoded.
 *
 * Consequences of encoding on input:
 *  - the password field is encoded too, so a password containing & < > " '
 *    only matches if it was also set through this sanitised path;
 *  - values are stored encoded, so templates that escape on output (the
 *    stock htmlEscape() calls) display them double-encoded.
 */
require_once 'Mage/Customer/controllers/AccountController.php';

class Namespace_Modulename_Customer_AccountController extends Mage_Customer_AccountController
{
    /**
     * Entity-encode every scalar in $_POST, including nested fields such as
     * login[username] and billing[firstname]. Zend_Controller_Request_Http
     * reads $_POST directly in getPost() and getParam(), so rewriting it
     * here is enough for the rest of the action.
     */
    protected function _sanitizePost()
    {
        if (!empty($_POST)) {
            $_POST = $this->_encodeRecursive($_POST);
        }
    }

    /**
     * Recursive helper: encode scalars, descend into arrays. ENT_QUOTES is
     * used so that single-quoted attribute values are covered as well.
     */
    protected function _encodeRecursive($data)
    {
        if (is_array($data)) {
            foreach ($data as $key => $value) {
                $data[$key] = $this->_encodeRecursive($value);
            }
            return $data;
        }
        return htmlspecialchars((string) $data, ENT_QUOTES, 'UTF-8');
    }

    public function loginPostAction()
    {
        if ($this->_getSession()->isLoggedIn()) {
            $this->_redirect('*/*/');
            return;
        }
        $session = $this->_getSession();

        // Encode the posted login[] fields before they are read below.
        $this->_sanitizePost();

        if ($this->getRequest()->isPost()) {
            $login = $this->getRequest()->getPost('login');
            if (!empty($login['username']) && !empty($login['password'])) {
                try {
                    $session->login($login['username'], $login['password']);
                    if ($session->getCustomer()->getIsJustConfirmed()) {
                        $this->_welcomeCustomer($session->getCustomer(), true);
                    }
                } catch (Exception $e) {
                    switch ($e->getCode()) {
                        case Mage_Customer_Model_Customer::EXCEPTION_EMAIL_NOT_CONFIRMED:
                            $message = Mage::helper('customer')->__('This account is not confirmed. <a href="%s">Click here</a> to resend confirmation email.',
                                Mage::helper('customer')->getEmailConfirmationUrl($login['username'])
                            );
                            break;
                        case Mage_Customer_Model_Customer::EXCEPTION_INVALID_EMAIL_OR_PASSWORD:
                            $message = $e->getMessage();
                            break;
                        default:
                            $message = $e->getMessage();
                    }
                    $session->addError($message);
                    $session->setUsername($login['username']);
                }
            } else {
                $session->addError($this->__('Login and password are required'));
            }
        }

        $this->_loginPostRedirect();
    }

    // Only one createPostAction() may be declared per class.
    public function createPostAction()
    {
        if ($this->_getSession()->isLoggedIn()) {
            $this->_redirect('*/*/');
            return;
        }

        // Encode all posted account and address fields before they are
        // copied into the customer and address models.
        $this->_sanitizePost();

        if ($this->getRequest()->isPost()) {
            $errors = array();

            if (!$customer = Mage::registry('current_customer')) {
                $customer = Mage::getModel('customer/customer')->setId(null);
            }

            foreach (Mage::getConfig()->getFieldset('customer_account') as $code => $node) {
                if ($node->is('create') && ($value = $this->getRequest()->getParam($code)) !== null) {
                    $customer->setData($code, $value);
                }
            }

            if ($this->getRequest()->getParam('is_subscribed', false)) {
                $customer->setIsSubscribed(1);
            }

            /**
             * Initialize customer group id
             */
            $customer->getGroupId();

            if ($this->getRequest()->getPost('create_address')) {
                $address = Mage::getModel('customer/address')
                    ->setData($this->getRequest()->getPost())
                    ->setIsDefaultBilling($this->getRequest()->getParam('default_billing', false))
                    ->setIsDefaultShipping($this->getRequest()->getParam('default_shipping', false))
                    ->setId(null);
                $customer->addAddress($address);

                $errors = $address->validate();
                if (!is_array($errors)) {
                    $errors = array();
                }
            }

            try {
                $validationCustomer = $customer->validate();
                if (is_array($validationCustomer)) {
                    $errors = array_merge($validationCustomer, $errors);
                }
                $validationResult = count($errors) == 0;

                if (true === $validationResult) {
                    $customer->save();

                    if ($customer->isConfirmationRequired()) {
                        $customer->sendNewAccountEmail('confirmation', $this->_getSession()->getBeforeAuthUrl());
                        $this->_getSession()->addSuccess($this->__('Account confirmation is required. Please, check your e-mail for confirmation link. To resend confirmation email please <a href="%s">click here</a>.',
                            Mage::helper('customer')->getEmailConfirmationUrl($customer->getEmail())
                        ));
                        $this->_redirectSuccess(Mage::getUrl('*/*/index', array('_secure' => true)));
                        return;
                    } else {
                        $this->_getSession()->setCustomerAsLoggedIn($customer);
                        $url = $this->_welcomeCustomer($customer);
                        $this->_redirectSuccess($url);
                        return;
                    }
                } else {
                    $this->_getSession()->setCustomerFormData($this->getRequest()->getPost());
                    if (is_array($errors)) {
                        foreach ($errors as $errorMessage) {
                            $this->_getSession()->addError($errorMessage);
                        }
                    } else {
                        $this->_getSession()->addError($this->__('Invalid customer data'));
                    }
                }
            } catch (Mage_Core_Exception $e) {
                $this->_getSession()->addError($e->getMessage())
                    ->setCustomerFormData($this->getRequest()->getPost());
            } catch (Exception $e) {
                $this->_getSession()->setCustomerFormData($this->getRequest()->getPost())
                    ->addException($e, $this->__('Can\'t save customer'));
            }
        }
        /**
         * Protect XSS injection in user input
         */
        $this->_getSession()->setEscapeMessages(true);
        $this->_redirectError(Mage::getUrl('*/*/create', array('_secure' => true)));
    }
}

hope this helps someone.

Thanks

 
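
The controller in the post above encodes values on the way in. The following added example (not from the post or from Magento core; the function names and the customer names are constructed for illustration) contrasts that with escaping at the output boundary, which is what Magento templates do through $this->htmlEscape(), a wrapper around htmlspecialchars(), and shows the double-encoding that results when both are applied to the same value.

```php
<?php
// Added example (not from the forum post or from Magento core): the same
// greeting rendered four ways, to show where htmlspecialchars() belongs.
// All inputs below are constructed.

/** Render a customer name into an HTML greeting without escaping (the bug). */
function renderUnsafe($name)
{
    return '<p class="welcome-msg">Welcome, ' . $name . '!</p>';
}

/** Render the same greeting, escaping at the output boundary. */
function renderEscaped($name)
{
    return '<p class="welcome-msg">Welcome, '
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!</p>';
}

/** Mimic the controller's approach: encode the value before it is stored. */
function encodeAtInput($name)
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$submitted = '<img src=x onerror=alert(1)>';   // constructed hostile input
$legit     = "Sean O'Brien";                   // constructed benign input

// 1. Stored raw, rendered raw: the payload survives into the page.
echo renderUnsafe($submitted), "\n";
// 2. Stored raw, escaped at output: the browser shows the text and runs nothing.
echo renderEscaped($submitted), "\n";
// 3. Encoded at input AND escaped at output: the template double-encodes,
//    so the legitimate apostrophe is displayed to the user as "&#039;".
echo renderEscaped(encodeAtInput($legit)), "\n";
// 4. Encoded at input, rendered raw: safe only as long as no other code
//    path (CSV export, e-mail, admin grid, JSON) decodes the stored value.
echo renderUnsafe(encodeAtInput($submitted)), "\n";
```

Lines 2 and 4 print the same safe markup; line 1 prints the payload verbatim; line 3 prints "Sean O&amp;#039;Brien", which a browser displays as the literal text "Sean O&#039;Brien". That is the trade-off with the input-encoding controller: it neutralises the payload in the stock templates, but every template that already calls htmlEscape() now mangles legitimate names, and every non-HTML consumer of the stored value sees entities instead of the characters the customer typed.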
Ben Marks
Moderator
 
Total Posts:  452
Joined:  2008-10-09
Charleston, SC
 

...or upgrade…

 
point4design
Sr. Member
 
Total Posts:  104
Joined:  2008-07-31
 

I’m running Magento 1.5.1 and still getting this same XSS warning from the McAfee scanner for this path: /customer/account/editPost/

Can anyone tell me how to stop this?

 