Project

General

Profile

Cross Site Scripting (XSS) attacks in index.php

Added by Hanung Febrianto almost 4 years ago

Dear everyone! I have a problem with my Extplorer (webbased file manager), the pentest system at my office has detected a high risk of attack Cross Site Scripting (XSS) in index.php. Is there anyone can help me? Would you please give the solution to the above problem? Thanks!

Cross Site Scripting

Severity High
Type Validation
Reported by module Scripting (XSS_in_URI.script)

/index.php
Details
URI was set to 957266"():;988165
The input is reflected inside <script> tag between double quotes.
Request headers
GET /index.php/957266%22():;988165 HTTP/1.1
Cookie: eXtplorer=MKCO3s0cmVG8cB5ERO6gtsFC73uVoU9W
Host: filesbilateral.bilateral.go.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

Description

This script is possibly vulnerable to Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.

Impact

Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Affected items

/index.php
Details
URI was set to ö" onmouseover=prompt(930630) //
The input is reflected inside a tag parameter between double quotes.
Request headers
GET /index.php/%F6%22%20onmouseover=prompt(930630)%20// HTTP/1.1
Cookie: eXtplorer=MKCO3s0cmVG8cB5ERO6gtsFC73uVoU9W
Host: filesbilateral.bilateral.go.id
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

URL: http://filesbilateral.bilateral.go.id/
Vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/resources/css/xtheme-blue.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/resources/css/ext-all.css
Vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/adapter/
Vulnerabilities has been identified for this URL
No input(s) found for this URL

Acunetix Website Audit 17
URL: http://filesbilateral.bilateral.go.id/scripts/extjs3/ext-all.js
Vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://filesbilateral.bilateral.go.id/index.php
Vulnerabilities has been identified for this URL
3 input(s) found for this URL
Inputs

URL: http://filesbilateral.bilateral.go.id/changelog.txt
Vulnerabilities has been identified for this URL
No input(s) found for this URL

URL: http://filesbilateral.bilateral.go.id/readme.txt
Vulnerabilities has been identified for this URL
No input(s) found for this URL


Replies (1)

RE: Cross Site Scripting (XSS) attacks in index.php - Added by Sören Eberhardt-Biermann almost 4 years ago

To fix this problem please open the file /include/init.php and add the following code on line 35, right before

// Vars

so it looks like this:

 * This file initializes most of the variables and constants we need in eXtplorer
 */
if (isset ($_SERVER['ORIG_PATH_INFO']) && $_SERVER['ORIG_PATH_INFO'] != $_SERVER['PHP_SELF']) {
    $_SERVER['PATH_INFO'] = $_SERVER['ORIG_PATH_INFO'];
}

// Security measure, to avoid XSS exploit.
if (!empty ($_SERVER['PATH_INFO']) && strrpos ($_SERVER['PHP_SELF'], $_SERVER['PATH_INFO'])) {
    $_SERVER['PHP_SELF'] = substr ($_SERVER['PHP_SELF'], 0, -(strlen ($_SERVER['PATH_INFO'])));
}
// Vars

That fixes the XSS vulnerability. Please test it on your system.

ciao, Sören

    (1-1/1)