Author Topic: Cross Site Scripting with main Module, help  (Read 2848 times)

tesla

Cross Site Scripting with main Module, help
« on: September 16, 2008, 00:02:00 am »
I have hackersafe/McAfeesecure.com and I have been having a cross site scripting problem. Code is not being stripped out of the login.

I have Joomla 1.0.15 and VirtueMart 1.0 and 1.1 (test site) and it happens on both. Is there a fix for this? I have looked all over.


Below is from the hackersafe site:

Description
The remote web application appears to be vulnerable to cross-site scripting (XSS).

The cross-site scripting attack is one of the most common, yet overlooked, security problems facing web developers today. A web site is vulnerable if it displays user-submitted content without sanitizing user input.

The target of cross-site scripting attacks is not the server itself, but the users of the server. By finding a page that does not properly sanitize user input the attacker submits client-side code to the server that will then be rendered by the client. It is important to note that websites that use SSL are just as vulnerable as websites that do not encrypt browser sessions.

The damage caused by such an attack can range from stealing session and cookie data from your customers to loading a virus payload onto their computer via browser.

The pages listed in the vulnerability output will display embedded javascript with no filtering back to the user.


General Solution
When accepting user input ensure that you are HTML encoding potentially malicious characters if you ever display the data back to the client.

Ensure that parameters and user input are sanitized by doing the following:
# Remove < input and replace with &lt;
# Remove > input and replace with &gt;
# Remove ' input and replace with &apos;
# Remove " input and replace with &#x22;
# Remove ) input and replace with &#x29;
# Remove ( input and replace with &#x28;
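
The output-encoding step from the scan report's General Solution, shown on a login field as an added example that is not part of the original post and is not Joomla, VirtueMart or sh404sef code. The function names, the form fragment and the probe string are constructed for illustration.

```php
<?php
// Added example: a hypothetical login form fragment, not Joomla/VirtueMart code.

// Encode the characters the scan report lists. htmlspecialchars() with
// ENT_QUOTES handles & < > " and ' ; parentheses are added as numeric entities.
function encode_for_html(string $value): string
{
    $encoded = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return strtr($encoded, ['(' => '&#40;', ')' => '&#41;']);
}

// "Before": the submitted username is echoed straight into the attribute.
function render_login_unsafe(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '" />';
}

// "After": the same field with the value encoded at output time.
function render_login_safe(string $username): string
{
    return '<input type="text" name="username" value="'
        . encode_for_html($username) . '" />';
}

// What a scanner looks for: does the probe come back byte-for-byte?
function reflects_raw(string $html, string $probe): bool
{
    return strpos($html, $probe) !== false;
}

// Constructed probe: harmless markup that would break out of the value attribute.
$probe = '"><b id=\'probe\'>(x)</b>';

foreach (['render_login_unsafe', 'render_login_safe'] as $render) {
    $html = $render($probe);
    $flag = reflects_raw($html, $probe) ? 'YES' : 'no';
    printf("%-20s raw reflection: %s\n%s\n\n", $render, $flag, $html);
}
```

Encoding is applied where the value is written into the page, so it holds regardless of which component (core login module, SEF extension, shop template) passed the value along.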

tesla

Re: Cross Site Scripting with main Module, help
« Reply #1 on: September 23, 2008, 14:10:01 pm »
I think this may be related to sh404sef... I turned it off on my test site and ran the scan and the alert went away...