Security ISSUE with Sphider!!!!!

Posted by ejb5oh 
January 11, 2012 10:55PM
I ran a security audit from an independent company. I was told that I have this issue with Sphider's search script:

Description:
Your website contains pages that do not properly sanitize visitor-provided input to make sure it contains no malicious content or scripts. Cross-site scripting vulnerabilities let malicious users execute arbitrary HTML or script code in another visitor's browser.

See Also:
http://en.wikipedia.org/wiki/Cross_site_scripting#Non-persistent
http://jeremiahgrossman.blogspot.com/2009/06/results-unicode-leftright-pointing.html
http://projects.webappsec.org/Cross-Site+Scriptin
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29

Risk Factor:
Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Solution:
Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade


Output:
Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to cross-site scripting (quick test) :
+ The 'query' parameter of the /search/search.php CGI :
/search/search.php?query=--><script>alert(112)</script>
-------- output --------
<table><tr><td>
<div align="left">
<input type="text" name="query" id="query" size="40" value="--><script>alert(112)</script>">
</div> </td>
<td>
------------------------
Clicking directly on these URLs should exhibit the issue :
(you will probably need to read the HTML source)
http://MYSITE.com/search/search.php?query=--><script>alert(112)</script>
Other references : CWE:79, CWE:80, CWE:81, CWE:83, CWE:20, CWE:74, CWE:442, CWE:712, CWE:722, CWE:725, CWE:811, CWE:751, CWE:801, CWE:116, CWE:692, CWE:86



Is there a fix for it??



Edited 1 time(s). Last edit at 01/11/2012 10:57PM by ejb5oh.
Re: Security ISSUE with Sphider!!!!!
January 12, 2012 10:25AM
I believe that one possible fix can be:

Open search.php

Find on line 11
//extract(getHttpVars());
Add after, on a new line:
// Use a distinct name: PHP will not let a script redeclare the built-in htmlspecialchars()
function htmlspecialchars_array($t){
    return array_map("htmlspecialchars", $t);
}
$_GET = htmlspecialchars_array($_GET);

Mind you, I am not an expert and am curiously waiting for the opinion of someone with more knowledge.



Edited 2 time(s). Last edit at 01/12/2012 11:34AM by Willy.
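The input field the scanner flagged, rendered once without and once with output encoding, as an added example that is not part of this thread or of Sphider's code (function names are hypothetical; the first probe string is the one quoted in the audit output, the second is a constructed ordinary search phrase):

```php
<?php
// Added example, not Sphider's own code. Shows output encoding for the search
// box that the audit report found reflecting the 'query' parameter verbatim.
// Function names are hypothetical.

// Before: the attribute value is built from raw input. Any '<' or '"' in the
// input is emitted as markup, which is exactly what the scanner detected.
function render_search_box_vulnerable(string $query): string
{
    return '<input type="text" name="query" id="query" size="40" value="'
        . $query . '">';
}

// After: encode at the point of output, for the HTML attribute context.
// ENT_QUOTES also encodes single quotes; naming the charset avoids
// mis-decoding that could otherwise let bytes through unencoded.
function render_search_box_hardened(string $query): string
{
    return '<input type="text" name="query" id="query" size="40" value="'
        . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">';
}

// Demonstration checks (not a security test on their own): the rendered
// markup should open exactly one tag and contain exactly the ten double
// quotes that belong to the template's five attributes.
function open_tag_count(string $html): int
{
    return preg_match_all('/<[a-zA-Z\/]/', $html);
}
function quote_count(string $html): int
{
    return substr_count($html, '"');
}

// Inputs constructed for the demo: the probe quoted in the audit output, and
// an ordinary search phrase that happens to contain quotes and an ampersand.
$inputs = ['--><script>alert(112)</script>', 'say "hello" & <b>bye</b>'];

foreach ($inputs as $q) {
    $bad  = render_search_box_vulnerable($q);
    $good = render_search_box_hardened($q);
    printf("input:       %s\nvulnerable:  %s  (tags=%d, quotes=%d)\nhardened:    %s  (tags=%d, quotes=%d)\n\n",
        $q, $bad, open_tag_count($bad), quote_count($bad),
        $good, open_tag_count($good), quote_count($good));
}
```

Run it from the command line; the hardened rendering keeps one tag and ten quotes for both inputs, while the vulnerable one gains extra tags for the probe and extra quotes for the ordinary phrase.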
Re: Security ISSUE with Sphider!!!!!
January 12, 2012 11:42PM
Does this not address that?
search php updated: http://blog.wapreview.com/5493/
t-p
Re: Security ISSUE with Sphider!!!!!
January 13, 2012 12:37AM
This is something I use:

In search.php,

replace this

if (isset($_GET['query']))
	$query = $_GET['query'];
if (isset($_GET['search']))
	$search = $_GET['search'];
if (isset($_GET['domain'])) 
	$domain = $_GET['domain'];
if (isset($_GET['type'])) 
	$type = $_GET['type'];
if (isset($_GET['catid'])) 
	$catid = $_GET['catid'];
if (isset($_GET['category'])) 
	$category = $_GET['category'];
if (isset($_GET['results'])) 
	$results = $_GET['results'];
if (isset($_GET['start'])) 
	$start = $_GET['start'];
if (isset($_GET['adv'])) 
	$adv = $_GET['adv'];


With this

if (isset($_GET['query']))
	$query = mysql_real_escape_string($_GET['query']); 
if (isset($_GET['search']))
	$search = mysql_real_escape_string($_GET['search']);
if (isset($_GET['domain'])) 
	$domain = mysql_real_escape_string($_GET['domain']); 
if (isset($_GET['type'])) 
	$type = mysql_real_escape_string($_GET['type']); 
if (isset($_GET['catid'])) 
	$catid = mysql_real_escape_string($_GET['catid']);
if (isset($_GET['category'])) 
	$category = mysql_real_escape_string($_GET['category']); 
if (isset($_GET['results'])) 
	$results = mysql_real_escape_string($_GET['results']); 
if (isset($_GET['start'])) 
	$start = mysql_real_escape_string($_GET['start']); 
if (isset($_GET['adv'])) 
	$adv = mysql_real_escape_string($_GET['adv']);


As Willy said, I am not an expert in this stuff either. Perhaps someone who is more knowledgeable can chime in and tell if this is right or wrong.

@ejb5oh, try this and see if the issue goes away.



Edited 1 time(s). Last edit at 01/13/2012 02:03AM by t-p.