XSS Vulnerabilities: Careers Portal
A scan of the careers portal for demo.opencats.org shows:

Summary
Overall risk level: HIGH
Risk ratings: High: Medium: 1

Vulnerable Page      Vulnerable Parameter  Method  Attack Vector
/careers/index.php   email                 POST    http://demo.opencats.org/careers/index.php?ID=56&m=careers&p=applyToJob  POST Data: email=">
/careers/index.php   lastName              POST    http://demo.opencats.org/careers/index.php?ID=56&m=careers&p=applyToJob  POST Data: lastName=">
/careers/index.php   zip                   POST    http://demo.opencats.org/careers/index.php?ID=56&m=careers&p=applyToJob  POST Data: zip=">
XSS Mitigation needs to be investigated
Mitigation: enable HttpOnly Cookie; https://geekflare.com/httponly-secure-cookie-apache/ (Note: See also https://www.garron.me/en/bits/enable-mod-headers-apache-2.html)
Also need to look at input field validation... I assume htmlspecialchars or similar.
Looks like this can be added to /lib/UserInterface.php line 384;
return trim(htmlspecialchars ($request[$key]), ENT_QUOTES)
Already changed on demo.opencats.org... I will make a PR and see if all the unit tests pass.
I enabled the mod_headers module on Apache 2 and set session.cookie_httponly = True, however when I added return trim(htmlspecialchars ($request[$key]), ENT_QUOTES) to line number 384, I get "This page isn't working" HTTP ERROR 500 on Chrome for all pages. When I remove that line things get back to normal.
I've enabled htmlspecialchars but not HttpOnly cookies and it works on the demo site. Can you try?
I am sorry but I don't know how to enable that.
Russ,
Just wanted to say that this caused some issues with my install.
It seemed to strip HTML from any field, and that led to problems.
I.e. if a user put an & in a field, it would turn to ;amp on save.
I just tried it on the demo site and it does the same. Also see what happened to the 'Sources' list on the demo site. That is due to the bug above as well http://demo.opencats.org/index.php?m=candidates&a=show&candidateID=2057
Thanks for the feedback - I understand that it should change an ampersand to ;amp... but what's the issue with a list?
Click on "Edit" Candidate -> "Sources" It keeps duplicating the "Sources" list on save and keeps adding additional length to it (https://i.imgur.com/TYhoRdI.png). Leading to some DB errors as well due to length of the field.
And this is what I'm talking about on the ;amp/& issue https://i.imgur.com/2i8nnt3.png - see current employer.
Ahh yes - it's replacing the brackets, so we could replace (none) with none and there wouldn't be a problem. So not as simple as first thought. We could still use htmlspecialchars to strip from input, but then recreate them using htmlspecialchars_decode before they're displayed. Damn! Ahh well, that'll have to wait.
Ideally, this would only be selectively deployed on external facing forms (i.e. career portal)
Okay, so we duplicate the library, retain the htmlspecialchars feature and call it ExternalUserInterface.php. Only call ExternalUserInterface.php on the public-facing external portal.
I just realized that, for some reason, this is truncating the number '3' if it is at the beginning of a field.
So I have this in my 'CareersUI.php'
$zip = $this->getSanitizedInput('zip', $_POST);
And this in my 'UserInterface.php'
    protected function getSanitizedInput($key, $request)
    {
        if (isset($request[$key]))
        {
            return trim(htmlspecialchars ($request[$key]), ENT_QUOTES);
        }
        return '';
    }
Many of my zip codes and phone numbers begin with '3' - so if a candidate enters their ZIP code as 32708, it's actually stored in the DB as 2708. If they enter their zip code as 33333, nothing is stored, and if they enter 33433, then 433 is stored.
If I revert back to the 'getTrimmedInput', the '3' does not get truncated. Any ideas?
Dominic
The bracket is in the wrong place:
return trim(htmlspecialchars ($request[$key]), ENT_QUOTES);
Should be
return trim(htmlspecialchars($request[$key], ENT_QUOTES));
That'll be the problem then... thanks @Bloafer
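The misplaced-argument bug diagnosed above, reproduced as an added PHP example that is not part of the OpenCATS code base (the function names sanitizeBroken, sanitizeFixed and escapeForHtml and the sample inputs are my own); it also shows why encoding on input and again on output grew the stored values:

```php
<?php
// Added example, not OpenCATS project code: reproduces the '3' truncation
// reported in this thread and shows the corrected call.
declare(strict_types=1);

// The bug: ENT_QUOTES is the integer 3. As trim()'s second argument it is
// cast to the character mask "3", so trim() strips every leading and trailing
// '3' from the already-encoded string, while htmlspecialchars() runs with
// its default flags (quote handling differs between PHP versions).
function sanitizeBroken(string $value): string
{
    return trim(htmlspecialchars($value), ENT_QUOTES);
}

// The fix: ENT_QUOTES belongs to htmlspecialchars(); trim() keeps its default
// whitespace mask. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function sanitizeFixed(string $value): string
{
    return trim(htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Output-time escaping that is safe on values already encoded on input:
// double_encode=false leaves existing entities such as &amp; alone, so an
// '&' does not grow into '&amp;amp;' on every save/display cycle.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Constructed inputs: the ZIP codes from the report plus a markup probe.
$samples = ['32708', '33333', '33433', '"><i>probe</i>', 'Smith & Sons'];
foreach ($samples as $input) {
    printf("%-20s broken=%-28s fixed=%s\n",
        var_export($input, true),
        var_export(sanitizeBroken($input), true),
        var_export(sanitizeFixed($input), true));
}
// Expected: '32708' -> broken '2708', '33333' -> broken '', '33433' -> broken '433';
// the fixed version leaves all three ZIP codes unchanged.

// Re-escaping a stored, already-encoded value must not double-encode it.
$stored = sanitizeFixed('Smith & Sons');            // "Smith &amp; Sons"
echo escapeForHtml($stored), "\n";                   // "Smith &amp; Sons"
echo htmlspecialchars($stored, ENT_QUOTES), "\n";    // "Smith &amp;amp; Sons"
```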