Possible XSS vulnerability?


Ruben

Jan 2, 2023, 11:00:37 AM1/2/23
to Xataface
Hello

Is there any way to further mitigate possible XSS attacks? At this moment there seems to be a vulnerability in the -tables variable in the URL.

ex.
https://www.doctorwhofans.be/adm/index.php?--id=global.js-d7fd933d2b2482d953d43a6af6da8145<video><source onerror="javascript:alert('OpenBugBounty')">&-action=js&v=
and

My code has the updated ini.php file already in place.

Steve Hannah

Jan 2, 2023, 12:06:13 PM1/2/23
to xata...@googlegroups.com
Both of these occur in PHP error pages which show the content of the input.  On production you should set display_errors=off so that errors are not printed to the browser.


--
Steve Hannah
Web Lite Solutions Corp.

Ruben

Jan 2, 2023, 12:26:46 PM1/2/23
to Xataface
Unfortunately the error keeps appearing, even when display_errors is off.  However, could the fact that the popup is still triggered mean there is still a risk I should be aware of, even if that error gets thrown further down the line?

On Monday, January 2, 2023 at 18:06:13 UTC+1, st...@weblite.ca wrote:

Steve Hannah

Jan 2, 2023, 12:53:11 PM1/2/23
to xata...@googlegroups.com
If "display errors" is off and it still shows the errors in the browser, then the configuration option is being overridden somewhere. You will need to hunt down where this is being overridden. When display errors is "off", you should just get a blank white screen on those pages.

Steve Hannah

Jan 2, 2023, 12:55:04 PM1/2/23
to xata...@googlegroups.com
E.g.  Try adding the following to your index.php file:
ini_set('display_errors', 'off');

Ruben

Jan 2, 2023, 1:03:30 PM1/2/23
to Xataface
This worked by throwing a 500 error for the second link, and a blank page with the first.

I only hope that is enough to keep XSS out ;)

On Monday, January 2, 2023 at 18:55:04 UTC+1, st...@weblite.ca wrote:

Steve Hannah

Jan 2, 2023, 1:15:42 PM1/2/23
to xata...@googlegroups.com
Yes, this will be sufficient.  This is an example of why it is recommended to have display errors off on any production system.  It is a possible vector for XSS attacks, not to mention, it exposes information about your system that could be used to launch other types of attacks on your server.
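The mechanism behind both of Steve's replies, as an added example that is not Xataface code and not the code behind the URL in the thread: when PHP's default error display is on (and html_errors is on, as it is by default under a web server), the text of a warning or notice is written into the response verbatim, so any warning that quotes request input is a reflected-XSS sink regardless of how carefully the application itself escapes its own output. The script below runs from the CLI in two modes. In unsafe mode a failed file_get_contents() on a name taken from the request prints a warning containing the raw payload; in hardened mode display_errors is forced off in the entry script (the same ini_set() Steve suggests), errors go to the log instead, and a custom error handler turns any warning into a generic 500 so that a later ini_set() elsewhere cannot re-enable display. The parameter name --id mirrors the thread's URL; the payload, the js/ directory, and stderr standing in for the server log are constructed assumptions for the demo.

```php
<?php
// Added example (not Xataface code). Demonstrates why a PHP warning that
// quotes request input is an XSS sink when display_errors is on, and the
// production configuration that closes it.
//   php error_xss_demo.php unsafe
//   php error_xss_demo.php hardened
declare(strict_types=1);

$mode = $argv[1] ?? 'hardened';

// Constructed request: the attacker-controlled value from ?--id=...
// (parameter name taken from the thread; payload is made up for the demo).
$_GET['--id'] = 'global.js<video><source onerror="alert(1)">';

if ($mode === 'unsafe') {
    // Development-style settings; many hosts ship these by default.
    ini_set('display_errors', '1');
    ini_set('html_errors', '1');   // web-SAPI default; the CLI default is off
} else {
    // Production settings: errors go to the log, never into the response.
    ini_set('display_errors', '0');        // 'off' works too; the value is case-insensitive
    ini_set('log_errors', '1');
    ini_set('error_log', 'php://stderr');  // assumption: stderr stands in for the server log
    error_reporting(E_ALL);

    // Defence in depth: this handler owns every warning/notice, so even if
    // later code sets display_errors back on, the message is never echoed.
    set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
        error_log(sprintf('PHP error %d: %s in %s:%d uri=%s',
            $errno, $errstr, $errfile, $errline, $_SERVER['REQUEST_URI'] ?? '(cli)'));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo "Internal Server Error\n";   // generic body, contains no request data
        exit(1);
    });
}

// Escape anything the application deliberately reflects into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The sink: load a script by name. When the file does not exist,
// file_get_contents() raises E_WARNING and its message includes the full
// path, i.e. the attacker's input, unescaped.
function loadScript(string $id): string
{
    $path = __DIR__ . '/js/' . $id;   // naive on purpose; the demo is about error output
    $src = file_get_contents($path);
    return $src === false ? '' : $src;
}

header('Content-Type: text/html; charset=utf-8');
$js = loadScript($_GET['--id']);

// Escaping the deliberate output is correct but does not help in unsafe mode:
// the warning above already delivered the raw payload to the browser.
echo '<p>Script ' . h($_GET['--id']) . ' not found</p>' . "\n";
```

In unsafe mode the output starts with PHP's own `<b>Warning</b>: file_get_contents(...global.js<video><source onerror="alert(1)">)...` line, with the tags intact, before the properly escaped paragraph; that is the "error page which shows the content of the input" from the first reply. In hardened mode the only thing on stdout is `Internal Server Error`, the details (including the raw URI) go to stderr, and the escaped paragraph is never reached, which matches the blank page and the 500 Ruben observed. Silencing the call with `@` is not a substitute: it hides that one warning but leaves every other input-quoting error path open.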
