possibillity of Crosssite scripting (XSS)

[Bug]

I received this from a company that did a security-test on a wb website (standard installation 2.

when they place

Code:

?--></script><script>alert(32018)</script>

behing the page-address an alert popup comes up...

they told me

Code:

1. Encode output based on input parameters
Encode data that is received as input when you write it out as HTML. This technique is
effective on data that was not validated for some reason during input. By using
techniques such as URLEncode and HTMLEncode, you can prevent malicious script
from executing.
2. Filter input parameters for special characters
Filtering input works by removing some or all special characters from your input.
Special characters are characters that enable script to be generated within an HTML
stream. Special characters include the following: < > " ' % ; ) ( & + -
3. Filter output based on input parameters for special characters

anyone know what to do now?

[Ruud]

Did they tell you on what page this was happening?

Did you verify this yourself? (see the popup?)

[BlackBird]

Tried this with 2.8.1, but nothing happens. Do you mean an URI like this?

http : / /xxx/wb28/pages/test.php?--></script><script>alert(32018)</script>

(Inserted some blanks to avoid linking)

[Bug]

yes I saw the popup

tried it on the  server and I saw the popup ( only does that with ie6 & ie7 )

on many other hosts I have access to it did not respond

I saw the report and they have been able to alter stuff ...

[Xagone]

i could not replicate, maybe it's a plugin?

[Ruud]

yes I saw the popup
tried it on byte.nl server and I saw the popup ( only does that with ie6 & ie7 )

Can you email or PM me a link so I can have a look?

[Bug]

As it now seemed the server settings had to be adjusted, it all works well now

[Xagone]

i'vee been contaminated by Facebook, As soon as i've read the last post about being a server problem I was searching the "like" button

[Bug]

[Ruud]

i'vee been contaminated by Facebook

Can we help with that?
Do you know exactly what has happened?

[Bug]

What happened is that everyone, including xagone these days is facebookhooked amd approached real life as is was facebook, hell last week someone gave me a 'like' sticker!

[BlackBird]

Can you tell us WHAT server settings had to be changed?

[NorHei]

Some more Details please.

[Bug]

No I cannot, I am not the one serving the server...

I do not have a f*******************ng clue what was wrong and what had to be changed

[BlackBird]

Too bad.

[noname8]

Could this be magic quotes in the server ? (that should not be on these days, but it is sometimes) or perhaps globals? (they should NOT be on)

Every possible security issue must be taken seriously. 

How about if your template echoed the current page name / query string etc. somewhere and that was it ?

[Bug]

I wonder ....

the formx module... I use it a lot

as I put in <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>and press send ...

at first sight nothing happend but as I went to the admin edit page / form / and clicked the sumbitted formdata underneath the formfields I get a stinking javascript popup ...

How can this be prevented?

info on xss:
http://ha.ckers.org/xss.html

[BlackBird]

You may should "upgrade" to an alternative form module.

[Bug]

Mp form is save regarding the xss stuff?

[Bug]

as it now seems mp form does not respond to the xss stuff..

any confirmation or extra knowledge about this is very much appriciated

[BlackBird]

I don't know how safe MPForm is, but I know FrankH is more interested in security than many other modules authors (and did some security tweaking in this module), so I think it should be quite safe.