Reflected Cross-Site Scripting (XSS) Vulnerability
I had a security scan done on my FormaLMS and received a Reflected Cross-Site Scripting finding from the forgot password screen:
Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET
/index.php?modname=<script>alert('TK000000BD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.6.6
Set-Cookie: docebo_session=6j914tgd03dtbi556j2k3kdst4; path=/
X-Powered-By: ASP.NET
Date: Mon, 18 May 2015 13:56:40 GMT
Content-Length: 6835
Evidence: <script>alert('TK000000BD')</script>
Remediation:
Before accepting any user-supplied data, the application should validate the data's format and reject any characters that are not explicitly allowed (i.e. a white-list). This list should be as restrictive as possible.
Before using any data (stored or user-supplied) to generate web page content, the application should escape all non-alphanumeric characters (i.e. output-validation). This is particularly important when the original source of the data is beyond the control of the application. Even if the source of the data isn't performing input-validation, output-validation will still prevent XSS.
Can anyone address this? I am running FormaLMS 1.4.
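The two remediations in the scanner report (allow-list the input, then encode the output for the HTML context) are shown side by side below. This is an added example, not FormaLMS code: the front controller, the module list in knownModules(), and the request array are all constructed for illustration and do not reflect how FormaLMS actually routes modname.

```php
<?php
// Added example (not FormaLMS code): a reflected XSS through an unescaped
// request parameter, beside the two fixes the scanner report describes.
// Written to run on PHP 5.4 or later.

// Hypothetical allow-list of module names the front controller knows about.
function knownModules()
{
    return ['login', 'lostpwd', 'register', 'course'];
}

// Constructed request, equivalent to the scanner's
// /index.php?modname=<script>alert('TK000000BD')</script>&op=lostpwd
$request = [
    'modname' => "<script>alert('TK000000BD')</script>",
    'op'      => 'lostpwd',
];

// Vulnerable pattern: the raw parameter is concatenated into the page, so the
// <script> tag in the query string comes back verbatim and executes.
function renderVulnerable(array $get)
{
    $modname = isset($get['modname']) ? $get['modname'] : '';
    return '<form action="index.php?modname=' . $modname . '&op=lostpwd">';
}

// Remediation 1: input validation. Reject anything that is not a short
// lowercase identifier, then require it to be a module we actually have.
function validateModname($modname)
{
    if (!is_string($modname) || !preg_match('/^[a-z][a-z0-9_]{0,31}$/', $modname)) {
        throw new InvalidArgumentException('modname has an invalid format');
    }
    if (!in_array($modname, knownModules(), true)) {
        throw new InvalidArgumentException('modname is not a known module');
    }
    return $modname;
}

// Remediation 2: output encoding for the HTML context. Applied regardless of
// whether the value was validated on the way in, so a missed check upstream
// still cannot inject markup.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(array $get)
{
    try {
        $modname = validateModname(isset($get['modname']) ? $get['modname'] : null);
    } catch (InvalidArgumentException $e) {
        // Fall back to a safe default rather than echoing the bad input back,
        // which is what makes the finding "reflected".
        $modname = 'login';
    }
    // The value lands inside a URL inside an attribute: URL-encode it as a
    // query parameter first, then HTML-encode the whole attribute value.
    $href = 'index.php?' . http_build_query(['modname' => $modname, 'op' => 'lostpwd']);
    return '<form action="' . h($href) . '">';
}

echo renderVulnerable($request), PHP_EOL;
echo renderHardened($request), PHP_EOL;
```

Running it prints the vulnerable form with the script tag intact, followed by the hardened form with modname replaced by the default and the ampersand encoded as &amp;. The allow-list on its own would already have stopped this payload; the htmlspecialchars() step is what protects the page if some other code path forgets the check, which is the point the report makes about output-validation.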
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
I was not able to reproduce the vulnerability you found.
I try on
- linux server with apache 2.2 , php 5.3, 5.4 and 5.5
- Window 7 with apache 2.2 , php 5.3 and 5.4
I think the issue may be related to your environment: PHP 5.6 (not supported for production, enabled only for testing) and/or the IIS web server.
Can you try with PHP 5.4? With Apache 2.x?
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Sistemi avanzati per l'information technology
http://www.joint-tech.com
---------------
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
I have downgraded the PHP version and the scan still shows the same results:
Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET
/index.php?modname=<script>alert('TK000000CD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.42
Set-Cookie: docebo_session=tf39dme1mg0u57577iutrhokj7; path=/
X-Powered-By: ASP.NET
Date: Tue, 18 Aug 2015 13:57:33 GMT
Content-Length: 6837
Evidence: <script>alert('TK000000CD')</script>
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
I get the same results. Were you ever able to figure it out, kentraub?
I'm on an Azure environment, btw.
Thanks!
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
Which tool is giving you this issue?
For FREE support, contact me privately here
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
Kentraub's message is very old; those vulnerabilities have been fixed in later releases.
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
I confirm that with forma 2.0 we can't reproduce this vulnerability.
In forma 1.x we fixed some vulnerabilities. Please use the latest version, 1.4.3, to be sure you are up to date.
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Sistemi avanzati per l'information technology
http://www.joint-tech.com
---------------
Re: Reflected Cross-Site Scripting (XSS) Vulnerability
I confirm Forma 2 is affected by the vulnerability too, after login.
See attached screenshot.
For FREE support, contact me privately here