  1. #1
    Regular Coder (joined Aug 2010, 133 posts)

    XSS Vulnerability?

    Hello everyone.

    Someone contacted me saying that there was an XSS vulnerability in my code.
    I'm not very good with PHP, and I mainly followed advice/tutorials from members here on CodingForums to create my PHP pages.

    Could someone look over my validation for this page and tell me what I've done wrong? I greatly appreciate any help.

    Code:
    <?php
    session_start();
     $_SESSION["rewards"] = '';
     $value = '';
     // initialise the form variables so the form renders on a plain GET without undefined-variable notices
     $varpublishername = $varpublisheremail = $varwebsitename = $varwebsiteurl = '';
     $varuniqueviews = $varrawviews = $varwebsitedescription = '';
    
    if(isset($_GET['refid'])){
        setcookie("njfailREWARDsystem", $_GET['refid'], time()+604800);
    	$value = $_GET['refid'];
    
    }else if(isset($_COOKIE["njfailREWARDsystem"])){
        $value = $_COOKIE["njfailREWARDsystem"];
        $_SESSION["rewards"] = $value;
    }
    
    if(isset($_POST["msoft"]) && $_POST["msoft"] == 'junk')
    {
    	$errorMessage = "";
    	
    	if(empty($_POST['publishername']))
    	{
    		$errorMessage .= "<li>Please enter your name in the field below.</li>";
    	}
    	if(empty($_POST['publisheremail']))
    	{
    		$errorMessage .= "<li>Please enter your email in the field below.</li>";
    	}
    	if(empty($_POST['websitename']))
    	{
    		$errorMessage .= "<li>Please enter a name for your website.</li>";
    	}
    	if(empty($_POST['websiteurl']))
    	{
    		$errorMessage .= "<li>Please enter your website's URL.</li>";
    	}
    	if(empty($_POST['uniqueviews']))
    	{
    		$errorMessage .= "<li>Please enter an estimate of your website's monthly unique views.</li>";
    	}
    	if(empty($_POST['rawviews']))
    	{
    		$errorMessage .= "<li>Please enter an estimate of your website's monthly raw impressions.</li>";
    	}
    	if(empty($_POST['websitedescription']))
    	{
    		$errorMessage .= "<li>Please enter a description for your website.</li>";
    	}
    	
    	
    	function dataCleansing($data){
    		$data = strip_tags($data);                          // remove HTML tags
    		$data = preg_replace('/[^\x20-\x7F]*/', '', $data); // remove characters outside printable ASCII
    		// remove line breaks, tabs and commas (comma is the CSV separator); "\r\n" goes first so a bare "\r" is not left behind
    		$data = str_replace(array("\r\n", "\n", "\r", "\t", ","), '', $data);
    		$data = trim($data);
    		return $data;
    	}
    	
    
    	$varpublishername = $_POST['publishername'];
    	$varpublisheremail = $_POST['publisheremail'];
    	$varwebsitename = $_POST['websitename'];
    	$varwebsiteurl = $_POST['websiteurl'];
    	$varuniqueviews = $_POST['uniqueviews'];
    	$varrawviews = $_POST['rawviews'];
    	$varwebsitedescription = $_POST['websitedescription'];
    
    
    	
    	if(empty($errorMessage)) 
    	{
    	
    //define the receiver of the email
    	$to = $_POST['publisheremail'];
    //define the subject of the email
    	$subject = 'ValueViewMedia Application Confirmation';
    //define the message to be sent. Each line should be separated with \n
    	$message = $_POST['publishername']. ",\n\nThank you for applying to become a ValueViewMedia publisher!\nWe will review your application, and contact you with the results within 48 hours.\n\nThank you,\nValueViewMedia";
    //define the headers we want passed. Note that they are separated with \r\n
    	$headers = "From: publishers@valueviewmedia.com\r\nReply-To: publishers@valueviewmedia.com";
    //send the email
    	$mail_sent = @mail( $to, $subject, $message, $headers );
    
    //define the receiver of the email
    	$to = "publishers@valueviewmedia.com";
    //define the subject of the email
    	$subject = 'New Publisher Application';
    //define the message to be sent. Each line should be separated with \n
    	$message = $_POST['publishername']. "\n" . $_POST['publisheremail']. "\n" . $_POST['websitename']. "\n" . $_POST['websiteurl']. "\n" . $_POST['uniqueviews']. "\n" . $_POST['rawviews']. "\n" . $_POST['websitedescription']. "\n";
    //define the headers we want passed. Note that they are separated with \r\n
    	$headers = "From: publishers@valueviewmedia.com\r\nReply-To: publishers@valueviewmedia.com";
    //send the email
    	$mail_sent = @mail( $to, $subject, $message, $headers );
    	
    	$varpublishername = dataCleansing($varpublishername);
    	$varpublisheremail = dataCleansing($varpublisheremail);
    	$varwebsitename = dataCleansing($varwebsitename);
    	$varwebsiteurl = dataCleansing($varwebsiteurl);
    	$varuniqueviews = dataCleansing($varuniqueviews);
    	$varrawviews = dataCleansing($varrawviews);
    	$varwebsitedescription = dataCleansing($varwebsitedescription);
    	$value = dataCleansing($value);
    
    
    		$fs = fopen("publisherapps.csv","a");
    		fwrite($fs,$varpublishername . ", " . $varpublisheremail . ", " . $varwebsitename . ", " . $varwebsiteurl . ", " . $varuniqueviews . ", " . $varrawviews . ", " . $varwebsitedescription . ", " . $value . "\n");
    		fclose($fs);
    		
    		header("Location: /publishers/success/");
    		exit;
    	}
    }
    ?>
    
    <!DOCTYPE html>
    <html>
    	<head>
    		<link type="text/css" href="/style.css" rel="stylesheet">
    		<link type="text/css" href="/publishers/apply/applystyle.css" rel="stylesheet">
    		<meta content="width=device-width, initial-scale=1.0" name="viewport">
    		<title>Publisher Application</title>
    		<meta name="keywords" content="ad network, publisher, publisher network, advertising, cpm, cpm network, adsense alternative">
    		<meta name="description" content="Apply to become a publisher on the ValueViewMedia advertising network.">
    		<link rel="icon" type="image/png" href="/vvmfavicon16.png">
    	</head>
    	<body>
    		<div id="headerWrapper">
    			<div id="header">
    				<div id="networkname">
    					<h1><a href="/"><img alt="ValueViewMedia" src="/valueviewmedia.png"></a></h1>
    				</div>
    				<nav class="topbar" id="usernav">
    					<ul>
    						<li class="menu"><a class="menu" name="Settings" title="Log in to your ValueViewMedia Publisher or Advertiser account." href="http://manage.valueviewmedia.com/">Log in</a></li>
    						<li><a title="Talk with a support representative." href="/contactus/">Contact Us</a></li>
    					</ul>
    				</nav>
    			</div>
    		</div>
    		<div class="navtabsWrapper">
    			<nav id="navtabs">
    				<ul>
    					<li id="tab-dashboard"><a title="Home Page." href="/">Home</a></li>
    					<li id="tab-campaigns" class="selected"><a title="Information on becoming a ValueViewMedia Publisher." href="/publishers/">Publishers</a></li>
    					<li id="tab-sites"><a title="Learn about advertising on the ValueViewMedia network." href="/advertisers/">Advertisers</a></li>
    				</ul>
    			</nav>
    		</div>
    		<div class="imageNavContainer">
    		</div>
    		<div id="maincontent">
    			<div class="contentHeader">
    				<h2>Publisher Application</h2>
    			</div>
    			<div class="applicationcontainer">
    				<?php
    					if(!empty($errorMessage)) 
    					{
    						echo("<div class='errormessages'>\n");
    						echo("<p>There was an error with your application:</p>\n");
    						echo("<ul>" . $errorMessage . "</ul>\n");
    						echo("</div>\n");
    					} 
    				?>
    				<div id="stylized" class="myform">
    					<form id="form" name="form" method="post" action="#">
    					<input type="hidden" name="msoft" value="junk" />
    					<input type="hidden" id="refidsession" name="refidsession" value="<?php echo $value; ?>" />
    					<h1>Please fill out the form below.</h1>
    					<p>After you submit this form, a ValueViewMedia representative will review your website(s), and email you within 48 hours to discuss the results and help you get started with our network.</p>
    					<label>Full Name
    						<span class="small">First Name Last Name</span>
    					</label>
    					<input type="text" value="<?php echo $varpublishername; ?>" name="publishername" id="publishername" />
    					<label>Email Address
    						<span class="small">This is how we will contact you</span>
    					</label>
    					<input type="text" value="<?php echo $varpublisheremail; ?>" name="publisheremail" id="publisheremail" />
    					<label>Company Name
    						<span class="small">Leave blank if you are not representing a company</span>
    					</label>
    					<input type="text" name="publishercompanyname" id="publishercompanyname" />
    					<label>Website Name
    						<span class="small">Title of your website</span>
    					</label>
    					<input type="text" value="<?php echo $varwebsitename; ?>" name="websitename" id="websitename" />
    					<div class="helpicon">
    						<div class="help">
    							<img src="/help.png">
    							<div>
    								This information will not be used to market your site, so please do not load it with keywords. If you have multiple sites, you can separate the titles using a backslash /.
    							</div>
    						</div>
    					</div>
    					<label>Website URL
    						<span class="small">http://example.com</span>
    					</label>
    					<input type="text" value="<?php echo $varwebsiteurl; ?>" name="websiteurl" id="websiteurl" />
    					<div class="helpicon">
    						<div class="help">
    							<img src="/help.png">
    							<div>
    								If you have multiple websites, you can separate them using a backslash /.
    								Example: http://example.com  /  http://other.com
    							</div>
    						</div>
    					</div>
    					<label>Unique Visitors Per Month
    						<span class="small">Your average unique views</span>
    					</label>
    					<input type="text" value="<?php echo $varuniqueviews; ?>" name="uniqueviews" id="uniqueviews" />
    					<div class="helpicon">
    						<div class="help">
    							<img src="/help.png">
    							<div>
    								If you have multiple websites, please list your site's URL and then the views for that site. Then list your next website's URL and list the views for that site. Example: example.com 22000 other.com 15000
    							</div>
    						</div>
    					</div>
    					<label>Raw Impressions Per Month
    						<span class="small">Your average overall impressions per month</span>
    					</label>
    					<input type="text" value="<?php echo $varrawviews; ?>" name="rawviews" id="rawviews" />
    					<label>Website Description
    						<span class="small">Describe your website to us</span>
    					</label>
    					<textarea rows="5" name="websitedescription" id="websitedescription"><?php echo $varwebsitedescription; ?></textarea>
    					<div class="helpicon">
    						<div class="help">
    							<img src="/help.png">
    							<div>
    								Use this field to describe your website to us or enter any other comments you may have. Tell us things like where your website's content comes from, what kind of content it has, where your traffic comes from, the quality traffic you have, etc. This field will help our ValueViewMedia review your website and determine if you are accepted or denied into our network.
    							</div>
    						</div>
    					</div>
    					<div class="submitcenter">
    						<input class="submitappbutton" type="submit" name="pubformsubmit" value="Submit" />
    					</div>
    					<div class="spacer"></div>
    					</form>
    				</div>
    				<div class="footerx">
    					<a href="/privacypolicy/">Privacy Policy</a>
    					<a style="margin-left:60px;margin-right:60px;" href="/termsofservice/">Terms of Service</a>
    					<a href="/contactus/">Contact Us</a>
    					<a style="margin-left:60px;" href="/ourphilosophy/">Our Philosophy</a>
    					<div class="copyrightx">Copyright &copy; 2013, Value View Media Inc.</div>
    				</div>
    			</div>
    		</div>
    	</body>
    </html>

  • #2
    Senior Coder (joined Feb 2011, location: Your Monitor, 4,474 posts)
    It's not so much that it's wrongly coded as it is that there's no protection against automated processes and xss attacks. An xss attack is anything that causes a remote system to target your site. It could be a hidden iframe in a webpage which has a form and submits it when the main page loads or it could be an image tag that calls your webpage. The point is that if you get enough people stumbling onto this page your server could be flooded with form submissions / spam etc or it could face several million page requests etc.

    You could use a key set in the session to check that the form being submitted was one generated by your site. That will put a stop to a lot of automated submissions.

    You only need to worry about xss attacks against pages where people can change their passwords, send emails etc. If you look at this forum you'll see that on the password change page it asks for your existing password. If it didn't, an attacker could use the iframe technique to change your password and log you out before calling another page to email your new password to them.

    There are probably many more complex attacks too..
    I can't really think of anything to write here now...

  • #3
    Regular Coder (joined Aug 2010, 133 posts)
    Thanks for that info. I googled xss, and was still a little confused on what an xss vulnerability was.

    Can I ask, how would I prevent an xss attack for this particular form?
    It is an 'application' and there is no account. Users just submit their email / website info. There are no passwords. The form is at http://valueviewmedia.com/publishers/apply/

  • #4
    Senior Coder (joined Feb 2011, location: Your Monitor, 4,474 posts)
    As I said, generate a key before outputting the form and store it in the session. Also put it in the form in a hidden field. This will at least stop many automated bots from submitting the form (though some are smart and will scrape your form for this key every time they visit).

    To be honest, I wouldn't class this as xss vulnerable. While it can indeed be the recipient of xss targeting, your script isn't really 'attackable' in the sense that it can allow someone to hack the server etc. Well not that I know of anyway..
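The session-key check that #2 and #4 describe, written out as an added example (it is not code from the thread). The hidden field name form_key and PHP 7's random_bytes() are assumptions made here:

```php
<?php
// Added example, not the original poster's code: the "key in the session plus
// hidden field" check from posts #2 and #4. Assumes PHP 7+ (random_bytes) and
// a hidden field named form_key (a name chosen here, not from the thread).
session_start();

// Generate a one-time key before outputting the form and remember it in the session.
function formKeyIssue() {
    $key = bin2hex(random_bytes(32));   // 64 hex characters, unpredictable
    $_SESSION['form_key'] = $key;
    return $key;
}

// Verify the key sent back in the hidden field against the one in the session.
// The stored key is consumed whether or not it matches, so one key cannot be
// reused for a second submission.
function formKeyCheck($submitted) {
    $expected = isset($_SESSION['form_key']) ? $_SESSION['form_key'] : null;
    unset($_SESSION['form_key']);
    if ($expected === null || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);   // constant-time comparison
}

$errorMessage = '';
if (isset($_POST['msoft']) && $_POST['msoft'] == 'junk') {
    $submittedKey = isset($_POST['form_key']) ? $_POST['form_key'] : null;
    if (!formKeyCheck($submittedKey)) {
        // The submission did not come through a form this site issued in this
        // session: record it and skip the mail/CSV handling entirely.
        error_log('publisher application rejected: form key missing or mismatched');
        $errorMessage .= "<li>Your form session has expired. Please try again.</li>";
    } else {
        // the existing field validation, mail() and CSV code belongs here
    }
}

// Issue a fresh key every time the form is rendered.
$formKey = formKeyIssue();
?>
<form id="form" name="form" method="post" action="#">
    <input type="hidden" name="msoft" value="junk" />
    <input type="hidden" name="form_key" value="<?php echo htmlspecialchars($formKey, ENT_QUOTES, 'UTF-8'); ?>" />
    <!-- the remaining fields of the original form go here unchanged -->
</form>
```

As #4 notes, a bot that fetches the page first will obtain a valid key, so this stops blind submissions rather than all automation.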

  • #5
    New to the CF scene (joined Jul 2013, 8 posts)
    Take for example

    PHP Code:
    $varpublishername = $_POST['publishername'];
    and

    PHP Code:
    <input type="text" value="<?php echo $varpublishername; ?>" name="publishername" id="publishername" />
    You are taking the value of publishername from POST and echoing it back in the html without doing an htmlentities over it. This can allow a hacker to inject some html/js code in the page.

  • #6
    Senior Coder (joined Feb 2011, location: Your Monitor, 4,474 posts)
    Quote Originally Posted by silver_moon:
    This can allow a hacker to inject some html/js code in the page.
    But that's only temporary and for that one user. Unless this data is made publicly available (eg on a guestbook) then this won't affect other users of the site.

    For that matter the use of strip_tags() would be more appropriate.
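An added example (not code from the thread) of the encoding step #5 refers to, placed next to the strip_tags() call that #6 mentions, so the difference between the two on an echoed value="..." is visible. It assumes PHP 5.4+ for ENT_SUBSTITUTE, and the helper name h() and the sample input are constructed here:

```php
<?php
// Added example, not the original poster's code: the output-encoding step from
// post #5, next to strip_tags() as mentioned in post #6. Assumes PHP 5.4+
// (ENT_SUBSTITUTE); h() is a helper name chosen here.

// Encode a value for a double-quoted HTML attribute or for text content.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The name field as the application page should render it: the echoed value
// is encoded at the point of output, whatever cleansing happened earlier.
function renderNameField($name) {
    return '<input type="text" value="' . h($name)
         . '" name="publishername" id="publishername" />';
}

// Constructed sample input (not from the thread): a tag plus double quotes.
$sample = 'Jane "Doe" <b>';

// strip_tags() removes the tag but keeps the quotes, and a quote is exactly
// what ends a value="..." attribute, so the value can still break out of the
// field. htmlspecialchars() turns the quotes and the angle brackets into
// entities, which the browser shows as text and never parses as markup.
echo "strip_tags:       " . strip_tags($sample) . "\n";
echo "htmlspecialchars: " . h($sample) . "\n";
echo renderNameField($sample) . "\n";
```

The same h() wrapper belongs around every echo in the form, including the refidsession hidden field, which is fed from $_GET and the cookie rather than from the POST.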

