Live Helper Chat support forum. Forum is locked. New place for questions - Github Discussions
Hello,
I actually wanted to install LHC on my website, but I saw XSS vulnerabilities when I used a scan tool.
The scan report:
150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities
Finding #: 2663615 (210496192)
Group: Cross-Site Scripting
CWE: CWE-79
OWASP: A3 Cross-Site Scripting (XSS)
WASC: WASC-8 Cross-Site Scripting
CVSS Base: 4.3    CVSS Temporal: 3.9
First Time Detected: 21 Mar 2016 15:51 GMT+0100
Last Time Detected: 21 Mar 2016 15:51 GMT+0100
Last Time Tested: 21 Mar 2016 15:51 GMT+0100
Times Detected: 1
Details
Threat
XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
Impact
XSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as part of a compromise.
Solution
Filter all data collected from the client, including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter: It has been detected by exploiting the parameter UserNick of the form located in URL https://.../index.php/chat/editnick/65/fc90e9393dfc33470436ccfd7801a888f096e7b3?_=1458571869459
The payloads section will display a list of tests that show how the param could have been exploited to collect the information.
Authentication: In order to detect this vulnerability, no authentication has been required.
Have you got any solution? Maybe in a next version?
Thanks for your work!
Hi UnknowUser,
What a good nick!? A little strange ^_^
What scanner are you using?
Thank you.
PeopleInside - Live helper chat - free limited forum support!
For commercial support or GitHub [see FAQ here]
If you want to support this open source project, just donate [see support page]
Something wrong with the forum? [contact a superhero]
Sorry, but this report does not make any sense, and it does not tell what exactly it exploits. Sorry, but your report is invalid.
Yes, I didn't know what to use as a nickname.
The scanner: Qualys Enterprise: https://www.qualys.com/enterprises/qualysguard/
***: Why does my report not make any sense?
It does not tell what exactly is wrong; it's like reporting that you have a problem, but figure out yourself where the problem is.
Yes, I have to admit that just posting scan results without understanding how they relate to the software in question is pretty unhelpful.
However, I did notice this a while ago, and the issue seems to relate to the fact that LHC is prone to clickjacking. A good workaround is to set the X-Frame-Options option in Apache's http.conf, but make sure you specify ALLOW-FROM with your URI rather than SAMEORIGIN as most admins do by default.
I was going to give LHC a complete security audit, but I'm having problems with co-browsing, so it only makes sense to do that after I've got everything working.
Thanks Grumpy, this was the second security alert, but as it was a configuration issue, we planned to solve it on our side.
Concerning the XSS vulnerability
My understanding is that a chat user can put JavaScript as the nickname and, as the nickname is reused in the chat, the code would be interpreted on an admin page... but I am not a security expert, far from it.
I saw the following code in the chat:
// UserNick has passed the form's validation filter; the value is assigned as-is
if ($form->hasValidData( 'UserNick' ))
{
    $chat->nick = $form->UserNick;
}
I may be wrong, but I wonder if we could add, for example, an HTML encode in the assignment.
I leave this post to you, experts
No worries, glad you've managed to get yourself secured.
The hasValidData method:
// UserNick has passed the form's validation filter; the value is assigned as-is
if ($form->hasValidData( 'UserNick' ))
{
    $chat->nick = $form->UserNick;
}
calls a class in the ezComponents library which filters data to ensure that only valid data is passed:
// ezcInputForm::hasValidData(): true only when the field's registered filter marked it VALID
public function hasValidData( $fieldName )
{
    if ( isset( $this->properties[$fieldName] ) && $this->properties[$fieldName] === ezcInputForm::VALID )
    {
        return true;
    }
    return false;
}
so I'd be surprised if JS is going through. However, with anything security-related, make sure you thoroughly test it yourself, and I'd recommend using mod_security with Apache.
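The two posts above, one proposing to HTML-encode the nickname at assignment and one pointing at hasValidData(), are best read together. The following is an added illustration, not code from Live Helper Chat or ezComponents: NickForm is a constructed stand-in that mirrors the quoted hasValidData() pattern (a status-flag check after a filter), and renderNick() is an assumed output helper showing where encoding actually has to happen.

```php
<?php
// Added illustration, not Live Helper Chat or ezComponents code. NickForm is a
// constructed stand-in for the ezcInputForm pattern quoted above: a field is
// VALID when its filter accepts it (here: non-empty string of at most 30 bytes).
final class NickForm
{
    public const VALID = 'valid';
    private array $properties = [];
    private array $values = [];

    public function __construct(array $input)
    {
        $nick = $input['UserNick'] ?? null;
        if (is_string($nick) && $nick !== '' && strlen($nick) <= 30) {
            $this->properties['UserNick'] = self::VALID;
            $this->values['UserNick'] = $nick;
        }
    }

    // Mirrors the quoted hasValidData(): a status-flag check only.
    public function hasValidData(string $fieldName): bool
    {
        return isset($this->properties[$fieldName])
            && $this->properties[$fieldName] === self::VALID;
    }

    public function __get(string $name)
    {
        return $this->values[$name] ?? null;
    }
}

// Encoding at output time is what makes the nick render as text, not markup.
function renderNick(string $nick): string
{
    return '<span class="nick">'
        . htmlspecialchars($nick, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Constructed request: markup in the nick, but still a short string, so the
// validator accepts it and hasValidData() returns true.
$form = new NickForm(['UserNick' => 'Bob <script>alert(1)</script>']);
if ($form->hasValidData('UserNick')) {
    $nick = $form->UserNick;           // same assignment as in the LHC snippet
    echo '<p>' . $nick . "</p>\n";    // unencoded: the browser parses the tag
    echo renderNick($nick) . "\n";     // encoded: &lt;script&gt;... shown as text
}
```

Whether the real ezcInputForm filter attached to UserNick rejects markup is exactly what the thread leaves open; the point of the example is that a "valid" flag and HTML-safe output are separate properties, and only the encoded path is safe regardless of what the filter does.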
> Yes, I didn't know what to use as a nickname.
> The scanner: Qualys Enterprise: https://www.qualys.com/enterprises/qualysguard/
> ***: Why does my report not make any sense?
This is a good scanner.
Please maybe also ask Qualys support, as you are a customer, to verify what can be wrong.
Thank you!