AppSec Blog

Spot the Vuln - Banks - Cross Site Scripting

Details

Affected Software: PunBB

Fixed in Version: 1.3

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

Passwords, passwords, passwords. For some reason, developers sometimes assume password values are safe and do not need encoding. In this example, the developers chose to encode the username value (line 87) but assumed the password value would be safe. That incorrect assumption led to an XSS vulnerability. On line 94 we see that the developers echo a user-supplied password value into the HTML markup without encoding. The browser rendering the HTML does not distinguish between parameters that are supposed to be passwords and any other value, so the result is XSS. In the fix, the developers wisely chose to HTML encode the password value before using it in HTML markup. When writing password values to the database, passwords should be hashed before they are inserted. Hashing passwords before writing them to the database prevents most injection attacks (if the hash output consists only of alphanumeric characters) and also helps limit disclosure if the database is compromised. Password values should also never be displayed in cleartext in HTML.
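As an added illustration (not PunBB's own code), here is the vulnerable reflected-password pattern from the login form, the developers' encoded fix, and the alternative of not refilling the field at all; the function names are assumptions.

```php
<?php
// Added example, not PunBB's code: the reflected-password pattern from the
// login form, the encoded fix, and never echoing the password back at all.
// Function names here are assumptions for illustration.

// Stand-in for PunBB's forum_htmlencode(): HTML-encode for attribute or
// text context. ENT_QUOTES also encodes single quotes, so the result is
// safe inside value='...' as well as value="...".
function html_encode($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// VULNERABLE: the submitted password is interpolated straight into a
// value="" attribute. A double quote in the input terminates the
// attribute, and whatever follows becomes markup.
function render_password_field_vulnerable(array $post)
{
    $value = isset($post['req_password']) ? $post['req_password'] : '';
    return '<input type="password" name="req_password" value="'.$value.'" size="35" />';
}

// FIXED (the developers' change): encode before interpolating, so a quote
// becomes &quot; and angle brackets become &lt; and &gt;.
function render_password_field_encoded(array $post)
{
    $value = isset($post['req_password']) ? html_encode($post['req_password']) : '';
    return '<input type="password" name="req_password" value="'.$value.'" size="35" />';
}

// BETTER: do not reflect the password at all. The user retypes it and the
// value never appears in the page source.
function render_password_field_blank()
{
    return '<input type="password" name="req_password" value="" size="35" />';
}

// Storage side: hash before the value reaches the database. password_hash()
// returns an ASCII string; still bind it as a query parameter, never concatenate.
function password_for_storage($plain)
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Constructed input: a password containing attribute-breaking characters.
$post = array('req_password' => 'pa"ss<word>');
echo render_password_field_vulnerable($post), "\n";
echo render_password_field_encoded($post), "\n";
echo render_password_field_blank(), "\n";
echo password_for_storage($post['req_password']), "\n";
```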

Developers Solution

...snip...
<?php

	($hook = get_hook('li_forgot_pass_end')) ? eval($hook) : null;

	$tpl_temp = forum_trim(ob_get_contents());
	$tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
	ob_end_clean();
	// END SUBST - <!-- forum_main -->

	require FORUM_ROOT.'footer.php';
}

if (!$forum_user['is_guest'])
	header('Location: '.forum_link($forum_url['index']));

// Setup form
$forum_page['group_count'] = $forum_page['item_count'] = $forum_page['fld_count'] = 0;
$forum_page['form_action'] = forum_link($forum_url['login']);

$forum_page['hidden_fields'] = array(
	'form_sent'    => '<input type="hidden" name="form_sent" value="1" />',
	'redirect_url' => '<input type="hidden" name="redirect_url" value="'.forum_htmlencode($forum_user['prev_url']).'" />',
	'csrf_token'   => '<input type="hidden" name="csrf_token" value="'.generate_form_token($forum_page['form_action']).'" />'
);

// Setup breadcrumbs
$forum_page['crumbs'] = array(
	array($forum_config['o_board_title'], forum_link($forum_url['index'])),
	array(sprintf($lang_login['Login info'], $forum_config['o_board_title']), forum_link($forum_url['login']))
);

($hook = get_hook('li_login_pre_header_load')) ? eval($hook) : null;

define('FORUM_PAGE', 'login');
require FORUM_ROOT.'header.php';

// START SUBST - <!-- forum_main -->
ob_start();

($hook = get_hook('li_login_output_start')) ? eval($hook) : null;

?>
	<div class="main-head">
		<h2 class="hn"><span><?php echo sprintf($lang_login['Login info'], $forum_config['o_board_title']) ?></span></h2>
	</div>
	<div class="main-content main-frm">
		<div class="content-head">
			<p class="hn"><?php printf($lang_login['Login options'], '<a href="'.forum_link($forum_url['register']).'">'.$lang_login['register'].'</a>', '<a href="'.forum_link($forum_url['request_password']).'">'.$lang_login['Obtain pass'].'</a>') ?></p>
		</div>
<?php

	// If there were any errors, show them
	if (!empty($errors))
	{
		$forum_page['errors'] = array();
		foreach ($errors as $cur_error)
			$forum_page['errors'][] = '<li class="warn"><span>'.$cur_error.'</span></li>';

		($hook = get_hook('li_pre_login_errors')) ? eval($hook) : null;

?>
		<div class="ct-box error-box">
			<h2 class="warn hn"><?php echo $lang_login['Login errors'] ?></h2>
			<ul class="error-list">
				<?php echo implode("\n\t\t\t\t", $forum_page['errors'])."\n" ?>
			</ul>
		</div>
<?php

	}

?>
		<div id="req-msg" class="req-warn ct-box error-box">
			<p class="important"><?php printf($lang_common['Required warn'], '<em>'.$lang_common['Required'].'</em>') ?></p>
		</div>
		<form id="afocus" class="frm-form" method="post" accept-charset="utf-8" action="<?php echo $forum_page['form_action'] ?>">
			<div class="hidden">
				<?php echo implode("\n\t\t\t\t", $forum_page['hidden_fields'])."\n" ?>
			</div>
<?php ($hook = get_hook('li_login_pre_login_group')) ? eval($hook) : null; ?>
			<div class="frm-group group<?php echo ++$forum_page['group_count'] ?>">
<?php ($hook = get_hook('li_login_pre_username')) ? eval($hook) : null; ?>
				<div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
					<div class="sf-box text required">
						<label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_login['Username'] ?> <em><?php echo $lang_common['Required'] ?></em></span></label><br />
						<span class="fld-input"><input type="text" id="fld<?php echo $forum_page['fld_count'] ?>" name="req_username" value="<?php echo isset($_POST['req_username']) ? forum_htmlencode($_POST['req_username']) : '' ?>" size="35" maxlength="25" /></span>
					</div>
				</div>
<?php ($hook = get_hook('li_login_pre_pass')) ? eval($hook) : null; ?>
				<div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
					<div class="sf-box text required">
						<label for="fld<?php echo ++$forum_page['fld_count'] ?>"><span><?php echo $lang_login['Password'] ?> <em><?php echo $lang_common['Required'] ?></em></span></label><br />
-						<span class="fld-input"><input type="password" id="fld<?php echo $forum_page['fld_count'] ?>" name="req_password" value="<?php echo isset($_POST['req_password']) ? ($_POST['req_password']) : '' ?>" size="35" /></span>
+						<span class="fld-input"><input type="password" id="fld<?php echo $forum_page['fld_count'] ?>" name="req_password" value="<?php echo isset($_POST['req_password']) ? forum_htmlencode($_POST['req_password']) : '' ?>" size="35" /></span>
					</div>
				</div>
<?php ($hook = get_hook('li_login_pre_remember_me_checkbox')) ? eval($hook) : null; ?>
				<div class="sf-set set<?php echo ++$forum_page['item_count'] ?>">
					<div class="sf-box checkbox">
						<span class="fld-input"><input type="checkbox" id="fld<?php echo ++$forum_page['fld_count'] ?>" name="save_pass" value="1" /></span>
						<label for="fld<?php echo $forum_page['fld_count'] ?>"><span><?php echo $lang_login['Remember me'] ?></span> <?php echo $lang_login['Persistent login'] ?></label>
					</div>
				</div>
<?php ($hook = get_hook('li_login_pre_group_end')) ? eval($hook) : null; ?>
			</div>
<?php ($hook = get_hook('li_login_group_end')) ? eval($hook) : null; ?>
			<div class="frm-buttons">
				<span class="submit"><input type="submit" name="login" value="<?php echo $lang_login['Login'] ?>" /></span>
			</div>
		</form>
	</div>
<?php

	($hook = get_hook('li_end')) ? eval($hook) : null;

	$tpl_temp = forum_trim(ob_get_contents());
	$tpl_main = str_replace('<!-- forum_main -->', $tpl_temp, $tpl_main);
	ob_end_clean();
	// END SUBST - <!-- forum_main -->

	require FORUM_ROOT.'footer.php';
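Review bot: the `+` line on the req_password input encodes the reflected password with forum_htmlencode(), which closes the attribute break-out, but the field still carries the submitted password back into the page source on every failed login. Consider rendering the password input with `value=""` instead of refilling it from $_POST, which the description above also recommends, and keep forum_htmlencode() on the req_username value that genuinely needs to be reflected.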
