AppSec Blog

Spot the Vuln - Radical - Cross Site Scripting

Details

Affected Software: BezahlCode-Generator

Fixed in Version: 1.1

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here

Description

A couple of straightforward XSS bugs. $_REQUEST is an associative array that merges the contents of $_GET, $_POST, and $_COOKIE, all of which are user/attacker controllable. These values are then used directly to create HTML markup. Security bugs have many different causes, but when auditing code and you come across issues like the ones shown below, it is highly likely that the developer simply doesn't understand the security risk they created. It might be a good idea to review other change lists associated with this developer, as they will likely contain similar code symptoms. This type of issue is also indicative of a lack of security awareness: the developer here could use some security education about common vulnerability classes, along with tips on preventing these types of issues in the future.
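As an added illustration (not the BezahlCode-Generator code), the snippet below renders the same text fields with output encoding for the double-quoted attribute context and repopulates them only from the posted data, since the form uses method="post" and $_REQUEST would also accept values arriving via $_GET and $_COOKIE. The field names come from the form; the `attr()` and `textInput()` helpers and the sample request are assumptions made here.

```php
<?php
// Added example, not part of the BezahlCode-Generator source.
declare(strict_types=1);

/** Encode a value for use inside a double-quoted HTML attribute. */
function attr(string $value): string
{
    // ENT_QUOTES also encodes single quotes, and ENT_SUBSTITUTE keeps
    // htmlspecialchars() from returning '' on invalid UTF-8 input.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build one <input type="text">, repopulated from $source[$name] if present. */
function textInput(string $name, array $source, int $maxlength = 0): string
{
    $value = isset($source[$name]) && is_string($source[$name]) ? $source[$name] : '';
    $max   = $maxlength > 0 ? sprintf(' maxlength="%d"', $maxlength) : '';
    return sprintf(
        '<input type="text" id="%1$s" name="%1$s"%2$s value="%3$s">',
        attr($name), $max, attr($value)
    );
}

// Constructed sample input (in the live page, pass $_POST instead):
// the first value tries to close the attribute and start a new tag.
$sample = [
    'gen_name'    => '"><b>x</b>',
    'gen_account' => '1234',
];

// Field name => maxlength, matching the form's own limits where it sets one.
$fields = ['gen_name' => 27, 'gen_account' => 0, 'gen_BNC' => 0,
           'gen_amount' => 0, 'gen_reason' => 54];

foreach ($fields as $field => $len) {
    echo textInput($field, $sample, $len), "\n";
}
// The quote and angle brackets are emitted as &quot;, &lt; and &gt;,
// so the injected text stays inside the value attribute as plain text.
```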

Developers Solution

<?php if ($data!=") { ?> <img src="/generator/?generate=<?php echo urlencode($data)?>"/> <?php } ?> </div><br/> <form action="/generator/" name="wizard" method="post" class="BezahlCodeForm"> <label for="singlepayment"><input type="radio" id="singlepayment" name="gen_type" value="singlepayment" <?php if($_REQUEST['gen_type']=="singlepayment" || empty($_REQUEST['gen_type'])) echo 'checked="checked"'?> /> &Uuml;berweisung</label><br /> <label for="singlepaymentspende"><input type="radio" id="singlepaymentspende" name="gen_type" value="singlepaymentspende" <?php if($_REQUEST['gen_type']=="singlepaymentspende") echo 'checked="checked"'?>/> Spendenzahlung</label><br /> <label for="singledirectdebit"><input type="radio" id="singledirectdebit" name="gen_type" value="singledirectdebit" <?php if($_REQUEST['gen_type']=="singledirectdebit") echo 'checked="checked"'?>/> Lastschrift</label><br /> -Name:<br /><input type="text" tooltipText="Format: DTAUS Text" id="gen_name" onblur="checkInput(this, 'dtaus')" name="gen_name" maxlength="27" value="<?= isset($_REQUEST['gen_name'])?$_REQUEST['gen_name']:""?>"> +Name:<br /><input type="text" tooltipText="Format: DTAUS Text" id="gen_name" onblur="checkInput(this, 'dtaus')" name="gen_name" maxlength="27" value="<?= isset($_REQUEST['gen_name'])?htmlspecialchars($_REQUEST['gen_name']):""?>"> <br /> -Kontonummer:<br /><input type="text" tooltipText="Format: Ganzzahl z.B. 1234" id="gen_account" onblur="checkInput(this, 'ganzzahl')" name="gen_account" value="<?= isset($_REQUEST['gen_account'])?$_REQUEST['gen_account']:""?>" > +Kontonummer:<br /><input type="text" tooltipText="Format: Ganzzahl z.B. 1234" id="gen_account" onblur="checkInput(this, 'ganzzahl')" name="gen_account" value="<?= isset($_REQUEST['gen_account'])?htmlspecialchars($_REQUEST['gen_account']):""?>" > <br /> -BLZ:<br /><input type="text" tooltipText="Format: Ganzzahl z.B. 
1234" id="gen_BNC" onblur="checkInput(this, 'ganzzahl')" name="gen_BNC" value="<?= isset($_REQUEST['gen_BNC'])?$_REQUEST['gen_BNC']:""?>" > +BLZ:<br /><input type="text" tooltipText="Format: Ganzzahl z.B. 1234" id="gen_BNC" onblur="checkInput(this, 'ganzzahl')" name="gen_BNC" value="<?= isset($_REQUEST['gen_BNC'])?htmlspecialchars($_REQUEST['gen_BNC']):""?>" > <br /> -Betrag in Euro (z.B. 1234,50) <br /><input type="text" tooltipText="Format: Dezimalzahl z.B. 1234,50" onblur="checkInput(this, 'dezimalzahl')" id="gen_amount" name="gen_amount" value="<?= isset($_REQUEST['gen_amount'])?$_REQUEST['gen_amount']:""?>" > +Betrag in Euro (z.B. 1234,50) <br /><input type="text" tooltipText="Format: Dezimalzahl z.B. 1234,50" onblur="checkInput(this, 'dezimalzahl')" id="gen_amount" name="gen_amount" value="<?= isset($_REQUEST['gen_amount'])?htmlspecialchars($_REQUEST['gen_amount']):""?>" > <br /> -Verwendungszweck:<br /><input type="text" id="gen_reason" tooltipText="Format: DTAUS Text" onblur="checkInput(this, 'dtaus')" name="gen_reason" maxlength="54" value="<?= isset($_REQUEST['gen_reason'])?$_REQUEST['gen_reason']:""?>" > +Verwendungszweck:<br /><input type="text" id="gen_reason" tooltipText="Format: DTAUS Text" onblur="checkInput(this, 'dtaus')" name="gen_reason" maxlength="54" value="<?= isset($_REQUEST['gen_reason'])?htmlspecialchars($_REQUEST['gen_reason']):""?>" > <br/> <input type="button" value="Erstellen" onclick='javascript:generateImage();'> </form> <?php if(!(get_option("bezahlcode_showlink") == "hidden")) {?> <br /> <span class="bezahlCodeLink">Weitere Informationen: <a href="http://www.bezahlcode.de" title="BezahlCode - Schnell, einfach und sicher bezahlen" target="_blank">www.bezahlcode.de</a></span> <?php } ?> </div> <script type="text/javascript"> var tooltipObj = new DHTMLgoodies_formTooltip(); tooltipObj.initFormFieldTooltip(); </script>
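Review bot: the htmlspecialchars() calls introduced on each `+` line use the default flags and no charset argument. Because every value= attribute here is double-quoted this does stop the attribute breakout, but passing ENT_QUOTES and an explicit encoding, e.g. `htmlspecialchars($_REQUEST['gen_name'], ENT_QUOTES, 'UTF-8')`, keeps the fix correct if an attribute is later switched to single quotes and removes the dependence on the runtime's default charset. Two smaller points in the unchanged context: `if ($data!=")` appears to be `!= ''` with a quote lost in rendering, and the first radio button evaluates `$_REQUEST['gen_type']=="singlepayment"` before the `empty()` check, so a request without gen_type raises an undefined-index notice; testing `empty()` first avoids it.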
