AppSec Blog

Spot the Vuln - Invincible - Cross Site Scripting


Affected Software: WPhone Plug-in

Fixed in Version: 1.5.2

Issue Type: Cross Site Scripting (XSS)

Original Code: Found Here


This bug is a straightforward XSS bug. Once again, we see the familiar $_SERVER['PHP_SELF'] variable being echoed back to the user without any encoding. The fix is simple, remove the value for the ACTION form attribute completely. This removes the need for any type of sanitization and ensures the form is POSTed to the URL that is hosting the form.

On a side note, many developers reduce the testing/defenses implemented in web pages designed for mobile clients. For some reason, it's tempting to assume web pages designed for mobile applications have less exposure. Less exposure is obviously not the case; web pages designed for mobile clients have just as much exposure as web pages designed for normal web browsers. Please ensure your security diligence and security test cases cover your mobile attack surface. Just because the devices are smaller, that doesn't make your attack surface is smaller too!

Developers Solution

<?php # Visit this file in your browser to simulate a mobile device's screensize via an <iframe> $devices = array( 'iphone_p' => array( 'type' => 'iPhone: portrait (320×480)', 'width' => 320, 'height' => 480 ), 'iphone_l' => array( 'type' => 'iPhone: landscape (480×320)', 'width' => 480, 'height' => 320 ), 'moto' => array( 'type' => 'Motorola phone/browser (RAZR, v551, etc)', 'width' => 176, 'height' => 220 ), 'n80' => array( 'type' => 'Nokia N80 (N60WebKit)', 'width' => 352, 'height' => 416 ) ); if ( (int) $_REQUEST['w'] && (int) $_REQUEST['h'] ) { $choice = array( 'type' => "Custom size ({$_REQUEST['w']}x{$_REQUEST['h']})", 'width' => $_REQUEST['w'], 'height' => $_REQUEST['h'] ); } elseif ( $devices[$_REQUEST['d']] ) $choice = $devices[$_REQUEST['d']]; else $choice = $devices['iphone_p']; ?> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" ""> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>WPhone iFramer test tool: <?php echo $choice['type']; ?></title> </head> <body> -<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get"> + <form action="" method="get"> <label for="h">CHOOSE</label> <select name="d" id="d"> <option></option> <?php foreach ( $devices as $this_d_key => $this_d ) { $selected = ( $_REQUEST['d'] == $this_d_key ) ? 'selected' : "; echo '<option value="' . $this_d_key . '" ' . $selected . '>' . $this_d['type'] . '</option>' . "\n\t\t\t"; } echo "\n"; ?> </select> <br />OR INPUT <label for="w">Width</label> <input type="text" name="w" id="w" value="" size="5" /> x <label for="h">Height</label> <input type="text" name="h" id="h" value="" size="5" /> <br /> <input type="submit" name="submit" value="view" /> </form> <h2><?php echo $choice['type']; ?></h2> <iframe src="../../../wp-login.php" width="<?php echo $choice['width']; ?>" height="<?php echo $choice['height']; ?>">your browser does not support iframes.</iframe> </body> </html>


Posted March 25, 2011 at 3:55 PM | Permalink | Reply


also vulnerable to xss are the h and w request params which are assigned to the $choice array without any validation and the values indexed as type, width and height are echo'd without encoding (type into the html title and height and width into the iframe attributes of the same names).

Post a Comment


* Indicates a required field.