Reflected Cross-Site Scripting (XSS) Vulnerability

Please report here problems and bugs
kentraub
Newbie
Posts: 18
Joined: Wed Dec 12, 2012 9:35 pm

Reflected Cross-Site Scripting (XSS) Vulnerability

Post by kentraub » Tue May 19, 2015 10:14 pm

I had a security scan done on my FormaLMS and received a Reflected Cross-Site Scripting from the forgot password screen:

Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET /index.php?modname=<script>alert('TK000000BD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.6.6
Set-Cookie: docebo_session=6j914tgd03dtbi556j2k3kdst4; path=/
X-Powered-By: ASP.NET
Date: Mon, 18 May 2015 13:56:40 GMT
Content-Length: 6835
Evidence: <script>alert('TK000000BD')</script>
Remediation:
Before accepting any user-supplied data, the application should
validate this data's format and reject any characters that are not explicitly
allowed (i.e. a white-list). This list should be as restrictive as possible.
Before using any data (stored or user-supplied) to generate web page
content, the application should escape all non alpha-numeric characters
(i.e. output-validation). This is particularly important when the original
source of data is beyond the control of the application. Even if the source of
the data isn't performing input-validation, output-validation will still prevent
XSS.

Can anyone address this? I am running FormaLMS 1.4
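
The two remediation steps in the scan report above (allow-list validation of the input, then escaping on output), sketched in PHP as an added example. It is not part of the original post and is not forma.lms code; the function names and the module-name pattern are assumptions made for illustration.

```php
<?php
// Added example, NOT forma.lms code. validate_module_name(), html_escape()
// and the allow-list pattern are hypothetical names/values for illustration.

/**
 * Input validation: accept a module name only if it matches a strict
 * allow-list pattern; return null for anything else.
 */
function validate_module_name(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Assumed format: letters, digits and underscore only, bounded length.
    // \A and \z anchor the whole string (no trailing-newline bypass).
    return preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $raw) === 1 ? $raw : null;
}

/**
 * Output encoding for an HTML text node or a quoted attribute value.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs; the second is the scanner probe from the report.
$samples = [
    'login',
    "<script>alert('TK000000BD')</script>",
    'bad name!',
    null,
];

foreach ($samples as $raw) {
    $modname = validate_module_name($raw);
    if ($modname === null) {
        // Rejected input is still escaped before it is echoed anywhere,
        // so an error page cannot reflect it as markup.
        printf("rejected: %s\n", html_escape((string) $raw));
        continue;
    }
    // Accepted input is escaped as well: validation and escaping are
    // independent layers, as the remediation text says.
    printf("accepted: %s\n", html_escape($modname));
}
```

With both layers in place, the scanner's probe is rejected by the validator and, where echoed, appears as `&lt;script&gt;...` rather than as an executable tag.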

canelli
FormaLms Guru
Posts: 457
Joined: Thu Nov 08, 2012 12:21 pm
Version: forma.lms 2.0

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by canelli » Thu May 21, 2015 2:28 pm

I was not able to reproduce the vulnerability you found.

I tried on
  • Linux server with Apache 2.2, PHP 5.3, 5.4 and 5.5
  • Windows 7 with Apache 2.2, PHP 5.3 and 5.4
forma.lms since version 1.0 has implemented a check and cleanup of input parameters (GET and POST) to prevent Cross-site Scripting (XSS).

I think the issue can be related to your environment: PHP 5.6 (not supported for production, enabled for testing) and/or the IIS web server.
Can you try with PHP 5.4? With Apache 2.x?
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Advanced systems for information technology

http://www.joint-tech.com
---------------

kentraub
Newbie
Posts: 18
Joined: Wed Dec 12, 2012 9:35 pm

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by kentraub » Tue Aug 18, 2015 5:49 pm

I have downgraded the PHP version and the scan still shows the same results:
Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET /index.php?modname=<script>alert('TK000000CD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.42
Set-Cookie: docebo_session=tf39dme1mg0u57577iutrhokj7; path=/
X-Powered-By: ASP.NET
Date: Tue, 18 Aug 2015 13:57:33 GMT
Content-Length: 6837
Evidence: <script>alert('TK000000CD')</script>

jrgilo
Newbie
Posts: 6
Joined: Mon Jan 29, 2018 5:11 pm
Version: forma.lms 2.0
Location: Mexico City, Mexico

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by jrgilo » Tue Sep 04, 2018 5:32 pm

I get the same results. Were you ever able to figure it out, kentraub?
I'm on an Azure environment btw.
Thanks!

alfa24
FormaLms Expert
Posts: 186
Joined: Fri Nov 24, 2017 8:45 am
Version: forma.lms 1.4.2

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by alfa24 » Tue Sep 04, 2018 6:45 pm

Which tool is giving you this issue?
I'm Jasmines, the One

alberto
FormaLms Guru
Posts: 858
Joined: Fri Mar 02, 2012 9:18 am

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by alberto » Thu Sep 06, 2018 12:30 am

Kentraub's message is very old; those vulnerabilities have been fixed in later releases.
--------------------------------------------------
Become a CONTRIBUTOR

Support the project for FREE!
www.Elearnit.net

canelli
FormaLms Guru
Posts: 457
Joined: Thu Nov 08, 2012 12:21 pm
Version: forma.lms 2.0

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by canelli » Thu Sep 06, 2018 12:10 pm

I confirm that with forma 2.0 we can't reproduce this vulnerability.

In forma 1.x we fixed some vulnerabilities. Please use the latest version, 1.4.3, to be sure you are up to date.
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Advanced systems for information technology

http://www.joint-tech.com
---------------

alfa24
FormaLms Expert
Posts: 186
Joined: Fri Nov 24, 2017 8:45 am
Version: forma.lms 1.4.2

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by alfa24 » Wed Sep 12, 2018 11:56 am

I confirm Forma2 is affected by the vulnerability too, after login.
See attached screenshot.
xss.jpg
I'm Jasmines, the One
