Reflected Cross-Site Scripting (XSS) Vulnerability

Post by kentraub » Tue May 19, 2015 10:14 pm

I had a security scan done on my FormaLMS and received a Reflected Cross-Site Scripting finding from the forgot password screen:

Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET /index.php?modname=<script>alert('TK000000BD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.6.6
Set-Cookie: docebo_session=6j914tgd03dtbi556j2k3kdst4; path=/
X-Powered-By: ASP.NET
Date: Mon, 18 May 2015 13:56:40 GMT
Content-Length: 6835
Evidence: <script>alert('TK000000BD')</script>
Remediation:
Before accepting any user-supplied data, the application should
validate this data's format and reject any characters that are not explicitly
allowed (i.e. a white-list). This list should be as restrictive as possible.
Before using any data (stored or user-supplied) to generate web page
content, the application should escape all non alpha-numeric characters
(i.e. output-validation). This is particularly important when the original
source of data is beyond the control of the application. Even if the source of
the data isn't performing input-validation, output-validation will still prevent
XSS.

Can anyone address this? I am running FormaLMS 1.4
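
The two remediation steps quoted in the scan report above (allow-list validation of `modname`, then escaping on output), as an added example that is not part of the original post and is not forma.lms code. The function names and the `login` module name are hypothetical, and PHP 7.0 or later is assumed.

```php
<?php
// Added illustration; function names are hypothetical, not forma.lms APIs.

// Input validation: accept only characters a module name can contain.
function validate_modname($raw)
{
    // "modname[]=x" arrives as an array, so reject anything that is not a string.
    if (!is_string($raw)) {
        return null;
    }
    // Allow-list: letters, digits and underscore, 1 to 64 characters.
    return preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $raw) === 1 ? $raw : null;
}

// Output encoding: escape at the point where data enters HTML text or attributes.
function html_text($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a fragment that echoes the requested module name.
function render_module_label(array $query)
{
    $modname = validate_modname($query['modname'] ?? null);
    if ($modname === null) {
        // Rejected input is never echoed back, not even in the error message.
        return '<p class="error">Unknown module.</p>';
    }
    // Escaped even though it passed validation: the two controls are independent.
    return '<p>Module: ' . html_text($modname) . '</p>';
}

// Constructed inputs: the value from the scan report, an array, and a plain name.
$samples = [
    ['modname' => "<script>alert('TK000000BD')</script>", 'op' => 'lostpwd'],
    ['modname' => ['x'], 'op' => 'lostpwd'],
    ['modname' => 'login', 'op' => 'lostpwd'],
];
foreach ($samples as $query) {
    echo render_module_label($query), PHP_EOL;
}

// Escaping alone turns the reported value into inert text if it must be displayed.
echo html_text($samples[0]['modname']), PHP_EOL;
```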

Post by canelli » Thu May 21, 2015 2:28 pm

I was not able to reproduce the vulnerability you found.

I tried on
  • Linux server with Apache 2.2, PHP 5.3, 5.4 and 5.5
  • Windows 7 with Apache 2.2, PHP 5.3 and 5.4

forma.lms since version 1.0 has implemented a check and cleanup of input parameters (GET and POST) to prevent Cross-site Scripting (XSS).

I think the issue can be related to your environment: PHP 5.6 (not supported for production, enabled for testing) and/or IIS web server.
Can you try with PHP 5.4? With Apache 2.x?
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Sistemi avanzati per l'information technology

http://www.joint-tech.com
---------------

Post by kentraub » Tue Aug 18, 2015 5:49 pm

I have downgraded the PHP version and the scan still shows the same results:
Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET /index.php?modname=<script>alert('TK000000CD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.42
Set-Cookie: docebo_session=tf39dme1mg0u57577iutrhokj7; path=/
X-Powered-By: ASP.NET
Date: Tue, 18 Aug 2015 13:57:33 GMT
Content-Length: 6837
Evidence: <script>alert('TK000000CD')</script>

Post by jrgilo » Tue Sep 04, 2018 5:32 pm

I get the same results. Were you ever able to figure it out, kentraub?
I'm on an Azure environment btw.
Thanks!

Post by alfa24 » Tue Sep 04, 2018 6:45 pm

Which tool is giving you this issue?
I'm Jasmines, the One

Post by alberto » Thu Sep 06, 2018 12:30 am

Kentraub's message is very old; those vulnerabilities have been fixed in later releases.

Post by canelli » Thu Sep 06, 2018 12:10 pm

I confirm that with forma 2.0 we can't reproduce this vulnerability.

In forma 1.x we fixed some vulnerabilities. Please use the latest version 1.4.3 to be sure you are up to date.

Post by alfa24 » Wed Sep 12, 2018 11:56 am

I confirm Forma2 is affected by the vulnerability too, after login.
See attached screenshot.
xss.jpg