
I have a client that keeps getting reports from GoDaddy's "websiteprotection.com" stating that the website is insecure.

Your website contains pages that do not properly sanitize visitor‑provided input to make sure it contains no malicious content or scripts. Cross‑site scripting vulnerabilities let malicious users execute arbitrary HTML or script code in another visitor's browser.

Output:

The request string used to detect this flaw was:

    /cross_site_scripting.nasl.asp

The output was:

    HTTP/1.1 404 Not Found
    Date: Wed, 21 Mar 2012 08:12:02 GMT
    Server: Apache
    X-Pingback: http://CLIENTSWEBSITE.com/xmlrpc.php
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=1jsnhuflvd59nb4trtquston50; path=/
    Last-Modified: Wed, 21 Mar 2012 08:12:02 GMT
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    <div id="contact-form" class="widget"><form action="http://CLIENTSWEBSITE.com/<script>cross_site_scripting.nasl</script>.asp" id="contactForm" method="post">

It looks like it has an issue with the contact form. All the contact form does is post an AJAX request to the same page, and then a PHP script mails the data (no database stuff).

Are there any security issues here? Any ideas on how I can satisfy the security scanner?

Here is the form and script:

    <form action="<?php echo $this->getCurrentUrl(); ?>" id="contactForm" method="post">
        <input type="text" name="Name" id="Name" value="" class="txt requiredField name" />
        <!-- Some more text inputs -->

        <input type="hidden" name="sendadd" id="sendadd" value="<?php echo $emailadd ; ?>" />
        <input type="hidden" name="submitted" id="submitted" value="true" /><input class="submit" type="submit" value="Send" />
    </form>

    // Some initial JS validation; if that passes, an AJAX POST is made to the script below

    <?php
    // If the form is submitted
    if (isset($_POST['submitted'])) {

        // Check captcha
        if (isset($_POST["captchaPrefix"])) {
            $capt = new ReallySimpleCaptcha();
            $correct = $capt->check($_POST["captchaPrefix"], $_POST["Captcha"]);
            if (!$correct) {
                echo false;
                die();
            } else {
                $capt->remove($_POST["captchaPrefix"]);
            }
        }

        $dateon = $_POST["dateon"];
        $ToEmail = $_POST["sendadd"];
        $EmailSubject = 'Contact Form Submission from ' . get_bloginfo('title');
        $mailheader = "From: " . $_POST["Email"] . "\r\n";
        $mailheader .= "Reply-To: " . $_POST["Email"] . "\r\n";
        $mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";

        $MESSAGE_BODY = "Name: " . $_POST["Name"] . "<br>";
        $MESSAGE_BODY .= "Email Address: " . $_POST["Email"] . "<br>";
        $MESSAGE_BODY .= "Phone: " . $_POST["Phone"] . "<br>";
        if ($dateon == "on") {
            $MESSAGE_BODY .= "Date: " . $_POST["Date"] . "<br>";
        }
        $MESSAGE_BODY .= "Message: " . $_POST["Comments"] . "<br>";

        mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die("Failure");

        echo true;
        die();
    }

3 Answers


I'm not sure I understand what's going on here, but are they complaining about the data going from the form to the "http://website/script.asp" without being checked?

Because, if so, then that's just ridiculous because even if you chose to do some JavaScript / other client-side checking, one should never rely on it. All the sanitisation should be done server side, which I presume it is?

Could you post the original script for clarity?

answered 2012-03-22T15:47:57.807

It's a security risk because it's possible to type <script>cross_site_scripting.nasl</script>.asp into a form (or a hidden element), and have it appear on your pages. That lets other websites inject arbitrary code into your website. If you're just using a contact form and have no user login or cookies, then this is just a spam risk.

(Post the HTML/PHP which generates the form, and this may become clearer)

answered 2012-03-22T15:49:06.213
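The reflection this answer describes is visible in the scanner output: the probe path ended up verbatim inside the form's action attribute. The following is an added example, not code from the question or from either answer. The page does not show how getCurrentUrl() is implemented; the example assumes it echoes the request URI from $_SERVER and uses a stand-in parameter in its place, and the hostname example.com is an assumption.

```php
<?php
// Added example (not from the original question or answers). It reproduces the
// reflected-XSS path the scanner hit: the request URL is echoed into the form's
// action attribute, so a URL containing <script> lands in the page as markup.
// The original calls $this->getCurrentUrl(); that is assumed to derive from
// $_SERVER['REQUEST_URI'] and is replaced here by a plain parameter.

// Vulnerable: the request URI goes into the attribute verbatim.
function form_action_unsafe(string $request_uri): string
{
    return '<form action="http://example.com' . $request_uri . '" id="contactForm" method="post">';
}

// Hardened: HTML-escape anything reflected into markup. ENT_QUOTES covers the
// double quote that would otherwise close the attribute; ENT_SUBSTITUTE keeps
// a malformed UTF-8 sequence from turning the whole string into "".
function form_action_safe(string $request_uri): string
{
    $escaped = htmlspecialchars($request_uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="http://example.com' . $escaped . '" id="contactForm" method="post">';
}

// Better still: the handler lives at a known path, so there is no need to
// reflect the request URL at all. The path /contact is an assumed route.
function form_action_fixed(): string
{
    return '<form action="/contact" id="contactForm" method="post">';
}

// Constructed request path modelled on the scanner's probe.
$probe = '/<script>cross_site_scripting.nasl</script>.asp';

echo form_action_unsafe($probe), PHP_EOL;  // script tag survives as markup
echo form_action_safe($probe), PHP_EOL;    // angle brackets become &lt; and &gt;
echo form_action_fixed(), PHP_EOL;         // nothing from the request is reflected
```

Escaping at the point of output is the general fix for anything echoed into HTML; the fixed-action variant is simpler here because the form posts to the same page anyway.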

Your script is immediately at risk because you're blindly using $_POST for your email headers. This could allow a person to manipulate the header of the email to send to a wildcard email address, or simply use your form on your server to send spam to others.

With a content type of HTML, you should run htmlentities() on the user input (assuming you don't really want them to have HTML fire off in an email viewer, as mentioned).

Additionally, look into filter_input() to ensure the email address they're entering is valid and not header injection.

http://us2.php.net/manual/en/function.filter-input.php

answered 2012-05-01T14:06:39.107
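This answer points at the handler's use of $_POST for the From and Reply-To headers; the posted code also takes the recipient from the hidden sendadd field. The following is an added example, not code from the question or any answer, showing a hardened version of that handler. The recipient address, the From mailbox, the field names and the sample request are assumptions constructed for the demonstration; the example needs PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example, not code from the question or answers. It addresses two things
// visible in the posted handler: request fields copied straight into mail
// headers (a CR/LF in the Email field starts a new header such as Bcc:), and
// the recipient read from the hidden sendadd field (anyone can make the server
// mail anyone). Addresses and field names are assumptions for the demo.

// The recipient is fixed server-side and never read from the request.
const CONTACT_RECIPIENT = 'contact@example.com';   // assumed address
const CONTACT_SENDER    = 'website@example.com';   // assumed mailbox the server owns

// HTML-escape a field before it is embedded in a text/html body.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build [to, subject, body, headers] from untrusted POST data, or return null
// when the request must be rejected.
function build_contact_mail(array $post): ?array
{
    $email = (string) ($post['Email'] ?? '');

    // FILTER_VALIDATE_EMAIL does not accept CR, LF or whitespace, so a validated
    // address cannot open a new header line; the explicit check makes the
    // intent obvious and survives a later change of validator.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false || preg_match('/[\r\n]/', $email)) {
        return null;
    }

    // Every field is escaped, so a <script> in Name arrives as text, not markup.
    $body  = 'Name: '          . h((string) ($post['Name'] ?? ''))     . "<br>\n";
    $body .= 'Email Address: ' . h($email)                              . "<br>\n";
    $body .= 'Phone: '         . h((string) ($post['Phone'] ?? ''))    . "<br>\n";
    $body .= 'Message: '       . h((string) ($post['Comments'] ?? '')) . "<br>\n";

    // From stays a mailbox this server is allowed to send as; the visitor's
    // address goes in Reply-To only, and only after validation above.
    $headers = 'From: ' . CONTACT_SENDER . "\r\n"
             . 'Reply-To: ' . $email . "\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n";

    return [CONTACT_RECIPIENT, 'Contact form submission', $body, $headers];
}

// Constructed hostile request: attacker-chosen recipient in the hidden field,
// script in Name, and a header-injection attempt in Email.
$attack = [
    'sendadd'  => 'victim@example.net',
    'Name'     => '<script>alert(1)</script>',
    'Email'    => "a@example.org\r\nBcc: spam-target@example.net",
    'Comments' => 'hello',
];
var_dump(build_contact_mail($attack));   // rejected on the CR/LF in Email

// Constructed legitimate request: sendadd is ignored even if present.
$legit = ['sendadd' => 'victim@example.net', 'Name' => 'Ann <b>', 'Email' => 'ann@example.org', 'Comments' => 'hi'];
$mail = build_contact_mail($legit);
var_dump($mail[0] === CONTACT_RECIPIENT);
// mail($mail[0], $mail[1], $mail[2], $mail[3]);  // sends only to CONTACT_RECIPIENT
```

The order matters: validate the address before it touches a header, escape each field at the point it enters the HTML body, and keep the destination out of the request entirely rather than trying to validate a recipient the visitor chose.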