I have a client that keeps getting reports from GoDaddy's "websiteprotection.com" stating how the website is insecure.
Your website contains pages that do not properly sanitize visitor‑provided input to make sure it contains no malicious content or scripts. Cross‑site scripting vulnerabilities let malicious users execute arbitrary HTML or script code in another visitor's browser.
Output:
The request string used to detect this flaw was : /cross_site_scripting.nasl.asp The output was : HTTP/1.1 404 Not Found\r Date: Wed, 21 Mar 2012 08:12:02 GMT\r Server: Apache\r X-Pingback:http://CLIENTSWEBSITE.com/xmlrpc.php\r Expires: Wed, 11 Jan 1984 05:00:00 GMT\r Cache-Control: no-cache, must-revalidate, max-age=0\r Pragma: no-cache\r Set-Cookie: PHPSESSID=1jsnhuflvd59nb4trtquston50; path=/\r Last-Modified: Wed, 21 Mar 2012 08:12:02 GMT\r Keep-Alive: timeout=15, max=100\r Connection: Keep-Alive\r Transfer-Encoding: chunked\r Content-Type: text/html; charset=UTF-8\r \r
<div id="contact-form" class="widget"><form action="http://CLIENTSWEBSITE.com/<script>cross_site_scripting.nasl</script>.asp" id="contactForm" method="post">
It looks like it has an issue with the contact form. All the contact form does is post an AJAX request to the same page, and then a PHP script mails the data (no database stuff).
Are there any security issues here? Any ideas on how I can satisfy the security scanner?
Here is the form and script:
<form action="<?php echo $this->getCurrentUrl(); ?>" id="contactForm" method="post">
<input type="text" name="Name" id="Name" value="" class="txt requiredField name" />
//Some more text inputs
<input type="hidden" name="sendadd" id="sendadd" value="<?php echo $emailadd ; ?>" />
<input type="hidden" name="submitted" id="submitted" value="true" /><input class="submit" type="submit" value="Send" />
</form>
// Some initial JS validation, if that passes an ajax post is made to the script below
<?php
// If the form is submitted
if (isset($_POST['submitted'])) {
    // Check captcha
    if (isset($_POST["captchaPrefix"])) {
        $capt = new ReallySimpleCaptcha();
        $correct = $capt->check($_POST["captchaPrefix"], $_POST["Captcha"]);
        if (!$correct) {
            echo false;
            die();
        } else {
            $capt->remove($_POST["captchaPrefix"]);
        }
    }
    $dateon = $_POST["dateon"];
    $ToEmail = $_POST["sendadd"];
    $EmailSubject = 'Contact Form Submission from ' . get_bloginfo('title');
    $mailheader = "From: " . $_POST["Email"] . "\r\n";
    $mailheader .= "Reply-To: " . $_POST["Email"] . "\r\n";
    $mailheader .= "Content-type: text/html; charset=iso-8859-1\r\n";
    $MESSAGE_BODY = "Name: " . $_POST["Name"] . "<br>";
    $MESSAGE_BODY .= "Email Address: " . $_POST["Email"] . "<br>";
    $MESSAGE_BODY .= "Phone: " . $_POST["Phone"] . "<br>";
    if ($dateon == "on") {
        $MESSAGE_BODY .= "Date: " . $_POST["Date"] . "<br>";
    }
    $MESSAGE_BODY .= "Message: " . $_POST["Comments"] . "<br>";
    mail($ToEmail, $EmailSubject, $MESSAGE_BODY, $mailheader) or die("Failure");
    echo true;
    die();
}
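An added example, not the asker's code or the site's own: a hardened version of the handler posted above. The scanner's output shows why it flags the page: whatever path is requested comes back verbatim inside the form's action attribute, which is what echoing getCurrentUrl() unescaped does, so that value needs attribute escaping (or the form should post to a fixed path so the request URL is never reflected). Separately, the mail script takes its recipient from the hidden sendadd field, which any client can rewrite before submitting, and builds the From: and Reply-To: headers straight from $_POST["Email"] without checking for line breaks. The version below keeps the captcha flow, pins the recipient server-side, validates the visitor's address, and escapes every field before it goes into the HTML body. It assumes WordPress (get_bloginfo, which the X-Pingback header in the scan suggests), the same ReallySimpleCaptcha class, the mbstring extension, and the example.com addresses are placeholders to replace.

```php
<?php
// Added example (not the asker's code): hardened contact handler.
// Assumptions: WordPress, ReallySimpleCaptcha available, mbstring loaded,
// example.com addresses are placeholders.
declare(strict_types=1);

// The form action. Escape the current URL for an HTML attribute context so a
// request path containing quotes or tags cannot break out of action="...".
function form_action_attr(string $currentUrl): string
{
    return htmlspecialchars($currentUrl, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Recipient is fixed in server-side config; the hidden "sendadd" field is gone.
const CONTACT_RECIPIENT = 'contact@example.com'; // placeholder

// A single well-formed address with no CR/LF/NUL, so it cannot append extra
// header lines when placed in Reply-To:. Returns null when unusable.
function clean_email(string $raw): ?string
{
    $email = trim($raw);
    if (strlen($email) > 254 || preg_match('/[\r\n\0]/', $email)) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) ?: null;
}

// Free-text field: drop control characters, cap the length, and escape for
// HTML because the message body is declared text/html.
function clean_field(string $raw, int $max = 1000): string
{
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $raw) ?? '';
    $value = mb_substr($value, 0, $max, 'UTF-8');
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Builds to/subject/body/headers from a $_POST-like array. Returns null on bad
// input. Does not call mail(), so it can be exercised without an MTA.
function build_contact_mail(array $post, string $siteName): ?array
{
    $visitor = clean_email((string)($post['Email'] ?? ''));
    if ($visitor === null) {
        return null;
    }
    // From: is our own mailbox; the visitor only ever appears in Reply-To:.
    $headers = [
        'From: noreply@example.com', // placeholder sender on the site's domain
        'Reply-To: ' . $visitor,
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=UTF-8',
    ];
    $lines = [
        'Name: ' . clean_field((string)($post['Name'] ?? ''), 200),
        'Email Address: ' . htmlspecialchars($visitor, ENT_QUOTES, 'UTF-8'),
        'Phone: ' . clean_field((string)($post['Phone'] ?? ''), 50),
    ];
    if (($post['dateon'] ?? '') === 'on') {
        $lines[] = 'Date: ' . clean_field((string)($post['Date'] ?? ''), 50);
    }
    $lines[] = 'Message: ' . nl2br(clean_field((string)($post['Comments'] ?? '')));
    return [
        'to'      => CONTACT_RECIPIENT,
        'subject' => 'Contact Form Submission from ' . $siteName, // server-chosen, not visitor text
        'body'    => implode("<br>\n", $lines),
        'headers' => implode("\r\n", $headers),
    ];
}

// Request handling, same flow as the original: captcha first, then mail.
if (PHP_SAPI !== 'cli' && isset($_POST['submitted'])) {
    if (isset($_POST['captchaPrefix'])) {
        $capt = new ReallySimpleCaptcha();
        if (!$capt->check($_POST['captchaPrefix'], $_POST['Captcha'] ?? '')) {
            http_response_code(400);
            exit;
        }
        $capt->remove($_POST['captchaPrefix']);
    }
    $msg = build_contact_mail($_POST, get_bloginfo('name'));
    if ($msg === null || !mail($msg['to'], $msg['subject'], $msg['body'], $msg['headers'])) {
        http_response_code(400);
        exit;
    }
    echo '1'; // the page's JS treated echo true ("1") as success
    exit;
}

// Constructed sample run from the command line (php thisfile.php):
// an address carrying an embedded line break is rejected, and markup in
// the name is escaped rather than rendered by the recipient's mail client.
if (PHP_SAPI === 'cli') {
    $bad  = ['Email' => "a@example.com\r\nX-Injected: 1", 'Name' => 'x'];
    $good = ['Email' => 'visitor@example.org', 'Name' => '<b>Pat</b>', 'Comments' => "hi\nthere"];
    var_dump(build_contact_mail($bad, 'Site'));
    print_r(build_contact_mail($good, 'Site'));
}
```

To satisfy the scanner specifically, the action attribute is what it tests: once the reflected path is escaped (form_action_attr) or replaced by a constant path, the `<script>` it injects no longer appears verbatim in the response. The mail changes do not affect the scan result but close the two problems a reviewer would raise about the handler as posted.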