Scripting (XSS_in_URI_File.script)

mirceat

Hello,

I rolled a scan with Acunetix and the report shows this kind of message for every list created with Fabrik (website name/links have been changed for security purposes):

URI was set to "onmouseover='QnuT(9107)'bad="
The input is reflected inside a tag parameter between double quotes.

GET /myfabriklist?"onmouseover='QnuT(9107)'bad=" HTTP/1.1
Referer: https://mywebsite.com
Cookie: b5193a03dc5dbf6ad7e975ae415c7d52=g45k0t0rhba93b546im37uvvm7; joomla_user_state=logged_in
Host: mywebsite.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Acunetix-Product: WVS/11.0 (Acunetix - WVSE)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*

Can you please confirm/deny these issues?

Thank you
 
As far as I can tell, it only gets "reflected" in hrefs, as part of the base URL. Which (as far as I know) isn't dangerous.

-- hugh
 
Can I take your response as official, or will you do more tests/scans? I'm asking because I can't launch a new website without the "OK" from the Security department, and one of their requests was about these messages with the Fabrik lists.
 
Hello,

Sorry to bother you, but a new scan revealed a new possible issue, this time with a Fabrik list. Btw, the previous issue has been solved with your modification.

URL encoded POST input fabrik___filter[list_47_com_fabrik_47][value][1][1] was set to 1<WU4YKC>4ZIUH[!+!] </WU4YKC>
The input is reflected inside a text element

The list has 3 filters: id (field, internalid), date_time (range, datetime), company (autocomplete, field)

POST /apps?clearfilters=0&clearordering=0&resetfilters=0

25b507a6bcf69b7cb5d8e911c1ba3575=1&auto-complete7313=Acunetix&checkAll=on&fabrik_listplugin_name=1&fabrik_listplugin_options=1&fabrik_listplugin_renderOrder=1&fabrik_referrer=1&fabrik___filter[list_47_com_fabrik_47][condition][0]==&fabrik___filter[list_47_com_fabrik_47][condition][1]==&fabrik___filter[list_47_com_fabrik_47][condition][2]=contains&fabrik___filter[list_47_com_fabrik_47][elementid][0]=355&fabrik___filter[list_47_com_fabrik_47][elementid][1]=356&fabrik___filter[list_47_com_fabrik_47][elementid][2]=7313&fabrik___filter[list_47_com_fabrik_47][eval][0]=0&fabrik___filter[list_47_com_fabrik_47][eval][1]=0&fabrik___filter[list_47_com_fabrik_47][eval][2]=0&fabrik___filter[list_47_com_fabrik_47][full_words_only][0]=0&fabrik___filter[list_47_com_fabrik_47][full_words_only][1]=0&fabrik___filter[list_47_com_fabrik_47][full_words_only][2]=0&fabrik___filter[list_47_com_fabrik_47][grouped_to_previous][0]=0&fabrik___filter[list_47_com_fabrik_47][grouped_to_previous][1]=0&fabrik___filter[list_47_com_fabrik_47][grouped_to_previous][2]=0&fabrik___filter[list_47_com_fabrik_47][hidden][0]=0&fabrik___filter[list_47_com_fabrik_47][hidden][1]=0&fabrik___filter[list_47_com_fabrik_47][hidden][2]=0&fabrik___filter[list_47_com_fabrik_47][join][0]=AND&fabrik___filter[list_47_com_fabrik_47][join][1]=AND&fabrik___filter[list_47_com_fabrik_47][join][2]=AND&fabrik___filter[list_47_com_fabrik_47][key][0]=`contract_tool`.`id`&fabrik___filter[list_47_com_fabrik_47][key][1]=`contract_tool`.`date_time`&fabrik___filter[list_47_com_fabrik_47][key][2]=`contract_tool_companies`.`company`&fabrik___filter[list_47_com_fabrik_47][match][0]=1&fabrik___filter[list_47_com_fabrik_47][match][1]=1&fabrik___filter[list_47_com_fabrik_47][match][2]=1&fabrik___filter[list_47_com_fabrik_47][search_type][0]=normal&fabrik___filter[list_47_com_fabrik_47][search_type][1]=normal&fabrik___filter[list_47_com_fabrik_47][search_type][2]=normal&fabrik___filter[list_47_com_fabrik_47][value][0]=1&fabrik___filter[list_47_com_fabrik_47][value][1][0]=1&fabrik___filter[list_47_com_fabrik_47][value][1][1]=1<WU4YKC>4ZIUH[!%2b!] </WU4YKC>&fabrik___filter[list_47_com_fabrik_47][value][2]=1&filter=Go&format=html&incfilters=1&Itemid=126&limitstart47=0&listid=47&listref=47_com_fabrik_47&option=com_fabrik&orderby=1&orderdir=1&packageId=0&task=1&view=list

Joomla 3.7.5, Fabrik github version

Can you please take a look?

Thank you
 
I'm not sure when I'll get time, but I'll take a look. However, this is similar to the last one. The reflected value is inside a URL, it's not actually dangerous as it's not executable. I understand why your scanner picks up on it, but it's not actually an XSS issue. And the problem is, I can't code everything to meet the extremely strict standards you need for one specific scanner your security auditors use. If you have a deadline, we may have to look at doing this as hourly billed work, if you need me to code to your auditor's standards.

-- hugh
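An added triage helper, not code from this thread or from Fabrik, for checking a finding like the first one above ("reflected inside a tag parameter between double quotes"): it tokenises a response body the way a browser does and reports whether the scanner's probe stayed inside the href value (its quote was entity-encoded) or produced a new on* attribute the template never wrote. The link markup and the two response bodies are constructed for the example; the path /myfabriklist is the one from the scanner report.

```python
# Added triage helper (not Fabrik code). Decides whether a reflection inside
# a double-quoted attribute actually lets the probe leave the attribute.
import html
from html.parser import HTMLParser

PROBE = "\"onmouseover='QnuT(9107)'bad=\""   # the scanner's URI payload


class _Tags(HTMLParser):
    """Record every start tag with its parsed attribute dictionary."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def classify_reflection(body, probe=PROBE):
    """Return 'not_reflected', 'reflected_encoded' or 'breaks_out'.

    If the probe's leading quote was entity-encoded, the tokeniser keeps the
    whole probe inside one attribute value (HTMLParser decodes entities for
    us). If it was not, the tokeniser sees a new on* attribute on the tag."""
    parser = _Tags()
    parser.feed(body)
    for _tag, attrs in parser.tags:
        if any(name.startswith("on") for name in attrs):
            return "breaks_out"
    if any(value and probe in value
           for _tag, attrs in parser.tags for value in attrs.values()):
        return "reflected_encoded"
    return "not_reflected"


def render_link(path, probe, escape):
    """Build the list link the way a template might, with or without
    attribute-context escaping of the reflected request URI (constructed)."""
    uri = path + "?" + probe
    if escape:
        uri = html.escape(uri, quote=True)   # " -> &quot;  ' -> &#x27;
    return '<a href="%s">Fabrik list</a>' % uri


UNSAFE = render_link("/myfabriklist", PROBE, escape=False)
SAFE = render_link("/myfabriklist", PROBE, escape=True)
```

classify_reflection(UNSAFE) returns "breaks_out" and classify_reflection(SAFE) returns "reflected_encoded"; only the first is a real attribute-context XSS, the second is the harmless case described in the replies.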
 