• Resolved grcwebteam

    (@grcwebteam)


    Hello,

    A security scan of one of our sites that uses MLA came back with an issue regarding potential cross-site scripting.

    Request:

    GET .../?mla_paginate_current=2&ak8tq%2522onmouseover%253d%2522alert%25281%2529%2522style%253d%2522position%253aabsolute%253bwidth%253a100%2525%253bheight%253a100%2525%253btop%253a0%253bleft%253a0%253b%2522yvx42=1 HTTP/1.1

    Response:

    <a class="prev page-numbers" href=".../?ak8tq"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"yvx42=1&mla_paginate_current=1">

    Inserting this into the query string echoes the input and causes a JavaScript popup. Is there any way to validate the query string input for MLA parameters?

    • This topic was modified 4 years, 8 months ago by grcwebteam.
  • Thread Starter grcwebteam

    (@grcwebteam)

    We are also receiving warnings about client-side HTTP parameter pollution:

    Request:

    GET .../?mla_paginate_current=2&adm%26twb%3d1=1 HTTP/1.1

    Response:

    <a class="page-numbers" href=".../?hrr&kqj=1%3D1&mla_paginate_current=2">

    The resolution suggestion here is that URL input be encoded before being embedded in a URL.

    Plugin Author David Lingren

    (@dglingren)

    Thank you for your report; I always appreciate being alerted to security issues.

    I will investigate and post an update here when I have progress to report.

    Plugin Author David Lingren

    (@dglingren)

    Thanks again for alerting me to these two issues. I have resolved the first issue by removing query arguments with names containing embedded special characters. I have resolved the second issue by encoding the URL input along the lines you suggested.

    I have uploaded a new MLA Development Version dated 20200729 that contains fixes for the issues you reported. To get the Development Version you can follow the instructions in this earlier topic:

    PHP Warning on media upload with Polylang

    It would be great if you can install the Development Version and let me know how it works for you.
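    As an added illustration of the two fixes described in this reply (dropping query arguments whose names contain special characters, and encoding what gets embedded in the pagination link), the following is example PHP written for this page, not MLA's own code; the function names and the sample $_GET array are constructed.

```php
<?php
// Added example, not MLA's code: build a pagination link from the current
// query arguments, dropping argument names that are not plain identifiers and
// URL-encoding every name and value before embedding them in the href.

// Keep only argument names made of letters, digits, underscore and hyphen.
// Names carrying quotes, '=', '&' or other delimiters are discarded entirely.
function mla_example_safe_query_args(array $args): array {
    $safe = [];
    foreach ($args as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9_\-]+$/', (string) $name)) {
            continue; // e.g. drops 'ak8tq"onmouseover="alert(1)"...yvx42'
        }
        $safe[$name] = is_array($value) ? $value : (string) $value;
    }
    return $safe;
}

// Build the <a> for a given page number. RFC 3986 encoding turns '&', '=',
// '"' and '%' inside values into percent-escapes, so a value such as '1=1'
// can no longer add or split query parameters in the generated link.
function mla_example_paginate_link(string $base_url, array $current_args, int $page): string {
    $args = mla_example_safe_query_args($current_args);
    $args['mla_paginate_current'] = $page;
    $query = http_build_query($args, '', '&', PHP_QUERY_RFC3986);
    $url = $base_url . '?' . $query;
    // The URL also lands inside an HTML attribute, so escape for that context too.
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<a class="page-numbers" href="' . $href . '">' . $page . '</a>';
}

// Constructed sample: the two scanner payloads from this thread, roughly as
// PHP presents them in $_GET after decoding (quotes in one name, '&' and '='
// in another, '=' inside a value).
$sample_get = [
    'mla_paginate_current' => '2',
    'ak8tq"onmouseover="alert(1)"style="position:absolute;"yvx42' => '1',
    'adm&twb=1' => '1',
    'kqj' => '1=1',
];
echo mla_example_paginate_link('https://example.com/', $sample_get, 1), "\n";
// <a class="page-numbers" href="https://example.com/?mla_paginate_current=1&amp;kqj=1%3D1">1</a>
```

    Inside WordPress the same two steps map onto filtering the argument array before add_query_arg() and passing the finished URL through esc_url() before it is printed.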

    Thread Starter grcwebteam

    (@grcwebteam)

    Thanks David, we will be installing and testing it next week. I will report back with the results.

    Thread Starter grcwebteam

    (@grcwebteam)

    Hi David,

    We re-scanned our site with this development release and it was not flagged for XSS issues. Thank you very much for fixing this! Do you plan to formally release these plugin changes in the future?

    Plugin Author David Lingren

    (@dglingren)

    Thanks for taking the time to try the Development Version and for the good news about your results.

    I plan to update the official MLA version shortly after WordPress 5.5 goes out. If it is appropriate, you can continue to use the Development Version with confidence until the next MLA update automatically replaces it. I always do my best to ensure that any Development Version I post is of “release candidate” quality.

    Thread Starter grcwebteam

    (@grcwebteam)

    Excellent, thanks for the update!

    Plugin Author David Lingren

    (@dglingren)

    I have released MLA v2.84, which contains the new code resolving your two issues. I am marking this topic resolved, but please update it if you have any problems or further questions regarding the new option. Thanks for inspiring this MLA improvement.

  • The topic ‘Cross Site Scripting (Reflected)’ is closed to new replies.