XSS in forgot password - security

Using the POST HTTP method, Site Scanner found that:
The following resources may be vulnerable to cross-site scripting (extended patterns):
The 'email' parameter of the /customer/account/forgotpasswordpost/ CGI:
/customer/account/forgotpasswordpost/ [email=508 src=http://www.example.com/exploit508.js]
As far as I see the code, Magento sanitizes _GET/_POST. How can I get this fixed?

I guess this will depend on what version of Magento you are running. The default location for the template in question can be found at app/design/frontend/base/default/template/customer/form/forgotpassword.phtml. The only value that is user editable that is echo'd out to the screen is the e-mail address, certainly in Magento 1.6 this is being passed through the template blocks htmlEscape method, but it's worth checking that it is in your version of Magento.
<input type="text" name="email" alt="email" id="email_address" class="input-text required-entry validate-email" value="<?php echo $this->htmlEscape($this->getEmailValue()) ?>" />
If you find that it already is then it would be worth checking that this template isn't being overloaded in your current theme.

Related

How to prevent xss in magento

I have been trying for the last 5-8 hours and am not getting a solution for XSS prevention in Magento.
I have already installed all the latest patches in my Magento.
I am using this script in the catalog search input box:
"><img src=x onerror=prompt(1);>
and I am getting this output:
(screenshot: xss result)
I have also tried some validation like htmlEscape and strip_tags, but none of them are working for me.
Can someone please help me?
I made many themes in Magento 1.9 and tested many XSS scripts, but the script is not triggered.
1. <script>alert('hello')</script> even
2. In the URL www.yourwebsite.com?query=<script>alert('hello')</script> or
3. <img src=x onerror="alert('Pop-up window XSS infected');" in the search box, but every string is by default escaped by Magento itself.
This can happen if you made your own custom search and didn't follow the Magento standard to pass the data to controllers and back to the frontend.
You can use value="<?php echo $this->htmlEscape(input_values_here) ?>"
Example: credit
Magento Xss Prevention
<li class="wide">
<label for="street_1" class="required"><em>*</em><?php echo $this->__('Street Address') ?></label>
<div class="input-box">
<input type="text" name="street[]" value="<?php echo $this->htmlEscape($this->getAddress()->getStreet(1)) ?>" title="<?php echo $this->__('Street Address') ?>" id="street_1" class="input-text required-entry" />
</div>
</li>
Just for knowledge:
You can learn more about XSS from
XSS Tutorial
You can even check whether there is any message from Magento in your admin panel, or any patches.
Perform these basic tests on your application:
Interact with your custom form/search box. Insert strings that contain HTML and JavaScript match characters into all application inputs, such as forms, URL parameters, hidden fields(!), or cookie values.
If your form doesn't correctly escape this string, you will see an alert and will know that something went wrong.
Wherever your custom form handles user-supplied URLs, enter javascript:alert(0) or data:text/html,alert(0).
Create a test user profile with data similar to the test strings above. Use that profile to interact with your application. This can help identify stored XSS bugs.
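The escaping step that both answers rely on (the template block's htmlEscape in the forgot-password answer above, and the value="<?php echo $this->htmlEscape(...) ?>" pattern in this one) does the same thing as PHP's htmlspecialchars with ENT_QUOTES. The following is an added example, not Magento's code and not from either answer: a JavaScript equivalent of that escaper, the search box rendered with and without it, and a check that the escaped payload can no longer break out of the value="..." attribute. The payload string is the one from the question; the input name and the tag counter are constructed for the example.

```javascript
// Added example (not Magento's own code): the HTML escaping step applied in the
// attribute context the answers above show, plus a check that the escaped
// value can no longer break out of the value="..." attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Equivalent of htmlspecialchars($s, ENT_QUOTES): every character that can
// change HTML structure is replaced by its entity.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders the search box the way the .phtml templates do: the user-supplied
// value is placed inside a double-quoted attribute. The escape function is a
// parameter so the unescaped 'before' case can be rendered too.
function renderSearchInput(query, escape = htmlEscape) {
  return `<input type="text" name="q" value="${escape(query)}" />`;
}

// Counts the tags in a rendered fragment. For the escaped output the only
// element present should be the <input> written by the template itself.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed test input: the payload from the question above.
const PAYLOAD = '"><img src=x onerror=prompt(1);>';

// Unescaped ('before') rendering: the quote closes value="" and the rest of
// the string becomes a second element, which is what the screenshot shows.
const UNSAFE_HTML = renderSearchInput(PAYLOAD, (s) => s);

// Escaped ('after') rendering: the payload stays inert text inside the attribute.
const SAFE_HTML = renderSearchInput(PAYLOAD);

module.exports = { htmlEscape, renderSearchInput, countTags, PAYLOAD, UNSAFE_HTML, SAFE_HTML };
```

This is why the stock templates are not triggered by the payloads in the answer: as long as the value reaches the attribute through htmlEscape, the `"` that would close the attribute and the `<` that would open a new tag are both turned into entities. A custom search template that echoes the raw request value skips that step, which is the case the answer describes.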

Node Express routes - Absolute URL vs Relative URL

I have a simple form of this type
<form name="keywords" action="www.mydomain.com:6161/articles" method="post">
<input type="text" name="keyword" />
<input type="submit" name="submit" value="Submit" />
</form>
The Express 4 routes for handling the form post, is as follows
app.post('/articles', routes.article.keyword);
The actual route file has the following
exports.keyword = function(req,res,next){
res.send(req.body.keyword);
};
Based on the above circumstances, when I post the form in the browser, I see a page “The address wasn’t understood”.
But, if I use a relative URL in the form action, i.e.,
it works perfectly. Why so?
Because in reality, I sometimes may have to post data to a different domain or URL altogether.
I will post my comment as an answer as it helped.
In order for the action to work, you need to either specify full url, that include schema:
<form name="keywords" action="http://www.example.com/articles" method="post">
Or you can just use a relative url:
<form name="keywords" action="/articles" method="post">
a relative path is one not starting with a / (forward-slash)... generally, this will attempt to load from the current url's base dir (you can set this in html, though the browsers default to the 'dirname' of the url (e.g. 'img/something.gif' on a page at '/some/path/index.html' will fetch it from /some/path/img/something.gif').
an absolute path is one starting with a /. it will be loaded using the same schema, host and optionally, port,user, etc (full url syntax: scheme:[//[user:password#]host[:port]][/]path[?query][#fragment]... read more here: https://en.wikipedia.org/wiki/Uniform_Resource_Locator).
a full url is one starting with a schema (http/https/ftp,etc...)... however (this comes in handy): if you're going to be using the same schema (which keeps your site's security score high), you can skip it, along with the colon.
e.g.: while viewing a site from 'https://blah.net', and attempting to load a resource from google (analytics maybe), you can reference it as:
'//google.com/path/to/whatever'
this will use https if the page was loaded over https, or http if not... keeps you from having to determine the scheme that was used when rendering the page.
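The four kinds of reference the answer above distinguishes (relative path, absolute path, scheme-relative URL, full URL) can be checked directly with Node's WHATWG URL parser, which applies the same resolution rules as the browser. The following is an added example, not part of the question or answer; the page URLs, the Google path and the example.com action are constructed, and www.mydomain.com:6161/articles is the value from the question.

```javascript
// Added example (not from the question or answers): resolving each kind of
// form action against the page URL with Node's built-in WHATWG URL parser.
// The page URLs below are constructed for the example.
const PAGE_HTTPS = 'https://blah.net/some/path/index.html';
const PAGE_HTTP = 'http://blah.net/some/path/index.html';

// Names the reference kind the way the answer above describes it. Note that
// anything starting with letters followed by ':' is parsed as a scheme, which
// is what happened to "www.mydomain.com:6161/articles" in the question.
function classifyReference(ref) {
  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(ref)) return 'full url (scheme present)';
  if (ref.startsWith('//')) return 'scheme-relative url';
  if (ref.startsWith('/')) return 'absolute path';
  return 'relative path';
}

// Where the browser will send the form: the action resolved against the page.
function resolveFormAction(action, pageUrl) {
  return new URL(action, pageUrl).href;
}

// Returns the kind, the resolved target and the scheme the browser would use.
function explainAction(action, pageUrl) {
  const url = new URL(action, pageUrl);
  return { kind: classifyReference(action), href: url.href, protocol: url.protocol };
}

// Runs the cases from the question and answer and returns them for inspection.
function runCases() {
  return {
    relative: resolveFormAction('img/something.gif', PAGE_HTTPS),
    absolute: resolveFormAction('/articles', PAGE_HTTPS),
    schemeRelativeOnHttps: resolveFormAction('//google.com/path/to/whatever', PAGE_HTTPS),
    schemeRelativeOnHttp: resolveFormAction('//google.com/path/to/whatever', PAGE_HTTP),
    full: resolveFormAction('http://www.example.com/articles', PAGE_HTTPS),
    // The question's action: "www.mydomain.com" is taken as the scheme, so the
    // browser has no handler for it ("The address wasn't understood").
    questionAction: explainAction('www.mydomain.com:6161/articles', PAGE_HTTP),
  };
}

module.exports = { classifyReference, resolveFormAction, explainAction, runCases };
```

The scheme-relative case is the one the answer calls out: the same `//google.com/...` action resolves to https on an https page and to http on an http page, so the page never mixes schemes. The questionAction entry shows the actual failure from the question: the string is not treated as a host at all but as an unknown scheme.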

Password protect an ExpressionEngine template group

I'm building a site where staff will have their own section of the site: example.com/jones, example.com/smith, etc. jones and smith are template groups with the same templates inside (using Stash and Low Variables to keep it all DRY). Some users will have different needs for privacy. On one end their section will be public. On the other end some users will need to administer who can access their content (using Solspace friends).
However, in the middle of that range are some who just want to protect against any random person seeing their content. I don't want to use members/member groups to manage this. I don't want visitors to need to register to see the content. A shared member account is an option, but we ruled that out because of other issues (what if the password is reset, comments being left under the same account, etc.).
What we would like is to password protect the template group. The staff can let people know where to see their page, and let users know what the password is. This is all possible on a server level, but is it possible to allow the user to directly manage the password? Anything we can do to minimize how much hands-on admin we need for this, the better. A custom field and an add-on that allows for this kind of security? I didn't see anything on Devot-ee and the methods on the forums don't do this. Bit of a longshot, but figured I'd ask.
Since you said you didn't want to be tied to actual member accounts and were OK with using a custom field to store an editable password...
I just recently did something similar that protected a group of entries using a custom field. It is similar to the approach outlined in this "Password Protected Content Made Simple" article. But instead of using PHP in the template I used Mo' Variables. And instead of using url_title I used a custom field (called client_password below).
In addition, I used the Session Variables plugin to check if the user was already "logged in" on subsequent page loads, preventing them having to enter the password again and again.
{!-- PASSWORD REQUIRED --}
{if client_password != ""}
    {!-- if passed show content and set session --}
    {if post:password == client_password}
        {!-- protected content here --}
        {!-- set session --}
        {embed='embeds/_set_session' entry_id="{entry_id}"}
    {!-- if session is valid show content --}
    {if:elseif "{exp:session_variables:get name='logged_in'}" == "{entry_id}"}
        {!-- protected content here --}
    {!-- if failed show login --}
    {if:elseif post:password != "" AND post:password != client_password}
        <div id="protected">
            <p>Incorrect password. Please try again.</p>
            <br>
            <form action="" method="post">
                <strong>Password</strong><br />
                <div>
                    <input name="password">
                </div>
                <input type="submit" class="submit" value="submit">
            </form>
        </div>
    {!-- if first attempt show login and prompt --}
    {if:else}
        <div id="protected">
            <p>This page is password protected. Please provide the password.</p>
            <br>
            <form action="" method="post">
                <strong>Password</strong><br />
                <div>
                    <input name="password">
                </div>
                <input type="submit" class="submit" value="submit">
            </form>
        </div>
    {/if}
{!-- NO PASSWORD REQUIRED --}
{if:else}
    {!-- protected content here --}
{/if}
I wanted to update this with the code I'm using to get htaccess and htpasswd working to protect a template group. It can be used in the same way as Alex's, but is an all-or-nothing approach. It has its own advantages and disadvantages, but I wanted to share it as an option.
First, I am using the native template behavior: example.com/group/template/url_title. I want to password protect some template groups, but outside of EE's members and member groups, i.e. a single user and password.
My htaccess file looks like this (from http://perishablepress.com/enable-file-or-directory-access-to-your-htaccess-password-protected-site/):
# We set some variables, matching URLs for which we do not wish to activate
# the password protection
SetEnvIf Request_URI "^/privategroup.*$" private
# Setup the password protection
AuthName "Password Needed"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile /Users/user/Sites/example/.htpasswd
Require valid-user
# Add the exceptions for matched URL's
Order Deny,Allow
Deny from env=private
Satisfy any
The htpasswd file should be above webroot, but for testing I left it in webroot. The AuthUserFile line tells Apache where to find the file with the usernames and passwords. This must...MUST be an absolute path. I was using relative and got 500 errors. You need to use terminal or some other tool to make this file. http://developer.apple.com/library/Mac/#documentation/Darwin/Reference/ManPages/man1/htpasswd.1.html
The result is that the directory requires a username and password. Right now it will accept any valid user in my htpasswd file. However, I can change that by specifying a specific user (require user john tim lisa) or groups.
There you have it. Keep people out of specific template groups without using any native EE functionality.
I will be honest, I'm not sure if this fits your needs or not. It's not clicking that it will though, I've never tried it before and would need to actually give it a go to know for sure that it does or does not fit.
I will post it just the same as it may help you or someone else down the road:
http://koivi.com/ee-entry-auth-dir/
Have you looked at using the HTTP Authentication option under Template Access Restrictions? It uses a member password for authentication, but doesn't require the member to actually be logged-in.
You say you "don't want to use members/member groups to manage this", but then that you want to "allow the user to directly manage the password" ... surely using the built-in member system is the easiest way?

Best ways to secure form data from malicious users wielding Firebug?

I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.
What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?
I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.
You can't use jQuery for security since it's all handled on the client side.
In your example, just use a PHP session instead of a hidden input field, because as you rightfully noted this can be manipulated.
Using sessions would look something like the following:
login page
<form action="login.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit" value="submit">
</form>
login.php
// you have to include this on every page to be able to use sessions.
// also make sure that you include it before any output
session_start();
//Always sanitize the user input before doing any db actions.
//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).
//(note: the mysql_* functions were removed in PHP 7; on current PHP use PDO or mysqli prepared statements instead)
// check user credentials against db
$_SESSION['user'] = $dbresult['username'];
page-where-userid-is-required.php
session_start();
if (!isset($_SESSION['user'])) {
// user is not logged in!
} else {
// use user info to place order for example
}
The session will be active until the user closes his browser / until the session expires (which is a PHP setting)
The above is just some sample code to give you an idea.
It works for smaller projects; however, as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )
But that's just a whole other story :)
Here are a few basic suggestions:
You need to validate form inputs using a server-side (PHP) script.
Instead of relying on sensitive pieces of information, such as member ID, from the form you could instead cache such data in your server session. That way there is no way for a malicious user to change the data on the fly.
You can still use jQuery validation as a convenience to catch basic input problems, but you can only trust data that is validated using server-side code.

How does form auto-filling in the browser work?

How does form autofill work in modern web browsers? Which are the most common techniques used in browsers that implement automatic form filling?
-- EDIT --
The question is not about autocomplete; it is about form autofilling, which cares not only about the previously inputted values but also considers the meaning and structure of the field to be completed. Google Chrome's implementation, for example, tries to parse the inputted fields to guess their type and structure. Or at least that is what I understood from the code linked above.
Take a look over at this answer by kmote.
Highlight is that the browser looks at the field's name tag and makes an educated guess at what sort of data would go there (regex matching is a good naive way to do this). Chrome is working to get some sort of standardization so that this isn't quite as hit-or-miss.
Different technologies and browsers use various methods to both calculate what to display as well as how they display it, but some sources to check out are:
Google's high-level description
How to implement it with jQuery (note that there is a jQuery autocomplete plugin as well).
If you are looking into implementing it (or just using it) yourself, I would highly recommend taking a look at the plugin.
The first element of answer is simply the non standard HTML form's autocomplete attribute that was introduced with Internet Explorer a few years ago.
Ironically, you can read a good history and introduction on the Mozilla site here: The autocomplete attribute and web documents using XHTML
This question is pretty old but I have an updated answer for 2017!
In order to trigger autocomplete, all you have to do is name it right.
The following answer is from my original answer from here: https://stackoverflow.com/a/41965106/1696153
Here's a link to the official current WHATWG HTML Standard for enabling autocomplete.
Google wrote a pretty nice guide for developing web applications that are friendly for mobile devices. They have a section on how to name the inputs on forms to easily use auto-fill. Even though it's written for mobile, this applies for both desktop and mobile!
How to Enable AutoComplete on your HTML forms
Here are some key points on how to enable autocomplete:
Use a <label> for all your <input> fields
Add an autocomplete attribute to your <input> tags and fill it in using this guide.
Name your name and autocomplete attributes correctly for all <input> tags
Example:
<label for="frmNameA">Name</label>
<input type="text" name="name" id="frmNameA"
placeholder="Full name" required autocomplete="name">
<label for="frmEmailA">Email</label>
<input type="email" name="email" id="frmEmailA"
placeholder="name#example.com" required autocomplete="email">
<!-- note that "emailC" will not be autocompleted -->
<label for="frmEmailC">Confirm Email</label>
<input type="email" name="emailC" id="frmEmailC"
placeholder="name#example.com" required autocomplete="email">
<label for="frmPhoneNumA">Phone</label>
<input type="tel" name="phone" id="frmPhoneNumA"
placeholder="+1-555-555-1212" required autocomplete="tel">
How to name your <input> tags
In order to trigger autocomplete, make sure you correctly name the name and autocomplete attributes in your <input> tags. This will automatically allow for autocomplete on forms. Make sure also to have a <label>! This information can also be found here.
Here's how to name your inputs:
Name
Use any of these for name: name fname mname lname
Use any of these for autocomplete:
name (for full name)
given-name (for first name)
additional-name (for middle name)
family-name (for last name)
Example: <input type="text" name="fname" autocomplete="given-name">
Email
Use any of these for name: email
Use any of these for autocomplete: email
Example: <input type="text" name="email" autocomplete="email">
Address
Use any of these for name: address city region province state zip zip2 postal country
Use any of these for autocomplete:
For one address input:
street-address
For two address inputs:
address-line1
address-line2
address-level1 (state or province)
address-level2 (city)
postal-code (zip code)
country
Phone
Use any of these for name: phone mobile country-code area-code exchange suffix ext
Use any of these for autocomplete: tel
Credit Card
Use any of these for name: ccname cardnumber cvc ccmonth ccyear exp-date card-type
Use any of these for autocomplete:
cc-name
cc-number
cc-csc
cc-exp-month
cc-exp-year
cc-exp
cc-type
Usernames
Use any of these for name: username
Use any of these for autocomplete: username
Passwords
Use any of these for name: password
Use any of these for autocomplete:
current-password (for sign-in forms)
new-password (for sign-up and password-change forms)
Resources
Current WHATWG HTML Standard for autocomplete.
"Create Amazing Forms" from Google. Seems to be updated almost daily. Excellent read.
"Help Users Checkout Faster with Autofill" from Google in 2015.
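The naming rules above (a label for every input, an autocomplete attribute, and only the standard tokens) are easy to get wrong in a hand-written form, and a wrong token silently disables autofill and password-manager support. The following is an added example, not from the answer or the WHATWG standard: a small audit that scans a form fragment for inputs and labels with regular expressions and reports every input that lacks a matching label, lacks an autocomplete attribute, or uses a token outside the list quoted in the answer. The token list is the subset quoted above; the sample form and the issue wording are constructed.

```javascript
// Added example (not from the answer or the standard): audits a form fragment
// against the naming rules above. KNOWN_TOKENS is the subset of autocomplete
// tokens listed in the answer; the sample form is constructed.
const KNOWN_TOKENS = new Set([
  'name', 'given-name', 'additional-name', 'family-name', 'email',
  'street-address', 'address-line1', 'address-line2', 'address-level1',
  'address-level2', 'postal-code', 'country', 'tel',
  'cc-name', 'cc-number', 'cc-csc', 'cc-exp-month', 'cc-exp-year', 'cc-exp', 'cc-type',
  'username', 'current-password', 'new-password',
]);
const PASSWORD_TOKENS = ['current-password', 'new-password'];

// Extracts double-quoted attributes from one tag's attribute text,
// e.g. 'type="email" name="x"' -> { type: 'email', name: 'x' }.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(attrText)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Returns one human-readable issue per rule violation; [] means the form
// follows the rules from the answer.
function auditForm(html) {
  const labelled = new Set();
  const labelRe = /<label\b([^>]*)>/gi;
  let m;
  while ((m = labelRe.exec(html)) !== null) {
    const target = parseAttributes(m[1])['for'];
    if (target) labelled.add(target);
  }

  const issues = [];
  const inputRe = /<input\b([^>]*)>/gi;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttributes(m[1]);
    if (a.type === 'submit' || a.type === 'hidden') continue; // nothing to autofill
    const who = a.name || a.id || '(unnamed input)';
    if (!a.id || !labelled.has(a.id)) issues.push(`${who}: no <label for="${a.id || ''}">`);
    if (!a.autocomplete) {
      issues.push(`${who}: missing autocomplete attribute`);
    } else if (!KNOWN_TOKENS.has(a.autocomplete)) {
      issues.push(`${who}: unknown autocomplete token "${a.autocomplete}"`);
    } else if (a.type === 'password' && !PASSWORD_TOKENS.includes(a.autocomplete)) {
      issues.push(`${who}: password field should use current-password or new-password`);
    }
  }
  return issues;
}

// Constructed sample: one correct field and three common mistakes.
const SAMPLE_FORM = `
<form>
  <label for="frmNameA">Name</label>
  <input type="text" name="name" id="frmNameA" autocomplete="name">
  <input type="email" name="email" id="frmEmailA" autocomplete="email">
  <label for="frmPhoneA">Phone</label>
  <input type="tel" name="phone" id="frmPhoneA" autocomplete="phone">
  <label for="frmPass">Password</label>
  <input type="password" name="password" id="frmPass">
  <input type="submit" value="Sign in">
</form>`;

module.exports = { KNOWN_TOKENS, parseAttributes, auditForm, SAMPLE_FORM };
```

Run against SAMPLE_FORM the audit reports three problems: the email input has no label, the phone input uses "phone" where the standard token is "tel", and the password input has no autocomplete attribute at all. Run against the Name/Email/Phone example from the answer it reports nothing. The regular expressions are enough for a fragment like this; for a full page use a real HTML parser.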