PHP E-Mail notifications with alert("xssvuln"), Contact Form
TSMrLabuLabi
Sep 22 2015, 11:48 AM, updated 9y ago
New Member
Hi,
I've only just got this web plugin and I am very impressed so far.
One small problem: I'm getting lots of e-mail feedback forms all of a sudden with <script>alert("xssvuln")</script> in all of the fields.
Am I doing something wrong, or do I have some sort of virus/malware?
Hack attempt maybe?
Cheers
angch
Sep 22 2015, 12:06 PM
TSMrLabuLabi
Sep 22 2015, 12:35 PM
New Member
QUOTE(angch @ Sep 22 2015, 12:06 PM)

Sorry, too complicated for me to understand. Does that mean the above result shows that my website is secure?
angch
Sep 22 2015, 01:09 PM
Nope. Opposite. Just means you're XSS vulnerable. Insecure. Crap plugin. Don't be so easily impressed.
TSMrLabuLabi
Sep 22 2015, 01:25 PM
New Member
QUOTE(angch @ Sep 22 2015, 01:09 PM) Nope. Opposite. Just means you're XSS vulnerable. Insecure. Crap plugin. Don't be so easily impressed.

Perhaps you can share with me how to resolve this issue? I'm not really strong on web security, but I can go through the code and repair any vulnerability. As for the above issue, how do I strengthen the code and make the website hack-proof against any attacker?
angch
Sep 22 2015, 01:52 PM
wKkaY
Sep 22 2015, 03:12 PM
misutā supākoru
QUOTE(angch @ Sep 22 2015, 01:09 PM) Nope. Opposite. Just means you're XSS vulnerable. Insecure. Crap plugin. Don't be so easily impressed.

I don't think his plugin is insecure. I think he's getting those junk mails because of scanners looking for vulnerable scripts.

MrLabuLabi: as for "crap plugin", if this is a problem for you, you should get a plugin which includes captcha verification.
angch
Sep 22 2015, 07:19 PM
QUOTE(wKkaY @ Sep 22 2015, 03:12 PM) I don't think his plugin is insecure. I think he's getting those junk mails because of scanners looking for vulnerable scripts. MrLabuLabi: as for "crap plugin", if this is a problem for you, you should get a plugin which includes captcha verification.

If his plugin accepts badly formed data, and then sends it in emails, then it's already problematic. Actual XSS is if and when that badly formed data is displayed, and that was what the scanners are looking for, true. Captcha stops bots and scanners, but doesn't stop an actual attack attempt. Bad code, no validation: this is Codemasters after all.
TSMrLabuLabi
Sep 22 2015, 07:23 PM
New Member
QUOTE(wKkaY @ Sep 22 2015, 03:12 PM) I don't think his plugin is insecure. I think he's getting those junk mails because of scanners looking for vulnerable scripts. MrLabuLabi: as for "crap plugin", if this is a problem for you, you should get a plugin which includes captcha verification.

Does that mean the code is still safe from attackers/hackers? Does implementing captcha verification and input validation solve this issue?
wKkaY
Sep 23 2015, 04:36 PM
misutā supākoru
QUOTE(angch @ Sep 22 2015, 07:19 PM) If his plugin accepts badly formed data, and then sends it in emails, then it's already problematic. Actual XSS is if and when that badly formed data is displayed, and that was what the scanners are looking for, true. Captcha stops bots and scanners, but doesn't stop an actual attack attempt. Bad code, no validation: this is Codemasters after all.

Shrug. What's badly formed in the case of free-form text? <script> tags are just words with punctuation. I think what's important is that the output gets formatted/escaped for the intended output (email in this case). And it seems to be doing that, judging from the TS seeing the tags instead of dialog popups.
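The two positions in the thread (angch: validate what comes in; wKkaY: escape for the output context) are not in conflict, and the added example below shows both applied to a contact form like the one the TS describes. This is illustrative PHP written for this thread, not code from the plugin in question or from any vendor. The field names (name, email, message), the addresses, and the sample submission are all constructed for the example; the submission reuses the exact probe string the TS reported.

```php
<?php
// Added example (not the plugin's code): handle a contact-form submission so that
// structured fields are validated and free text is escaped for each output context.
declare(strict_types=1);

/**
 * Validate the structured fields. Free-form text is not "badly formed" just because
 * it contains <script>; only fields with a defined shape (single line, e-mail syntax,
 * length limit) are rejected. Returns a list of error strings, empty when acceptable.
 * mb_strlen assumes the mbstring extension, which is usual on PHP hosting.
 */
function validate_contact(array $fields): array
{
    $errors  = [];
    $name    = trim($fields['name']    ?? '');
    $email   = trim($fields['email']   ?? '');
    $message = trim($fields['message'] ?? '');

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name is required and must be at most 100 characters';
    }
    // Single-line fields must not contain CR/LF: a newline in a value that is copied
    // into a mail header (Reply-To, Subject) lets the sender inject extra headers.
    if (preg_match('/[\r\n]/', $name) === 1 || preg_match('/[\r\n]/', $email) === 1) {
        $errors[] = 'name and email must be single-line values';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'message is required and must be at most 5000 characters';
    }
    return $errors;
}

/** Escape a value for insertion into an HTML page (admin view, "thank you" page). */
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build the notification e-mail as text/plain. In a plain-text body "<script>" is just
 * characters, so no HTML escaping is applied there; a mail client that shows the literal
 * tags, as the TS saw, is the correct result. Only validated single-line values reach
 * the headers, and the From address is fixed rather than taken from the form.
 */
function build_notification(array $fields): array
{
    $body = "Name: {$fields['name']}\n"
          . "Email: {$fields['email']}\n\n"
          . "Message:\n{$fields['message']}\n";
    $headers = [
        'From: contact-form@example.com',           // fixed sender, never the user's value
        'Reply-To: ' . $fields['email'],             // validated above: no CR/LF, valid syntax
        'Content-Type: text/plain; charset=UTF-8',
        'X-Mailer: PHP/' . PHP_VERSION,
    ];
    return ['subject' => 'Contact form submission', 'body' => $body, 'headers' => $headers];
}

// Constructed sample submission, modelled on the scanner probe reported in the thread.
$submission = [
    'name'    => '<script>alert("xssvuln")</script>',
    'email'   => 'scanner@example.com',
    'message' => '<script>alert("xssvuln")</script>',
];

$errors = validate_contact($submission);
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo for_html($e), "\n";   // error text is rendered into HTML, so escape it too
    }
    exit;
}

$mail = build_notification($submission);
// Real delivery would be: mail('owner@example.com', $mail['subject'], $mail['body'], implode("\r\n", $mail['headers']));
echo "Plain-text e-mail body (tags stay literal):\n", $mail['body'], "\n";

// The same field rendered into an HTML page must go through for_html():
echo "HTML-escaped name: ", for_html($submission['name']), "\n";
```

The probe string passes validation, because a message body is allowed to contain angle brackets; what stops it from executing is that the e-mail is sent as text/plain and that any HTML rendering goes through for_html(). A captcha would reduce the volume of these submissions but, as noted above, does not change what happens when a human attacker submits the same payload.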