When I test my website with Netsparker, I see result lines like below:

mydrupalsite/print/nodeID/%22ns=%22alert(0x00C8DF) (URI-BASED)

When we checked those results, they looked like false positives. But Netsparker says, "Netsparker is the only False-positive-free web application security scanner." on their website.

Can somebody check this security alert?

Comments

jcnventura’s picture

Status: Active » Postponed (maintainer needs more info)

Depends on whether your already-updated 7.x-1.x-dev is current or not.

You're describing SA-CONTRIB-2012-057 which was fixed about a year ago.

Orkut Murat Yılmaz’s picture

I'm using print module version: 7.x-1.x-dev date: 2012-Sep-20

jcnventura’s picture

Then it must be a false positive. Have you tried the above in your site? Does the alert pop-up?

Orkut Murat Yılmaz’s picture

Yes, I tried and the alert didn't work.

And I also asked some guys from Netsparker. They said, "if it's marked as possible, it may be a false positive, but if it's marked as confirmed, it's positive".

Actually the tests were done by another team; I'm now mailing with them. If they inform me, I'll share the latest situation here.

Orkut Murat Yılmaz’s picture

Ok now we have diagnosed what's been going on.

Test team sent us a much more detailed report.

If we go to the URL I pasted below, the alert works.

mydrupalsite/print/nodeID/%22%20onmouseover=%22javascript:alert%28%27XSS%27%29%22

So we checked the node and saw that it contains a views slideshow. So the XSS gets activated through the onmouseover behaviour.

Now, we have deactivated printing for those node types. Actually nobody needs printing support for slideshows in our scenario.

So, does this bug need to be fixed?

Netsparker did a good job. I congratulate them for this report.

jcnventura’s picture

At this point, I'm not sure where the problem is. The module filters out that type of attack, so this shouldn't be possible anymore. And you're telling me that it only happens on Views Slideshow pages. Might be some weird interaction between print and views_slideshows.

Does the XSS injection also work on those pages when you use the same URL, but with node instead of print?

Orkut Murat Yılmaz’s picture

Well, I tried on the node pages and the XSS didn't work. But it's still happening on the print pages.

I agree that the interaction between print and views_slideshows is weird (and we disabled print support for slideshows). For that reason I'm not sure about this issue. Is it still a bug or a security issue?

jcnventura’s picture

Title: XSS Risk » Problem with Views Slideshow interaction
Status: Postponed (maintainer needs more info) » Closed (duplicate)

Honestly, at this moment I'd have to reproduce it. And I can't.

I've created a security issue with the security team (which is what you should have done to begin with, but that's moot now). Maybe we'll be able to understand what type of conditions can trigger this.

Closing this as a duplicate of the security issue.

Orkut Murat Yılmaz’s picture

Thanks for your help.

  • Commit c0db58c on 6.x-1.x by jcnventura:
    Issue #1940732: apply filters to the in-page anchor tags.

  • Commit 16393f0 on 7.x-1.x by jcnventura:
    Issue #1940732: apply filters to the in-page anchor tags.

  • Commit 2b7a361 on 7.x-2.x by jcnventura:
    Issue #1940732: apply filters to the in-page anchor tags.

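The thread's payload works by closing an HTML attribute with a quote and appending an event handler; the commits above address it by filtering values that end up in the in-page anchor tags. The following is an added illustration, not the print module's code, of why attribute-context escaping neutralizes that exact payload. It assumes a simplified anchor builder that interpolates the request path into an href (an assumption about how the print page constructs in-page anchors, not taken from the module source).

```php
<?php
// Added example (not from the Drupal print module): attribute breakout via the
// request path, and the hardened variant that escapes in attribute context.

// Constructed input: the encoded path quoted in the thread, URL-decoded the way
// the web server hands it to PHP.
const ENCODED_PATH = 'print/nodeID/%22%20onmouseover=%22javascript:alert%28%27XSS%27%29%22';

// Unsafe: the decoded path goes into the href verbatim, so the %22 (") in the
// payload terminates the attribute and "onmouseover=..." becomes a live handler.
function build_anchor_unsafe(string $path, string $fragment): string
{
    return '<a href="' . $path . '#' . $fragment . '">' . $fragment . '</a>';
}

// Hardened: escape quotes, angle brackets and ampersands before interpolation.
// Drupal 7's check_plain() performs this same htmlspecialchars() call.
function build_anchor_safe(string $path, string $fragment): string
{
    $safePath = htmlspecialchars($path, ENT_QUOTES, 'UTF-8');
    $safeFragment = htmlspecialchars($fragment, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safePath . '#' . $safeFragment . '">' . $safeFragment . '</a>';
}

// Check: parse the rendered markup and list any on* attributes that the
// browser would actually see. A string search is not enough here, because the
// escaped output still contains the text "onmouseover=" (as inert data).
function event_handler_attributes(string $html): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $found = [];
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->name, 'on') === 0) {
                $found[] = $attribute->name;
            }
        }
    }
    return $found;
}

$decodedPath = rawurldecode(ENCODED_PATH);
$unsafe = build_anchor_unsafe($decodedPath, 'section-1');
$safe = build_anchor_safe($decodedPath, 'section-1');

print_r(event_handler_attributes($unsafe)); // Array ( [0] => onmouseover )
print_r(event_handler_attributes($safe));   // Array ( )
```

The DOM-based check is the useful part for a test suite: it reports what the browser parses, not whether a substring happens to appear in the output.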
alexandrezia’s picture

Version: 7.x-1.x-dev » 7.x-2.x-dev
Issue summary: View changes
Status: Closed (duplicate) » Needs work

Sorry for re-opening this issue, but I have a problem with this commit: 2b7a3610f75a2c62a8b0ceabf1a01b0ddc92b44d
It broke putting an image on the generated PDF file.

In my module:

<?php
// Preprocess hook (module name left as the HOOK placeholder from the post):
// load a managed file and expose its URI to the entity template.
function HOOK_preprocess_entity(&$variables)
{
  $file = file_load(3);
  $variables['logo_uri'] = $file->uri;
}

In my template:

<td width="200"><img src="<?php print $logo_uri; ?>" typeof="foaf:Image" /></td>

One commit behind, the image shows OK!
But on this commit, the image can't load.

Thanks in advance

Orkut Murat Yılmaz’s picture

Status: Needs work » Closed (outdated)