Hi All,
I’m new to the forum but have a bit of an issue. I have recently taken over an install of MySource Matrix and I have been doing some penetration testing.
I have found the following issue when using the search feature on our website.
[codebox]http://www.website.com/search_results?mode=results&queries_all_query=111-222-1933email@address.com&search_page_292_submit_button=Submit&current_result_page=0&results_per_page=20&submitted_search_category=>"><script %0A%0D>alert(“XSS”)%3B</script>[/codebox]
This allows an attacker to run arbitrary JavaScript in a user’s web browser. In this case an attacker would need to get the victim to click on a fake link, probably sent via email, but it could look like it was a valid link within our domain. Normally this would be done to either steal session cookies or clear session cookies and redirect to a fake login page in order to log credentials as the user logs in. It can be made to look as though the user is still actually using our domain as well.
I haven’t had much time to look at the code, but I was wondering if anyone had a quick fix for me to disable such searches? I was thinking of using something like PHP strip_tags, or something along the lines of http://kallahar.com/smallprojects/php_xss_filter_function.php. Can anyone point me in the correct direction?
This is Squiz MySource v3.10.2 (Matrix). I know it’s old!
Any help would be appreciated.
Many thanks!
Greg
Please update your system! This is not only really old, but not even the last of the 3.10.X series. There are a lot of fixes since then, including the fix for this one. I can’t remember offhand when this was patched, but it was some years ago.
I hope you have patched your OS, web server and so on - if nothing has been updated this is unlikely to be the worst of your security issues.
If I remember correctly, the workaround for this is to not use the keyword that printed the current user's search term. If you are using that keyword to print something like "Your search for xyz return no results" then just change that message until you can upgrade.
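To make the two options in this thread concrete, here is an added PHP example (not code from MySource Matrix or from anyone in the thread). It shows the unsafe pattern of echoing the raw search term into the "no results" message, the same message with the term HTML-encoded via htmlspecialchars(), and the no-echo workaround from the reply above. The function names, page markup and sample inputs are assumptions constructed for the demo; only the parameter name and the payload shape are taken from the URL in the question.

```php
<?php
// Added example, not MySource Matrix code. It assumes a search page that echoes
// the submitted term (the queries_all_query parameter from the URL in the thread)
// into the "no results" message; the render_*() functions and the sample inputs
// are constructed for this demonstration.
declare(strict_types=1);

// Unsafe: the raw term is concatenated into HTML, which is the pattern that lets a
// crafted search parameter inject markup into the response.
function render_search_message_unsafe(string $term): string
{
    return '<p>Your search for ' . $term . ' returned no results</p>';
}

// Safe: HTML-encode the term for the HTML text context it lands in. ENT_QUOTES
// encodes both quote styles, so the same call also protects an attribute value.
function render_search_message(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Your search for ' . $safe . ' returned no results</p>';
}

// The workaround from the reply above: do not reflect the term at all until the
// upgrade is in place.
function render_search_message_no_echo(): string
{
    return '<p>Your search returned no results</p>';
}

// Self-check: the encoded output must contain no raw script tag from the input,
// while an ordinary term such as the phone/email string from the thread passes
// through unchanged.
function self_check(): bool
{
    $payload  = '"><script>alert("XSS");</script>';   // constructed, shape from the thread
    $ordinary = '111-222-1933email@address.com';      // benign term from the thread URL

    $encoded = render_search_message($payload);
    $benign  = render_search_message($ordinary);

    return strpos($encoded, '<script') === false
        && strpos($encoded, '&lt;script&gt;') !== false
        && $benign === '<p>Your search for ' . $ordinary . ' returned no results</p>';
}

if (PHP_SAPI === 'cli') {
    $payload = '"><script>alert("XSS");</script>';
    echo "unsafe : ", render_search_message_unsafe($payload), "\n";
    echo "escaped: ", render_search_message($payload), "\n";
    echo "no echo: ", render_search_message_no_echo(), "\n";
    echo "check  : ", self_check() ? 'ok' : 'FAIL', "\n";
}
```

Run it with `php example.php`. The point of the second function is that the fix belongs at the output side, wherever the keyword prints the term: strip_tags() removes tags but leaves quotes and other characters untouched, so it is not a substitute for encoding the value for the HTML context it is written into.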
Hi Guys,
Thank you both for the help.
Our systems are all patched and hardened, so we should not have any real issue there. This was a quick workaround as Greg suggested. I removed the keyword and this fixed the issue. This will serve us while I plan the upgrade.
Thank you both again!
