Cross site scripting report on Acunetix vulnerability scanner tool

I got a report from the Acunetix tool that the site has more than 50 cross site scripting possibilities through the URL. The tool is reporting the following URLs. It is changing URLs like /nodeprompt("hi"); and reporting cross site scripting possibilities. How do I solve this in Drupal? Please suggest, anyone. I will post the fix once identified.

/_vti_bin
/content
/misc
/modules
/modules/node
/modules/system
/modules/user
/node
/sites
/sites/all
/sites/all/modules
/sites/all/modules/addthis
/sites/all/modules/cck
/sites/all/modules/cck/modules
/sites/all/modules/cck/modules/fieldgroup
/sites/all/modules/cck/theme
/sites/all/modules/connector
/sites/all/modules/ctools
/sites/all/modules/ctools/css
/sites/all/modules/ctools/images
/sites/all/modules/date
/sites/all/modules/date/date_popup
/sites/all/modules/date/date_popup/themes
/sites/all/modules/fb
/sites/all/modules/fbconnect
/sites/all/modules/fckeditor
/sites/all/modules/fckeditor/plugins
/sites/all/modules/fckeditor/plugins/imgassist
/sites/all/modules/filefield
/sites/all/modules/google_analytics
/sites/all/modules/nice_menus
/sites/all/modules/nice_menus/superfish
/sites/all/modules/nice_menus/superfish/js
/sites/all/modules/popups
/sites/all/modules/views
/sites/all/modules/views/css
/sites/all/modules/views/images
/sites/all/modules/views_slideshow
/sites/all/modules/views_slideshow/contrib
/sites/all/modules/views_slideshow/contrib/views_slideshow_singleframe
/sites/all/modules/views_slideshow/contrib/views_slideshow_thumbnailhover
/sites/all/modules/views_slideshow/js
/sites/all/themes
/sites/all/themes/zen-classic
/sites/all/themes/zen-classic/images
/sites/default
/sites/default/files
/userfiles
/cgi-bin
/modules/upload
/sites/all/modules/cck/tests
/sites/all/modules/custom
/sites/all/modules/views_slideshow/js
/themes/garland/images

Thanks
R. Navaneethakrishnan.
http://navaneethakrishnan-drupal.blogspot.com/

Comments

Automated tools like Acunetix

Automated tools like Acunetix are frequently wrong. Build the example URLs yourself, and test them in your browser. If you discover XSS behaviour, then you know there is a problem. If not, the testing tool is reporting a false positive.

Thanks for your comment. I

Thanks for your comment.
I just tried using http://localhost/drupal7/node/alert("hi");. It results in an empty page instead of page not found. I think that the hacker may inject a script to get cookie values and can send a script to delete a file. For this we need to disallow the script in the URL.

I just tried that exact line

I just tried that exact line on a couple of D7 sites we've built, and a D6 site - they all worked as expected and returned a 404. I don't think this is an issue with Drupal, I think you have broken your installation.

Ya. You are correct. When I

Ya. You are correct. When I moved the files to my production server, the server response is not working as expected, as it does on the local server. I have tried the following.

I have added the following line inside the .htaccess file which is located in the project root folder.

# Block out any script that includes a <script> tag in URL
# [OR] only chains to a following RewriteCond; there is none here, so it is dropped
RewriteCond %{QUERY_STRING} (<|%3C).script.(>|%3E) [NC]
# Added to complete the fragment: a RewriteCond is only evaluated for the RewriteRule that follows it
RewriteRule .* - [F]

This also works on the local server, but no luck on the production server. :(

The result page locally is forbidden, and on the production server the result is an empty page. FYI, on the production server we have installed WAMP server.
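The manual check recommended earlier in the thread (build the scanner's URL yourself and see whether the payload comes back unescaped), written out as an added example that is not code from the original thread or from Drupal. The probe string, the sample response bodies and the example.invalid host are all constructed. It also covers the blank-page response the production server gave, which is classified as something to investigate rather than as evidence either way:

```python
"""Triage a scanner's reflected-XSS finding by checking how a probe is reflected.

Added example, not code from the original thread or from Drupal. Every response
body below is a constructed sample, not a capture from a real site.
"""
import html
from urllib.parse import quote

# Probe: looks like a tag so that unescaped reflection is detectable, but it is
# not a real element and carries no script, so it does nothing if rendered.
# (Constructed value.)
PROBE = "<xsscheck7a1b>"


def build_probe_url(base: str, probe: str = PROBE) -> str:
    """Append the probe as a path segment, percent-encoded as a browser sends it."""
    return base.rstrip("/") + "/node/" + quote(probe, safe="")


def classify(status: int, body: str, probe: str = PROBE) -> str:
    """Classify one response to a probe request.

    Returns:
      'investigate'         - empty body or a status other than 200/404: the
                              server is misbehaving, so the finding cannot be judged
      'reflected-unescaped' - the probe appears verbatim in the HTML, i.e.
                              request-controlled markup reached the page: real finding
      'escaped'             - the probe comes back as entities or still
                              percent-encoded: the output layer neutralised it
      'not-reflected'       - the probe does not appear in the response at all
    Only 'reflected-unescaped' is a genuine XSS finding; the other two verdicts
    are scanner false positives.
    """
    if not body.strip() or status not in (200, 404):
        return "investigate"
    if probe in body:
        return "reflected-unescaped"
    # Safe reflections: htmlspecialchars()-style entities (what Drupal's
    # check_plain() emits) or the still-encoded URL form.
    safe_forms = (html.escape(probe, quote=True), quote(probe, safe=""))
    if any(form in body for form in safe_forms):
        return "escaped"
    return "not-reflected"


# Constructed sample responses (status, body), not captured from a real server.
SAMPLES = {
    # A healthy Drupal install: the requested path is echoed through check_plain().
    "drupal_404": (404, '<h1>Page not found</h1><p>The requested page "/node/'
                        '&lt;xsscheck7a1b&gt;" could not be found.</p>'),
    # A page that pastes the path into its HTML unescaped: a genuine finding.
    "unescaped_echo": (200, "<p>No results for <xsscheck7a1b></p>"),
    # The production symptom from the thread: a blank response with no 404.
    "blank_page": (200, ""),
    # A page that never mentions the requested path at all.
    "plain_200": (200, "<p>Welcome.</p>"),
}


def triage(samples=SAMPLES):
    """Run classify() over every sample and return {name: verdict}."""
    return {name: classify(status, body) for name, (status, body) in samples.items()}


if __name__ == "__main__":
    print(build_probe_url("https://example.invalid"))
    for name, verdict in triage().items():
        print(f"{name:15} -> {verdict}")
```

Only the unescaped verdict is a real finding; Drupal's own 404 page escapes the requested path before printing it, which is why a healthy install comes back as escaped. Note also that a RewriteCond on %{QUERY_STRING} never sees a payload placed in the path, as in /node/alert("hi"), because that request has no query string at all; %{REQUEST_URI} is the variable that carries the path. Blocking strings in URLs is at best a stopgap, since the fix for a confirmed reflection is escaping the output where it is printed.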

Best Practices in Drupal Security