Cross site scripting report on Acunetix vulnerability scanner tool

Events happening in the community are now at Drupal community events on www.drupal.org.
navaneeth_r's picture

I got the report from Acunetix tool that site have more than 50 cross site scripting possibilities through url. The tool is reporting the following urls. They are changing urls like /nodeprompt("hi") ; and reporting cross site scripting possibilities. How to solve this in Drupal. Please suggest any one. I post the fix once identified.

/_vti_bin
/content
/misc
/modules
/modules/node
/modules/system
/modules/user
/node
/sites
/sites/all
/sites/all/modules
/sites/all/modules/addthis
/sites/all/modules/cck
/sites/all/modules/cck/modules
/sites/all/modules/cck/modules/fieldgroup
/sites/all/modules/cck/theme
/sites/all/modules/connector
/sites/all/modules/ctools
/sites/all/modules/ctools/css
/sites/all/modules/ctools/images
/sites/all/modules/date
/sites/all/modules/date/date_popup
/sites/all/modules/date/date_popup/themes
/sites/all/modules/fb
/sites/all/modules/fbconnect
/sites/all/modules/fckeditor
/sites/all/modules/fckeditor/plugins
/sites/all/modules/fckeditor/plugins/imgassist
/sites/all/modules/filefield
/sites/all/modules/google_analytics
/sites/all/modules/nice_menus
/sites/all/modules/nice_menus/superfish
/sites/all/modules/nice_menus/superfish/js
/sites/all/modules/popups
/sites/all/modules/views
/sites/all/modules/views/css
/sites/all/modules/views/images
/sites/all/modules/views_slideshow
/sites/all/modules/views_slideshow/contrib
/sites/all/modules/views_slideshow/contrib/views_slideshow_singleframe
/sites/all/modules/views_slideshow/contrib/views_slideshow_thumbnailhover
/sites/all/modules/views_slideshow/js
/sites/all/themes
/sites/all/themes/zen-classic
/sites/all/themes/zen-classic/images
/sites/default
/sites/default/files
/userfiles
/cgi-bin
/modules/upload
/sites/all/modules/cck/tests
/sites/all/modules/custom
/sites/all/modules/views_slideshow/js
/themes/garland/images

Thanks
R. Navaneethakrishnan.
http://navaneethakrishnan-drupal.blogspot.com/

Comments

Automated tools like Acunetix

themselves's picture

Automated tools like Acunetix are frequently wrong. Build the example URLs yourself, and test them in your browser. If you discover XSS behaviour, then you know there is a problem. If not, the testing tool is reporting a false positive.

Thanks for your comment. I

navaneeth_r's picture

Thanks for your comment.
I just tried using http://localhost/drupal7/node/alert("hi");. It result in empty page instead of page not f. I think that the haker may inject script to get cookie values and can send script to delete a file. For this we need to disallow the script in the url.

I just tried that exact line

themselves's picture

I just tried that exact line on a couple of D7 sites we've built, and a D6 site - they all worked as expected and returned a 404. I don't think this is an issue with Drupal, I think you have broken your installation.

Ya. You are correct. When I

navaneeth_r's picture

Ya. You are correct. When I moved files to the my production server, the server response is not working as expected as in the local server. I have tried the following.

I have added the following line inside in the .htaccess file which is located in project root folder.

# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).script.(>|%3E) [NC,OR]

This also works in local server. But no luck in the production server. :(

Result page in local is forbidden. And in production server the result is empty page. FYI the production server we have installed wamp server.

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: