phpxsscode-injection

Determining XSS Attack Vulnerabilities


I am experiencing a relentless XSS attack that I can't seem to prevent. I've got three total input forms on my site - one is for the uploading of images, one for adding comments to a page, and a third that sends an email via php. I am protecting all of them in one way or another, but somehow the vulnerability is still there.

My comments code:

for($j = 0; $j < 3 ; $j++)
                    {
                            $s = $styles[array_rand($styles)];
                            if($song_arr[$k] != '' && $artist_arr[$k] != '' && $name_arr[$k] != '')
                            {
                            echo '<td>';    
                            echo '<div class="'.$s.'" style="clear:left" >';
                                echo '<p class="rendom">';
                                    echo 'Song:&nbsp;'.htmlspecialchars($song_arr[$k]).'<br>Artist:&nbsp;'.htmlspecialchars($artist_arr[$k]).'<br>Submitted By:&nbsp;'.htmlspecialchars($name_arr[$k]);
                                echo '</p>';
                            echo '</div>';
                            echo '</td>';
                            }
                        $k++;
                    }

Upload form:

    if ((($_FILES["userfile"]["type"] == "image/jpg")
|| ($_FILES["userfile"]["type"] == "image/jpeg")
|| ($_FILES["userfile"]["type"] == "image/pjpeg"))
&& ($_FILES["userfile"]["size"] < 20000)) {
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        if (move_uploaded_file ($_FILES['userfile']['tmp_name'],'userfile.jpg')) {
            $image = new SimpleImage();
            $image->load('userfile.jpg');
            $image->resize(29,136);
            $image->save('userfile.jpg');
            ?>
            <img src="img/text/uploadSuccess.jpg" alt="Image uploaded successfully." /><br />
                    <br />
                    <img src="userfile.jpg?rand=<? echo rand(1,10000); ?>" />
            <?
        } else {
            echo 'Moving uploaded file failed';
        }
    } else {
        echo 'File upload failed';
    }
} else {
echo 'Invalid Filetype';
}

Email Form:

<?php
// Process input variables (trim, stripslash, reformat, generally prepare for email)
    $recipients = trim($_POST['recipients']);
    $sender_email = trim($_POST['sender_email']);
    $sender_name = stripslashes(trim($_POST['sender_name']));
    $subject = stripslashes(str_replace(array("\r\n", "\n", "\r"), " ", trim($_POST['subject'])));
    $message = stripslashes(str_replace(array("\r\n", "\n", "\r"), "<br />", trim($_POST['message'])));

// Check email addresses for validity
    // Explode the comma-separated list of recipients + the sender email address into an array. Even if there is only one recipient, this will check for validity.
    $addresses = explode("," , $recipients.",".$sender_email);
    // For each email address specified...
    foreach ($addresses as $address) {
        // If the email address doesn't match the RFC8622 spec regex, assume invalid 
        if (!(preg_match("~^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+(?:[A-Z]{2}|com|org|net|uk|edu|jp|de|br|ca|gov|au|info|nl|fr|us|ru|it|cn|ch|tw|es|se|be|dk|pl|at|il|tv|nz|biz)$~i", trim($address)))) {
            // Output error message for invalid email address and end script.
            echo '"' . $address . '" is not a valid email address. Please try again.';
            return;
        }
    }

// Check other vars are not empty
    if ((empty($sender_name)) OR (empty($subject)) OR (empty($message))) {
        // Output error message and end script.
        echo 'Please complete all form fields and try again.';
        return;
    }

// Send HTML email
    $headers = "MIME-Version: 1.0\r\nContent-type:text/html;charset=iso-8859-1\r\nFrom: ". $sender_name ." <". $sender_email ."> \n\n";
    if (mail($recipients,$subject,$message,$headers)) {
        // Mail successfully sent, output success message and end script
        echo 'Message sent. We will be in touch with you shortly.';
        return;
    } else {
        // Something unknown went wrong. =(
        echo 'Something went wrong which the little worker monkeys could not fix. Please try again.';
        return;
    }
?>

The XSS keeps showing up at the absolute bottom of my index page, in which i include() all of the three above files whose contents are in different files.

Any ideas?


Solution

  • In the e-mail form, you echo back invalid e-mail addresses that were submitted without escaping them. Change this line:

     echo '"' . $address . '" is not a valid email address. Please try again.';
    

    to

     echo '"' . htmlspecialchars($address) . '" is not a valid email address. Please try again.';