Cross site scripting possible?

edited August 2008 in Everything else
I'm new to the world of php/scripting so I'm not sure if this is a huge issue or a problem on my part/something I am doing wrong.

I have been trying to be careful on checking for vulnerabilities so I will not run into any problems down the road. I do not know that much about this so I am hoping someone will be gracious enough to explain to me if this is a problem or not, or help me correct a mistake I might have made. I used Paros to scan though my beta site for problems, and this showed up:


http://myurl.com/minishowcase/libraries/ajax.gateway.php?cpaint_function=get_thumbs&cpaint_argument%5B%5D=venezuela&cpaint_argument%5B%5D=0&cpaint_argument%5B%5D=5&cpaint_response_type=%3CSCRIPT%3Ealert(Paros);%3C/SCRIPT%3E

Parameter

cpaint_response_type=alert(Paros);

URL

http://myurl.com/minishowcase/libraries/ajax.gateway.php?cpaint_function=get_galleries&cpaint_response_type=%3CSCRIPT%3Ealert(Paros);%3C/SCRIPT%3E

Parameter

cpaint_response_type=alert(Paros);

Thank you for your time!

Information:
Server: Apache/1.3.33 Server
PHP Version 4.4.0
MSC: v08b92
Scan Tool: Paros V. 3.2.13
O.S. XP pro
FF 3.0.1

Comments

  • though i don't understand which vulnerability is reported, it has to do with the CPaint AJAX engine i'm using, so there's little i can do about it.

    however, i've been porting the whole minishowcase to the more evolved, lighter, stronger mootools library, so in the next release that problem (whatever it is) should not be present.

    does anyone understand the output posted by joeb?
  • Hello.

    As far as I understand the topic, cross site scripting allows stealing relevant information from the user, amongst other things.

    I have no clue whether the identified call can be exploited or not, but meanwhile I removed this particular hole by editing the function return_data() in libraries/cpaint2.inc.php:

    change
        default:
            echo 'ERROR: invalid response type "'.($this->response_type).'"';

    to
        default:
            echo 'ERROR: invalid response type';


    Victor, you mentioned a change in library... when is this new version scheduled?

    thanks for minishowcase, I just like it... as does my wife ;o)
    B.
  • as soon as i get it done :)

    right now i'm moving to new york city, so it might be delayed again. i'll let you know on the announcement list once i do port it to mootools.
  • Thanks for the help guys, I appreciate the time and effort!
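The change B. describes above, shown in context as an added example: this is not minishowcase or CPaint code, and the function names, the `$cpaint_allowed_types` list and the debug flag are assumptions made for illustration. It shows why Paros flagged `cpaint_response_type` (the raw query value is reflected into a body the browser renders as HTML) and closes it with a whitelist, no reflection, a text/plain content type, and HTML encoding for the one case where the value is shown.

```php
<?php
// Added example, not code from minishowcase or CPaint. A minimal stand-in for
// CPaint's return_data() kept PHP 4 compatible to match the reporter's server.

// Response types the gateway is assumed to accept (assumption, not CPaint's list).
$cpaint_allowed_types = array('TEXT', 'XML', 'OBJECT');

// Before: the value of cpaint_response_type lands verbatim in the response.
// Because the browser renders that error as HTML, a request carrying
// <SCRIPT>alert(Paros);</SCRIPT> runs script in the visiting user's session.
function return_data_before($response_type, $data)
{
    switch ($response_type) {
        case 'TEXT':
            echo $data;
            break;
        default:
            echo 'ERROR: invalid response type "' . $response_type . '"';
    }
}

// After: only known types are dispatched, the untrusted value is not reflected
// (B.'s change), the error is sent as text/plain so nothing is parsed as markup,
// and if the value must be shown while debugging it is HTML-encoded first.
function return_data_after($response_type, $data, $debug = false)
{
    global $cpaint_allowed_types;
    if (!in_array($response_type, $cpaint_allowed_types, true)) {
        header('Content-Type: text/plain; charset=UTF-8');
        echo 'ERROR: invalid response type';
        if ($debug) {
            // Encoding turns < > " ' & into entities, so the value cannot
            // become a tag or attribute even in an HTML context.
            echo ' (' . htmlspecialchars($response_type, ENT_QUOTES) . ')';
        }
        return;
    }
    echo $data;
}

// Dispatch on the gateway's query parameter, defaulting to TEXT when absent.
$type = isset($_GET['cpaint_response_type']) ? $_GET['cpaint_response_type'] : 'TEXT';
return_data_after($type, 'ok');
```

Rescanning with Paros after such a change should no longer report the parameter, since the injected string never reaches the response body.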