Possible Cross Site Scripting Vulnerability on Search Page

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years ago
Hello Everyone,

I was hoping to get some help on patching a possible security vulnerability.

I use a service called SiteLock to secure my site. During one of their scans, the search page is being flagged for a cross-site scripting vulnerability. See below:

URL: http://**********/search?=Search&adv=1&cid=1&isc=1&mid=1&pf=1&pt=1&q=1&sid=1
Description: ,adv,cid,isc,mid,pf,pt,q,sid


I am comfortable editing the source code, but I'm not sure where to begin to escape the vulnerable string. Could someone please advise on what I should read/steps to patching this error?

Thank you
3 years ago
In fact, this is a false positive, there is no XSS vulnerability in this, because we do not represent the values from the query string directly in the html. When invalid values are present in the URL string, we handle this situation by returning default values according to the passed model. You can see more details in this commit.
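To illustrate the behaviour described in the reply above, here is an added example (not nopCommerce's own code; the `SearchQuery` model, its property names and the `RenderSearchBox` helper are hypothetical stand-ins): numeric parameters such as `cid` and `pf` are bound to typed fields, so an unparsable value becomes the default instead of being reflected, and the only free-text field, `q`, is HTML-encoded before it is placed in markup.

```csharp
// Added example (not nopCommerce code): a console stand-in for the two behaviours
// that make the scanner's finding a false positive when they hold.
using System;
using System.Collections.Specialized;
using System.Text.Encodings.Web;
using System.Web;

// Hypothetical search model; property names mirror the scanner's URL parameters.
public sealed class SearchQuery
{
    public string Q { get; set; } = "";   // free-text search term
    public int Cid { get; set; }          // category id, 0 = not set
    public int Pf { get; set; }           // price from, 0 = not set

    // Mirrors typed model binding: anything that is not a valid int is
    // replaced by the property's default instead of being carried as text.
    public static SearchQuery Bind(string queryString)
    {
        NameValueCollection qs = HttpUtility.ParseQueryString(queryString);
        return new SearchQuery
        {
            Q   = qs["q"] ?? "",
            Cid = ParseInt(qs["cid"]),
            Pf  = ParseInt(qs["pf"]),
        };
    }

    private static int ParseInt(string? value) =>
        int.TryParse(value, out int n) ? n : 0;
}

public static class SearchView
{
    // The only place raw user text reaches the markup. Attribute-encoding it,
    // as <input asp-for="Q"> does, turns < > " & into HTML entities.
    public static string RenderSearchBox(SearchQuery model) =>
        $"<input name=\"q\" value=\"{HtmlEncoder.Default.Encode(model.Q)}\" />";
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: non-numeric junk in numeric fields, markup in the term.
        var m = SearchQuery.Bind("?adv=1&cid=abc&pf=\"><b>x</b>&q=\"><b>x</b>");
        Console.WriteLine($"cid={m.Cid} pf={m.Pf}");     // numeric fields hold defaults
        Console.WriteLine(SearchView.RenderSearchBox(m)); // term appears only as entities
    }
}
```

A scanner that only checks whether the parameter name or value is echoed somewhere in the response cannot tell encoded output from raw output, which is why a manual check of the rendered attribute is the useful confirmation.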
3 years ago
Thank you Dmitriy,

I looked at the InputTagHelper.cs class in my source code and since I'm using 4.3 it doesn't match the github code you've provided. I used 4.3 because the theme(NopPavilion) I'm using on my site does not support 4.4 yet.

I will make these changes myself and republish the code and let you know the result. Once again, thank you for your help.

Michael
3 years ago
Hello Dmitriy,

I have been working on this issue and I wanted to provide an update.

Using the NopCommerce GitHub repo I created a local copy of the 4.3 Release branch. I tried to use the Develop branch but the recent Async commit is not currently compatible with the theme and plugins I have installed. I made the changes to the InputTagHelper class from your commit in my local copy for testing, and am preparing to upload the patch to my production server. After uploading I will rescan and report the results.

I also need to elaborate on some possible issues I left out in my initial question. I am using NopTheme: Pavilion on my site. This theme has separate controllers from NopCommerce out-of-the-box solution. Could this be an issue? When I run a search, I do see unfiltered search terms on the page, although I cannot find the text in Page Source. See below image:


Please stand by while I finish the patch and report scan results. Also, I want to thank you for your help. Y'all have been very helpful and the NopCommerce github repo is a beautiful source for someone like me who is trying to learn C# and asp.net core development. Thank you!

Michael
3 years ago
milemke08 wrote:

Could this be an issue? When I run a search, I do see unfiltered search terms on the page, although I cannot find the text in Page Source.


Hi Michael

Since the search text is not part of JavaScript, this shouldn't be a problem.
3 years ago
Dmitriy,

I checked the scanner after updating my NopCommerce application with the commit you link to above. I'm pleased to announce (and of course you already knew) my site now is not listed as vulnerable to XSS.

Although this was a false positive, I want to personally thank you for offering me guidance for patching this issue. Thank you for your time, and Merry Christmas!