Sorry, I don't understand the question... maybe I have explained it badly....
I used this program to give me an idea, but I do not understand these things much.
A week ago my site (which uses a different script) was taken down
by a lamer.
So I decided to use your script (much better),
but I would not want it to happen again, so I tried to inform myself and I found this program (Acunetix WVS 8) that seems very much appreciated.
It found an error (or possible error) in the forgotten-password security request ...
I just wanted to know if it's a false alarm, or whether the bug could be resolved?
I am a noob in these things.
PS: I enclose the results of the scan:
POST /dfh/index.php?act=forgotpass&page=login HTTP/1.1
Content-Length: 88
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=403eajkni8ckc0rj84rg80hfu3
Host:
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - Free Edition)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
security_code=94102&submit=Invia&user=%22%20onmouseover%3dprompt%28989101%29%20bad%3d%22

Response
HTTP/1.1 200 OK
Date: Mon, 02 Apr 2012 16:15:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 3994
This vulnerability affects /dfh/index.php.
Discovered by: Scripting (XSS.script).
Attack details
URL encoded POST input user was set to " onmouseover=prompt(989101) bad="
The input is reflected inside a tag parameter between double quotes.
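The report's last two lines are what decide the question. The scanner submitted a username starting with a double quote, and the page echoed it back inside a double-quoted attribute, so the quote closes the attribute early and the rest of the payload becomes an attribute of its own. The PHP below is an added example, not code from the forum's script or from Acunetix: it reproduces the finding with the exact decoded payload from the report under the assumption that the forgotten-password form writes the submitted "user" value into a value="..." attribute, and then shows the usual fix, escaping the value with htmlspecialchars() and ENT_QUOTES.

```php
<?php
// Added example, not the forum script's own code: it reproduces the scanner's
// finding with the decoded payload from the report and shows the fix.
// Assumption: the forgotten-password form echoes the submitted "user" value
// back into a value="..." attribute (the scanner says the input is reflected
// inside a tag parameter between double quotes).

$user = '" onmouseover=prompt(989101) bad="';   // decoded payload from the scan

// Vulnerable pattern: raw concatenation. The payload's leading double quote
// closes value="" early, so onmouseover becomes a real attribute on the tag.
function render_unsafe($user)
{
    return '<input type="text" name="user" value="' . $user . '">';
}

// Fixed pattern: escape for the HTML attribute context. ENT_QUOTES turns both
// " and ' into entities, so the browser can never leave the attribute value.
// (Works on PHP 5.1 as well as current versions.)
function render_safe($user)
{
    return '<input type="text" name="user" value="'
         . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '">';
}

// Check: parse each fragment the way a browser would and look for an
// injected event-handler attribute on the <input> element.
function has_event_handler($html)
{
    $doc = new DOMDocument();
    @$doc->loadHTML($html);                       // silence fragment warnings
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input !== null && $input->hasAttribute('onmouseover');
}

var_dump(has_event_handler(render_unsafe($user)));  // the scanner's finding
var_dump(has_event_handler(render_safe($user)));    // after escaping
```

Run it with `php example.php`: the unescaped rendering carries the injected onmouseover attribute, the escaped one does not. So this is not a false alarm if the script concatenates the value as in render_unsafe(); the fix is to pass every user-supplied value through htmlspecialchars() with ENT_QUOTES at the point where it is written into HTML, not only on this form but wherever the script echoes request input.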