Hikashop filters - cross-site scripting attacks

  • Posts: 1
  • Thank you received: 0
11 years 4 months ago #80480

Hello, we have a client for whom we installed HikaShop (version 1.6.0 Business). They have their domain with GoDaddy, and they also have a site security check with GoDaddy that scans the site for vulnerabilities. Ever since we installed HikaShop, the scan has been showing a warning saying that the filters from HikaShop are prone to CGI cross-site scripting attacks (see below for the complete output of the scan). We want to know how this can be fixed, since the scan sends the client an email almost every day saying that the site has security issues. Has this happened to anyone else? Please help.

Godaddy SiteScanner report:

Status:
Not yet addressed

Synopsis:
The remote web server is prone to cross-site scripting attacks.

Description:
The remote web server hosts cgi scripts that fail to adequately sanitize parameters name of
malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and
script code to be executed in a user's browser within the security context of the affected site.

See Also:
en.wikipedia.org/wiki/Cross_site_scripting
capec.mitre.org/data/definitions/86.html
projects.webappsec.org/Cross-Site+Scripting

Risk Factor:
Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Solution:
Contact the vendor for a patch or upgrade.


Output:
Using the GET HTTP method, Site Scanner found that :
+ The following resources may be vulnerable to XSS (on parameters names) :
/bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1


request
GET /bands-and-settings/category/371-all-ring-settings/limit_hikashop_category_information_module_223_371-0/limitstart_hikashop_category_information_module_223_371-0/filter_order_hikashop_category_information_module_223_371-a.ordering/filter_order_Dir_hikashop_category_information_module_223_371-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

output

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1
request
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

output

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
/engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1
request
GET /engagement-rings/category/366-antique-engagement-rings/limit_hikashop_category_information_module_222_366-25/limitstart_hikashop_category_information_module_222_366-0/filter_order_hikashop_category_information_module_222_366-a.ordering/filter_order_Dir_hikashop_category_information_module_222_366-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

output

[...] abd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_category_information_module_222_50-0/limitstart_hikashop_category_information_module_222_50-0/filter_order_hikashop_category_information_module_222_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1
request
GET /engagement-rings/category/50-estate-engagement-rings/limit_hikashop_category_information_module_222_50-0/limitstart_hikashop_category_information_module_222_50-0/filter_order_hikashop_category_information_module_222_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

output

[...] bd44a6ec-1/type-atom?<<<<<<<<<<foo"bar'314>>>>>=1" method="post" name="ad [...]
<div class="hikashop_products_pagination hikashop_products_paginat [...]
/engagement-rings/category/50-estate-engagement-rings/limit_hikashop_category_information_module_222_50-0/limitstart_hikashop_category_information_module_222_50-0/filter_order_hikashop_category_information_module_222_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1
request
GET /engagement-rings/category/50-estate-engagement-rings/limit_hikashop_category_information_module_222_50-0/limitstart_hikashop_category_information_module_222_50-0/filter_order_hikashop_category_information_module_222_50-a.ordering/filter_order_Dir_hikashop_category_information_module_222_50-ASC/688ae9879a2df0fc5b840aeabd44a6ec-1/type-rss?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1\r
Host: www.doverjewelry.com\r
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1\r
Accept-Language: en\r
Connection: Close\r
Cookie: 7eedc822c6dd39ecf3c8ab00003d56f9=764a229107bda6b48c2863965f50ca03\r
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; MSIE 6.0; Site Scanner Bot; +http://www.websiteprotection.com) Firefox/2.0.0.3\r
Pragma: no-cache\r
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

output


  • Posts: 81540
  • Thank you received: 13071
  • MODERATOR
11 years 4 months ago #80555

That has already been corrected. Please update to the latest version of HikaShop and you won't have that anymore.


  • Posts: 5
  • Thank you received: 0
11 years 4 months ago #80898

Hello Nicolas,

Thank you for your quick response. Is there any way to solve this problem without having to upgrade? The thing is that we have already made some major modifications to the current HikaShop setup, so we don't want to lose the changes we have made. Is there something we can modify, or something we can do, that doesn't affect the modifications we made? Any help would be greatly appreciated. Thanks in advance.


  • Posts: 26008
  • Thank you received: 4004
  • MODERATOR
11 years 4 months ago #81020

Hi,

If you have just made modifications to views through the HikaShop backend, you will be able to update without any problem.
Modifying HikaShop core files is not recommended, and we can't provide such a patch because a lot of files have been modified for HikaShop 2.0 and the Joomla 3.0 support.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.


  • Posts: 5
  • Thank you received: 0
11 years 4 months ago #82411

Hi Jerome,

Thank you for your response. We know it is not recommended to make changes directly in the code :whistle:. But it was a very difficult client that we needed to make some custom stuff for, so we just wanted to make some quick changes and didn't really think about it. Is it possible to extract a filters folder or files from the new version of HikaShop and replace them in our current HikaShop install? Or is there ANY OTHER :( suggestion you might have to solve this problem? We only have 1 search filter on the entire site, which is what we think is causing this problem. Is there anything we can do to this filter to make sure we do not get this error?


  • Posts: 81540
  • Thank you received: 13071
  • MODERATOR
11 years 4 months ago #82694

Hi,

The problem doesn't come from the filters. It comes from the pagination. If you deactivate the pagination you won't have the problem.

As a quick fix, you can edit the listing_div files of the category and product views via the menu Display->Views and change the code:
hikashop_currentURL()

with:
preg_replace('#[^a-z0-9_?:/&=.-]#i', '', hikashop_currentURL()) // strip every character outside this URL whitelist

Note that the code appears twice in each file.

The correct fix has to be done on several files throughout HikaShop which were heavily modified for HikaShop 2.0 so you wouldn't be able to replace them as that would just make HikaShop crash.

HikaShop has been developed to be extendable. Anything in it can be extended/overridden with template overrides or plugins. You should make sure that you properly extend/override HikaShop in order to be able to easily update next time you need to.

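To make the diagnosis above concrete, here is an added example (not HikaShop's own code) that stands in for the pagination form: it echoes the current request URL into the form's action attribute, the way the scanner output shows, and compares the raw rendering with the whitelist quick fix and with HTML-attribute escaping. The function names and the shortened sample URL are assumptions.

```php
<?php
// Added example, not HikaShop code. Stand-in for hikashop_currentURL():
// the scanner appended its probe to the query string of a real category URL,
// so the "current URL" that the pagination form echoes back now contains it.
function currentUrlStandIn(): string {
    return '/engagement-rings/category/50-estate-engagement-rings/'
        . 'filter_order_hikashop_category_information_module_222_50-a.ordering/'
        . 'type-atom?<<<<<<<<<<foo"bar\'314>>>>>=1';
}

// 1. Vulnerable rendering: the URL is dropped into an attribute unescaped.
//    The probe's double quote closes action="...", so request-controlled text
//    lands inside the tag itself. This is what the SiteScanner report flags.
function paginationFormRaw(string $url): string {
    return '<form action="' . $url . '" method="post" name="adminForm">';
}

// 2. The forum quick fix: strip everything outside a URL character whitelist.
//    The probe disappears, but so does any legitimate character not in the
//    list (for example % in percent-encoded segments, or + in queries).
function paginationFormWhitelist(string $url): string {
    $clean = preg_replace('#[^a-z0-9_?:/&=.-]#i', '', $url);
    return '<form action="' . $clean . '" method="post" name="adminForm">';
}

// 3. Context-aware fix: escape for an HTML attribute. The URL survives intact
//    (the browser decodes &quot;, &apos;, &lt; and &gt; when it reads the
//    attribute) but the quotes can no longer terminate the attribute value.
function paginationFormEscaped(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $safe . '" method="post" name="adminForm">';
}

// Reviewer check: the action value must end exactly at the closing quote
// before ' method=' and contain nothing that could close or restructure the tag.
function attributeIsIntact(string $html): bool {
    $start = strlen('<form action="');
    $end = strpos($html, '" method="post"');
    if ($end === false) {
        return false;
    }
    $value = substr($html, $start, $end - $start);
    return strpbrk($value, '"<>\'') === false;
}

$url = currentUrlStandIn();
printf("raw:       %s\n", attributeIsIntact(paginationFormRaw($url)) ? 'ok' : 'BROKEN');
printf("whitelist: %s\n", attributeIsIntact(paginationFormWhitelist($url)) ? 'ok' : 'BROKEN');
printf("escaped:   %s\n", attributeIsIntact(paginationFormEscaped($url)) ? 'ok' : 'BROKEN');
```

Run with the PHP CLI: the raw form reports BROKEN while both fixes report ok, which is why escaping at the output point (the upstream HikaShop fix) is preferable to stripping characters from the URL.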
