Reflected Cross-Site Scripting (XSS) Vulnerability

kentraub
Newbie
Posts: 18
Joined: Wed Dec 12, 2012 9:35 pm

Reflected Cross-Site Scripting (XSS) Vulnerability

Post by kentraub »

I had a security scan done on my FormaLMS and received a Reflected Cross-Site Scripting from the forgot password screen:

Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET /index.php?modname=<script>alert('TK000000BD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.6.6
Set-Cookie: docebo_session=6j914tgd03dtbi556j2k3kdst4; path=/
X-Powered-By: ASP.NET
Date: Mon, 18 May 2015 13:56:40 GMT
Content-Length: 6835
Evidence: <script>alert('TK000000BD')</script>
Remediation:
Before accepting any user-supplied data, the application should validate this data's format and reject any characters that are not explicitly allowed (i.e. a white-list). This list should be as restrictive as possible.
Before using any data (stored or user-supplied) to generate web page content, the application should escape all non alpha-numeric characters (i.e. output-validation). This is particularly important when the original source of data is beyond the control of the application. Even if the source of the data isn't performing input-validation, output-validation will still prevent XSS.

Can anyone address this? I am running FormaLMS 1.4
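
The remediation advice in the scan report above (allowlist validation on input, escaping on output), together with a check for whether a scanner payload comes back raw or escaped, as an added example that is not part of the original post and is not forma.lms code. The application itself is PHP; Python is used here only for illustration, and the allowlist pattern, the function names and the `login` module value are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: module names are short identifiers; forma.lms's real rule may differ.
MODNAME_ALLOWED = re.compile(r"[A-Za-z0-9_]{1,64}")

def validate_modname(value):
    """Input validation: return the value if it matches the allowlist, else None."""
    return value if MODNAME_ALLOWED.fullmatch(value or "") else None

def render_unsafe(modname):
    """The flaw the scan reports: the parameter is echoed into HTML as-is."""
    return "<p>Module: " + modname + "</p>"

def render_safe(modname):
    """Output escaping: &, <, > and both quote characters become entities."""
    return "<p>Module: " + html.escape(modname, quote=True) + "</p>"

def handle(request_target):
    """Hypothetical handler: validate the input, and escape on output regardless."""
    query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    raw = query.get("modname", [""])[0]
    modname = validate_modname(raw)
    if modname is None:
        return 400, "<p>Invalid module name</p>"
    return 200, render_safe(modname)

def classify_reflection(body, payload):
    """Triage a scanner finding: how does the payload appear in the response body?"""
    if payload in body:
        return "raw"        # markup survives, the finding is real
    if html.escape(payload, quote=True) in body:
        return "escaped"    # reflected only as inert text
    return "absent"

# Constructed sample, built from the request line in the scan report.
PAYLOAD = "<script>alert('TK000000BD')</script>"
TARGET = "/index.php?modname=" + PAYLOAD + "&op=lostpwd"

if __name__ == "__main__":
    print(handle(TARGET))
    print(classify_reflection(render_unsafe(PAYLOAD), PAYLOAD))
    print(classify_reflection(render_safe(PAYLOAD), PAYLOAD))
```
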
canelli
FormaLms Guru
Posts: 496
Joined: Thu Nov 08, 2012 12:21 pm
Version: forma.lms 2.0

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by canelli »

I was not able to reproduce the vulnerability you found.

I tried on
  • Linux server with Apache 2.2, PHP 5.3, 5.4 and 5.5
  • Windows 7 with Apache 2.2, PHP 5.3 and 5.4
forma.lms since version 1.0 has implemented a check and cleanup of input parameters (GET and POST) to prevent Cross-site Scripting (XSS).

I think the issue can be related to your environment: PHP 5.6 (not supported for production, enabled for testing) and/or IIS web server.
Can you try with PHP 5.4? With Apache 2.x?
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Advanced systems for information technology

http://www.joint-tech.com
---------------
kentraub
Newbie
Posts: 18
Joined: Wed Dec 12, 2012 9:35 pm

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by kentraub »

I have downgraded the PHP version and the scan still shows the same results:
Evidence:
URL: https://24.106.122.83/index.php
Parameter: modname
Request: GET /index.php?modname=<script>alert('TK000000CD')</script>&op=lostpwd HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 24.106.122.83
Content-Type: text/html
Content-Length: 0
Response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.4.42
Set-Cookie: docebo_session=tf39dme1mg0u57577iutrhokj7; path=/
X-Powered-By: ASP.NET
Date: Tue, 18 Aug 2015 13:57:33 GMT
Content-Length: 6837
Evidence: <script>alert('TK000000CD')</script>
jrgilo
Newbie
Posts: 7
Joined: Mon Jan 29, 2018 5:11 pm
Version: forma.lms 2.0
Location: Mexico City, Mexico

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by jrgilo »

I get the same results. Were you ever able to figure it out, kentraub?
I'm on an Azure environment btw.
Thanks!
alfa24
Senior Boarder
Posts: 2008
Joined: Fri Nov 24, 2017 8:45 am

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by alfa24 »

Which tool is giving you this issue?
For FREE support, contact me privately here
alberto
FormaLms Guru
Posts: 1135
Joined: Fri Mar 02, 2012 9:18 am

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by alberto »

Kentraub's message is very old; those vulnerabilities have been fixed in later releases.
canelli
FormaLms Guru
Posts: 496
Joined: Thu Nov 08, 2012 12:21 pm
Version: forma.lms 2.0

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by canelli »

I confirm that with forma 2.0 we can't reproduce this vulnerability

In forma 1.x we fixed some vulnerabilities. Please use the last version, 1.4.3, to be sure you are up to date.
Search the forum for answers before asking. Check the forum before posting
---------------
Claudio Anelli
Joint Technologies - Advanced systems for information technology

http://www.joint-tech.com
---------------
alfa24
Senior Boarder
Posts: 2008
Joined: Fri Nov 24, 2017 8:45 am

Re: Reflected Cross-Site Scripting (XSS) Vulnerability

Post by alfa24 »

I confirm Forma2 is affected by the vulnerability too, after login.
See attached screenshot.
xss.jpg
For FREE support, contact me privately here