XSS issue with error message on NTFD page

#1

Our vulnerability scanner figured out that we had an XSS issue on our NTFD page. Basically the system-generated error message was printing g.Screen without encoding entities.

I dug around all over the place looking for a spot where I could change the error message from &mvt to &mvte but I couldn't find it, so I ended up just testing if the page is NTFD, and if so I print my own message. But is there a way to correct the actual system-generated message?

My new code, located in my global header, is:
Code:
<mvt:if expr="g.Error_Message_Count">
    <mvt:if expr="l.settings:page:code NE 'NTFD'">
        <mvt:item name="messages" />
    <mvt:else>
        We're sorry, that page no longer exists.
    </mvt:if>
</mvt:if>

Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

#2
Re: XSS issue with error message on NTFD page

Originally posted by Mike521w:
Our vulnerability scanner figured out that we had an XSS issue on our NTFD page. Basically the system-generated error message was printing g.Screen without encoding entities.

I dug around all over the place looking for a spot where I could change the error message from &mvt to &mvte but I couldn't find it, so I ended up just testing if the page is NTFD, and if so I print my own message. But is there a way to correct the actual system-generated message?

My new code, located in my global header, is:
Code:
<mvt:if expr="g.Error_Message_Count">
    <mvt:if expr="l.settings:page:code NE 'NTFD'">
        <mvt:item name="messages" />
    <mvt:else>
        We're sorry, that page no longer exists.
    </mvt:if>
</mvt:if>

Hey, when you say system-generated message, are you talking about the default message, i.e. "The item you requested is not available at this time."? I think I am a little lost as to what you mean; can you clarify a bit more?

Happie Mendenhall
Support Technician
Miva, Inc.


#3
Re: XSS issue with error message on NTFD page

Well basically, it seems like the line that reads:

<mvt:item name="messages" />

was creating a message that said something like "Sorry, page 'xyz' does not exist."

That part was vulnerable to XSS attacks because it reprinted the page code, even if the code was supplied by the query string and was really just a javascript or something.

Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.


#4
Re: XSS issue with error message on NTFD page

Originally posted by Mike521w:
Well basically, it seems like the line that reads:

<mvt:item name="messages" />

was creating a message that said something like "Sorry, page 'xyz' does not exist."

That part was vulnerable to XSS attacks because it reprinted the page code, even if the code was supplied by the query string and was really just a javascript or something.

Hey,

All you would need to do is go to the NTFD page template and change this line.

Code:
<mvt:if expr="ISNULL g.Error_Messages">
    <h4 class="text-danger">The resource you requested is not available at this time.</h4>
<mvt:else>
    <h4 class="text-danger">We're sorry, that page no longer exists.</h4>
</mvt:if>

Please and Thank You

Happie Mendenhall
Support Technician
Miva, Inc.


#5
Re: XSS issue with error message on NTFD page

I know, that's basically what I did, but my question is, can I fix the actual system-generated message somewhere? So I can still use <mvt:item name="messages" />.

Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.


#6
Re: XSS issue with error message on NTFD page

I'm getting harassed by a "security researcher" who has published a similar MIVA-based XSS issue on a public XSS forum and tweeted about it.

I'm worried about a "whack-a-mole" scenario where they keep finding URLs within the bowels of MIVA to complain about.

Is there a way MIVA can do a universal patch for this so it goes away once and for all?


#7
Re: XSS issue with error message on NTFD page

There are no XSS in Miva by default, so no, we can't.

However, our platform is flexible enough for you to introduce your own XSSs, and there's nothing we can do to stop that.

Thanks,

Rick Wilson
CEO
Miva, Inc.
[email protected]
https://www.miva.com


#8
Re: XSS issue with error message on NTFD page

Originally posted by findme:
I'm getting harassed by a "security researcher" who has published a similar MIVA-based XSS issue on a public XSS forum and tweeted about it.

I'm worried about a "whack-a-mole" scenario where they keep finding URLs within the bowels of MIVA to complain about.

Is there a way MIVA can do a universal patch for this so it goes away once and for all?

Does anyone out there know how to fix this?


#9
Re: XSS issue with error message on NTFD page

Originally posted by Rick Wilson:
There are no XSS in Miva by default, so no, we can't.

However, our platform is flexible enough for you to introduce your own XSSs, and there's nothing we can do to stop that.

Rick, my original post on this was specifically about the error message generated by Miva, meaning Miva's message was vulnerable at that time. Maybe it's been fixed since then? I'm not sure; I still have my workaround in place and haven't thought about this at all.

Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.


#10
Re: XSS issue with error message on NTFD page

To answer your question: no, if MMUI you cannot modify the built-in error messages. However, in a CSSUI store you are able to view and edit these messages.

The issue you are seeing is that <mvt:item name="messages" /> is not intended to be used on the NTFD page.

The correct code should be (for a MMUI store):

Code:
<blockquote>
    <mvt:item name="fonts" param="body_font">
        <mvt:if expr="ISNULL g.Error_Messages">
            The item you requested is not available at this time.
        <mvt:else>
            &mvte:global:Error_Messages;
        </mvt:if>
    </mvt:item>
</blockquote>

Last edited by Brennan; 08-06-15, 11:50 AM.

Brennan Heyde
VP Product
Miva, Inc.
[email protected]
https://www.miva.com
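The whole thread turns on one distinction: &mvt: emits a value raw, while &mvte: entity-encodes it, so a page code taken from the query string and echoed back inside the NTFD error message is rendered as text rather than parsed as markup. As an added illustration (not code from the thread or from Miva), the Python below models that difference: render_ntfd mirrors the ISNULL g.Error_Messages branch of Brennan's snippet, with encode=False standing in for &mvt: and encode=True for &mvte:, and reflects_unencoded is the check a scanner effectively performs. The message wording in system_error_message, the function names and the benign probe string are assumptions constructed for the example.

```python
import html

# Constructed stand-in for the system-generated NTFD text the thread describes
# ("Sorry, page 'xyz' does not exist."); the exact wording is an assumption.
def system_error_message(screen: str) -> str:
    return f"Sorry, page '{screen}' does not exist."


def render_ntfd(error_messages: str, encode: bool) -> str:
    """Model of the NTFD template branch from the thread:

        <mvt:if expr="ISNULL g.Error_Messages"> ... <mvt:else> &mvte:global:Error_Messages; </mvt:if>

    encode=False models the raw &mvt: output, encode=True the entity-encoded &mvte: output.
    """
    if not error_messages:  # the ISNULL branch: a fixed, attacker-independent message
        body = "The item you requested is not available at this time."
    elif encode:
        # html.escape with quote=True also encodes ' and ", so the value is inert
        # inside element content and inside attribute values alike.
        body = html.escape(error_messages, quote=True)
    else:
        body = error_messages  # raw interpolation: whatever came in is emitted as markup
    return f'<h4 class="text-danger">{body}</h4>'


def reflects_unencoded(rendered: str, probe: str) -> bool:
    """The check a scanner effectively performs: a caller-supplied probe containing
    markup appears verbatim in the response, so the browser would parse it as HTML."""
    return probe in rendered


# Constructed benign canary: markup-shaped, but harmless if it ever renders.
PROBE = "<b>scanner-probe</b>"


def demo() -> dict:
    """Render the same system message both ways and report what a scanner would see."""
    msg = system_error_message(PROBE)
    raw = render_ntfd(msg, encode=False)
    safe = render_ntfd(msg, encode=True)
    return {
        "raw": raw,
        "safe": safe,
        "raw_reflects": reflects_unencoded(raw, PROBE),
        "safe_reflects": reflects_unencoded(safe, PROBE),
        # Encoding loses nothing: decoding the safe output gives back the raw text,
        # which is exactly what the browser displays, as text rather than as elements.
        "safe_roundtrips": html.unescape(safe) == raw,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the template itself the equivalent of encode=True is simply the &mvte: prefix in Brennan's snippet; the global-header workaround in post #1 sidesteps the problem instead by never rendering the system message on NTFD at all.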



#11
Re: XSS issue with error message on NTFD page

Sounds good, thanks Brennan!

Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.