#1
Join Date: Nov 2008; Posts: 33; Plugin Contributions: 0

Disable Discount Coupon Lookup Cross Linking Script

    Running 1.39h, Cpanel 11.34, and PHP 5.2.17

I have a recent PCI scan failure that I need to fix ASAP. The scan came up with a cross scripting vulnerability. I need to fix this, or disable it, maybe temporarily, until I fix it.

Here is an excerpt from an email from SecurityMetrics explaining the issue:

    On these XSS checks we are looking at how the site handles user supplied input and specifically how it handles special characters like < > ' " etc. The site should be checking for those characters and then either sanitizing them or escaping them so they could not be used to execute code. The symptom that will trigger these is if our request comes back unchanged.

    So to dispute this we would need to know what measures you have in place to prevent XSS, and how the affected area is not vulnerable. We can then test based on your statement and if it checks out we can clear that.

The scan is seeing this issue at the following page: http://www.(mysite).net/index.php?ma...&action=lookup

    The specific parameter on that page we are seeing this in is: "lookup_discount_coupon"

    So if we go to that page and parameter and enter in a string of characters or code like: ><script>alert('sm123')</script>

We are looking at the page source after that request to see if those characters are getting sanitized and if we can execute the script. When testing this there is an area of the site that is returning that request unchanged, and that is why it's flagging.

Here is a copied and pasted part of the source code where we are seeing this. You can see the first area is returning our request sanitized, and the other is not. I have highlighted the two areas.

    <div class="centerColumn" id="discountcouponInfo">
    <h1 id="discountcouponInfoHeading">Discount Coupon</h1>

    <div id="discountcouponInfoMainContent" class="content">
    <span class="alert important">&gt;&lt;script&gt;alert('sm123')&lt;/script&gt;</span> does not appear to be a valid Coupon Redemption Code. Please try typing it in again.</div>

    <form action="http://www.(mysite).net/index.php?main_page=discount_coupon&amp;action=lookup" method="post">
    <fieldset>
    <legend>Look-up Discount Coupon ... </legend>
    <label class="inputLabel" for="lookup-discount-coupon">Your Code: </label>
    <input type="text" name="lookup_discount_coupon" value="><script>alert('sm123')</script>" size="40" id="lookup-discount-coupon" /></fieldset>

    <div class="buttonRow forward"><a href="http://www.(my site).net/index.php?main_page=discount_coupon"><img src="includes/templates/classic/buttons/english/button_cancel.gif" alt="Cancel" title=" Cancel " width="39" height="15" /></a>&nbsp;&nbsp;<input type="image" src="includes/templates/classic/buttons/english/button_send.gif" alt="Send Now" title=" Send Now " /></div>
    <div class="buttonRow back"><a href="http://www.(mysite).net/index.php?main_page=index"><img src="includes/templates/classic/buttons/english/button_back.gif" alt="Back" title=" Back " width="39" height="15" /></a></div>
    <br class="clearBoth" />
    </form>
    Thanks
    Paul

#2

Re: Disable Discount Coupon Lookup Cross Linking Script

In the file tpl_discount_coupon_default.php, around line 27, you will find the following code. I added the zen_output_string_protected() call. This looks to have solved the issue.

    <?php echo zen_draw_input_field('lookup_discount_coupon', zen_output_string_protected($_POST['lookup_discount_coupon']), 'size="40" id="lookup-discount-coupon"');?>
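As an added illustration, not code from this thread or from Zen Cart, the stand-alone PHP below shows both halves of what the posts describe: the "reflected unchanged" test the SecurityMetrics email explains, and the effect of the htmlspecialchars() escaping that zen_output_string_protected() applies to the value attribute. Zen Cart's own zen_draw_input_field() is not reproduced; escapeQuoteOnly() is an assumed stand-in for an escaper that only neutralises double quotes, and escapeHtml(), renderCouponInput() and reflectedUnchanged() are names chosen here. The probe string is the one quoted in the scan email. It is written to run on PHP 5.2, the version the first post mentions.

```php
<?php
// Added example (not Zen Cart code). Shows why the coupon lookup field
// was flagged and why escaping the reflected value with htmlspecialchars()
// (what zen_output_string_protected() does) clears the finding.

// ASSUMED stand-in for an escaper that only neutralises double quotes.
// Everything else (< > ' etc.) is passed through untouched.
function escapeQuoteOnly($value)
{
    return str_replace('"', '&quot;', $value);
}

// The behaviour zen_output_string_protected() gives you: htmlspecialchars().
// ENT_QUOTES also converts single quotes, so the value is safe inside
// either attribute quoting style.
function escapeHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render the coupon lookup <input> with the chosen escaper ($escaper is a
// function name). The form is shown on a plain GET before anything has been
// posted, so a missing POST field becomes an empty string instead of an
// undefined-index notice.
function renderCouponInput($post, $escaper)
{
    $value = isset($post['lookup_discount_coupon'])
        ? (string) $post['lookup_discount_coupon']
        : '';
    return '<input type="text" name="lookup_discount_coupon" value="'
        . $escaper($value)
        . '" size="40" id="lookup-discount-coupon" />';
}

// The scanner's rule as described in the email: the finding stands if the
// probe string comes back somewhere in the page byte-for-byte unchanged.
function reflectedUnchanged($probe, $html)
{
    return strpos($html, $probe) !== false;
}

// Constructed input: the probe quoted in the scan email, as if POSTed.
$probe = "><script>alert('sm123')</script>";
$post  = array('lookup_discount_coupon' => $probe);

$before = renderCouponInput($post, 'escapeQuoteOnly');
$after  = renderCouponInput($post, 'escapeHtml');

echo "Before: " . $before . "\n";
echo "  reflected unchanged (would be flagged): "
    . (reflectedUnchanged($probe, $before) ? 'yes' : 'no') . "\n";
echo "After:  " . $after . "\n";
echo "  reflected unchanged (would be flagged): "
    . (reflectedUnchanged($probe, $after) ? 'yes' : 'no') . "\n";

// First visit, nothing posted yet: empty value attribute, no notice.
echo "Empty:  " . renderCouponInput(array(), 'escapeHtml') . "\n";
```

Run it with `php example.php`. The "Before" line reproduces the raw `value="><script>...` seen in the pasted page source and is reported as flagged; the "After" line contains only `&gt;`, `&lt;` and `&#039;` entities, so the probe no longer appears verbatim and the same check passes. The isset() guard is a separate point from the XSS fix: the template line in the post reads `$_POST['lookup_discount_coupon']` unconditionally, which raises a notice when the page is first opened with no POST data.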
