Cross Site Scripting Advise Please.
05-19-2010, 04:37 AM
Posts: 961
Name: Darren
Location: England
Hi, we are trying to get PCI compliance for a website shopping basket and are getting errors about:
"Possible cross site scripting"
The scanning technicians have explained to me that, because the basket URL is generated as something like:
http://domainname/basket.php?src=%2F...ductID=1126549
- there is a risk of injection.
So.... they have said to "sanitize" the page...
Can anyone suggest a way to do that please - I can post the basket code if needed.
Cheers,
"Let us be thankful for the fools. But for them the rest of us could not succeed..."
05-19-2010, 04:45 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
Would need the basket code to be sure of what sanitisation is required.
Was the basket purchased, open source, in house or what?
Be sure to remove any passwords etc from source before pasting it.
05-19-2010, 04:49 AM
Re: Cross Site Scripting Advise Please.
Posts: 961
Name: Darren
Location: England
It was written for us about 8 years ago... all bespoke....
PHP Code:
<?php
session_start ();
//include header code
include_once("head.php");
// use the user_connection include file's connectDB function
include_once("usr_conn.php");
if(!connectDB())
{
echo "<p>Unable To Connect To Database</p>";
return;
}
if (isset ($_GET['src']))
{
$_SESSION['returnTo'] = $_GET['src'];
}
// assign variables
//echo "ref1:" . $HTTP_REFERER . "<br>";
//$temp = (string)$HTTP_REFERER;
//$urlref2 = substr($temp,0,6);
//echo "ref:" . $urlref;
$urlref = $HTTP_REFERER;
$prodID = $_GET['productID'];
$delete = $_GET ['delete'];
$quantity = $_GET['quantity'];
$updateQuantity = $_GET['updateQuantity'];
$update = $_GET ['update'];
$currency = "£";
// maximum querys per user basket
$MAXBASKETQUERY = 25;
// start the html table
?>
<!-- start header graphic html -->
<table width="770" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td background=""><!-- end header graphic html -->
<!-- start Nav html --> <!-- end nav html -->
<table width="800" border="0" align="center" cellpadding="0">
<tr>
<td height="170" valign="top">
<div align="center"> <table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align=center>
<!--begin basket output-->
<table width="98%" border="1" align="center" cellpadding="2" cellspacing="0" bordercolor="#FFFFFF">
<!--start tableheaders-->
<tr class="headertable">
<td width="111" height="25"> <div align="center">FOR VEHICLE:</div></td>
<td width="75" height="25"> <div align="center">REF NO.</div></td>
<td width="292" height="25"> <div align="center">DESCRIPTION</div></td>
<td width="42" height="25"> <div align="center">QTY</div></td> <td width="71" height="25"> <div align="center">ex vat</div></td>
<td width="71"> <div align="center">inc vat<br />
</div></td>
<td width="57" height="25"> <div align="center">TOTAL<br />
PRICE</div></td>
<td width="59" height="25" bgcolor="#FFFFFF">
<div align="center"><font face="Verdana, Arial, Helvetica, sans-serif"></font></div></td>
</tr>
<!--end table headers-->
<tr class="stdtable">
<td colspan="6" align="center">
<?php
// check if user has no cookie set
if ($userID == "")
{
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr class="stdtable" align="center">
<td colspan="6">No Product Querys made yet </td>
</tr>
</table>
<p>
<?php
return;
}
//if the updated quantity is 0 or blank remove item from basket
if ($updateQuantity == '0'){
$delete = 'yes';
}
if (($update == 'yes')&& ($updateQuantity == '')){
$delete = 'yes';
}
// if delete parameter set to yes run the delete code
if ($delete == 'yes')
{
// if prodID is set, delete that specific product from this userID's basket
if ($prodID != "")
{
$sqlquery = "DELETE FROM basket WHERE userID = '" . $userID . "' AND productID = '" . $prodID . "'";
$result = mysql_query($sqlquery);
if ($result)
{
?>
</p>
<p> </p>
<table border="0" align="center" cellpadding="15" cellspacing="0">
<tr class="stdtable" align="center">
<td width="564" colspan="6"><font size="5" face="Arial, Helvetica, sans-serif"><strong>Item
Deleted. Click <a href="basket.php"><font color="#990000">Here</font></a>
to refresh the basket </strong></font></td>
</tr>
</table>
<?php
}
else
{
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr class="stdtable" align="center">
<td width="368" colspan="6">Unable To Delete <br />
Item Click <a href="basket.php">Here</a> to refresh
the basket </td>
</tr>
</table>
<?php
}
// close the database connection
mysql_close();
return;
}
}
//update the shopping basket quantity
if ($update == 'yes')
{
// if prodID is set, update the quantity of that specific product in this userID's basket
if ($prodID != "")
{
$sqlquery = "UPDATE basket SET quantity = '" . $updateQuantity . "' WHERE productID = '" . $prodID . "'AND userID = '" . $userID . "'";
$result = mysql_query($sqlquery);
if ($result)
{
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr class="stdtable" align="center">
<td colspan="6">Your basket has been updated</td>
</tr>
</table>
<?php
}
else
{
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr class="stdtable" align="center">
<td colspan="6">Your basket has NOT been updated</td>
</tr>
</table>
<?php
}
// close the database connection
//mysql_close();
//return;
}
}
// find the number of rows in this userID's basket
$sqlquery = "SELECT * FROM basket WHERE userID = '" . $userID . "'";
$result = mysql_query($sqlquery);
if (!$result)
{
echo "<p><font class=error>Could not find any entrys for this Basket</font></p>";
mysql_close();
return;
}
else
$rowCount = mysql_num_rows($result);
// if prodID is set new product is passed in, add/update the userID's basket
if ($prodID != "")
{
// find if the prodID already exists in this userID's basket
$sqlquery = "SELECT * FROM basket WHERE userID = '" . $userID . "' AND productID = '" . $prodID . "'";
$result = mysql_query($sqlquery);
$rowCount = mysql_num_rows($result);
// if no matches insert the product into the userID's basket
if ($rowCount == 0)
{
// find number of items in basket
$sqlquery = "SELECT * FROM basket WHERE userID = '" . $userID . "'";
$result = mysql_query($sqlquery);
$rowCount = mysql_num_rows($result);
// check if the maxquery's has been reached
if ($rowCount > ($MAXBASKETQUERY - 1))
{
echo ("<p><font class=error>Only $MAXBASKETQUERY overall orders are allowed, your product could not be added to basket</font></p>");
}
else
{
$expiretime = time() + 7200;
$sqlquery = "INSERT INTO basket" . $basketFields . "VALUES ('" . $prodID . "', '1', '" .$userID . "', '" . $expiretime . "')";
$result = mysql_query($sqlquery);
if (!$result)
echo "<font class=error><p>Could not add item to Basket</p></font>";
}
}
}
// select the userID's basket query and the Product Reference relating to each of the basket's productID's
$sqlquery = "SELECT products.Prod_REF, basket.productID, basket.quantity, products.Prod_Make, products.Prod_Model, products.Prod_Type, products.Car_Make, products.Car_Model, products.Price_ExVat, products.Post_ID, Product_Desc FROM basket INNER JOIN products ON basket.productID = products.Prod_ID WHERE ((basket.userID) = '" . $userID . "')";
$result = mysql_query($sqlquery);
$rowCount = mysql_num_rows($result);
// echo $sqlquery; // *debug
// assign the table headers
//$dbFields = array( "Reference", "Product Query");
// check if no entries in basket
if (!$result || (mysql_num_rows($result) == 0)){
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr class="stdtable" align="center">
<td colspan="6" class="error">No Product Queries
In Basket. </td>
</tr>
</table>
<?php
}
else
//*************display contents of basket//////////////////////////////////////////////////////
{
// echo each header from array
//foreach ($dbFields as $headIndex)
// echo an extra blank header for the delete item column
// fetch each row as an associative array
$counter = 1;
$price = 0;
//set default postage value outside loop
$postagerate = 10.00;
while ($row = mysql_fetch_assoc($result)) {
//decide which postage value is the highest and use that to calculate overall price
//get the postage values for each product
$sqlpostquery = "SELECT * FROM postage WHERE Post_ID = '" . htmlspecialchars($row['Post_ID']) . "'";
//get the postage values from the database
$postresult = mysql_query($sqlpostquery);
$rowpost = mysql_fetch_assoc($postresult);
// check if postage value was available
if ($postresult || !(mysql_num_rows($postresult) == 0))
{
$rawpostage = htmlspecialchars($rowpost['Post_Cost']) ? htmlspecialchars($rowpost['Post_Cost']) : 0.00;
//get the lowest postage rate.
if ($postagerate > $rawpostage)
{
$postagerate = $rawpostage;
}
}
else
{
$postagerate = 0.00;
}
//round postage rate of 2 decimal places
$postagerate = $postagerate;
//release the postage resultset array
mysql_free_result($postresult);
echo "<form action=basket.php method=get name=form".$counter.">
<input name=update type=hidden value=yes>
<input name=productID type=hidden value=". $row['productID'] ."><tr class=stdtable>";
echo("<td align=center> " . htmlspecialchars($row['Car_Model']) . "</td>");
echo("<td align=center> " . htmlspecialchars($row['Prod_REF']) . "</td>");
echo("<td align=left>" . htmlspecialchars($row['Product_Desc']) . "</td>");
//echo("<td align=center>". htmlspecialchars($row['Prod_REF']) ."</td>");
// for the final column echo an hyperlink to delete the product entry
//settype($row["Price_ExVat"], "integer");
echo "<td align=center><input name=updateQuantity onchange=submit(); type=text size=2 value=". htmlspecialchars($row['quantity'])."></td><td align=center>". $currency . number_format(htmlspecialchars($row['Price_ExVat']), 2) ."</td><td align=center>". $currency . number_format(calcVAT($row["Price_ExVat"]), 2) ."</td><td align=center>". $currency . number_format((calcVAT (htmlspecialchars($row['Price_ExVat'] * $row['quantity']))), 2) ."</td>";
echo "<td align=center><a href=\"basket.php?delete=yes&productID=" . $row['productID'] . "\"><img src=2003/remove.gif border=0></a></td>";
echo "</tr></form>";
$counter ++;
//get a cumulative value of the price as items are added to the basket and multiply by quantity as we go.
$price = $price + (calcVAT (htmlspecialchars($row['Price_ExVat']))) * htmlspecialchars($row['quantity']);
}
//assign subtotal and round to 2 decimal places
$subtotal = $price;
$total = $subtotal + $postagerate;
//pick overall postage type
if ($postagerate == 5)
$postage = 3;
else if ($postagerate == 9)
$postage = 2;
else if ($postagerate == 10)
$postage = 1;
}
//update shopper table with new/changed info
$sqlshopper = "SELECT * FROM shopper WHERE User_ID = '" . $userID . "'";
//echo "query: " . $sqlshopper;
$result = mysql_query($sqlshopper);
$rowCount2 = mysql_num_rows($result);
//add shopper
if ($rowCount2 == 0)
{
$sqladd = "INSERT INTO shopper" . $shopperFields . "VALUES ('" . $userID . "', '" . $total . "', '" . $postage . "')";
//echo "noshopper: " . $sqladd;
$shopadd = mysql_query($sqladd);
if (!$shopadd)
echo "<font class=error><p>Your basket has not been processed</p></font>";
}
else
{
//update details
$sqlupdate = "UPDATE shopper SET Basket_total = '" . $total . "', Postage = '" . $postage . "' WHERE user_ID = '" . $userID . "'";
//echo "shopper: " . $sqlupdate;
$shopupdate = mysql_query($sqlupdate);
if (!$shopupdate)
echo "<font class=error><p>Your basket has not been updated</p></font>";
}
// finish table
?>
</td>
</tr>
<?php
?>
</table>
<table width="100%" border="0" cellspacing="0" cellpadding="1">
<tr>
<td width="69%"><div align="right">
<table width="100%" border="0" cellspacing="0" cellpadding="5">
<tr>
<td width="90%"><div align="right"><a href="#"><img src="2003/update2.gif" alt="CLICK HERE TO UPDATE BASKET IF YOU CHANGE QUANTITIES" width="81" height="34" border="0" /></a></div></td>
<td width="10%"><div align="right"></div></td>
</tr>
</table>
</div></td>
<td width="31%"><table width="161" border="1" cellpadding="1" cellspacing="0" bordercolor="#FFFFFF">
<tr bordercolor="#FFFFFF">
<td width="55%" height="25" align="right" bgcolor="#EBEBEB" class=small><font color="#000000"><strong>SUB
TOTAL</strong></font></td>
<td width="45%" height="25" align="center" bgcolor="#EBEBEB" class=header>
<?php
echo $currency;
echo number_format($subtotal, 2);
?>
</td>
</tr>
<tr bordercolor="#FFFFFF">
<td height="25" align="right" class="small"><font color="#000000">POSTAGE</font></td>
<td height="25" align="center" class="header">
<?php
echo $currency;
echo number_format($postagerate, 2);
?>
</td>
</tr>
<tr bordercolor="#FFFFFF" bgcolor="#EAEADB">
<td height="25" align="right" class="small"><font color="#000000"><strong>TOTAL</strong></font></td>
<td height="25" align="center" class="header">
<?php
echo $currency;
echo number_format($total, 2);
?>
</td>
</tr>
</table></td>
</tr>
</table>
<!--end basket output-->
</td>
</tr>
</table>
<hr width="600" size="1" />
<div align="left"></div>
<table width="100%" border="0" cellspacing="0" cellpadding="15">
<tr>
<td align="center"><div align="left"><a href="<?php echo $_SESSION['returnTo']; ?>"><img src="2003/continue2.gif" alt="CLICK HERE TO CONTINUE SHOPPING" width="212" height="39" border="0" /></a></div></td>
<td align="right"><a href="https://www.autorack.co.uk/checkout.php"><img src="2003/proceed.gif" alt="CLICK HERE TO SUPPLY PAYMENT AND SHIPPING INFORMATION" width="212" height="39" border="0" /></a></td>
</tr>
</table> <br /> </div></td>
</tr>
</table></td>
</tr>
</table>
<!--end basket htm-->
<?php
//include footer code
//release the postage resultset array
mysql_free_result($result);
// close the database connection
mysql_close();
?>
05-19-2010, 04:55 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
PHP Code:
// assign variables
//echo "ref1:" . $HTTP_REFERER . "<br>";
//$temp = (string)$HTTP_REFERER;
//$urlref2 = substr($temp,0,6);
//echo "ref:" . $urlref;
$urlref = $HTTP_REFERER;
$prodID = $_GET['productID'];
$delete = $_GET ['delete'];
$quantity = $_GET['quantity'];
$updateQuantity = $_GET['updateQuantity'];
$update = $_GET ['update'];
$currency = "£";
// maximum querys per user basket
$MAXBASKETQUERY = 25;
// start the html table
These will all need sanitizing, because they are all used in their raw form for database queries.
PHP Code:
$sqlquery = "UPDATE basket SET quantity = '" . $updateQuantity . "' WHERE productID = '" . $prodID . "'AND userID = '" . $userID . "'";
http://net.tutsplus.com/tutorials/ph...-applications/ Use this link and read the article, most importantly tips 3, 4 and 5.
I hope this gets you on the right road.
Last edited by Phunk Rabbit; 05-19-2010 at 04:58 AM..
Reason: [/php] is causing html to display in the post.
05-19-2010, 05:04 AM
Re: Cross Site Scripting Advise Please.
Posts: 961
Name: Darren
Location: England
Thanks John,
This seems a bit over my head to be honest! I'll keep researching though... 
05-19-2010, 05:09 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
No problem, it can be a bit daunting at first; I still don't fully understand the ins and outs of it.
05-19-2010, 05:31 AM
Re: Cross Site Scripting Advise Please.
Posts: 42,384
Name: Chris Hirst
Location: Blackpool. UK
Chris.
A foolish consistency is the hobgoblin of little minds
Thought for today:- Is SEO the only industry where all the cowboys are Indians?
05-19-2010, 06:29 AM
Re: Cross Site Scripting Advise Please.
Posts: 961
Name: Darren
Location: England
What?? It makes no sense to mere mortals like me!!! 
05-19-2010, 07:19 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
lol yeah that other thread isn't really going to get you anywhere.
Disclaimer: I am by no means a PHP security expert so please only use what I put here as a tool to learn from.
The basics of what you need to do:
This code needs to be cleaned so that when you pass the $variables to the MySQL query no one can send malicious code, etc.
PHP Code:
// assign variables
//echo "ref1:" . $HTTP_REFERER . "<br>";
//$temp = (string)$HTTP_REFERER;
//$urlref2 = substr($temp,0,6);
//echo "ref:" . $urlref;
$urlref = $HTTP_REFERER;
$prodID = $_GET['productID'];
$delete = $_GET ['delete'];
$quantity = $_GET['quantity'];
$updateQuantity = $_GET['updateQuantity'];
$update = $_GET ['update'];
$currency = "£";
// maximum querys per user basket
$MAXBASKETQUERY = 25;
// start the html table
Basic sanitizing could consist of simple measures like checking that the value is numeric, conforms to a specific pattern (email etc.) or is no longer/shorter than a specified length.
An example of basic sanitisation would be (although technically not sanitisation, more data validation):
PHP Code:
if(is_numeric($_GET['productID']))
{
$prodID = $_GET['productID'];
}
else
{
echo 'Product ID must be a number.';
}
PHP has functions built in to help you protect your applications, an example of some of these:
PHP.net Add Slashes.
PHP.net HTML Special Chars.
PHP Code:
$prodID = addslashes($_GET['productID']);
// if $prodID contained 89'00 for example, it would become 89\'00. This prevents the ' from causing any unwanted effects, like being used in a malicious SQL query submitted through your form or query string in the address.
$prodID = htmlspecialchars($_GET['productID']);
// if $prodID contained 89&00 it would become 89&amp;00, converting the HTML character into its raw (non special) state.
Another great built in function to use is PHP.net MySQL Real Escape String.
You should use it in conjunction with print to build your query:
PHP Code:
$prodID = $_GET['productID'];
$query = sprintf("SELECT * FROM table WHERE productid='%s' LIMIT 1", mysql_real_escape_string($prodID));
Note, you should read about (s)print here: http://www.talkphp.com/general/1062-...s-sprintf.html.
You should use combinations of security measures or even better, create your own (or borrow) secure post/get/variable/query cleaner utilising the best functions and methods for your situation.
05-19-2010, 07:46 AM
Re: Cross Site Scripting Advise Please.
Posts: 961
Name: Darren
Location: England
Ok, am I understanding this correctly...
basket.php?src=%2Fproduct_page.php&productID=1126549
is a problem BECAUSE the %2f is there and:
basket.php?src=product_page.php&productID=1126549
Would be more secure?
05-19-2010, 07:55 AM
Re: Cross Site Scripting Advise Please.
Posts: 42,384
Name: Chris Hirst
Location: Blackpool. UK
No no, it's because "product_page.php" is there.
Passing a target page is what makes it potentially a weakness, because an "attacker" could replace "product_page.php" with "remoteURI.tld" and if you have failed to "sanitise" the GET parameters, could be including the content from or redirecting to that remote URI.
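In the posted basket code the src value goes into $_SESSION['returnTo'] and is later written straight into the "continue shopping" link, which is the kind of GET-parameter misuse Chris is pointing at. This is an added example, not the basket's own code or Chris's, of accepting only an allow-listed local page path for that parameter and escaping it on output; the safe_return_path/continue_link names and the allow-list are assumptions.

```php
<?php
// Added example (not the original basket code): the basket stores
// $_GET['src'] in $_SESSION['returnTo'] and later echoes it into the
// "continue shopping" link. This keeps only a known local page path and
// escapes it on output, so a value carrying a remote URL or HTML/JS is
// replaced by a fixed default instead of reaching the browser.
declare(strict_types=1);

const DEFAULT_RETURN = '/index.php';

// Accept only a site-relative path such as "/product_page.php?productID=12".
// Anything else (remote URL, protocol-relative "//host", a scheme such as
// "javascript:", quotes, angle brackets, control characters) is rejected.
function safe_return_path(?string $src, array $allowedPages): string
{
    if ($src === null || $src === '' || strlen($src) > 200) {
        return DEFAULT_RETURN;
    }
    // Whole value must be: "/" + a page name + an optional simple query string.
    if (!preg_match('#\A/([A-Za-z0-9_]+\.php)(\?[A-Za-z0-9_=&-]*)?\z#', $src, $m)) {
        return DEFAULT_RETURN;
    }
    // The page itself must be one the basket is allowed to send users back to.
    if (!in_array($m[1], $allowedPages, true)) {
        return DEFAULT_RETURN;
    }
    return $src;
}

// Build the link markup: the path is validated AND HTML-escaped, so a value
// that somehow slipped past validation still cannot break out of the attribute.
function continue_link(string $path): string
{
    $escaped = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">Continue shopping</a>';
}

// --- constructed inputs standing in for $_GET['src'] (already URL-decoded) ---
$allowed = ['product_page.php', 'index.php', 'search.php'];   // assumed allow-list
$cases = [
    '/product_page.php?productID=1126549',   // legitimate (decoded %2F form)
    'http://remoteURI.tld/',                 // remote target: rejected
    '//remoteURI.tld/x.php',                 // protocol-relative: rejected
    'javascript:alert(1)',                   // a scheme, not a path: rejected
    '/product_page.php"><script>1</script>', // attribute break-out: rejected
    '/admin.php',                            // valid shape but not allow-listed
    null,                                    // parameter absent
];
foreach ($cases as $src) {
    $path = safe_return_path($src, $allowed);
    printf("%-42s -> %s\n", var_export($src, true), continue_link($path));
}
```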
05-19-2010, 07:57 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
I'm not sure if the %2F is causing a security hole if I'm honest, the main hole in your app that I can see is:
Your variables:
PHP Code:
$urlref = $HTTP_REFERER;
$prodID = $_GET['productID'];
$delete = $_GET ['delete'];
$quantity = $_GET['quantity'];
$updateQuantity = $_GET['updateQuantity'];
$update = $_GET ['update'];
are being used here (and in other queries):
PHP Code:
$sqlquery = "UPDATE basket SET quantity = '" . $updateQuantity . "' WHERE productID = '" . $prodID . "'AND userID = '" . $userID . "'";
But anyone could intercept the query string (basket.php?src=%2Fproduct_page.php&productID=1126549) and replace it with something like:
basket.php?src=%2Fproduct_page.php&productID='DROP basket';
And therefore delete the basket table, insert, delete or change data. Imagine if someone was to set all your prices to 0.01p or delete all your products!
If you can't get your head around this I would look at paying someone who is very good with PHP to run through your script and patch it up.
Hopefully someone else will come into this thread and help you out a bit more.
Last edited by Phunk Rabbit; 05-19-2010 at 07:58 AM..
Reason: Random <span>'s in post again.
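The validation John describes earlier in the thread (is_numeric, escaping, sprintf with mysql_real_escape_string) and the UPDATE query he points at here, reworked as an added example that is not the basket's or John's own code: each parameter is validated before use and then bound with PDO prepared statements, so a value like 'DROP basket' never reaches the SQL text. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table with the posted code's column names in place of the MySQL basket table.

```php
<?php
// Added example (not the original basket code): the parameters the basket
// reads from $_GET, validated first and then bound as data with PDO prepared
// statements instead of being concatenated into the SQL string.
// Uses an in-memory SQLite database (assumed pdo_sqlite) so it runs
// stand-alone; table and column names follow the posted code.
declare(strict_types=1);

// Return the parameter as an int within [min, max], or null if absent/invalid.
function read_int_param(array $get, string $name, int $min, int $max): ?int
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "1126549' OR '1'='1", "12abc", "1e3", " 5".
    $v = filter_var($get[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

// The basket only ever compares delete/update against the literal 'yes'.
function read_flag(array $get, string $name): bool
{
    return isset($get[$name]) && $get[$name] === 'yes';
}

// Update (or, for quantity 0, remove) one product in one user's basket.
// Every value travels as a bound parameter, so quotes inside it are data.
function update_basket_quantity(PDO $db, string $userID, int $prodID, int $qty): int
{
    if ($qty === 0) {
        $stmt = $db->prepare('DELETE FROM basket WHERE userID = :u AND productID = :p');
    } else {
        $stmt = $db->prepare('UPDATE basket SET quantity = :q WHERE userID = :u AND productID = :p');
        $stmt->bindValue(':q', $qty, PDO::PARAM_INT);
    }
    $stmt->bindValue(':u', $userID, PDO::PARAM_STR);
    $stmt->bindValue(':p', $prodID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Handle one basket request; returns the message the page would display.
function handle_basket_request(PDO $db, string $userID, array $get): string
{
    $prodID = read_int_param($get, 'productID', 1, PHP_INT_MAX);
    if ($prodID === null) {
        return 'Product ID must be a number.';
    }
    if (read_flag($get, 'delete')) {
        return update_basket_quantity($db, $userID, $prodID, 0) ? 'Item deleted.' : 'Nothing to delete.';
    }
    if (read_flag($get, 'update')) {
        // A blank or 0 quantity removes the item, as the original basket does.
        $qty = read_int_param($get, 'updateQuantity', 0, 999) ?? 0;
        return update_basket_quantity($db, $userID, $prodID, $qty) ? 'Your basket has been updated' : 'Your basket has NOT been updated';
    }
    return 'No action requested.';
}

// --- constructed demo data ----------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE basket (productID INTEGER, quantity INTEGER, userID TEXT, expiretime INTEGER)');
$db->exec("INSERT INTO basket VALUES (1126549, 1, 'user-abc', 0)");

// A normal quantity change from the basket form.
echo handle_basket_request($db, 'user-abc',
    ['update' => 'yes', 'productID' => '1126549', 'updateQuantity' => '3']), "\n";
// The tampered productID from the thread is rejected before any SQL is built.
echo handle_basket_request($db, 'user-abc',
    ['delete' => 'yes', 'productID' => "'DROP basket'"]), "\n";
```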
05-19-2010, 08:00 AM
Re: Cross Site Scripting Advise Please.
Posts: 42,384
Name: Chris Hirst
Location: Blackpool. UK
Quote:
basket.php?src=%2Fproduct_page.php&productID='DROP basket';
The problem is CROSS SITE SCRIPTING NOT SQL Injection.
05-19-2010, 08:00 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
Quote:
Originally Posted by chrishirst
No no, it's because "product_page.php" is there.
Passing a target page is what makes it potentially a weakness, because an "attacker" could replace "product_page.php" with "remoteURI.tld" and if you have failed to "sanitise" the GET parameters, could be including the content from or redirecting to that remote URI.
Chris, just out of interest (because I'm still learning this myself), while being able to change the page is not good, what security holes would this open, i.e. what bad things could people do to the system by redirecting to their own page?
05-19-2010, 08:01 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
Quote:
Originally Posted by chrishirst
The problem is CROSS SITE SCRIPTING NOT SQL Injection.
They are both present.
05-19-2010, 08:18 AM
Re: Cross Site Scripting Advise Please.
Posts: 42,384
Name: Chris Hirst
Location: Blackpool. UK
It's not so much the redirecting though that can allow installation of malicious code, but the includes that poses the main risk.
Because the remote page will be executed on the page therefore on the same site as the parent it will allow javascript or embedded ActiveX controls to run in the context of the local site and as such can elevate the client permissions. (I'm sounding like a MS Tech now).
That may leave the client browser (Well IE mainly) open to hijacks or malicious scripts or code to be added/installed without raising any security warnings depending on how the client browser securities are set.
05-19-2010, 08:19 AM
Re: Cross Site Scripting Advise Please.
Posts: 42,384
Name: Chris Hirst
Location: Blackpool. UK
Quote:
Originally Posted by Phunk Rabbit
They are both present.
Yep; but the concern for PCI is the XSS possibilities which may of course compromise SSL integrity.
05-19-2010, 08:28 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
Quote:
Originally Posted by chrishirst
It's not so much...
...lient browser securities are set.
Ooooh gotcha, I have been overlooking the presence of the included file that is now present on the server; this is where my logic failed when looking into this subject before now.
05-19-2010, 08:51 AM
Re: Cross Site Scripting Advise Please.
Posts: 961
Name: Darren
Location: England
I Think I'm going to cry... 
05-19-2010, 08:56 AM
Re: Cross Site Scripting Advise Please.
Posts: 255
Name: John Nerush
Location: Milton Keynes, UK
Quote:
Originally Posted by rolda hayes
I Think I'm going to cry... 
Cheer up rolda, it could be worse, you could keep putting your foot in your mouth :P like me.
Due to the nature of the problem you are seemingly facing, outside help might be warranted, although from what I now understand from Chris and his replies the problem may not be that bad to fix. However I would hesitate from suggesting anything since my understanding isn't great.