Announcement

**hmendenhall** · 12-04-14, 01:16 PM

Re: XSS issue with error message on NTFD page

Originally posted by Mike521w View Post

Our vulnerability scanner figured out that we had an XSS issue on our NTFD page. Basically the system-generated error message was printing g.Screen without encoding entities.

I dug around all over the place looking for a spot where I could change the error message from &mvt to &mte but I couldn't find it, so I ended up just testing if the page is NTFD, and if so I print my own message. But is there a way to correct the actual system-generated message?

My new code, located in my global header, is:

Code:

<mvt:if expr="g.Error_Message_Count">
    <mvt:if expr="l.settings:page:code NE 'NTFD'">
           <mvt:item name="messages" />
    <mvt:else>
        We're sorry, that page no longer exists.
    </mvt:if>
</mvt:if>

Hey When you say system-generated message are you talking about the default message IE " The item you requested is not available at this time." I think I am a little lost as to what you mean can you clarify a bit more.

**Mike521w** · 12-04-14, 02:07 PM

Re: XSS issue with error message on NTFD page

Well basically, it seems like the line that reads:

<mvt:item name="messages" />
was creating a message that said something like "Sorry, page 'xyz' does not exist."

That part was vulnerable to XSS attacks because it reprinted the page code, even if the code was supplied by the query string and was really just a javascript or something.

**hmendenhall** · 12-04-14, 02:27 PM

Re: XSS issue with error message on NTFD page

Originally posted by Mike521w View Post

Well basically, it seems like the line that reads:

<mvt:item name="messages" />
was creating a message that said something like "Sorry, page 'xyz' does not exist."

That part was vulnerable to XSS attacks because it reprinted the page code, even if the code was supplied by the query string and was really just a javascript or something.

Hey

All you would need to do is go to the NTFD page template and change this line.

<mvt:if expr="ISNULL g.Error_Messages">
<h4 class="text-danger">The resource you requested is not available at this time.</h4>
<mvt:else>
<h4 class="text-danger">We're sorry, that page no longer exists.</h4>
</mvt:if>

Please and Thank You

**Mike521w** · 12-04-14, 03:11 PM

Re: XSS issue with error message on NTFD page

I know, that's basically what I did, but my question is, can I fix the actual system-generated message somewhere? So I can still use <mvt:item name="messages" />

**findme** · 08-06-15, 06:31 AM

Re: XSS issue with error message on NTFD page

I'm getting harassed by a "security researcher" who has published a similar MIVA-based XSS issue on a public XSS forum and tweeted about it.

I'm worried about a "whack-a-mole" scenario where they keep finding URL's within the bowels of MIVA to complain about.

Is there a way MIVA can do a universal patch for this so it goes away once and for all?

**Rick Wilson** · 08-06-15, 09:40 AM

Re: XSS issue with error message on NTFD page

There are no XSS in Miva by default, so no we can't.

However our platform is flexible enough for you to introduce your own XSS's and there's nothing we can do to stop that.

**findme** · 08-06-15, 10:06 AM

Re: XSS issue with error message on NTFD page

Originally posted by findme View Post

I'm getting harassed by a "security researcher" who has published a similar MIVA-based XSS issue on a public XSS forum and tweeted about it.

I'm worried about a "whack-a-mole" scenario where they keep finding URL's within the bowels of MIVA to complain about.

Is there a way MIVA can do a universal patch for this so it goes away once and for all?

Does anyone out there know how to fix this?

**Mike521w** · 08-06-15, 11:45 AM

Re: XSS issue with error message on NTFD page

Originally posted by Rick Wilson View Post

There are no XSS in Miva by default, so no we can't.

However our platform is flexible enough for you to introduce your own XSS's and there's nothing we can do to stop that.

Rick, my original post on this was specifically about the error message generated by Miva - meaning Miva's message was vulnerable at that time. Maybe it's been fixed since then? I'm not sure, I still have my workaround in place, haven't thought about this at all.

**Brennan** · 08-06-15, 11:50 AM

Re: XSS issue with error message on NTFD page

To answer your question, no if MMUI you cannot modify the built in error messages. However in a CSSUI store you are able to view and edit these messages.

This issue you are seeing is that the <mvt:item name="messages" /> is not intended to be used on the NFTD page.

The correct code should be (for a MMUI store):

Code:

<blockquote>
    <mvt:item name="fonts" param="body_font">
        <mvt:if expr = "ISNULL g.Error_Messages">
            The item you requested is not available at this time. 
        <mvt:else>
            &mvte:global:Error_Messages;
        </mvt:if>
    </mvt:item>
</blockquote>

**Mike521w** · 08-07-15, 07:57 AM

Re: XSS issue with error message on NTFD page

sounds good, thanks Brennan!

Announcement

XSS issue with error message on NTFD page

XSS issue with error message on NTFD page

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment