XSS Scripting Problem

07-03-2009, 05:06 AM
rolda hayes (Darren, England):
Hey,

Having a nightmare at the moment with trying to iron out security bugs in a shopping basket to make it pass a security scan.

One of the errors that comes back is the possible chance of Cross Site Scripting (XSS).

Basically, when the "buy" button is clicked, the browser's URL has "%2F" inserted into it, and this is causing the problem.

After doing some research into it, it seems I need to add a function that removes that part?

The URL that displays when I click the button is as follows.

http://mysite/basket.php?src=%2Fpage-title.php&productID=1061011

Hope this makes sense!
__________________
"I always wanted the adoration of John Lennon - With The Anonimity of Ringo Starr..."
QuizBay Help with the testing of this Beta site!
07-03-2009, 03:16 PM Re: XSS Scripting Problem
JeremyMiller (Jeremy Miller, Marianna, FL):
Doing that only removes the symptom of the problem. Your security check software has probably identified that you're letting the user pass a path to a file. This is often a good way to expose files on your site which contain non-public information (just change the URL to a different file... guessing and checking is ok). A better solution would be to secure your code so that it doesn't pass a forward slash (that's what %2F is) and the ".php" part and ensuring that the value of src is adjusted server-side after being validated as not trying to access unwanted files.

To give more assistance with doing this would require a look at the code. It may not be a quick solution if a number of files need to be modified, but it will make your site more secure.

EDIT: Code added:
PHP Code:
<?php
// Default to an empty string if the parameter is absent, so substr() never sees null.
$src = isset($_GET['src']) ? $_GET['src'] : '';

//Strip garbage from front and end: the leading "/" and the trailing ".php".
$src = substr($src, 1, -4);

//Remove non-alphanumeric characters and non-dashes.
$src = preg_replace('/[^a-z\-0-9]/i', '', $src);

//Now ensure that $src names a real page under the document root.
//(A bare "/" prefix would test the filesystem root, not the site.)
$path = $_SERVER['DOCUMENT_ROOT'] . '/' . $src . '.php';
if ($src === '' || !file_exists($path) || is_dir($path)) {
    //File does not appear where expected, so erase variable's value.
    $src = '';
}
$_GET['src'] = $src;
?>
The code above will sanitize the variable, but not get rid of your security scan error. For that, you'd start at my "remove non-alphanumeric" line after applying the changes to URLs throughout the system.
__________________
Jeremy Miller - TeraTask
Content Farmer - Automated Posting for Content & Blog Sites

Last edited by JeremyMiller; 07-03-2009 at 03:20 PM..
07-06-2009, 05:51 AM Re: XSS Scripting Problem
rolda hayes:
** Edit **

Ok, the code for the buy button is:

Code:
<?php
// Connection details are placeholders. The original used the mysql_* extension,
// which was removed in PHP 7, so this uses mysqli with a prepared statement.
$mysqli = new mysqli("localhost", "dbuser", "dbpass", "shop");

$strProd_REF = "1234";
$strCar_ID = "all";   // the original query referenced an undefined $strID here

// Bind the two values instead of concatenating them into the SQL string.
$stmt = $mysqli->prepare("SELECT Prod_ID FROM products WHERE Prod = ? AND ID = ?");
$stmt->bind_param("ss", $strProd_REF, $strCar_ID);
$stmt->execute();
$stmt->bind_result($prodId);

while ($stmt->fetch()) {
    // Build the URL first, then escape it once for the HTML attribute context.
    $href = "basket.php?src=" . urlencode($_SERVER['REQUEST_URI']) . "&productID=" . urlencode($prodId);
    echo '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
       . '<img src="images/add.jpg" width="55" height="28" border="0" alt="Add to basket"></a>';
}

$stmt->close();
$mysqli->close();
?>

Last edited by rolda hayes; 07-06-2009 at 12:16 PM..
07-06-2009, 07:16 PM Re: XSS Scripting Problem
JeremyMiller:
I'm not 100% sure where you're going with this, but try replacing

urlencode($_SERVER['REQUEST_URI'])

with

trim($_SERVER['REQUEST_URI'],'/')
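The following is an added example, not code from the thread or from either poster. It shows both halves of the `src` round trip that Jeremy's first reply argues for: the product page derives a slash-free page token from the script that is actually executing (rather than from `$_SERVER['REQUEST_URI']`, which carries the query string and whatever the visitor typed into the address bar, so `trim()` alone does not make it safe), and `basket.php` accepts the token only if it names an existing page inside one allowed directory before using it in a link. The function names, the `$pagesDir` location and the page names are assumptions made for the illustration.

```php
<?php
// Added example; not the thread's code. $pagesDir, page names and function
// names are illustrative assumptions.

/**
 * Producer side: derive the token from the executing script, e.g.
 * "/shop/page-title.php" -> "page-title". No slash, no ".php", and only
 * the characters a page name is allowed to contain.
 */
function page_token(string $scriptName): string
{
    $base = basename($scriptName, '.php');
    return preg_replace('/[^a-z0-9\-]/i', '', $base);
}

/**
 * Consumer side (basket.php): accept the token only if it names an existing
 * .php file directly inside $pagesDir. realpath() canonicalises both sides so
 * "..", symlinks or encoded slashes cannot resolve outside that directory.
 * Returns the web path to link back to, or null if the token is rejected.
 */
function resolve_src(?string $token, string $pagesDir): ?string
{
    if ($token === null || !preg_match('/^[a-z0-9\-]{1,64}$/i', $token)) {
        return null;                      // wrong shape: reject outright
    }
    $root = realpath($pagesDir);
    $file = realpath($pagesDir . '/' . $token . '.php');
    if ($root === false || $file === false || is_dir($file)) {
        return null;                      // no such page
    }
    if (dirname($file) !== $root) {
        return null;                      // resolved outside the allowed directory
    }
    return '/' . $token . '.php';
}

/** Render the "continue shopping" link; escaping for the attribute context happens here. */
function back_link(?string $path): string
{
    if ($path === null) {
        $path = '/index.php';             // safe default when src was rejected
    }
    return '<a href="' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . '">Continue shopping</a>';
}

// --- demonstration against a throw-away directory (constructed input) ---
$pagesDir = sys_get_temp_dir() . '/shop-pages-' . getmypid();
mkdir($pagesDir);
file_put_contents($pagesDir . '/page-title.php', "<?php // product page\n");

echo page_token('/shop/page-title.php'), "\n";                       // page-title
echo back_link(resolve_src('page-title', $pagesDir)), "\n";           // links to /page-title.php
echo back_link(resolve_src('../etc/passwd', $pagesDir)), "\n";        // default: traversal rejected
echo back_link(resolve_src('javascript:alert(1)', $pagesDir)), "\n";  // default: not a page name
echo back_link(resolve_src('missing', $pagesDir)), "\n";              // default: no such file

unlink($pagesDir . '/page-title.php');
rmdir($pagesDir);
```

The shape check rejects most bad input before the filesystem is consulted, and the `realpath()` comparison is what makes the allowlist hold even for a token that passes the regex but points somewhere unexpected; a scanner that flags `%2F` in the URL is reacting to the slash, but it is the server-side mapping from token to file that decides whether the parameter is actually safe.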
07-07-2009, 05:18 AM Re: XSS Scripting Problem
rolda hayes:
Excellent! What I was trying to do is to change the buy button URL from:

http://www.mysite.com/basket.php?src...ductID=1061014

to:

http://www.mysite.com/basket.php?src...ductID=1061014

So now there is no %2F in the URL of the basket page.

What I'm hoping is that if I change this, the security scan will OK the pages?
07-07-2009, 12:09 PM Re: XSS Scripting Problem
JeremyMiller:
Quote:
Originally Posted by rolda hayes
Excellent! What I was trying to do is to change the buy button URL from:

http://www.mysite.com/basket.php?src...ductID=1061014

to:

http://www.mysite.com/basket.php?src...ductID=1061014

So now there is no %2F in the URL of the basket page.

What I'm hoping is that if I change this, the security scan will OK the pages?
Did you try? I didn't write the security software.
07-07-2009, 12:18 PM Re: XSS Scripting Problem
rolda hayes:
Sorry, I guess I meant by that "do you know any obvious reasons why this won't work?"

I've got quite a few pages to change manually, so I'll let you know what happens.

Cheers Jeremy for your help
07-07-2009, 12:21 PM Re: XSS Scripting Problem
JeremyMiller:
Yes, I do, and I gave them to you in the paragraph starting my first reply. Now that I've seen more of your code, that doesn't appear to be what you're doing, but I rather doubt the security software will guess that.