XSS Vulnerability

[paurkedal]

I understand you are working on security updates to Archon, so I'm passing archonproject#75 over to you. The issue regards a XXS vuln which a college of mine found here: https://www.openbugbounty.org/incidents/202333/. I did the following on the page in question, which curbs the particular attach, but I'm not sure if it breaks something and fgrep '\"$' -r * --include \*.php suggests there may be similar issues.

--- packages/core/pub/contact.php       2017-02-23 18:00:19.289374542 +0100
+++ packages/core/pub/contact.php.orig  2014-01-17 21:24:06.000000000 +0100
@@ -67,7 +67,7 @@
 
     $in_referer = $_REQUEST['referer'] ? $_REQUEST['referer'] : urlencode($_REQUEST['HTTP_REFERER']);
 
-    $repositoryid = $_REQUEST['repositoryid'] ? int($_REQUEST['repositoryid']) : 0;
+    $repositoryid = $_REQUEST['repositoryid'] ? $_REQUEST['repositoryid'] : 0;
 
 
 
@@ -111,8 +111,8 @@
 
        $form = "<input type=\"hidden\" name=\"f\" value=\"sendemail\" />\n";
        $form .= "<input type=\"hidden\" name=\"p\" value=\"core/contact\" />\n";
-       $form .= "<input type=\"hidden\" name=\"referer\" value=\"".htmlspecialchars($in_referer)."\" />\n";
-       $form .= "<input type=\"hidden\" name=\"query_string\" value=\"".htmlspecialchars($query_string)."\" />\n";
+       $form .= "<input type=\"hidden\" name=\"referer\" value=\"$in_referer\" />\n";
+       $form .= "<input type=\"hidden\" name=\"query_string\" value=\"$query_string\" />\n";
        $form .= "<input type=\"hidden\" name=\"RepositoryID\" value=\"$repositoryid\" />\n";
 
        $strRequiredMarker = "<span style=\"color:red\">*</span>";

[cvonkleist]

Hey, @paurkedal. I recently did a light pen test of Archon and came to the same conclusion as you: Archon has a number of XSS vulnerabilities.

Archon doesn't have a dedicated development team right now, but I hope any security conscious folks who want to run it will help look for these bugs and submit issues or pull requests. I think it's going to take a while to find and fix these bugs.

In the meantime, it seems to me that Archon should be run behind a fairly restricted web application firewall. I added this document to our fork of the repo: ModSecurity.md

It's probably a very good idea to make a note of this security stuff in the Archon README, so I'll make that happen.

Thanks for opening this issue!

[chrisprom]

I did a bit of manual testing of this, and I believe most if not all of the xss vulnerabilities are found in the 'contact us' script and in the 'research' package. There are much better ways for repositories to achieve both of these functions outside of archon, for example by pointing to a contact form or by integrating the aeon software. As the production testing moves forward, you may want to either eliminate these functions from the software or at least suppress them from the default theme, which means simply removing them from the header files in which they are included.

[cvonkleist]

@chrisprom: Thank you, that's great info. It sounds like the "contact us" script and "research" package would be the best places for someone to begin making improvements.

[paurkedal]

@cvonkleist: I'm looking into ModSecurity, thanks for the nice guide!
@chrisprom: Thanks, good we can limit it.