Thankfully the flaw is what is classed as a non-persistent (reflected) cross-site scripting vulnerability. At first glance there seems to be no danger, as the person injecting malicious code into the URL only affects their own browser, cookies, cache, etc. However, once an attacker has found the vulnerability they go on to post infected links to the vulnerable website on other websites for non-savvy internet users to click.

Back to fixing Zazzle Store Builder.

It’s actually a lot easier than you would imagine to put a stop to any would-be attackers, and it involves adding a grand total of 2 lines of code to zstore.php. All we are going to do is add 2 preg_replace calls in the parts of the code which handle the sort and pagination parameters, as it is these two URL parameters which cause the vulnerability.

First find the following line (should be around line 211 if using Dreamweaver):

if(!strstr( $_GET['gridPage'],  ',' )) {  // only one grid page passed

Immediately before it place the following:

$_GET['gridPage'] = preg_replace('~[^0-9,_]+~i', '', $_GET['gridPage']); // removes XSS characters from gridPage

The gridPage parameter controls the pagination (the ability to move through pages) and tracks how many Store Builder grids are on the one web page. It only ever contains numbers, commas, and underscores, so this line of code keeps exactly those characters in the gridPage parameter of the URL and strips out anything else before the rest of the script ever sees it.

We need to do something similar to the parameter which controls sorting by popularity or date created. Find the following line of code (should be line 241 or thereabouts):

if(!strstr($_GET['gridSort'], ',' )) {

Immediately before it place the following:

$_GET['gridSort'] = preg_replace('~[^a-z0-9,_]+~i', '', $_GET['gridSort']); // removes XSS characters from gridSort

This time we need to allow a few more characters, namely any letter of the alphabet in lower or upper case. The pattern is practically the same as before except we’ve added a-z; the trailing i tells it to match case insensitively, so upper-case letters survive too. Again, we are telling Store Builder to remove anything from the parameter which isn’t a letter, a number, a comma, or an underscore.

With these 2 lines of code added, if someone tries to inject anything nothing will happen, as all of the vital parts needed for an injection, like the angle brackets (< or >) and quotes, get stripped from the URL before the values are used. No damage can be done.
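To make the effect of the two filters concrete, here is a stand-alone script that applies the same allow-list patterns to a legitimate request and to a constructed injection attempt, and then shows the second layer a defender would normally add as well: encoding the value with htmlspecialchars at the point where it is written back into the page. This is an added example and not code from Zazzle Store Builder; the function names (sanitizeGridPage, sanitizeGridSort, renderGridLink) and the sample parameter values are made up for illustration.

```php
<?php
// Added example, not part of Zazzle Store Builder. Function names and sample
// values are constructed for illustration only.

declare(strict_types=1);

// Allow-list filter for gridPage: only digits, commas and underscores survive.
// Same pattern as the fix above; the case-insensitive flag is not needed for digits.
function sanitizeGridPage(string $raw): string
{
    return preg_replace('~[^0-9,_]+~', '', $raw) ?? '';
}

// Allow-list filter for gridSort: letters (either case), digits, commas, underscores.
function sanitizeGridSort(string $raw): string
{
    return preg_replace('~[^a-z0-9,_]+~i', '', $raw) ?? '';
}

// Defence in depth: even a value that passed the filter is encoded on output,
// so it can never terminate the attribute or start a tag in the rendered HTML.
function renderGridLink(string $gridPage, string $gridSort): string
{
    $href = 'zstore.php?gridPage=' . rawurlencode($gridPage)
          . '&gridSort=' . rawurlencode($gridSort);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">next</a>';
}

// Constructed sample requests: one legitimate, one carrying a reflected XSS attempt.
$samples = [
    'legitimate' => ['gridPage' => '2,1_0',
                     'gridSort' => 'popularity,DT'],
    'injection'  => ['gridPage' => '2"><script>alert(1)</script>',
                     'gridSort' => 'dt" onmouseover="alert(1)'],
];

foreach ($samples as $label => $q) {
    $page = sanitizeGridPage($q['gridPage']);
    $sort = sanitizeGridSort($q['gridSort']);
    printf("%-10s gridPage %-36s -> %s\n", $label, var_export($q['gridPage'], true), $page);
    printf("%-10s gridSort %-36s -> %s\n", $label, var_export($q['gridSort'], true), $sort);
    printf("%-10s rendered: %s\n\n", $label, renderGridLink($page, $sort));
}

// Self-check: the filters keep legitimate values intact and strip every
// character an injection depends on from the hostile ones.
assert(sanitizeGridPage('2,1_0') === '2,1_0');
assert(sanitizeGridSort('popularity,DT') === 'popularity,DT');
assert(sanitizeGridPage('2"><script>alert(1)</script>') === '21');
assert(sanitizeGridSort('dt" onmouseover="alert(1)') === 'dtonmouseoveralert1');
assert(strpos(renderGridLink('2', '"><b>'), '"><b>') === false);
```

Run it from the command line with `php -d zend.assertions=1 example.php`; the filtered values print next to their raw inputs, and the assertions at the end confirm that nothing but the allowed characters survives the two preg_replace calls.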

Right then, I’m off to fix mine!