Fixing the cross-site scripting (XSS) vulnerability in Zazzle Store Builder 1.0.2

/ Zazzle / by Lisa Marie Robinson / 8 Comments
This post was published back on June 25, 2010 and may be outdated. Please use caution when following older tutorials or using older code. After reading be sure to check for newer procedures or updates to code.

Thankfully the flaw is what is classed as a non-persistent (reflected) cross-site scripting vulnerability: the malicious code lives in the URL rather than being stored on the site. At first glance there seems to be no danger, since whoever injects script into the URL only affects their own browser session. The real risk appears once an attacker has found the vulnerability: they post the crafted links to the vulnerable site on other websites, in emails and so on, and when a less savvy visitor clicks one, the script runs in that visitor's browser in the context of the vulnerable site, with access to their cookies and session for it.

Back to fixing Zazzle Store Builder.

It's actually a lot easier than you would imagine to put a stop to any would-be attackers, and it involves adding a grand total of 2 lines of code to zstore.php. All we are going to do is add 2 preg_replace calls in the parts of the code which handle the sort and pagination parameters, as it is these which cause the vulnerability.

First find the following line (should be around line 211 if using Dreamweaver):

Immediately before it place the following:

The gridPage variable controls the pagination (the ability to move through pages) and tracks how many Store Builder grids are on the one web page. It only ever contains numbers, commas, and underscores, so this line of code removes from the gridPage parameter of the URL any run of characters that is not a number, a comma, or an underscore. The [^0-9,_] in the pattern is a negated character class: it matches anything except those characters, and preg_replace replaces each match with an empty string.

We need to do something similar to the variable which controls sorting by popularity or date created. Find the following line of code (should be line 241 or thereabouts):

Immediately before it place the following:

This time we need to allow a few more characters, namely any letter of the alphabet in lower or upper case. The pattern is practically the same as before except we've added a-z inside the brackets and an i after the closing delimiter; the i modifier tells preg_replace to match case-insensitively, so A-Z is covered as well. Again, we are telling Store Builder to remove anything from the parameter which isn't a letter, a number, a comma, or an underscore.

With these 2 lines of code added, an injection attempt through either parameter achieves nothing, as all of the characters needed to break out into script, such as the angle brackets (< and >, or "wakkas"), quotes and parentheses, get stripped from the value before Store Builder uses it. No damage can be done through these two parameters.
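To see the fix in action offline, here is an added example; it is not code from zstore.php or from the Store Builder project. The gridPage filter is the line quoted verbatim in the comments below; the sort filter is reconstructed from the description above (the same pattern plus a-z and the i modifier). The name of the sort parameter (sort), and the render_pager() function that writes the parameters back into the page, are assumptions standing in for the real script's markup, which is not reproduced here.

```php
<?php
// Added example, not the original zstore.php code. It exercises the two
// preg_replace filters from the post against constructed requests and
// shows what a reflected-XSS payload looks like before and after filtering.

// The fix from the post: keep only the characters each parameter legitimately uses.
function sanitize_store_builder_params(array $get): array
{
    if (isset($get['gridPage'])) {
        // gridPage is numbers, commas and underscores only, e.g. "2,1_0".
        // This is the exact line quoted in the comments on the post.
        $get['gridPage'] = preg_replace('~[^0-9,_]+~i', '', $get['gridPage']); // removes XSS characters from gridPage
    }
    if (isset($get['sort'])) {   // 'sort' is an assumed parameter name
        // sort is a word such as "popularity" or "date_created", so letters are
        // allowed too; the i modifier makes a-z match A-Z as well.
        $get['sort'] = preg_replace('~[^0-9a-z,_]+~i', '', $get['sort']);
    }
    return $get;
}

// Hypothetical rendering step: a reflected-XSS sink that writes the raw
// parameter values into an attribute and into text, the way a pagination
// control might. The real Store Builder markup is not reproduced here.
function render_pager(array $get): string
{
    $page = $get['gridPage'] ?? '1';
    $sort = $get['sort'] ?? 'popularity';
    return '<a href="?gridPage=' . $page . '&amp;sort=' . $sort . '">page ' . $page . '</a>';
}

// Constructed query strings: a normal request and a reflected-XSS attempt that
// closes the href attribute and injects a script element.
$requests = [
    'gridPage=2,1_0&sort=date_created',
    'gridPage=1"><script>alert(document.cookie)</script>&sort=popularity',
];

foreach ($requests as $query) {
    parse_str($query, $get);   // same decoding PHP applies to $_GET
    echo "Request: ?$query\n";
    echo "Unfixed: " . render_pager($get) . "\n";
    echo "Fixed:   " . render_pager(sanitize_store_builder_params($get)) . "\n\n";
}
```

Run it with php on the command line and compare the two renderings of the second request. Two caveats worth keeping in mind: the filters are an allow-list on input, which is what makes a two-line fix possible, but they silently alter a value rather than rejecting it, and they only protect code paths that read $_GET after these lines. The general defence against XSS is to HTML-encode at the point of output, for example with htmlspecialchars($value, ENT_QUOTES, 'UTF-8'), so that a value is harmless wherever it ends up. Also note that the i modifier on the gridPage pattern is redundant, since that character class contains no letters, but it does no harm.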

Right then, I’m off to fix mine!

8 Comments


I noted your Tweet to Zazzle regarding the vulnerability of Zazzle Store Builder.
I posted onto the forums in regard to someone's query.
However Zazzle Admins deleted the thread.
See this Google Cache of the thread, along with my (albeit longer) version of your fix for the issue.

Yours, RickSeymour (Zaz_Nu on Zazzle)

Admin Edit: Removed link. It contains a URL which exposes an XSS security risk in an application. Yes, you know about it, but I want no part in making it easy for the majority of web surfers that do not know JavaScript to exploit that flaw in the application.

Reply

Thanks for pointing it out, Rick. Thanks for making the *easy fix* available, LisaMarieArt.

Reply

First of all, let me apologize for my dumb question in advance, but am I supposed to replace
(line 210)

if ($_GET['gridPage'] != '') {

with

$_GET['gridPage'] = preg_replace('~[^0-9,_]+~i', '', $_GET['gridPage']); // removes XSS characters from gridPage

or place it directly after that line and before line 211?

I am not a programmer at all …

Thanks for your answer in advance,
Chris

Reply

Directly before 211. You don’t need to replace any code.

Don’t worry about it. Best to ask if you’re not sure.


Thank you, Paul. I didn’t know that you had answered me already. I must not have checked the “notify me of followup comments via email” box.
