Cross-Site Scripting when route not found

mishanian
User
Posts: 125

Cross-Site Scripting when route not found

Post by mishanian »

Hi, I have a website maintained only by PHPMaker, but when I did a penetration test I got a high-severity "Cross-site Scripting" vulnerability.

Attack Details
URI was set to 1<ScRiPt>2Zpq(9578)</ScRiPt>
The input is reflected inside a text element.

HTTP Response

 <!-- Main content -->
        <section class="content">
        <div class="container-fluid">
<div class="error-page">
        <h2 class="headline text-warning">404</h2>
        <div class="error-content">
                <h3><i class="fa-solid fa-triangle-exclamation text-warning"></i> Not Found</h3>
                <p>Route '"1<ScRiPt>2Zpq(9578)</ScRiPt>' not found.</p>
            </div>
    <!-- /.error-content -->
</div>
<!-- /.error-page -->

How can I fix it?


mobhar
User
Posts: 11732

Post by mobhar »

There are two options that you can do.

First option: just replace the PageNotFound phrase in the languages/english.en-US.xml file, from "Route '%p' not found." to "Route not found."

Second option: if you don't want to change that .xml language file, you may simply put the following code in the Language_Load server event:

$this->setPhrase("PageNotFound", "Route not found.");

In other words, the vulnerability can be exploited through the route param that is changed by the hacker. That's why we need to remove the route param from the related phrase above.
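To make the sink concrete, here is an added example in plain PHP (not PHPMaker's generated code and not the poster's code; the function names and the sample route value are assumptions, the route value being modelled on the scanner payload quoted in the report). It shows why substituting the raw route into the "Route '%p' not found." phrase reflects markup, and that besides removing the parameter you can also keep it and HTML-encode it before it reaches the page:

```php
<?php
// Added example, not PHPMaker code: why a reflected %p placeholder is an
// XSS sink, and two ways to close it.
declare(strict_types=1);

// Constructed request path, modelled on the scanner payload in the report.
$requestedRoute = '1<ScRiPt>2Zpq(9578)</ScRiPt>';

// Before: the phrase "Route '%p' not found." with %p substituted raw.
// Whatever the client put in the URL lands inside the <p> element unescaped.
function notFoundUnsafe(string $route): string
{
    $phrase = "Route '%p' not found.";
    return '<p>' . str_replace('%p', $route, $phrase) . '</p>';
}

// Fix 1 (what the thread recommends): drop the parameter from the phrase.
function notFoundWithoutParam(): string
{
    return '<p>Route not found.</p>';
}

// Fix 2: keep the parameter for diagnostics but HTML-encode it before it
// enters the markup. ENT_QUOTES also encodes ' and ", so the value is safe
// inside attribute values as well as element text.
function notFoundEscaped(string $route): string
{
    $phrase = "Route '%p' not found.";
    $safe = htmlspecialchars($route, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . str_replace('%p', $safe, $phrase) . '</p>';
}

// Self-check: only the unsafe variant still contains an executable tag.
$variants = [
    'notFoundUnsafe'       => notFoundUnsafe($requestedRoute),
    'notFoundWithoutParam' => notFoundWithoutParam(),
    'notFoundEscaped'      => notFoundEscaped($requestedRoute),
];
foreach ($variants as $name => $html) {
    $reflectsTag = stripos($html, '<script') !== false;
    printf("%-22s %s\n", $name, $reflectsTag ? 'REFLECTS <script>' : 'safe');
    echo '   ', $html, "\n";
}
```

Removing the parameter (the thread's fix) is the smallest change; encoding it is the general rule whenever a phrase or error message has to carry user-controlled text, because it does not depend on remembering which placeholders are reflected.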


mishanian
User
Posts: 125

Post by mishanian »

Thanks, it works. I also saw another error:

URL encoded GET input view was set to 1'"()&%<zzz><ScRiPt >fa78(9266)</ScRiPt>

here:

<!-- Main content -->
        <section class="content">
        <div class="container-fluid">
<div class="error-page">
        <div class="error-content">
                <h3><i class="fa-solid fa-triangle-exclamation text-danger"></i> Error</h3>
                <p>/home/d6nj0ffp7xd1/public_html/maintenance.isologicradiopharm.ca/vendor/slim/php-view/src/PhpRenderer.php(176): View cannot render "1'"()&%<zzz><ScRiPt >fa78(9266)</ScRiPt>.php" because the template does not exist</p>
            </div>
    <!-- /.error-content -->
</div>
<!-- /.error-page -->

arbei
User
Posts: 9390

Post by arbei »

The error just told you that your view does not exist. (Note that by default the view's file name is the same as the route name.)


mobhar
User
Posts: 11732

Post by mobhar »

If you mean the error is caused by the change applied to the URL of the View Page, then you should check the parameter as follows; for example, put this code in the Page_Load server event of the View Page:

// in this example, YourID is the primary key for the table, adjust it to yours
if (!empty(Route("YourID")) && !is_numeric(Route("YourID"))) {
    echo "Parameter not valid for View Page!";
    exit;
}

As you can see, if the YourID field is of a numeric field type, then you should check whether the value is numeric or not. If it is not, you should prevent it from being used as the param, display the message, and exit the script immediately.
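The same idea, generalized slightly, as an added plain-PHP example (not PHPMaker's generated code and not the poster's code; the view names in the allowlist, the function names and the sample requests are constructed). It validates both things the thread touches: the view name that becomes a template file name is checked against an allowlist of views that exist, and the numeric key is checked with FILTER_VALIDATE_INT, which, unlike is_numeric(), rejects values such as "1e3" or " 1" that a primary-key lookup does not want. Rejected values are never echoed back, only a generic message:

```php
<?php
// Added example, not PHPMaker code: validate route parameters before they
// are used as a template name or appear in an error message.
declare(strict_types=1);

// Views that actually exist (constructed list). Anything else is rejected
// instead of becoming "<input>.php" and being echoed back in an error.
const KNOWN_VIEWS = ['customersview', 'ordersview', 'productsview'];

// Returns the view name when it is on the allowlist, null otherwise.
function resolveView(?string $view): ?string
{
    if ($view === null) {
        return null;
    }
    $normalised = strtolower($view);
    return in_array($normalised, KNOWN_VIEWS, true) ? $normalised : null;
}

// Returns the key as int when it is a plain positive integer, null otherwise.
// is_numeric() would also accept "1e3", " 1" and "1.5"; FILTER_VALIDATE_INT
// with a minimum of 1 rejects those.
function resolveNumericKey(?string $value): ?int
{
    if ($value === null || $value === '') {
        return null;
    }
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $int === false ? null : $int;
}

// The rejection message is fixed text; the offending value is not reflected.
function rejectRequest(string $reason): string
{
    return '<p>' . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed requests: one valid, then the scanner payloads from the thread
// and a value is_numeric() would have accepted.
$samples = [
    ['view' => 'customersview', 'YourID' => '42'],
    ['view' => '1\'"()&%<zzz><ScRiPt >fa78(9266)</ScRiPt>', 'YourID' => '42'],
    ['view' => 'customersview', 'YourID' => '1<ScRiPt>2Zpq(9578)</ScRiPt>'],
    ['view' => 'customersview', 'YourID' => '1e3'],
];

foreach ($samples as $get) {
    $view = resolveView($get['view'] ?? null);
    $id   = resolveNumericKey($get['YourID'] ?? null);
    if ($view === null) {
        echo rejectRequest('Requested view is not available.'), "\n";
    } elseif ($id === null) {
        echo rejectRequest('Parameter not valid for View Page.'), "\n";
    } else {
        echo "render {$view}.php for key {$id}\n";
    }
}
```

Only the first sample reaches the render step; the other three are refused with a message that does not contain the submitted value, so neither the template resolver nor the error page becomes a reflection point.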

