Security fix: XSS at product listings page

Security fix: XSS at product listings page

Please apply below fix, if you are using VPASP 7 with build date older than 3/September/2010, to avoild XSS attack to product listings page.

1. Modify shop$db.asp

1a. Open shop$db.asp

1b. Locate function gennavrefstr (ref) (estimate line 2660)

1c. Replace whole function gennavrefstr, as below:

function gennavrefstr (ref)
if Request.QueryString("sppp") <> "" then
'6.50 - precautionary security fix
if isnumeric(Request.QueryString("sppp")) then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&sppp=" & cleanchars(Request.QueryString("sppp"))
end if
end if

'700 - Paging Navigation - bookmark page2, page3 for the category
if Request.QueryString("id") <> "" then
if isnumeric(Request.QueryString("id")) then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&id=" & cleanchars(Request.QueryString("id"))
end if
end if

'700 - Paging Navigation - bookmark page2, page3 for simple search
if Request.QueryString("Keyword") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&Keyword=" & cleanchars(Request.QueryString("Keyword"))
end if
if Request.QueryString("Search") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&Search=" & cleanchars(Request.QueryString("Search"))
end if

'700 - Paging Navigation - bookmark page2, page3 for advanced search
if Request.QueryString("category") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&category=" & cleanchars(Request.QueryString("category"))
end if
if Request.QueryString("highprice") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&highprice=" & cleanchars(Request.QueryString("highprice"))
end if
if Request.QueryString("lowprice") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&lowprice=" & cleanchars(Request.QueryString("lowprice"))
end if
if Request.QueryString("allwords") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&allwords=" & cleanchars(Request.QueryString("allwords"))
end if
if Request.QueryString("exact") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&exact=" & cleanchars(Request.QueryString("exact"))
end if
if Request.QueryString("atleast") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&atleast=" & cleanchars(Request.QueryString("atleast"))
end if
if Request.QueryString("without") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&without=" & cleanchars(Request.QueryString("without"))
end if

'700 - Paging Navigation - for footnote query
if Request.QueryString("bc") <> "" or session("seocbc") <> "" then
if Request.QueryString("bc") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&bc=" & cleanchars(Request.QueryString("bc"))
else
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&bc=" & cleanchars(session("seocbc"))
end if
end if
if Request.QueryString("queryprefix") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&queryprefix=" & cleanchars(Request.QueryString("queryprefix"))
end if
if Request.QueryString("cname") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&cname=" & cleanchars(Request.QueryString("cname"))
end if

'700 - Paging Navigation - for catalogid query
if Request.QueryString("catalogid") <> "" then
'700 - 2010.09.03 - Bug Fix: XSS security issue while genrating page navigation
ref = ref & "&catalogid=" & cleanchars(Request.QueryString("catalogid"))
end if

gennavrefstr = ref
end function

1d. Save

2. Modify shop$db.asp

2a. Open shop$db.asp

2b. Locate function CleanChars(strWords) (estimate line 3433)

2c. Replace whole function CleanChars(strWords), as below:

function CleanChars(strWords)
'6.5.1 - exit function if strwords is nothing
if strwords = "" then exit function
if isnull(strwords) then exit function

'6.50 - replace '' with ' in case function has been run twice on same string
strWords = replace(strWords, "''", "'")

do while instr(strWords,"  ") > 0
strWords = replace(strWords, "  ", " ")
loop

dim badChars,i
dim newChars, decodeChars
dim sensitiveChars

'700 - 2010.09.08 - Bug Fix: XSS issue
badChars = array("select ", "drop ", "--", "insert into", "delete from","xp_","char(","@@","|","<script",".js","onload","alert(","xss","onmouseover","document.cookie","convert(","<iframe","cast(","nvarchar","varchar","chr(","exec(","%00","expression(")

sensitiveChars = array("union ","update ","declare ")

newChars = strWords
dim newReplace,bpos,bpos2

' check bad chars and assign to null
for i = 0 to uBound(badChars)
if instr(1,lcase(newchars),lcase(badchars(i)),1)>0 then
bpos = instr(1,lcase(newchars),lcase(badchars(i)),1)
newReplace=""
bpos2 = bpos + len(newReplace)
newchars = mid(newchars,1,bpos-1) & newReplace & mid(newchars,len(badchars(i))+bpos,len(newchars) + bpos2 + 999)
end if
next

' check sensitive chars and assign spaces to %nbsp;
for i = 0 to uBound(sensitiveChars)
if instr(1,lcase(newchars),lcase(sensitiveChars(i)),1)>0 then
bpos = instr(1,lcase(newchars),lcase(sensitiveChars(i)),1)
newReplace=replace(lcase(sensitiveChars(i))," "," ")
bpos2 = bpos + len(newReplace)
newchars = mid(newchars,1,bpos-1) & newReplace & mid(newchars,len(sensitiveChars(i))+bpos,len(newchars) + bpos2 + 999)
end if
next

'newchars=replace(newchars,"""",""")
newchars=Replace(newchars,"%22","") 'remove any encoded double quotes
newchars=replace(newchars,"©","&copy;")
newchars=replace(newchars,"<br>","<br />")
newchars=replace(newchars,"<BR>","<br />")
newchars=replace(newchars,"<Br>","<br />")

'700 - 2010.08.24 - Bug Fix: XSS issue
newchars=replace(newchars,"<","&lt;")
newchars=replace(newchars,">","&gt;")
newchars=replace(newchars,"'","&apos;")
newchars=replace(newchars,")","&#x29;")
newchars=replace(newchars,"(","&#x28;")

CleanChars = newChars
end function

2d. Save

3. Modify shop$db.asp

3a. Open shop$db.asp

3b. Locate function ToSQL(Value, sType) (estimate line 3646)

3c. Replace whole function ToSQL(Value, sType), as below:

function ToSQL(Value, sType)
dim Param
Param = Value
if Param = "" then
ToSQL = ""
else
if sType = "Number" then
ToSQL = CDbl(Param)
else
'700 - 2010.08.24 - Bug Fix: XSS issue
Param=replace(Param,"&lt;","<")
Param=replace(Param,"&gt;",">")
Param=replace(Param,"&apos;","'")
Param=replace(Param,"&#x29;",")")
Param=replace(Param,"&#x28;","(")

ToSQL = Replace(Param, "'", "''")
end if
end if
end function

3d. Save


Times Viewed:
3496
Added By:
bobby
Date Created:
9/3/2010
Last Updated:
9/8/2010