Re: XSS issue with error message on NTFD page
sounds good, thanks Brennan!
XSS issue with error message on NTFD page
-
Re: XSS issue with error message on NTFD page
To answer your question: no, in MMUI you cannot modify the built-in error messages. However, in a CSSUI store you are able to view and edit these messages.
The issue you are seeing is that the <mvt:item name="messages" /> is not intended to be used on the NTFD page.
The correct code should be (for a MMUI store):
Code:
<mvt:item name="fonts" param="body_font">
    <mvt:if expr="ISNULL g.Error_Messages">
        The item you requested is not available at this time.
    <mvt:else>
        &mvte:global:Error_Messages;
    </mvt:if>
</mvt:item>
Last edited by Brennan; 08-06-15, 11:50 AM.
-
Re: XSS issue with error message on NTFD page
Originally posted by Rick Wilson:
There are no XSS in Miva by default, so no we can't.
However our platform is flexible enough for you to introduce your own XSS's and there's nothing we can do to stop that.

Rick, my original post on this was specifically about the error message generated by Miva - meaning Miva's message was vulnerable at that time. Maybe it's been fixed since then? I'm not sure; I still have my workaround in place and haven't thought about this at all.
-
Re: XSS issue with error message on NTFD page
Originally posted by findme:
I'm getting harassed by a "security researcher" who has published a similar MIVA-based XSS issue on a public XSS forum and tweeted about it.
I'm worried about a "whack-a-mole" scenario where they keep finding URLs within the bowels of MIVA to complain about.
Is there a way MIVA can do a universal patch for this so it goes away once and for all?

Does anyone out there know how to fix this?
-
Re: XSS issue with error message on NTFD page
There are no XSS in Miva by default, so no we can't.
However our platform is flexible enough for you to introduce your own XSS's and there's nothing we can do to stop that.
-
Re: XSS issue with error message on NTFD page
I'm getting harassed by a "security researcher" who has published a similar MIVA-based XSS issue on a public XSS forum and tweeted about it.
I'm worried about a "whack-a-mole" scenario where they keep finding URLs within the bowels of MIVA to complain about.
Is there a way MIVA can do a universal patch for this so it goes away once and for all?
-
Re: XSS issue with error message on NTFD page
I know, that's basically what I did, but my question is: can I fix the actual system-generated message somewhere, so I can still use <mvt:item name="messages" />?
-
Re: XSS issue with error message on NTFD page
Hey,

Originally posted by Mike521w:
Well basically, it seems like the line that reads:
<mvt:item name="messages" />
was creating a message that said something like "Sorry, page 'xyz' does not exist."
That part was vulnerable to XSS attacks because it reprinted the page code, even if the code was supplied by the query string and was really just a javascript or something.

All you would need to do is go to the NTFD page template and change this line to:
<mvt:if expr="ISNULL g.Error_Messages">
<h4 class="text-danger">The resource you requested is not available at this time.</h4>
<mvt:else>
<h4 class="text-danger">We're sorry, that page no longer exists.</h4>
</mvt:if>
Please and Thank You
-
Re: XSS issue with error message on NTFD page
Well basically, it seems like the line that reads:
<mvt:item name="messages" />
was creating a message that said something like "Sorry, page 'xyz' does not exist."
That part was vulnerable to XSS attacks because it reprinted the page code, even if the code was supplied by the query string and was really just a javascript or something.
-
Re: XSS issue with error message on NTFD page
Originally posted by Mike521w:
Our vulnerability scanner figured out that we had an XSS issue on our NTFD page. Basically the system-generated error message was printing g.Screen without encoding entities.
I dug around all over the place looking for a spot where I could change the error message from &mvt to &mte but I couldn't find it, so I ended up just testing if the page is NTFD, and if so I print my own message. But is there a way to correct the actual system-generated message?
My new code, located in my global header, is:
Code:
<mvt:if expr="g.Error_Message_Count">
    <mvt:if expr="l.settings:page:code NE 'NTFD'">
        <mvt:item name="messages" />
    <mvt:else>
        We're sorry, that page no longer exists.
    </mvt:if>
</mvt:if>

Hey, when you say system-generated message, are you talking about the default message, i.e. "The item you requested is not available at this time."? I think I am a little lost as to what you mean; can you clarify a bit more?
-
XSS issue with error message on NTFD page
Our vulnerability scanner figured out that we had an XSS issue on our NTFD page. Basically the system-generated error message was printing g.Screen without encoding entities.
I dug around all over the place looking for a spot where I could change the error message from &mvt to &mte but I couldn't find it, so I ended up just testing if the page is NTFD, and if so I print my own message. But is there a way to correct the actual system-generated message?
My new code, located in my global header, is:
Code:
<mvt:if expr="g.Error_Message_Count">
    <mvt:if expr="l.settings:page:code NE 'NTFD'">
        <mvt:item name="messages" />
    <mvt:else>
        We're sorry, that page no longer exists.
    </mvt:if>
</mvt:if>
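An added example to go with the original post above and Brennan's corrected template earlier in the thread; it is not code from the thread or from Miva itself. It shows in plain Python what the thread is about: the not-found message is safe only when the requested page code is entity-encoded before it is written into the page (the behaviour of the &mvte: prefix), and a template that still references &mvt:global:Error_Messages; is the raw form to look for. The page code, the two template fragments and the regular expression are constructed for the demo and are assumptions, not Miva's own definitions.

```python
# Added example, not code from the Miva forum thread or from Miva itself.
# It illustrates two things the thread discusses:
#   1. why the NTFD error message must emit the requested page code
#      entity-encoded (what the &mvte: prefix does) rather than raw (&mvt:);
#   2. a small check you can run over exported page templates to flag the
#      raw &mvt:global:Error_Messages; reference that Brennan's fix replaces.
# All sample values and template fragments below are constructed for the demo.
from __future__ import annotations

import html
import re

# Constructed page code as it might arrive in the query string. It contains
# only ordinary markup characters, enough to show the encoding difference.
SAMPLE_PAGE_CODE = 'xyz<b>"bold"</b>&'


def render_not_found_raw(page_code: str) -> str:
    """Behaviour the original poster described: the page code is placed in
    the message without entity encoding, so any markup in it becomes part
    of the rendered page (the &mvt: behaviour)."""
    return f"Sorry, page '{page_code}' does not exist."


def render_not_found_encoded(page_code: str) -> str:
    """Safe rendering: the same message with the page code entity-encoded,
    which is what the &mvte: prefix does in a Miva template. The browser
    then shows the characters literally instead of interpreting them."""
    return f"Sorry, page '{html.escape(page_code, quote=True)}' does not exist."


# Matches a non-encoded &mvt: reference to Error_Messages. The encoded form
# (&mvte:) does not match because the prefix is followed by 'e', not ':'.
RAW_ERROR_REF = re.compile(r"&mvt:(?:global:)?Error_Messages;")


def find_raw_error_message_refs(template: str) -> list[str]:
    """Return every raw (non-entity-encoded) Error_Messages reference in a
    template fragment; an empty list means the fragment is clean."""
    return RAW_ERROR_REF.findall(template)


# Constructed template fragments (assumptions for the demo). The first uses
# the raw prefix; the second is the form Brennan gave in the thread.
RAW_ERROR_TEMPLATE = """<mvt:if expr="ISNULL g.Error_Messages">
The item you requested is not available at this time.
<mvt:else>
&mvt:global:Error_Messages;
</mvt:if>"""

ENCODED_ERROR_TEMPLATE = RAW_ERROR_TEMPLATE.replace("&mvt:global", "&mvte:global")


def audit_templates(templates: dict[str, str]) -> dict[str, list[str]]:
    """Run the check over a mapping of page code -> template text and return
    only the pages that still carry a raw reference."""
    findings: dict[str, list[str]] = {}
    for page_code, text in templates.items():
        refs = find_raw_error_message_refs(text)
        if refs:
            findings[page_code] = refs
    return findings


if __name__ == "__main__":
    print("raw:     ", render_not_found_raw(SAMPLE_PAGE_CODE))
    print("encoded: ", render_not_found_encoded(SAMPLE_PAGE_CODE))
    print("findings:", audit_templates({"NTFD": RAW_ERROR_TEMPLATE,
                                        "CTGY": ENCODED_ERROR_TEMPLATE}))
```

The audit only covers the one reference the thread names; if you export more templates, extend the pattern to the other global variables your store echoes, and keep the encoded (&mvte:) form as the default whenever request-controlled data is written into HTML.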