Details
- Type: Bug
- Status: Done/Fixed
- Priority: Major
- Resolution: Fixed/Completed
- Affects Version/s: 3.3.5
- Fix Version/s: 3.4.alpha
- Component/s: Core CiviCRM
- Labels: None
Description
We recently had our Drupal/CiviCRM instance scanned by SecurityMetrics as part of our PCI DSS compliance process. They've identified a cross-site scripting vulnerability, and it appears to be in the "printer-friendly" link in the default Drupal/standalone page template. The test used by SecurityMetrics:
GET /civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0
Host: www.mysite.org
User-Agent: Mozilla/4.0
Connection: Keep-alive
And in the server response we see:
<div id="printer-friendly">
<a href="/db/civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT>?q=civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT>&snippet=2" title="Printer-friendly view of this page.">
<div class="ui-icon ui-icon-print"></div>
</a>
</div>
The un-escaped <SCRIPT> tags appear in the printer-friendly link. I was able to reproduce on our CiviCRM 3.3.5 installation.
As a workaround, I've removed the printer-friendly link from our default template for now.
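The defect reported above, reduced to the link-building step, as an added illustration that is not CiviCRM's own code or its actual patch: the flawed pattern drops the raw request path into an href attribute, and the hardened form percent-encodes the path and HTML-escapes the attribute value. The "/db/" base path and the markup structure are taken from the response quoted in the report; the probe path is the scanner's request, constructed here as sample input.

```python
import html
from urllib.parse import quote

# Constructed sample input: the request path from the SecurityMetrics probe.
PROBE_PATH = "civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT>"
BASE = "/db/"  # base path seen in the quoted response


def _wrap(href: str) -> str:
    """Emit the printer-friendly block with the given (already final) href."""
    return ('<div id="printer-friendly">\n'
            f'<a href="{href}" title="Printer-friendly view of this page.">\n'
            '<div class="ui-icon ui-icon-print"></div>\n'
            '</a>\n'
            '</div>')


def build_printer_link_vulnerable(path: str) -> str:
    """Reconstructs the flawed pattern: the raw request path is interpolated
    straight into the attribute, so any markup in the path lands in the page."""
    return _wrap(f"{BASE}{path}?q={path}&snippet=2")


def build_printer_link_hardened(path: str) -> str:
    """Assumed fix (hypothetical, not the project's patch):
    1. percent-encode the path so it is a valid URL path component
       ('<' -> %3C, '>' -> %3E, quotes and parentheses likewise);
    2. HTML-escape the whole attribute value, quotes included, so the
       remaining '&' in the query string becomes '&amp;'."""
    safe_path = quote(path, safe="/")
    href = f"{BASE}{safe_path}?q={safe_path}&snippet=2"
    return _wrap(html.escape(href, quote=True))


def reflects_raw_markup(response_html: str, probe: str = "<SCRIPT>") -> bool:
    """Regression check for this issue: True if the probe tag survives
    verbatim in the rendered output (i.e. the page is still reflecting it)."""
    return probe in response_html
```

`reflects_raw_markup` is the check to keep in a template test suite so the link cannot silently regress when the page template is edited.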