CRM-7656 (CiviCRM): printer-friendly link should sanitize variables

    Details

    • Type: Bug
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 3.3.5
    • Fix Version/s: 3.4.alpha
    • Component/s: Core CiviCRM
    • Labels:
      None

      Description

      We recently had our Drupal/CiviCRM instance scanned by SecurityMetrics as part of our PCI DSS compliance process. They've identified a cross-site scripting vulnerability, and it appears to be in the "printer-friendly" link in the default Drupal/standalone page template. The test used by SecurityMetrics:

      GET /civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT> HTTP/1.0
      Host: www.mysite.org
      User-Agent: Mozilla/4.0
      Connection: Keep-alive

      And in the server response we see:

      <div id="printer-friendly">
      <a href="/db/civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT>?q=civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT>&snippet=2" title="Printer-friendly view of this page.">
      <div class="ui-icon ui-icon-print"></div>
      </a>
      </div>

      The un-escaped <SCRIPT> tags appear in the printer-friendly link. I was able to reproduce on our CiviCRM 3.3.5 installation.

      As a workaround, I've removed the printer-friendly link from our default template for now.
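The report above shows the request path being copied verbatim into the `href` of the printer-friendly link. The following is an added illustration, not CiviCRM's own code, of building that link so request-derived text is encoded for both contexts it passes through (the URL, then the HTML attribute); the base path `/db` and the `encodePathForUrl` / `printerFriendlyLink` helpers are assumptions for the example.

```php
<?php
// Added example (not CiviCRM's own code): build the printer-friendly href so
// that text taken from the request cannot break out of the attribute.

/**
 * Percent-encode each path segment with rawurlencode so "<", ">", "'" and
 * "(" are never placed into the HTML as-is. Slashes between segments stay.
 */
function encodePathForUrl(string $path): string
{
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

/**
 * Assemble the link in two steps: first a well-formed URL (path and q=
 * value percent-encoded), then htmlspecialchars for the attribute context
 * (this also turns the "&" before snippet=2 into "&amp;").
 */
function printerFriendlyLink(string $basePath, string $requestPath): string
{
    $encodedPath = encodePathForUrl($requestPath);
    $url  = $basePath . '/' . $encodedPath . '?q=' . $encodedPath . '&snippet=2';
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<div id="printer-friendly">' . "\n"
         . '<a href="' . $href . '" title="Printer-friendly view of this page.">' . "\n"
         . '<div class="ui-icon ui-icon-print"></div>' . "\n"
         . '</a>' . "\n"
         . '</div>';
}

// Constructed input mirroring the scanner's test path quoted in the report.
$scannerPath = "civicrm/contribute/transact<SCRIPT>alert('SAINT')</SCRIPT>";
$html = printerFriendlyLink('/db', $scannerPath);

// A raw "<" can no longer appear inside the attribute value.
assert(strpos($html, '<SCRIPT>') === false);
echo $html, "\n";
```

The emitted `href` carries `transact%3CSCRIPT%3Ealert%28%27SAINT%27%29%3C%2FSCRIPT%3E` in both the path and the `q=` value, so the browser sees an ordinary link rather than markup.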

People

• Assignee: lobo (Donald A. Lobo)
• Reporter: jcm55 (Jim Meehan)
