Community Support Forums

[jfmetcalf1]

We are currently running 111029 and we are hitting a wall with the PCI Scan. Its been brought to our attention that would should see if you have a possible fix for your script.

Here is a copy of part of the scan that involved s2Member Pro

XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious
web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.
An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user
to launch malicious javascript.
Cross site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In
order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their
corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot and <
would convert to &lt;
There are built in functions for different languages that may do the encoding for you. In PHP you can use the
htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.


Please reach out as soon as you can.

Thanks,
Jeremy

[Cristián Lávaque]

Thanks Jeremy. Could you show us where in s2Member that is the case so we look into it?

[jfmetcalf1]

From what I received from the scan its looks to be a cross site script from a web service called fritiko. Here is a copy/paste of the scan result. And thanks for the assistance on it.

Cross-Site Scripting
Web Services :: Fritko
ID
300004
Port
TCP:80
Risk
3
Path: /member-registration
XSS is a type of computer security vulnerability typically found in web applications which allow code injection by malicious
web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.
An attacker can use this vulnerability to completely alter the layout of a particular page for a specific user or to force the user
to launch malicious javascript.
Cross site scripting occurs when user input is not properly encoded by the application prior to display back to the user. In
order to fix this issue, the application developers must encode most non-alphanumeric user-supplied data into their
corresponding HTML characters before the data is displayed back to the user. For example, " would convert to &quot and <
would convert to &lt;
There are built in functions for different languages that may do the encoding for you. In PHP you can use the
htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the
htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.

[jfmetcalf1]

Anything on this yet?

[jfmetcalf1]

Anyone around here?

[Jason Caldwell]

Thanks for the heads up on this thread.
~ and thanks for reporting this important security issue.

Interesting. s2Member does not interact with this service:

Code: Select all

Web Services :: Fritko

What PCI scanning service are you using please?
Also, what you posted prior is a general outline of the issue that was detected. It does not point to anything specific, nor does it isolate the issue to s2Member. Please check your full PCI compliance scan and associated reports. Look for the exact test your scanning service performed, which would allow you to reproduce the issue. For XSS, this would normally include a URL with a particular query string.

Code: Select all

Path: /member-registration

( not enough to go on )

* Note: we are not currently aware of any XSS vulnerability in s2Member or s2Member Pro. However, if you have a report that indicates there is, please post that information. We'll be happy to review it.

[jfmetcalf1]

I hope this helps this is exactly line by line from the scan: I am still attempting to get more information from the company that did the scan.


Port Threat Name Risk Level Dispute Status Actions
300004 80 Cross-Site Scripting High (3)
Threat ID: 300004
Details:
IP Address: 50.56.134.155
Host: www.protectanddefend.org
Path: /member-registration

THREAT REFERENCE

Summary:
Cross-Site Scripting

Risk: High (3)
Type: Fritko
Port: 80
Protocol: TCP
Threat ID: 300004

Information From Target:
Regular expression ".{0,1}'.{0,1}"> " matched contents of /member-registration.

Query Parameters
• s2member_pro_authnet_checkout[card_start_date_issue_number] -
• s2member_pro_authnet_checkout[card_number] -
• s2member_pro_authnet_checkout[card_verification] -
• s2member_pro_authnet_checkout[first_name] -
• s2member_pro_authnet_checkout[city] -
• s2member_pro_authnet_checkout[email] -
• s2member_pro_authnet_checkout[username] -
• s2member_pro_authnet_checkout[last_name] -
• s2member_pro_authnet_checkout[state] -
• s2member_pro_authnet_checkout[street] -
• s2member_pro_authnet_checkout[card_expiration] -
• s2member_pro_authnet_checkout[card_type] - Amex
• s2member_pro_authnet_checkout[zip] -
• s2member_pro_authnet_checkout[attr] - fnIyOnpzemxGcHAweTBRZ3dDcnBVNXBlS3h3VnAwUEZSbmdxfHY4vzbG8zG1HqGghS4C92GV43VRKFftAc5MyQI_mDEZaBmIN4p7
• s2member_pro_authnet_checkout[password2] -
• s2member_pro_authnet_checkout[coupon] - '">
• s2member_pro_authnet_checkout[nonce] - b45185b09d
• s2member_pro_authnet_checkout[password1] -
Solution:
There are built in functions for different languages that may do the encoding for you. In PHP you can use the htmlspecialchars() function In .Net you can use the Server.HtmlEncode() function.Details:

XSS is a type of computer security vulnerability typically found
in web applications which allow code injection by malicious web
users into the web pages viewed by other users. Examples of such
code include HTML code and client-side scripts.


An attacker can use this vulnerability to completely alter the
layout of a particular page for a specific user or to force the
user to launch malicious javascript.


Cross site scripting occurs when user input is not properly
encoded by the application prior to display back to the user. In
order to fix this issue, the application developers must encode
most non-alphanumeric user-supplied data into their corresponding
HTML characters before the data is displayed back to the user. For
example, " would convert to &quot and < would convert
to &lt;


There are built in functions for different languages that may do
the encoding for you. In PHP you can use the htmlspecialchars()
function In .Net you can use the Server.HtmlEncode() function.

[Jason Caldwell]

Thanks for the follow-up.

I'm not aware of any issue in this regard. All of these variables are sanitized by s2Member before they are used and/or displayed back to the user. Your report indicates otherwise. If you have more information you can provide, we'll be happy to have a look. This list just shows the variables, it doesn't show the vulnerability being reproduced yet. I suspect this is a false positive.

Code: Select all

• s2member_pro_authnet_checkout[card_start_date_issue_number] -
• s2member_pro_authnet_checkout[card_number] -
• s2member_pro_authnet_checkout[card_verification] -
• s2member_pro_authnet_checkout[first_name] -
• s2member_pro_authnet_checkout[city] -
• s2member_pro_authnet_checkout[email] -
• s2member_pro_authnet_checkout[username] -
• s2member_pro_authnet_checkout[last_name] -
• s2member_pro_authnet_checkout[state] -
• s2member_pro_authnet_checkout[street] -
• s2member_pro_authnet_checkout[card_expiration] -
• s2member_pro_authnet_checkout[card_type] - Amex
• s2member_pro_authnet_checkout[zip] -
• s2member_pro_authnet_checkout[attr] - fnIyOnpzemxGcHAweTBRZ3dDcnBVNXBlS3h3VnAwUEZSbmdxfHY4vzbG8zG1HqGghS4C92GV43VRKFftAc5MyQI_mDEZaBmIN4p7
• s2member_pro_authnet_checkout[password2] -
• s2member_pro_authnet_checkout[coupon] - '">
• s2member_pro_authnet_checkout[nonce] - b45185b09d
• s2member_pro_authnet_checkout[password1]

[jfmetcalf1]

Thanks again for looking into this. I have submitted a support ticket with our people to run our own PCI Scan so we have a clear visual on the hits. I will be in touch soon.

Jeremy

[jfmetcalf1]

I received information back from our PCI Scan:

Jeremy



I have attached proof of concept that the cross-site scripting threat is legitimate. I was able to pop it on the www.protectanddefend.org/member-registration pageJust some background information that may assist your developers, I was able to manually verify the cross-site scripting by using a proxy and intercepting the request. Once I intercepted the request, I was able to change the s2member_pro_authnet_checkout[card_type] to "Amex" (American Express isn't one of the selectable options originally) and I was also able to insert the script into the s2member_pro_authnet_checkout[coupon] parameter.

Chris Martin
Sr. Security Analyst
ControlScan, Inc.

[Jason Caldwell]

Thank you very much. Investigating now.

[Jason Caldwell]

Investigation completed.
Thanks for reporting this important issue.

1. Proxy Coupon Code with special chars.
Fixed in development copy. Coming in release of 111220 later today.

2. Card Type = Amex, against accept attribute.
Fixed in development copy. Coming in release of 111220 later today.

[Jason Caldwell]

Resolved in s2Member and s2Member Pro v111220.
http://wordpress.org/extend/plugins/s2member/changelog/

v111220

(s2Member Pro) Security fix. PayPal® Pro and Authorize.Net® Forms were vulnerable to an XSS attack, reproducible with a Coupon Code containing special characters. Discovered by ControlScan™. Fixed in this release. For further details, please see this thread.

(s2Member Pro) Security hardening. s2Member's Systematics routine hardended against a possible attack coming from a spoofed IP address matching that of the installation server itself. For further details, please see this thread.

(s2Member Pro) Security hardening. PayPal® Pro and Authorize.Net® Forms hardended against a possible attack against card types. Discovered by ControlScan™. For further details, please see this thread.

99% Resolved ( awaiting confirmation )

[jfmetcalf1]

I personally wanted to thank you for such a quick resolve on this. I have turned it back over to ControlScan to run hopefully a final scan on this matter. I will update if there are anymore findings.


Jeremy

[jfmetcalf1]

Cross Scripting was Resolved on the PCI Scan. Thank you for the assistance.

Jeremy

[Jason Caldwell]

Resolved. Thanks for the confirmation.
~ You're very welcome.

100% Resolved