February 9, 2009

OS version of Assignment Calculator vulnerable to XSS attack

Thanks to the fine folks at the University of Portland, we have been alerted to the possibility of the Assignment Calculator code (specifically "date.php") being susceptible to a Cross-Site Scripting (XSS) attack.

What this means is that someone could craft a link to date.php whose GET parameters carry script, so that a person visiting that link could have harmful code executed in their browser or be forwarded to a web site seeking passwords or other personal information. For example:

A link like this:
http://www.lib.umn.edu/help/calculator/date.php?monthone=2&dayone=3&yearone=2009&monthtwo=2&daytwo=4&yeartwo=<script>alert('Hi%20Everyone!');</script>

could be sent to a person in an email spoofing the library's address, and an XSS attack may occur when they follow it.

Again, the good people at the University of Portland have not only pointed out this problem, but they've also provided some simple scripting that will help people fix this problem in current installations.

The code in the ZIP file linked below first checks that all of the GET variables exist. Then it checks that each value is actually a number.

If it is a number, the code trims the value down to 2 characters (day and month) or 4 characters (year). This prevents people from putting in a year like 20098 or something similar.
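As an added illustration (my own code, not the script in the ZIP file), here is how the three checks described above can be written in PHP for date.php's six parameters; the HTML escaping at the end is an extra step beyond what the post lists, so that the values are still safe if they are echoed back into the page.

```php
<?php
// Added example: validates the six date.php GET parameters
// (presence, digits only, truncate to 2 or 4 characters).
// This is not the University of Portland fix shipped in the ZIP.

// Parameter name => maximum digit count (2 for day/month, 4 for year).
$expected = [
    'monthone' => 2, 'dayone' => 2, 'yearone' => 4,
    'monthtwo' => 2, 'daytwo'  => 2, 'yeartwo' => 4,
];

function validate_date_params(array $get, array $expected) {
    $clean = [];
    foreach ($expected as $name => $maxLen) {
        // 1. Every parameter must be present.
        if (!isset($get[$name])) {
            return null;
        }
        $value = (string) $get[$name];
        // 2. Digits only: ctype_digit rejects '', '-1', '2.5' and
        //    anything containing '<script>'.
        if (!ctype_digit($value)) {
            return null;
        }
        // 3. Trim to 2 or 4 characters, so "20098" becomes "2009".
        $clean[$name] = substr($value, 0, $maxLen);
    }
    return $clean;
}

$params = validate_date_params($_GET, $expected);
if ($params === null) {
    http_response_code(400);
    exit('Invalid date parameters.');
}

// Even after validation, escape anything echoed back into HTML.
foreach ($params as $name => $value) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '='
       . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<br>\n";
}
```

The post's approach truncates rather than rejects over-long values; a range check (month 1 to 12, day 1 to 31) would be a natural further tightening, but is not part of what the post describes.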

Again, thanks to Ronan at the University of Portland for finding this and providing a fix!

Download file

Posted by snackeru at February 9, 2009 2:55 PM