need help please , website under attack XSS :(

Our website is under attack by some hackers. It seems that we have an XSS hole in the login page. I ran a piece of software to scan the CMS and it found some holes and included the solution, but I'm not a developer so I can't understand what they mean. So if someone could check the code and the report and modify it, please.

Here is the report, and below is the code of the login page.
This vulnerability affects /admin/adminlogin/login.php.
Discovered by: Scripting (XSS.script).
1- Attack details
URL encoded POST input pword was set to '"()&%1
URL encoded POST input pword was set to '"()&%1
URL encoded POST input uname was set to '"()&%1

The impact of this vulnerability
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

How to fix this vulnerability
Your script should filter metacharacters from user input.

What can I do to protect myself as a vendor?
This is a simple answer. Never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt; is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your business if abused. Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks and it is suggested you also attempt to filter out ( and ) by translating them to &#40; and &#41;, and also # and & by translating them to &#35 (#) and &#38 (&).

CODE:

[code]<?php require_once('../../Connections/rawecconn.php'); ?>
<?php require_once('../../include/lang.php'); ?>
<?php session_start(); ?>
<?
if ((isset($HTTP_POST_VARS["MM_insert"])) && ($HTTP_POST_VARS["MM_insert"] == "form1")) {
    //echo "try login";
    mysql_select_db($database_rawecconn, $rawecconn);
    $uname = $_POST['uname'];
    $pword = $_POST['pword'];
    $query_LoginRec = "SELECT * FROM tbl_user where username='$uname' and password='$pword'";
    //echo $query_LoginRec;
    $LoginRec = mysql_query($query_LoginRec, $rawecconn) or die(mysql_error());
    $row_LoginRec = mysql_fetch_assoc($LoginRec);
    $totalRows_LoginRec = mysql_num_rows($LoginRec);
    if($totalRows_LoginRec > 0) {
        //echo "OK";
        $ADMIN_CPanel_WFusername = $row_LoginRec['username'];
        $_SESSION['ADMIN_CPanel_WFusername'] = $ADMIN_CPanel_WFusername;
        session_register("ADMIN_CPanel_WFusername");
        //echo $row_LoginRec['username'];
    } else {
        //echo "NOTOK";
        $fontcolor=rand(0,9);
        //echo $fontcolor;
        $a[0]="#FF0000";
        $a[1]="#0000FF";
        $a[2]="#993366";
        $a[3]="#CC00CC";
        $a[4]="#FF6666";
        $a[5]="#9966FF";
        $a[6]="#9933FF";
        $a[7]="#9999FF";
        $a[8]="#FF0000";
        $a[9]="#33CCFF";
        $error_msg="
Error --> Invalid UserName & PassWord
";
        session_start();
        session_destroy();
    }
    if (session_is_registered("ADMIN_CPanel_WFusername")) {
        //echo "NOSESSIon";
        //header ("location: ../adminlogin/frm.php");
        //$insertGoTo = "../adminlogin/frm.php";
        //header(sprintf("Location: %s", $insertGoTo));
        echo "";
        die();
    }
}
?>
Login

<? echo $error_msg; ?>
WELCOME ADMIN CPANEL
Username
<? echo $lang["username"] ; ?>
Password
<? echo $lang["password"] ; ?>

function Pos() {[/code]

oh yea, you’re asking for trouble with that code. At a bare minimum, you should always use mysql_real_escape_string() or addslashes() on any type of user input (like the user and password).

Could you help me more? I'm not a programmer so I can't understand it. Please do me a favor and modify the code.

I use this to secure my input:
[php]function sanitize($input) {
$output = addslashes(htmlspecialchars(strip_tags(trim($input))));
return output;
}[/php]

I would add that to the beginning of your PHP code or to a functions file and include it into your page. I would then change lines 12 and 13 of your current file to this:
[php]$uname = sanitize($_POST['uname']);
$pword = sanitize($_POST['pword']);[/php]

Let us know if you need any further help.

I made a mistake in that function that I mentioned. Here is a correction:

[php]function sanitize($input) { $output = addslashes(htmlspecialchars(strip_tags(trim($input)))); return $output;}[/php]

Do I have to delete any code? Sorry, I know I'm an idiot, but I don't know any programming. If it is possible, modify all the code and then I will select all and replace the code.

You’re not an idiot by any means, the fact that you are asking for help proves that :wink: Here is the code:

[code]<?php require_once('../../Connections/rawecconn.php'); ?>
<?php require_once('../../include/lang.php'); ?>
<?php
session_start();
function sanitize($input) {
    $output = addslashes(htmlspecialchars(strip_tags(trim($input))));
    return $output;
}
?>
<?php
if ((isset($HTTP_POST_VARS["MM_insert"])) && ($HTTP_POST_VARS["MM_insert"] == "form1")) {
    //echo "try login";
    mysql_select_db($database_rawecconn, $rawecconn);
    $uname = sanitize($_POST['uname']);
    $pword = sanitize($_POST['pword']);
    $query_LoginRec = "SELECT * FROM tbl_user where username='$uname' and password='$pword'";
    //END OF MODIFICATIONS
    //echo $query_LoginRec;
    $LoginRec = mysql_query($query_LoginRec, $rawecconn) or die(mysql_error());
    $row_LoginRec = mysql_fetch_assoc($LoginRec);
    $totalRows_LoginRec = mysql_num_rows($LoginRec);
    if($totalRows_LoginRec > 0) {
        //echo "OK";
        $ADMIN_CPanel_WFusername = $row_LoginRec['username'];
        $_SESSION['ADMIN_CPanel_WFusername'] = $ADMIN_CPanel_WFusername;
        session_register("ADMIN_CPanel_WFusername");
        //echo $row_LoginRec['username'];
    } else {
        //echo "NOTOK";
        $fontcolor=rand(0,9);
        //echo $fontcolor;
        $a[0]="#FF0000";
        $a[1]="#0000FF";
        $a[2]="#993366";
        $a[3]="#CC00CC";
        $a[4]="#FF6666";
        $a[5]="#9966FF";
        $a[6]="#9933FF";
        $a[7]="#9999FF";
        $a[8]="#FF0000";
        $a[9]="#33CCFF";
        $error_msg="
Error --> Invalid UserName & PassWord
";
        session_start();
        session_destroy();
    }
    if (session_is_registered("ADMIN_CPanel_WFusername")) {
        //echo "NOSESSIon";
        //header ("location: ../adminlogin/frm.php");
        //$insertGoTo = "../adminlogin/frm.php";
        //header(sprintf("Location: %s", $insertGoTo));
        echo "";
        die();
    }
}
?>
Login

<? echo $error_msg; ?>
WELCOME ADMIN CPANEL
Username
<? echo $lang["username"] ; ?>
Password
<? echo $lang["password"] ; ?>

function Pos() {[/code]

It looks like your post may have hit a character limit and the end of your code could have been cut off. Try to make sure that things merge properly. My modifications were only in the first few lines. I have added a comment at that point.
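Editor's added example, not code from either poster: the thread's fixes (addslashes, mysql_real_escape_string, the sanitize() wrapper) all try to make input safe before it is pasted into the SQL string. The more robust shape is to keep input out of the SQL string entirely with a prepared statement, compare a password hash instead of the stored plaintext, and HTML-encode anything that is echoed back into the page (the posted code echoes mysql_error() to the visitor via die(), which is also what the scanner's "Database Error Message" finding is about). The table and column names (tbl_user, username, password) follow the posted query; the in-memory SQLite database and the admin account are constructed here so the script runs offline (assumes PHP 7.1+ with the pdo_sqlite extension; a real deployment would use the site's MySQL DSN instead).

```php
<?php
// Added example (not the thread's code). Demonstrates a parameterised login
// check plus output encoding, using a constructed in-memory SQLite database.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');                       // assumption: pdo_sqlite available
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE tbl_user (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Store a password hash, never the plaintext, so a leaked table cannot be replayed.
    $stmt = $pdo->prepare('INSERT INTO tbl_user (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => 'admin', ':p' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the username on success, null otherwise. The user-supplied values are
// bound as parameters, so quotes, parentheses or % in them never change the query.
function checkLogin(PDO $pdo, string $uname, string $pword): ?string {
    $stmt = $pdo->prepare('SELECT username, password FROM tbl_user WHERE username = :u');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pword, $row['password'])) {
        return null;                                         // same answer for unknown user and wrong password
    }
    return $row['username'];
}

// Encoding belongs at output time: whatever is echoed into the HTML goes through
// htmlspecialchars, which is what actually stops reflected XSS. The colour is one
// of the values from the posted code.
function renderError(string $msg): string {
    return '<font color="#FF0000">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</font>';
}

$pdo = connect();

// A legitimate login succeeds.
var_dump(checkLogin($pdo, 'admin', 'correct horse battery'));

// The scanner's probe string is treated as a literal username and simply fails;
// with the original concatenated query it would have broken the SQL instead.
var_dump(checkLogin($pdo, '\'"()&%1', '\'"()&%1'));

// The same probe reflected into the page is rendered inert.
echo renderError('Invalid UserName & PassWord: ' . '\'"()&%1'), PHP_EOL;
```

Two things the block does not show because they need a web context: call session_regenerate_id(true) right after a successful checkLogin() so the session id issued before login is not reused, and on failure log the database exception server-side rather than printing it (the second added example further down covers the error-reference pattern). Note that sanitize()-style input mangling also changes what is stored: a password containing an apostrophe would be saved with a backslash in it, which is another reason to parameterise rather than escape.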

I also got some points from the program:
1- Auto Complete Enabled
Remedy: Add the attribute autocomplete="off" to the form tag or to individual "input" fields

2- Password Transmitted Over HTTP
Remedy: Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

3- Cookie Not Marked As HttpOnly
Remedy: Mark the cookie as HttpOnly

4- Database Error Message
Remedy: Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.

I will appreciate it a lot if you help me more.
Thanks in advance

What type of content does your site serve? I generally hate auto complete because it is a security risk but if your site is unlikely to have any information that third parties would be interested in, it may be good to leave that on so that there is more usability for people. Not all sites truly require a secure connection (SSL), which is what the second recommendation is talking about. Not even Facebook uses this. I am not exactly sure about number 3 here, you may want to see what richei thinks of it. The fourth one is important. Who is your web host? You may have a setting there to disable SQL error messages.

P.S. What CMS are you using? I find it somewhat surprising that they have some of these problems.
P.P.S. Another reason that I say that you don’t necessarily have to have a secure connection is that there is increased cost there and if you are not dealing with financial information or trade secrets it is unlikely to be needed.
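Editor's added example, not code from either poster, showing how the four scanner findings above map onto a few lines of PHP: the HttpOnly and Secure cookie flags (finding 3, and the cookie half of finding 2), a redirect that refuses to serve the admin pages over plain HTTP (finding 2), the error-reference pattern the report describes (finding 4), and the autocomplete attribute on the form (finding 1). The cookie path, the log file location and the thrown exception are assumptions constructed for the demonstration; the form field names (uname, pword, MM_insert, form1) are the ones in the posted page. Assumes PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
// Added example (not the thread's code). Each function corresponds to one of the
// scanner's numbered findings; only the error-reference part is exercised at the
// bottom because the rest needs a real web request to do anything.

// Findings 2 and 3: cookie flags. Must be called before session_start(). The browser
// then withholds the session cookie on plain-HTTP requests (secure) and hides it from
// document.cookie (httponly), which is what makes stealing a session via XSS hard.
function configureSessionCookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/admin/',     // assumption: admin panel lives under /admin/
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Finding 2: do not serve the login page over HTTP at all; bounce to HTTPS.
function requireHttps(): void {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

// Finding 4: never echo mysql_error() or exception text to the visitor. Record the
// detail server-side under a random reference and show the visitor only that reference.
function reportError(Throwable $e, string $logFile): string {
    $ref  = bin2hex(random_bytes(4));
    $line = sprintf("[%s] ref=%s %s in %s:%d\n",
        date('c'), $ref, $e->getMessage(), $e->getFile(), $e->getLine());
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
    return $ref;
}

// Finding 1: the login form with autocomplete disabled. A relative action keeps the
// post on the same (HTTPS) origin the page was served from.
function loginFormHtml(): string {
    return '<form name="form1" method="post" action="" autocomplete="off">'
         . '<input type="text" name="uname" autocomplete="off">'
         . '<input type="password" name="pword" autocomplete="off">'
         . '<input type="hidden" name="MM_insert" value="form1">'
         . '<input type="submit" value="Login"></form>';
}

// Demonstration of the error-reference flow with a constructed failure standing in
// for a real database error.
try {
    throw new RuntimeException('Table tbl_user does not exist');
} catch (Throwable $e) {
    $ref = reportError($e, sys_get_temp_dir() . '/admin-errors.log');   // assumed log location
    echo 'Something went wrong. Please contact the administrator and quote reference '
        . htmlspecialchars($ref, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}

echo loginFormHtml(), PHP_EOL;
```

In the real login page the order at the top would be requireHttps(), then configureSessionCookie(), then session_start(). The log file must sit outside the web root, or the reference number becomes a way to read the very error text you are hiding. On hosts that only expose php.ini switches, the same cookie flags can be set with session.cookie_httponly and session.cookie_secure, and display_errors should be off in production regardless of the reportError() wrapper.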

I know that I'm asking you a lot, but really I couldn't find anyone to help me, only you.

Our website is for a power plant, and it contains some confidential data like financial data. The CEO can show the shareholders some financial things. All the website is a Flash-based website; the CMS is a PHP page. That's why I'm doing my best to make it 100% secure.

The host company is Inmotion.

Regarding the code below, is there a way to make it more secure? Some websites are saying that I should use another code for this one.
mysql_select_db($database_rawecconn, $rawecconn);

Someone also stated this code that might be helpful, could you please check:
$array_keys = array_keys($_POST); //strips all html and script tags globally//
for( $i=0;$i<count($array_keys);$i++ ) {
$_POST[$array_keys[$i]] = strip_tags($_POST[$array_keys[$i]],',');
}

And also the code which was written by richei, is it correct and where should I place it exactly?

mysql_real_escape_string() or addslashes() on any type of user input (like the user and password).

In that case, I would seek out the help of a web development firm that has done work for companies that require strict security systems. I cannot think of anyone off the top of my head but will let you know if I find any with an impressive portfolio. Right now you have a huge liability on your hands and I would not necessarily trust the coding advice of random people on the internet for it. We have good intentions but I doubt if anyone here could honestly be considered a world expert on internet security (though I could be wrong since I am pretty new to the community). I will try to help you research some good firms that you could use but may not be able to respond very soon due to some personal issues that I am dealing with.

EDIT: Here is one that I found that you may want to look into. I have not researched them but if the claims on their site are accurate then they could be very good (though likely expensive). dsainc .com

OK thanks a lot man, but I can still use the code that you gave me before, right? It is at least more secure than the one we have?

Yes, that takes care of the problem that richei’s code was meant to handle.
