XSS in PayumServer about payumserver HOT 10 CLOSED

Not sure what to do. The UI is not meant to be used by untrusted people. It is backend stuff and only an admin or a manager have access to it. They want do xss injections, I hope.

The api must not be publicly accessible too.
Though the security topic is not solved yet in Payum. It is PoC and everything is public for now.

from payumserver.

Thank for raising starting discussion on this topic.

from payumserver.

What problems did you face trying to install payumserver?

from payumserver.

Strict data validation input should clear this up.

from payumserver.

What do you mean by Strict data validation?

from payumserver.

Giving some ideas to harden security.

• Selected input exists in the list for the current user.
• Casting it to an integer if it's an auto-incremental index will clear up some problems as it will change the whole string to '0'.
• Additional checks could be look up if value it exists within the existing range of identifiers.

It will make the code slower, but more secure.. and that's what we want for Payum.

from payumserver.

Why should we bother about it. The functionality is accessible by limited set of users. They work on your company.

We can do changes audit. What was changed and by what user.

from payumserver.

Yeah just as idea. I agree with you it's overkill @makasim.

from payumserver.

Hey,
i already fixed this issue in my pull-request.
Just an example:
Jack (a client) wants Barbara (a secretary) to add a gateway. I a mail he sends her the name (a xss) and the xss sends information (user token etc.) to Jack.

I understood that the Gatway is only accessible by a limited set of users but the security awareness of these users is important.
I always ask myselfe "what if my mum would be the secretary?"

from payumserver.

I gave it one more thought and now I tend to think we have to sanitize it. Maybe a regexp validation rule for some fields would be the way to go.

from payumserver.