I am experiencing a relentless XSS attack that I can't seem to prevent. I've got three total input forms on my site - one is for the uploading of images, one for adding comments to a page, and a third that sends an email via PHP. I am protecting all of them in one way or another, but somehow the vulnerability is still there.
My comments code:
// $styles, $song_arr, $artist_arr, $name_arr and $k are defined elsewhere in the
// file (not shown in the question); $k indexes the submitted songs.
for ($j = 0; $j < 3; $j++) {
    $s = $styles[array_rand($styles)];
    if ($song_arr[$k] != '' && $artist_arr[$k] != '' && $name_arr[$k] != '') {
        echo '<td>';
        echo '<div class="' . $s . '" style="clear:left" >';
        echo '<p class="rendom">';
        // user-submitted values are HTML-escaped before being written into the page
        echo 'Song: ' . htmlspecialchars($song_arr[$k]) . '<br>Artist: ' . htmlspecialchars($artist_arr[$k]) . '<br>Submitted By: ' . htmlspecialchars($name_arr[$k]);
        echo '</p>';
        echo '</div>';
        echo '</td>';
    }
    $k++;
}
Upload form:
// The type and size checked here are the values reported in the upload request.
// The accepted file is saved as userfile.jpg and rescaled with the site's SimpleImage class.
if ((($_FILES["userfile"]["type"] == "image/jpg")
    || ($_FILES["userfile"]["type"] == "image/jpeg")
    || ($_FILES["userfile"]["type"] == "image/pjpeg"))
    && ($_FILES["userfile"]["size"] < 20000)) {
    if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
        if (move_uploaded_file($_FILES['userfile']['tmp_name'], 'userfile.jpg')) {
            $image = new SimpleImage();
            $image->load('userfile.jpg');
            $image->resize(29, 136);
            $image->save('userfile.jpg');
?>
<img src="img/text/uploadSuccess.jpg" alt="Image uploaded successfully." /><br />
<br />
<img src="userfile.jpg?rand=<?php echo rand(1, 10000); ?>" />
<?php
        } else {
            echo 'Moving uploaded file failed';
        }
    } else {
        echo 'File upload failed';
    }
} else {
    echo 'Invalid Filetype';
}
Email Form:
<?php
// Process input variables (trim, stripslash, reformat, generally prepare for email)
$recipients   = trim($_POST['recipients']);
$sender_email = trim($_POST['sender_email']);
$sender_name  = stripslashes(trim($_POST['sender_name']));
$subject      = stripslashes(str_replace(array("\r\n", "\n", "\r"), " ", trim($_POST['subject'])));
$message      = stripslashes(str_replace(array("\r\n", "\n", "\r"), "<br />", trim($_POST['message'])));

// Check email addresses for validity
// Explode the comma-separated list of recipients + the sender email address into an array.
// Even if there is only one recipient, this will check for validity.
$addresses = explode(",", $recipients . "," . $sender_email);

// For each email address specified...
foreach ($addresses as $address) {
    // If the email address doesn't match the regex (loosely based on the RFC 822 address syntax), assume invalid
    if (!preg_match("~^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+(?:[A-Z]{2}|com|org|net|uk|edu|jp|de|br|ca|gov|au|info|nl|fr|us|ru|it|cn|ch|tw|es|se|be|dk|pl|at|il|tv|nz|biz)$~i", trim($address))) {
        // Output error message for invalid email address and end script.
        echo '"' . $address . '" is not a valid email address. Please try again.';
        return;
    }
}

// Check other vars are not empty
if (empty($sender_name) || empty($subject) || empty($message)) {
    // Output error message and end script.
    echo 'Please complete all form fields and try again.';
    return;
}

// Send HTML email
$headers = "MIME-Version: 1.0\r\nContent-type:text/html;charset=iso-8859-1\r\nFrom: " . $sender_name . " <" . $sender_email . "> \n\n";
if (mail($recipients, $subject, $message, $headers)) {
    // Mail successfully sent, output success message and end script
    echo 'Message sent. We will be in touch with you shortly.';
    return;
} else {
    // Something unknown went wrong. =(
    echo 'Something went wrong which the little worker monkeys could not fix. Please try again.';
    return;
}
?>
The XSS keeps showing up at the absolute bottom of my index page, in which I include() all of the three above files, whose contents are in different files.
Any ideas?
In the e-mail form, you echo back invalid e-mail addresses that were submitted without escaping them. Change this line:
echo '"' . $address . '" is not a valid email address. Please try again.';
to
echo '"' . htmlspecialchars($address) . '" is not a valid email address. Please try again.';
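To make the point concrete, here is an added example (not code from the question or from this answer) that isolates the error path of the e-mail form: the address list is built and validated exactly as in the question, and the original echo is shown beside the escaped one. The regex is the question's; the attacker payload is constructed for the demonstration.

```php
<?php
// Added example, not code from the original question or answer. It isolates the
// error echo from the e-mail form to show why it is an XSS sink and what the fix does.
// The regex is the one from the question; the payload further down is constructed.

define('EMAIL_RE', '~^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+(?:[A-Z]{2}|com|org|net|uk|edu|jp|de|br|ca|gov|au|info|nl|fr|us|ru|it|cn|ch|tw|es|se|be|dk|pl|at|il|tv|nz|biz)$~i');

// As in the question: every address in the recipients list plus the sender address
// is checked, and the first one that fails the regex is what gets echoed back.
// Both fields come from $_POST, so the echoed value is fully attacker-controlled.
function first_invalid_address($recipients, $sender_email) {
    $addresses = explode(',', $recipients . ',' . $sender_email);
    foreach ($addresses as $address) {
        if (!preg_match(EMAIL_RE, trim($address))) {
            return $address;
        }
    }
    return null;
}

// Original (vulnerable): attacker-controlled text goes straight into the HTML response.
function error_unescaped($address) {
    return '"' . $address . '" is not a valid email address. Please try again.';
}

// Fixed: escape for an HTML text context. ENT_QUOTES also converts single quotes,
// and naming the charset avoids depending on the PHP version's default.
function error_escaped($address) {
    return '"' . htmlspecialchars($address, ENT_QUOTES, 'UTF-8')
        . '" is not a valid email address. Please try again.';
}

// Constructed attacker input: the sender address fails the regex, so it reaches
// the error message instead of the mail() call.
$bad = first_invalid_address('a@example.com', '"><script>alert(1)</script>');
echo error_unescaped($bad), "\n";   // the script tag is delivered to the browser intact
echo error_escaped($bad), "\n";     // the script tag is rendered as literal text
```

Note that the literal double quotes the message wraps around the value are plain text in the page, not an attribute, so the payload does not even need to break out of anything: a bare `<script>` tag in any recipient or sender field is enough. Passing `ENT_QUOTES` and the charset explicitly is the habit worth keeping; before PHP 5.4, `htmlspecialchars` left single quotes alone and assumed ISO-8859-1 by default, which bites as soon as the same value is reused inside a single-quoted attribute.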
After a quick look, it seems that the only place where you display untrusted data is in the comments. And you used htmlspecialchars, which should prevent any HTML code from being interpreted.
You say that the malicious code is at the bottom of your page. Maybe the attacker found a way to upload and include his script directly on your server? What does the included code look like? Is it JavaScript, HTML?
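Following that answer's suggestion to look for content the attacker dropped on the server, here is an added triage script (not part of the original thread). It assumes a Unix host with POSIX sh, a `grep` that supports `-r`, and `mktemp`; it runs over a constructed sample web root, so the file names and the payload strings in it are made up, and on a real site you would point the two functions at the actual document root.

```sh
#!/bin/sh
# Added example (not from the original post): find files that carry injected content
# or that are not what their extension claims. Runs over a constructed sample tree.
set -eu

# Build a small fake web root: one clean include, one include with an appended
# script tag, and a "JPEG" that is really PHP. All contents are constructed.
make_sample_root() {
  root="$(mktemp -d)"
  mkdir -p "$root/img" "$root/includes"
  printf '<?php echo "hello"; ?>\n' > "$root/index.php"
  printf '<p>Song list</p>\n' > "$root/includes/comments.php"
  printf '<?php echo "footer"; ?>\n<script src="http://evil.example/x.js"></script>\n' \
    > "$root/includes/footer.php"
  printf '<?php eval(base64_decode("aGVsbG8=")); ?>\n' > "$root/img/userfile.jpg"
  printf '%s\n' "$root"
}

# Print files under $1 containing the usual markers of injected content:
# script/iframe tags and the eval(base64_decode(...)) pattern of obfuscated PHP.
find_injected() {
  grep -rlEi '<script[ >]|<iframe[ >]|eval\(base64_decode' "$1" 2>/dev/null || true
}

# Print image files under $1 whose first line starts with a PHP open tag,
# i.e. uploads that passed a MIME-type check but are code.
find_php_in_images() {
  find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' -o -name '*.png' \) \
    -exec grep -lE '^<[?]' {} \;
}

# Print files under $1 modified within the last $2 days, newest tampering first.
recently_modified() {
  find "$1" -type f -mtime "-$2" -exec ls -lt {} +
}

ROOT="$(make_sample_root)"
echo "== files with injection markers"
find_injected "$ROOT"
echo "== image files that start with a PHP tag"
find_php_in_images "$ROOT"
echo "== files modified in the last 7 days"
recently_modified "$ROOT" 7
```

The two greps are deliberately crude: they are a first pass for locating which file is appending the content, not a webshell scanner. Once the file is known, `recently_modified` narrows the window, and the web server's access log for that window shows which request wrote it.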
This is not an answer, and not good news, but I did see something very similar to what you described in an example in the rather disturbing video ad from Symantec, "Zeus: King of the Crimeware Toolkits" at Youtube: http://www.youtube.com/watch?v=hfjPO8_pGIk
It's worth seeing the video in any case.
I have no connection with Symantec.