#11 Security issue: XSS

Status: closed
Owner: Liroy
Labels: None
Priority: 5
Updated: 2014-04-03
Created: 2007-07-13
Creator: Anonymous
Private: No

BtitTracker version: 1.4.4 (and some previous versions)
Type: XSS, very dangerous

XSS issue in "usercp.php" on line 186.
The GET parameter "to" is echoed into the page without escaping, so it can be used to inject JavaScript (and thereby steal the cookies used for automatic login ...).

The fix is very easy: apply htmlspecialchars() to this variable before it is printed.

So line 186, which is:

print("\n".RECEIVER.":["what"]!="new" ? unesc($result["sendername"]):urldecode($_GET["to"]))."\\" size=\\"40\\" maxlength=\\"40\\" ".($_GET["what"]!="new" ? " readonly" : "")." />  ".($_GET["what"]=="new" ? "".FIND_USER."" : "")."");

has to be replaced by this one:

print("\n".RECEIVER.":["what"]!="new" ? unesc($result["sendername"]):htmlspecialchars(urldecode($_GET["to"])))."\\" size=\\"40\\" maxlength=\\"40\\" ".($_GET["what"]!="new" ? " readonly" : "")." />  ".($_GET["what"]=="new" ? "".FIND_USER."" : "")."");
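The following is an added example, not code from BtitTracker or from the reporter, that isolates the pattern behind line 186: a request parameter concatenated into the value="..." attribute of an <input>, first unescaped and then with the proposed htmlspecialchars() fix. The function names and the sample values are constructed for illustration.

```php
<?php
// Added example (not BtitTracker's own code). Function names are hypothetical.

// Vulnerable form: the raw parameter is concatenated into the value="..."
// attribute, so a double quote inside $to closes the attribute and whatever
// follows is parsed by the browser as markup.
function render_receiver_input_vulnerable(string $to): string
{
    return '<input type="text" name="to" value="' . urldecode($to)
         . '" size="40" maxlength="40" />';
}

// Fixed form: escape at the point of output, after every decoding step.
// ENT_QUOTES also escapes the single quote, so the same helper stays safe if
// the attribute is ever single-quoted; the explicit charset avoids depending
// on the default_charset ini setting.
function render_receiver_input_fixed(string $to): string
{
    $safe = htmlspecialchars(urldecode($to), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="to" value="' . $safe
         . '" size="40" maxlength="40" />';
}

// Constructed sample values: an ordinary username and a value carrying the
// characters that matter inside an attribute (" < > &), URL-encoded the way
// the original code expects to receive them.
$samples = [
    'normal'  => 'alice',
    'hostile' => '%22%3E%3Cb%3Einjected%3C%2Fb%3E',   // decodes to "><b>injected</b>
];

foreach ($samples as $label => $to) {
    echo "--- $label ---\n";
    echo "vulnerable: " . render_receiver_input_vulnerable($to) . "\n";
    echo "fixed:      " . render_receiver_input_fixed($to) . "\n";
}
```

Two points worth noticing. The order of the calls matters: PHP has already URL-decoded $_GET by the time the script runs, so the extra urldecode() in the original line decodes a second time, and a doubly encoded %2522 only becomes a quote at that step; because the fix wraps htmlspecialchars() around urldecode(), the escaping still sees the final decoded value. And the same rule applies to any value printed into that attribute, not only the "to" parameter: escape at the point of output, in the encoding of the context the value lands in.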

Discussion

  • Liroy
    Liroy
    2007-07-19

    Logged In: YES
    user_id=1776146
    Originator: NO

    ok thx we will check this bug :) btw what is your nick on btiteam forum?

     
  • Jeremie78
    Jeremie78
    2007-07-29

    Logged In: YES
    user_id=1844743
    Originator: NO

    I'm not registered ;)

     
  • Liroy
    Liroy
    2007-07-29

    Logged In: YES
    user_id=1776146
    Originator: NO

    do you see any other bugs like sql injection, xss and others?

     
  • Lupin
    Lupin
    2007-08-01

    Logged In: YES
    user_id=1294231
    Originator: NO

    fixed on SVN
