#8 XSS security vulnerability fix

closed
None
5
2012-10-25
2012-06-17
Glaurungo
No

Chat doesn't check whether the logout request is a POST request.
It can be abused by third-party users, who can - for example - insert malicious image BBCode into their chat messages. Sending something like this: [img]example.pl/chat/?logout=true[/img] will log out all users or spam the window with a fast-increasing number of logout and login messages.

It can be fixed by changing the following line in the file "/lib/class/AjaxChat.php":
    $this->_requestVars['logout'] = isset($_REQUEST['logout']) ? true : false;
to:
    $this->_requestVars['logout'] = isset($_POST['logout']) ? true : false;
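
The following is an added example, not code from the ticket or from AJAX Chat itself, illustrating the difference between the two lines above. A BBCode image tag makes every viewer's browser issue a GET request for the image URL; because $_REQUEST merges GET, POST and COOKIE, the original line treats that image fetch as a logout. Reading the flag from $_POST only (the reporter's fix) makes the image fetch a no-op. The function names, the request-method parameter and the sample requests are constructed for this illustration; the optional token check goes beyond the ticket's fix and is labelled as such.

```php
<?php
// Added example (not AJAX Chat's own code). Function names and the
// array-shaped "requests" are constructed for illustration.

// Behaviour of the original line: the flag comes from $_REQUEST, so a GET
// (e.g. a browser fetching an <img> URL) is enough to end the session.
function logoutRequestedVulnerable(array $request): bool
{
    return isset($request['logout']);
}

// Behaviour of the fixed line: the flag must arrive in the POST body.
function logoutRequestedFixed(array $post, string $method): bool
{
    return $method === 'POST' && isset($post['logout']);
}

// Extra hardening beyond the ticket's fix (assumption, not AJAX Chat's code):
// a per-session secret that a third-party page cannot know, so even an
// auto-submitted cross-site form cannot trigger the logout.
function logoutRequestedWithToken(array $post, string $method, string $sessionToken): bool
{
    return $method === 'POST'
        && isset($post['logout'], $post['token'])
        && hash_equals($sessionToken, (string) $post['token']);
}

// Constructed sample requests, as the server would see them.
$sessionToken = 'constructed-session-token';
$samples = [
    // The image fetch caused by [img]example.pl/chat/?logout=true[/img]
    'image fetch (GET)' => ['method' => 'GET',  'get' => ['logout' => 'true'], 'post' => []],
    // A logout click from the chat client
    'real logout (POST)' => ['method' => 'POST', 'get' => [], 'post' => ['logout' => 'true', 'token' => $sessionToken]],
    // A cross-site form posting without knowing the token
    'foreign form (POST)' => ['method' => 'POST', 'get' => [], 'post' => ['logout' => 'true']],
];

foreach ($samples as $name => $req) {
    $merged = array_merge($req['get'], $req['post']); // what $_REQUEST would contain
    printf("%-20s vulnerable=%-6s fixed=%-6s token=%s\n",
        $name,
        logoutRequestedVulnerable($merged) ? 'logout' : 'ignore',
        logoutRequestedFixed($req['post'], $req['method']) ? 'logout' : 'ignore',
        logoutRequestedWithToken($req['post'], $req['method'], $sessionToken) ? 'logout' : 'ignore');
}
// Expected: the image fetch is 'logout' only in the vulnerable column; the
// foreign form passes the POST-only check but fails the token check.
```

Requiring POST stops the image-tag vector the ticket describes, since browsers only ever fetch images with GET. It does not by itself stop a page on another site from auto-submitting a POST form to the chat, which is why the third function additionally binds the request to a secret the chat client has but a third-party page does not.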

Discussion

  • Glaurungo

    Glaurungo - 2012-06-17

    File from 0.8.5a with fix applied

  • Philip Nicolcev

    Philip Nicolcev - 2012-09-20

    Good find.

  • Philip Nicolcev

    Philip Nicolcev - 2012-09-20
    • assigned_to: nobody --> frug
  • Philip Nicolcev

    Philip Nicolcev - 2012-10-25

    Fixed in upcoming 0.8.6. Thanks!

  • Philip Nicolcev

    Philip Nicolcev - 2012-10-25
    • status: open --> closed