#11 Security issue: XSS

Status: closed
Owner: Liroy
Labels: None
Priority: 5
Updated: 2014-04-03
Created: 2007-07-13
Creator: Anonymous
Private: No

BtitTracker version: 1.4.4 (and some previous versions)
Type: XSS, very dangerous

XSS issue in "usercp.php" on line 186.
The GET parameter "to" can be used to insert JavaScript (and, by this, steal the cookies used for automatic connection ...).

The fix is very easy: just use htmlspecialchars on this variable.

So line 186, which is:

print("\n".RECEIVER.":<input type=\"text\" name=\"receiver\" value=\"".($_GET["what"]!="new" ? unesc($result["sendername"]):urldecode($_GET["to"]))."\" size=\"40\" maxlength=\"40\" ".($_GET["what"]!="new" ? " readonly" : "")." />  ".($_GET["what"]=="new" ? "".FIND_USER."" : "")."");

has to be replaced by this one:

print("\n".RECEIVER.":<input type=\"text\" name=\"receiver\" value=\"".($_GET["what"]!="new" ? unesc($result["sendername"]):htmlspecialchars(urldecode($_GET["to"])))."\" size=\"40\" maxlength=\"40\" ".($_GET["what"]!="new" ? " readonly" : "")." />  ".($_GET["what"]=="new" ? "".FIND_USER."" : "")."");
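
As an added example, not BtitTracker's own code: a self-contained PHP rebuild of the "receiver" field from line 186, with the unescaped and the escaped variant side by side so the effect of htmlspecialchars on the attribute value can be compared. The function names, the sample "to" value and the omission of the project's unesc() helper are assumptions.

```php
<?php
// Added example, not BtitTracker's own code. Rebuilds the "receiver" <input>
// from usercp.php as two functions so the unescaped and the escaped output can
// be compared. Function names are assumed; the project's unesc() helper is
// left out, so the sender name is passed in already prepared.

function receiver_input_unsafe(string $what, string $to, string $sendername): string
{
    // Same shape as the original line 186: $to goes straight into the attribute.
    $value = ($what != "new") ? $sendername : urldecode($to);
    return "<input type=\"text\" name=\"receiver\" value=\"" . $value
         . "\" size=\"40\" maxlength=\"40\""
         . (($what != "new") ? " readonly" : "") . " />";
}

function receiver_input_safe(string $what, string $to, string $sendername): string
{
    // Escape after the last decoding step, exactly where the fix places it.
    // ENT_QUOTES also converts single quotes, so the helper stays safe if the
    // attribute is ever changed to single quotes; the charset is made explicit.
    $value = ($what != "new") ? $sendername : urldecode($to);
    $value = htmlspecialchars($value, ENT_QUOTES, "UTF-8");
    return "<input type=\"text\" name=\"receiver\" value=\"" . $value
         . "\" size=\"40\" maxlength=\"40\""
         . (($what != "new") ? " readonly" : "") . " />";
}

// Constructed sample "to" value: a double quote and an angle bracket are enough
// to show whether the attribute boundary survives.
$sample_to = 'bob" <demo>';

// The quote in $sample_to terminates the value attribute early, so the rest
// of the string lands in the tag itself.
echo receiver_input_unsafe("new", $sample_to, ""), "\n";

// htmlspecialchars turns " into &quot; and < into &lt;, so the whole value
// stays inside the attribute and is rendered as text.
echo receiver_input_safe("new", $sample_to, ""), "\n";
```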

Discussion

  • Liroy - 2007-07-19

    ok thx we will check this bug :) btw what is your nick on btiteam forum?

  • Jeremie78 - 2007-07-29

    I'm not registered ;)

  • Liroy - 2007-07-29

    do you see any other bugs like SQL injection, XSS and others?

  • Lupin - 2007-08-01

    fixed on SVN

