#11 Security issue : XSS

[Anonymous]

BtitTracker version : 1.4.4 (and some previous versions)
Type : XSS, very dangerous

XSS issue in "usercp.php" on line 186.
The GET parameter "to" can be used to insert Javascript (and by this, steal cookies for automatic connection ...).

The bug correction is very easy, just use an htmlspecialchars on this variable.

So the line 186, which is :

print("\n".RECEIVER.":<input type="\\"text\\"" name="\\"receiver\\"" value="\\"".($_GET&lt;span">["what"]!="new" ? unesc($result["sendername"]):urldecode($_GET["to"]))."\\" size=\\"40\\" maxlength=\\"40\\" ".($_GET["what"]!="new" ? " readonly" : "")." />  ".($_GET["what"]=="new" ? "".FIND_USER."" : "")."");

Has to be replaced by this one :

print("\n".RECEIVER.":<input type="\\"text\\"" name="\\"receiver\\"" value="\\"".($_GET&lt;span">["what"]!="new" ? unesc($result["sendername"]):htmlspecialchars(urldecode($_GET["to"])))."\\" size=\\"40\\" maxlength=\\"40\\" ".($_GET["what"]!="new" ? " readonly" : "")." />  ".($_GET["what"]=="new" ? "".FIND_USER."" : "")."");

[Liroy]

Logged In: YES
user_id=1776146
Originator: NO

ok thx we will check this bug :) btw what is your nick on btiteam forum?

[Jeremie78]

Logged In: YES
user_id=1844743
Originator: NO

I'm not registered ;)

[Liroy]

Logged In: YES
user_id=1776146
Originator: NO

do you see any other bugs like sql injection, xss and others?

[Lupin]

Logged In: YES
user_id=1294231
Originator: NO

fixed on SVN

[Nobody/Anonymous]

R9Ifpz hshwvyetjlmr, [url=http://qduianjlkvap.com/]qduianjlkvap[/url], [link=http://pgrzwyixzixn.com/]pgrzwyixzixn[/link], http://bkjbytysmrvg.com/