Open Upload / Patches / #12 XSS Vulnerability

#12 XSS Vulnerability

Status: open

Owner: Alessandro Briosi

Labels: fix (3)

Priority: 5

Updated: 2012-09-14

Created: 2011-09-09

Creator: Anonymous

Private: No

An external penetration test against our upload site was able to execute Javascript alerts with the following URL

http://XXX-MyServer-XXX/index.php?lang=en&action=login&step=1"><script>alert("Proof%20of%20concept")</script>

I was able to fix this by using the htmlentities command to filter the input of the step & input variables

diff of www/index.php

--- /root/openupload-0.4.2/www/index.php 2010-11-20 10:39:43.000000000 +0000
+++ index.php 2011-09-07 10:01:43.000000000 +0100
@@ -45,6 +45,8 @@
} else {
$action = '';
}
+ $action = htmlentities($action);
+
if (isset($_GET['s'])) {
$step = $_GET['s'];
} else if (isset($_GET['step'])) {
@@ -54,6 +56,8 @@
} else {
$step = '';
}
+$step = htmlentities($step);
+
$configfile = 'config.inc.php';
if (defined('__NOT_MAIN_SCRIPT'))
$configfile = 'www/'.$configfile;

Discussion

Alessandro Briosi - 2011-09-09

WOW, that's correct.
thanks for the tip.

Alessandro

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Anonymous
  
  Add attachments
  Cancel
  You seem to have CSS turned off. Please don't fill out this field.
  
  You seem to have CSS turned off. Please don't fill out this field.

Alessandro Briosi - 2011-09-09

should be fixed in SVN

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
- Anonymous
  
  Add attachments
  Cancel
  You seem to have CSS turned off. Please don't fill out this field.
  
  You seem to have CSS turned off. Please don't fill out this field.

Anonymous

XSS Vulnerability

Group

Searches

Help

#12 XSS Vulnerability

Discussion