An external penetration test against our upload site was able to execute JavaScript alerts with the following URL:
http://XXX-MyServer-XXX/index.php?lang=en&action=login&step=1"><script>alert("Proof%20of%20concept")</script>
I was able to fix this by using the htmlentities command to filter the input of the step & input variables.
diff of www/index.php
--- /root/openupload-0.4.2/www/index.php 2010-11-20 10:39:43.000000000 +0000
+++ index.php 2011-09-07 10:01:43.000000000 +0100
@@ -45,6 +45,8 @@
} else {
$action = '';
}
+ $action = htmlentities($action);
+
if (isset($_GET['s'])) {
$step = $_GET['s'];
} else if (isset($_GET['step'])) {
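Review bot: `$action = htmlentities($action);` encodes the value at input time rather than at the point it is written into HTML, and with no flags htmlentities() defaults to ENT_COMPAT, which leaves single quotes untouched, so an `$action` echoed inside a single-quoted attribute would still be injectable; with no charset argument it also assumes ISO-8859-1 on PHP releases before 5.4. Since `$action` selects a page action, a whitelist check against the known action names (falling back to `''` as the else branch above already does) is the more robust fix, with `htmlspecialchars($action, ENT_QUOTES, 'UTF-8')` applied wherever the value is actually output.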
@@ -54,6 +56,8 @@
} else {
$step = '';
}
+$step = htmlentities($step);
+
$configfile = 'config.inc.php';
if (defined('__NOT_MAIN_SCRIPT'))
$configfile = 'www/'.$configfile;
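Review bot: `$step = htmlentities($step);` applies the same input-time encoding to `$step`; the reported URL uses step=1, so `$step` is a numeric step selector and should be validated as an integer (e.g. `ctype_digit($step)` followed by an `(int)` cast, falling back to the empty/zero default the else branch above already produces) rather than HTML-encoded. That neutralises the `"><script>` payload and also keeps the raw string out of any comparison or string interpolation later in index.php. The same ENT_QUOTES and charset caveat as for `$action` applies if the encoded value is ever placed in a single-quoted attribute.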
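As an added example (not OpenUpload's code and not the poster's patch), the following standalone PHP script shows the alternative to encoding `$action` and `$step` on input: validate each parameter for what it is (a whitelisted action name, an integer step) and HTML-encode free-form values such as `lang` only at the output point, with ENT_QUOTES and an explicit UTF-8 charset. The action list, the `renderLoginForm()` markup and the request array are assumptions constructed for the demonstration; the payload is the one from the reported URL.

```php
<?php
// Added example, not OpenUpload's own code: validate request parameters at the
// boundary and HTML-encode at the output point, instead of running
// htmlentities() over the raw values as they are read from $_GET.

// Hypothetical list of actions this page knows about; anything else becomes ''.
const KNOWN_ACTIONS = ['', 'login', 'upload', 'download'];

function readAction(array $get): string {
    $action = isset($get['action']) ? (string) $get['action'] : '';
    // Whitelist: an attacker-controlled value never reaches the output at all.
    return in_array($action, KNOWN_ACTIONS, true) ? $action : '';
}

// step=1 in the reported URL is numeric, so accept only a non-negative integer
// (the 's' alias mirrors the $_GET['s'] / $_GET['step'] handling in the patch).
function readStep(array $get): int {
    $raw = $get['s'] ?? $get['step'] ?? '';
    return (is_string($raw) && ctype_digit($raw)) ? (int) $raw : 0;
}

// Encode exactly once, where the value is written into HTML. ENT_QUOTES covers
// single quotes too; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderLoginForm(array $get): string {
    $action = readAction($get);
    $step   = readStep($get);
    $lang   = isset($get['lang']) ? (string) $get['lang'] : 'en';
    // $lang is free-form text, so it is encoded; $step is already an int.
    return '<html lang="' . h($lang) . '">'
         . '<form method="post" action="index.php?action=' . h($action)
         . '&amp;step=' . $step . '">'
         . '<input type="hidden" name="step" value="' . $step . '">'
         . '</form></html>';
}

// Constructed request reproducing the reported payload (not a captured request).
$attack = [
    'lang'   => 'en"><script>alert(1)</script>',
    'action' => 'login',
    'step'   => '1"><script>alert("Proof of concept")</script>',
];
$html = renderLoginForm($attack);
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('payload reached the output');
}
echo $html, PHP_EOL;            // step falls back to 0, lang is entity-encoded
echo renderLoginForm(['action' => 'login', 'step' => '1']), PHP_EOL; // normal request
```

Run it with `php example.php`; the first line of output contains `&quot;&gt;&lt;script&gt;` in the `lang` attribute and `step=0`, the second shows the normal `step=1` form. Encoding at the output point means the stored value stays intact for comparisons and logging, while the whitelist and integer checks mean most injected values never need encoding in the first place.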
Anonymous
WOW, that's correct.
Thanks for the tip.
Alessandro
Should be fixed in SVN.