Closed j3rech0 closed 2 months ago
Please feel free to submit a proposed fix if you have one.
@JamesHeinrich try wrapping with htmlentities
die(htmlentities(getid3_lib::iconv_fallback($FileSystemEncoding, $PageEncoding, $_REQUEST['filename']).' does not exist'));
File Location: \demos\demo.browse.php
Vulnerable Parameter: filename=
Steps to Reproduce:
die('For security reasons, this demo has been disabled. It can be enabled by removing line '.__LINE__.' in demos/'.basename(__FILE__));
https://YOUR_LOCAL_DOMAIN/getID3-VERSION/demos/demo.browse.php?filename=%3Cscript%3Ealert(1)%3C/script%3E
Affected version:
Tested in getID3-1.9.8, getID3-1.9.20, getID3-1.9.23, getID3-2.0.0-beta6, probably all?
PoC:
I have a PoC on some running websites if you want other proof. Cheers!
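
The escaping fix suggested in this thread, as an added PHP example that is not part of the issue or of getID3's code: it passes the page encoding and `ENT_QUOTES | ENT_SUBSTITUTE` explicitly, so quotes are encoded and an invalid byte sequence does not blank the whole message. The helper name, the `UTF-8` page encoding and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration; not code from getID3 or from the issue thread.
// $pageEncoding stands in for the demo's $PageEncoding; 'UTF-8' is an assumption.
$pageEncoding = 'UTF-8';

// Hypothetical helper: escape a request value before it is written into HTML.
function escape_for_html(string $value, string $encoding): string
{
    // ENT_QUOTES encodes single quotes as well as double quotes
    // (the default flags before PHP 8.1 leave single quotes untouched).
    // ENT_SUBSTITUTE replaces invalid byte sequences with U+FFFD instead of
    // making the function return an empty string for the whole input.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $encoding);
}

// Constructed sample inputs standing in for $_REQUEST['filename'].
$samples = array(
    'script tag from the report' => '<script>alert(1)</script>',
    'single and double quotes'   => "it's a \"file\".mp3",
    'invalid UTF-8 byte'         => "track\xFF.mp3",
);

foreach ($samples as $label => $filename) {
    // Pattern the report describes: the parameter is reflected without escaping.
    $unescaped = $filename . ' does not exist';
    // Same message with the value escaped for the page encoding.
    $escaped = escape_for_html($filename, $pageEncoding) . ' does not exist';

    echo $label, PHP_EOL;
    echo '  reflected as-is: ', $unescaped, PHP_EOL;
    echo '  escaped:         ', $escaped, PHP_EOL;
}
```

Run it from the command line with PHP 7 or later to compare the two forms of each message.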