Open GoogleCodeExporter opened 8 years ago
I meant:
print "javascript:'@1.3.3.7/http://',alert(1);"
Original comment by evn@google.com
on 6 Oct 2011 at 7:24
Ugh, Google Code is eating my quotes... There should be a quote after the ;
Original comment by evn@google.com
on 6 Oct 2011 at 7:25
Can you help with an explanation of the problem? Simply, I don't understand
what the 'vulnerability' means.
Original comment by beewoo...@gmail.com
on 31 Mar 2012 at 10:53
It's called XSS. If the user is tricked into clicking such a link, he would be
executing attacker-provided JS code.
Original comment by evn@google.com
on 1 Apr 2012 at 8:12
How would the attacker get their code into the demo html file?
Perhaps what would be most helpful would be a patch that modifies the file or
files that have the vulnerability and eliminates the problem.
Original comment by beewoo...@gmail.com
on 1 Apr 2012 at 10:36
Contributing code to this project is complicated with the license this code
has and where I work.
The attacker can get the attack in any number of ways. If shellinabox is
being used to proxy SSH, then it could be sent via IRC or in an email and so
on.
Original comment by evn@google.com
on 1 Apr 2012 at 5:06
Original issue reported on code.google.com by
evn@google.com
on 6 Oct 2011 at 7:18
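The thread asks for a fix that removes the problem. As an added example (not shellinabox code and not from any commenter), here is one way a web terminal could vet text before turning it into a clickable link: parse it as a URL and allow only http/https schemes. The function names, the allowlist and the naive check are assumptions for illustration; the first sample is the string quoted in the thread with the closing quote restored, the rest are constructed.

```javascript
// Added example: scheme allowlist for text a web terminal would make clickable.
// Assumption: only http and https links should ever become clickable.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical weak check (NOT shellinabox's code): treats any text that
// contains "http://" as a web link, wherever the substring appears.
function naiveLooksLikeLink(text) {
  return text.includes("http://");
}

// Returns the scheme the URL parser actually sees, or null if the text is
// not an absolute URL. The parser trims leading whitespace and lowercases
// the scheme, so " JavaScript:" is reported as "javascript:".
function schemeOf(text) {
  try {
    return new URL(text).protocol;
  } catch {
    return null;
  }
}

// Hardened check: decide on the parsed scheme, never on substrings.
function isSafeLink(text) {
  const scheme = schemeOf(text);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}

// Sample inputs (first is from the thread, the others are constructed).
const SAMPLES = [
  "javascript:'@1.3.3.7/http://',alert(1);'",
  " JavaScript:alert(1)",
  "1.3.3.7/http://",
  "http://1.3.3.7/",
  "https://example.com/docs",
];

// Compare both checks on every sample.
function classify(samples) {
  return samples.map((text) => ({
    text,
    scheme: schemeOf(text),
    naive: naiveLooksLikeLink(text),
    safe: isSafeLink(text),
  }));
}

for (const row of classify(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

The string from the thread contains "http://" and an address-like "@1.3.3.7/", yet its parsed scheme is `javascript:`, so a substring check accepts it while the allowlist rejects it.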