xss problem with http:// auto link functionality

[isaacsu]

like this

http://x/"style="background-image:url('http://www.google.com/intl/en_ALL/images/srpr/logo1w.png')

and

http://x/"style="background:url('http://www.google.com/intl/en_ALL/images/srpr/logo1w.png');font-size:100em"

[igorw]

Most files in www also contain quite a few XSS'es.

[isaacsu]

thanks igorw. would you be able to share with us the ones that you have found?

[igorw]

_app.php

You need to run both $_SERVER and $_GET data through htmlspecialchars().

<?php echo $_SERVER['SERVER_NAME']?>/<span style='color:#fff'><?php echo $_GET['room']?></span>

The same in _head.php, index.php, iphone.php, print.php, redis/authenticate.php.

In case of index.php it also makes sense to use json_encode().

Another thing, print.php has calls to stripslashes. Looks like somebody had magic quotes enabled.

[isaacsu]

fixed original issue with commit e7ebb32c415fcdf8345a6ce6a8eb57e1df9cf53c

[igorw]

And what about the PHP XSSes?

/index.php?room=<script>doEvilStuff();</script>

This stuff needs to be escaped on the server side.

[isaacsu]

I've opened a separate issue #12 for it.

[moinsen]

Uhh, ugh. Seeing $_GET being outputted without escaping put a lid on my excitement about finding this project. The script error above was not fixed on twich.me, yet.