Closed isaacsu closed 13 years ago
Most files in www also contain quite a few XSS'es.
Thanks igorw. Would you be able to share with us the ones that you have found?
_app.php
You need to run both $_SERVER and $_GET data through htmlspecialchars().
<?php echo $_SERVER['SERVER_NAME']?>/<span style='color:#fff'><?php echo $_GET['room']?></span>
The same in _head.php, index.php, iphone.php, print.php, redis/authenticate.php.
In case of index.php it also makes sense to use json_encode().
Another thing, print.php has calls to stripslashes. Looks like somebody had magic quotes enabled.
Fixed original issue with commit e7ebb32c415fcdf8345a6ce6a8eb57e1df9cf53c
And what about the PHP XSSes?
/index.php?room=<script>doEvilStuff();</script>
This stuff needs to be escaped on the server side.
I've opened a separate issue #12 for it.
Uhh, ugh. Seeing $_GET being output without escaping put a lid on my excitement about finding this project. The script error above has not been fixed on twich.me yet.
Like this:
http://x/"style="background-image:url('http://www.google.com/intl/en_ALL/images/srpr/logo1w.png')
and
http://x/"style="background:url('http://www.google.com/intl/en_ALL/images/srpr/logo1w.png');font-size:100em"
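The following is an added example and not code from the twich.me repository or from any participant in this thread. It puts the escaping igorw recommends (htmlspecialchars() for $_SERVER and $_GET values written into HTML, json_encode() for the index.php case where a value is handed to client-side script) next to the unescaped _app.php snippet quoted earlier, and feeds it the two kinds of payload posted here: the <script> injection and the quote-breaking style attribute injection. The helper names h(), js_value() and the render_* functions are hypothetical; the sample inputs are constructed from the payloads in this thread.

```php
<?php
// Added example, not part of the twich.me code base.
// Helper names below (h, js_value, render_room_*) are hypothetical.

declare(strict_types=1);

// Escape a value for an HTML text node or a quoted attribute.
// ENT_QUOTES escapes both " and ' so the value cannot close either kind of
// quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of making
// htmlspecialchars() return an empty string, which would fail silently.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode a value for use inside a <script> block. The JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes, so a payload cannot end the script element
// with "</script>" or break out of the string literal.
function js_value($value): string
{
    $flags   = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $encoded = json_encode($value, $flags);
    if ($encoded === false) {
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    return $encoded;
}

// Vulnerable form, equivalent to the _app.php line quoted in this issue:
// both values are written into the page verbatim.
function render_room_vulnerable(string $serverName, string $room): string
{
    return $serverName . "/<span style='color:#fff'>" . $room . "</span>";
}

// Fixed form. $_SERVER['SERVER_NAME'] is escaped too, because depending on
// the web server configuration it can be derived from the client's Host
// header rather than from a fixed server setting.
function render_room_fixed(string $serverName, string $room): string
{
    return h($serverName) . "/<span style='color:#fff'>" . h($room) . "</span>";
}

// index.php-style case: the room name is passed to client-side JavaScript.
// json_encode() rather than htmlspecialchars() is the right tool here, since
// HTML entities are not decoded inside <script>.
function render_room_script_fixed(string $room): string
{
    return '<script>var room = ' . js_value($room) . ';</script>';
}

// Constructed inputs, taken from the payloads posted in this thread.
$payloads = [
    '<script>doEvilStuff();</script>',
    "\"style=\"background:url('http://www.google.com/intl/en_ALL/images/srpr/logo1w.png');font-size:100em",
];

foreach ($payloads as $room) {
    echo 'vulnerable: ' . render_room_vulnerable('twich.me', $room) . PHP_EOL;
    echo 'fixed:      ' . render_room_fixed('twich.me', $room) . PHP_EOL;
    echo 'script:     ' . render_room_script_fixed($room) . PHP_EOL . PHP_EOL;
}
```

Run it with `php example.php` and compare the three lines per payload: in the vulnerable output the <script> tag and the injected style attribute survive intact, in the fixed output every < > " ' & has become an entity, and in the script output the same characters appear as \u003C, \u0022 and so on. The escaping is per context: a value that is safe in a text node is not automatically safe in a URL or an unquoted attribute, so each output site needs the encoder for its own context, and the stripslashes() calls igorw mentions in print.php should go away rather than be relied on as a substitute.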