michaelalemu / phurl

Automatically exported from code.google.com/p/phurl
0 stars 0 forks source link

Another XSS Vulnerability #69

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
html/index_form.php vulnerable to XSS(cross site scripting)
Line 5 <?php echo $_SERVER['PHP_SELF'] ?>
visiting html/index_form.php/">(XSS here)

not cleaning php_self, allows for an injection of javascript.
i would suggest including a function to clean all get/post/cookie/requests that 
is included on every page.

Original issue reported on code.google.com by itspa...@gmail.com on 8 Jul 2010 at 6:41

GoogleCodeExporter commented 8 years ago
Actually I refine my submission, as you can lunch the page itself because it 
has an undefined function.

But it is actually affecting the index.php page
here is an actual example:
http://wp.nu/index.php/"><script>alert(1);</script>
just incase google strips the code
http://preview.tinyurl.com/2g6k42a

Original comment by itspa...@gmail.com on 9 Jul 2010 at 8:49

GoogleCodeExporter commented 8 years ago
thanks for the info, this will be fixed in the next version

Original comment by hcblahb...@gmail.com on 12 Jul 2010 at 1:51

GoogleCodeExporter commented 8 years ago

Original comment by hcblahb...@gmail.com on 26 Oct 2010 at 8:46