XSS in html/index_done.php

[GoogleCodeExporter]

This requires register_globals to be enabled. And for the user to click the 
short URL link on the page.

if you set 
http://example.com/phurl/html/index_done.php?short_url=javascript:alert(document
.cookie);

and the administrator clicks on the link it will alert their admin cookie for 
the control panel.

But if you tried using that javascript code as a valid URL on the front page it 
doesnt get accepted. (Please enter a valid URL to shorten.)

So Id have index_done.php use the same function to check

Original issue reported on code.google.com by itspa...@gmail.com on 28 Oct 2010 at 12:41

[GoogleCodeExporter]

Original comment by hcblahb...@gmail.com on 28 Oct 2010 at 12:56

• Changed state: Started

[GoogleCodeExporter]

I've defined "PHURL" in /index.php, and made it so all files under /html will 
only run when "PHURL" is defined. This should be a good and permanent fix.

Original comment by hcblahb...@gmail.com on 28 Oct 2010 at 1:04

• Changed state: Fixed-but-not-released

[GoogleCodeExporter]

Original comment by he...@phurlproject.org on 30 Oct 2010 at 12:40

• Changed state: Fixed