r1pexpb / timthumb

Automatically exported from code.google.com/p/timthumb

Cross-site Script Vulnerability - can inject javascript into URI #49

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Insert a javascript in the URI and the browser will execute it.  See
sample script below.

http://www.somewebsite.com/wp-content/themes/mytheme/scripts/timthumb.php?src=http%3A%2F%2Fwww.somewebsite.com%2Ffiles%2F2009%2F11%2FSomeImage.gif%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E&amp=&zc=1&w=120&h=90%22

What is the expected output? What do you see instead?
It should do string validation to prevent scripts from executing.  Removing
"<" and ">" would likely do the trick.

What version of the product are you using? On what operating system?
Latest version as far as I know.

Please provide any additional information below.

Original issue reported on code.google.com by jimgoi...@gmail.com on 2 Dec 2009 at 10:17

GoogleCodeExporter commented 9 years ago
I was able to fix this issue by adding one line to the clean function:
$src = htmlentities($src);

Can someone please look at this and check it in? :)

Original comment by jimgoi...@gmail.com on 7 Dec 2009 at 4:55
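
Added example, not part of the original thread and not timthumb's own code: it runs the `src` value from the report through three treatments (unescaped, angle brackets removed, `htmlentities`) and parses each result to see whether the value stays inside the markup it was written into. The `render()` and `inspect()` helpers and the page fragment are hypothetical, and the script assumes PHP's DOM extension is installed.

```php
<?php
// Added example: hypothetical helpers, not timthumb's code. Needs ext-dom.

// Constructed input: the src value from the report's URL, percent-decoded
// the way PHP decodes it before it reaches $_GET['src'].
$src = rawurldecode('http%3A%2F%2Fwww.somewebsite.com%2Ffiles%2F2009%2F11%2F'
     . 'SomeImage.gif%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E');

// Hypothetical page fragment that reflects the value in an attribute and in text.
function render(string $value): string {
    return '<p>Could not load <a href="' . $value . '">' . $value . '</a></p>';
}

// Three ways of preparing the value before it is written into the page.
$variants = [
    'unescaped'     => $src,
    'strip < and >' => str_replace(['<', '>'], '', $src),
    'htmlentities'  => htmlentities($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
];

// Parse the output with an HTML parser and report what the value turned into.
function inspect(string $html, string $intended): array {
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $a = $doc->getElementsByTagName('a')->item(0);
    return [
        // Any <script> element means the value was parsed as markup.
        'script_elements' => $doc->getElementsByTagName('script')->length,
        // False means the value ended the href attribute early.
        'href_intact'     => $a !== null && $a->getAttribute('href') === $intended,
    ];
}

foreach ($variants as $name => $value) {
    // "Intended" is the string the page meant to display: the original value
    // for the escaped variant, otherwise the value exactly as it was written.
    $intended = $name === 'htmlentities' ? $src : $value;
    $r = inspect(render($value), $intended);
    printf("%-14s script elements: %d, href intact: %s\n",
        $name, $r['script_elements'], $r['href_intact'] ? 'yes' : 'no');
}
```

The flags are passed explicitly because `htmlentities($src)` with default flags escaped double quotes but not single quotes before PHP 8.1, which matters when the value lands in a single-quoted attribute.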

GoogleCodeExporter commented 9 years ago
Thanks for the report, I have implemented your suggested fix.

Original comment by BinaryMoon on 31 Dec 2009 at 7:18