Persistent XSS in admin/index.php

sharma-pankaj-tech / phurl

Automatically exported from code.google.com/p/phurl

0 stars 0 forks source link

Persistent XSS in admin/index.php #90

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

If a user submits a URL with XSS, example <script>alert(1);</script>

And the admin visits their admin panel, they will see a javascript alert box 
pop-up.

This could lead to session hijacking, redraw the page, and much more.

Clean user inputs and clean values you are displaying back to a user. (even if 
that user is the admin)

Original issue reported on code.google.com by itspa...@gmail.com on 26 Oct 2010 at 1:47

GoogleCodeExporter commented 9 years ago

Hi,

I understand the urgence for these bugs, however I am failing to reproduce them.

Could you possibly tell me the browser you are using, and the server software 
you are running phurl on (also an example link if possible)

Thanks in advance

Original comment by he...@hencomail.com on 26 Oct 2010 at 2:22

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

I am running this on a closed system, with most up to date php package.

Here are my php.ini settings
display_error set to On
register_globals set to On
magic_quotes_gpc set to Off

for this specific vulnerability I use firefox.
I visit the homepage, enter in the URL, http://<script>alert(1);</script>
It tells me your short URL is http://site.com/phurl/c

I visit the admin panel, login, and on that page, i get a javascript alert box 
stating 1.

Original comment by itspa...@gmail.com on 26 Oct 2010 at 2:41

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Ok thanks, I've got that one. I still can't reproduce the other ones where you 
append the script to the url however. Any more info on these?

Original comment by he...@hencomail.com on 26 Oct 2010 at 3:04

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

I have tried reversing all those security settings to be more secure and I can 
still append to the end of the index.php, just like I submitted in the last 
version.

This example is from the old version, but it is the same code:
http://wp.nu/index.php/"><script>alert(1);</script>

It is a known with PHP this can happen, google "php_self xss"

Original comment by itspa...@gmail.com on 26 Oct 2010 at 3:17

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

or check this out:
http://www.phpro.org/tutorials/PHP-Security.html#2

Original comment by itspa...@gmail.com on 26 Oct 2010 at 3:24

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Thanks, will fix for version 2.4.1 :)

Original comment by he...@hencomail.com on 26 Oct 2010 at 5:45

Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Original comment by hcblahb...@gmail.com on 26 Oct 2010 at 7:51

Changed state: Fixed-but-not-released
Added labels: ****
Removed labels: ****

GoogleCodeExporter commented 9 years ago

Original comment by hcblahb...@gmail.com on 28 Oct 2010 at 12:12

Changed state: Fixed
Added labels: ****
Removed labels: ****