sparc / phpWhois.org

Original phpWhois sources
http://www.phpwhois.org
GNU General Public License v2.0

Possible XSS vulnerability #21

Closed enferas closed 2 years ago

enferas commented 3 years ago

Hello,

I would like to report an XSS vulnerability.

In file example.php

// line 38
$query = $_GET['query'];
// line 64
$resout = str_replace('{query}', $query, $resout);
// line 111
$resout = str_replace('{result}', $winfo, $resout);
// line 117
exit(str_replace('{results}', $resout, $out));

The exit function will terminate the script and print the message to the user. The message will contain $_GET['query'], so there is an XSS vulnerability.
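An added illustration of the pattern reported above, not code from phpWhois: the template substitution reduced to a function, with the raw form beside one that HTML-encodes the request value before it is spliced into the page. The template string and the request value are constructed here for the demo.

```php
<?php
// Added example, not phpWhois code. Mirrors example.php's flow:
// a query parameter and the whois output are str_replace'd into an
// HTML skeleton that is then written straight to the client.

// Constructed stand-in for the HTML template example.php fills in.
$template = '<p>Results for: {query}</p><pre>{result}</pre>';

// Vulnerable form: the query string is copied into the markup verbatim,
// so any tags it contains are rendered and scripts in it execute.
function render_unsafe(string $template, string $query, string $winfo): string
{
    $resout = str_replace('{query}', $query, $template);
    return str_replace('{result}', $winfo, $resout);
}

// Hardened form: encode every untrusted value for an HTML text context
// before substitution. ENT_QUOTES also escapes ' and " so the value is
// safe inside quoted attributes; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, which would otherwise silently drop the value.
function render_safe(string $template, string $query, string $winfo): string
{
    $esc = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $resout = str_replace('{query}', $esc($query), $template);
    // The whois response is external data too, so it gets the same treatment.
    return str_replace('{result}', $esc($winfo), $resout);
}

// Constructed request value; in example.php this comes from $_GET['query'].
$query = '<script>alert("xss")</script>';
$winfo = 'constructed whois output for example.com';

echo render_unsafe($template, $query, $winfo), PHP_EOL;
echo render_safe($template, $query, $winfo), PHP_EOL;
```

Running it prints the first line with the script tag intact and the second with it encoded as `&lt;script&gt;...`, which a browser displays as text rather than executing.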

enferas commented 2 years ago

CVE-2021-43698 is assigned to this discovery.

An unspecified version of phpWhois is affected by a Cross Site Scripting (XSS) vulnerability. In file example.php, the exit function will terminate the script and print the message to the user. The message will contain $_GET['query'], so there is an XSS vulnerability.

sparc commented 2 years ago

thanks! fixed!