super3 / peercoin_website_old

Deprecated.
http://peercoin.net
MIT License
7 stars 46 forks

Fix reflected XSS in interview.php #224

Closed rbsec closed 10 years ago

rbsec commented 10 years ago

Fix a couple of reflected XSS issues in interview.php where $_POST parameters are echoed directly into the page.

Note that the interview.php page isn't functional on the peercoin.net site (probably due to missing ReCaptcha keys), so this issue is not currently exploitable. However, if these keys are added, the page will be vulnerable.

Also removed the check whether the stripslashes() function is present, because it's been part of PHP since version 4, and is used in another file without the check (include/recaptchalib.php). To be honest, the stripslashes() probably isn't needed at all, since magic_quotes have been disabled by default for ages, but no harm in leaving it.

PoC:

```http
POST /peercoin/interview.php HTTP/1.1
[...]
formSubject=test">
```
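The sink the PR describes, shown as an added example rather than code from the peercoin_website_old repository: a `$_POST` value echoed straight into an HTML attribute, beside the hardened form that encodes it for that context. The field name `formSubject` comes from the PoC above; the function names, the `<input>` markup and the sample payload are constructed stand-ins, and `stripslashes()` is kept only to mirror what the PR description says the page does.

```php
<?php
// Added example (not code from peercoin_website_old): a reflected XSS sink of the
// kind fixed in interview.php, next to the hardened form. The field name
// formSubject is taken from the PoC; everything else here is a constructed stand-in.

/**
 * Vulnerable: the raw POST value is echoed into a double-quoted attribute, so a
 * value such as  test"><script>alert(1)</script>  closes the attribute and the
 * <input> tag and the rest is parsed as markup.
 */
function render_subject_vulnerable(array $post): string
{
    $subject = isset($post['formSubject']) ? stripslashes($post['formSubject']) : '';
    return '<input type="text" name="formSubject" value="' . $subject . '">';
}

/**
 * Fixed: encode for the HTML attribute context at the point of output.
 * ENT_QUOTES escapes both " and ' so the value can never terminate a single- or
 * double-quoted attribute; the explicit UTF-8 charset avoids charset-dependent
 * encoding surprises. htmlspecialchars() needs no function_exists() guard, nor
 * does stripslashes(), which has been in PHP since version 4.
 */
function render_subject_fixed(array $post): string
{
    $subject = isset($post['formSubject']) ? stripslashes($post['formSubject']) : '';
    $escaped = htmlspecialchars($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="formSubject" value="' . $escaped . '">';
}

/**
 * Check used by the demo: the rendered fragment must contain exactly one
 * unescaped double quote pair around the value, i.e. no raw " or < from input.
 * Returns true when the only raw quotes are the two that delimit the attribute.
 */
function attribute_is_intact(string $html): bool
{
    // Count raw double quotes: type="text", name="formSubject", value="..." => 6.
    return substr_count($html, '"') === 6 && strpos($html, '<script') === false;
}

// Constructed sample input standing in for $_POST from the PoC request.
$samplePost = ['formSubject' => 'test"><script>alert(1)</script>'];

$vulnerable = render_subject_vulnerable($samplePost);
$fixed      = render_subject_fixed($samplePost);

echo "Vulnerable (attribute intact: " . var_export(attribute_is_intact($vulnerable), true) . "):\n";
echo $vulnerable, "\n\n";
echo "Fixed (attribute intact: " . var_export(attribute_is_intact($fixed), true) . "):\n";
echo $fixed, "\n";
```

Run it from the command line with `php demo.php`; the vulnerable output contains a live `<script>` element, while the fixed output renders the payload as the literal text `test&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;` inside the attribute. The same encoding call applies to every other `$_POST` field the page reflects, and the escaping has to be chosen per output context: `htmlspecialchars()` is right for HTML text and attributes, but not for a value placed inside a `<script>` block or a URL.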

super3 commented 10 years ago

Please squash.

rbsec commented 10 years ago

Done.