On 12/4/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities
> escaping is done by getRequestVar(). This allows the escaping to be
> bypassed. In dir.php this could be used for an XSS. Replace $dir by
> htmlentities($dir) in the error message. Or maybe it would be a good
> idea to put the urldecode() into getRequestVar() and remove it from
> all other places.

I've looked into this further, and I'm not convinced that this will
result in a vulnerability. It seems to me that htmlentities() uses a
different encoding format than urlencode() does, and so
urldecode(htmlentities($dir)) != $dir. I've tested this, and
urldecode() definitely doesn't decode the '&lt;' and '&gt;' that
htmlentities() creates. Now, you could try and submit a URL such as

http://hostname/torrentflux/dir.php?dir=%3Cscript%3Ealert('xss')%3C/script%3E

in the hopes that htmlentities() will not replace the %3C with &lt;
and then later urldecode() will replace it with '<', but this doesn't
seem to work as all the variables are urldecoded when they are read
(from my testing it seems that way, anyway). Therefore they are made
safe by htmlentities(). I'm not sure why this doesn't work, so if you
know, or have found a way to exploit this, please let me know.

Cameron
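An added example, not code from torrentflux or from either poster, that reproduces the two orderings in PHP: escape_then_decode() mirrors the sequence Stefan describes (htmlentities() in getRequestVar(), urldecode() later) and decode_then_escape() the corrected one; both function names are mine. The two inputs stand in for what PHP's own decoding of the query string hands the script, which is why the singly-encoded URL above comes out safe while a value that still contains percent sequences after that first decode does not.

```php
<?php
// Added example (not torrentflux code): why the order of htmlentities()
// and urldecode() matters, and the fixed order.

// Ordering reported on the list: the request variable is escaped when it
// is read, and urldecode() runs on the escaped value afterwards.
function escape_then_decode(string $value): string {
    return urldecode(htmlentities($value, ENT_QUOTES));
}

// Fixed ordering: finish all decoding first, then escape once for output.
// (Moving urldecode() into getRequestVar(), as suggested, achieves this.)
function decode_then_escape(string $value): string {
    return htmlentities(urldecode($value), ENT_QUOTES);
}

// PHP already URL-decodes query parameters when it builds $_GET, so a
// request for dir=%3Cb%3E reaches the script as the plain string "<b>".
$after_single_decode = '<b>';

// A parameter that still holds percent sequences after PHP's decode
// (e.g. dir=%253Cb%253E arrives as "%3Cb%3E") contains no HTML-special
// characters yet, so htmlentities() leaves it untouched and the later
// urldecode() turns it into raw "<b>".
$after_single_decode_still_encoded = '%3Cb%3E';

foreach ([$after_single_decode, $after_single_decode_still_encoded] as $value) {
    $vulnerable = escape_then_decode($value);
    $fixed      = decode_then_escape($value);
    printf("input %-10s escape-then-decode: %-10s decode-then-escape: %s%s\n",
        var_export($value, true),
        $vulnerable,
        $fixed,
        // Flag any result that still contains an unescaped angle bracket.
        (strpbrk($vulnerable, '<>') !== false) ? '   <-- raw markup survives' : '');
}
```

Only the second input yields raw markup from escape_then_decode(); decode_then_escape() returns &lt;b&gt; for both, which is the property the page's proposed fix restores.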

