On 12/4/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities
> escaping is done by getRequestVar(). This allows the escaping to be
> bypassed. In dir.php this could be used for an XSS. Replace $dir by
> htmlentities($dir) in the error message. Or maybe it would be a good idea
> to put the urldecode() into getRequestVar() and remove it from all other
> places.
I've looked into this further, and I'm not convinced that this will result in a vulnerability. It seems to me that htmlentities() uses a different encoding format than urlencode() does, and so urldecode(htmlentities($dir)) != $dir. I've tested this, and urldecode() definitely doesn't decode the '&lt;' and '&gt;' that htmlentities() creates.

Now, you could try to submit a URL such as http://hostname/torrentflux/dir.php?dir=%3Cscript%3Ealert('xss')%3C/script%3E in the hope that htmlentities() will not replace the %3C with &lt; and that urldecode() will later replace it with '<', but this doesn't seem to work, as all the variables are urldecoded when they are read (from my testing it seems that way, anyway). Therefore they are made safe by htmlentities().

I'm not sure why this doesn't work, so if you know, or have found a way to exploit this, please let me know.

Cameron

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
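The point at issue in the exchange above is the order of the two calls, so here is an added example that is not TorrentFlux code: it puts the escape-then-decode order described for index.php/dir.php beside the decode-then-escape order Stefan suggests (urldecode() inside getRequestVar()). The function names and the sample values are constructed for illustration; the samples are meant to represent what getRequestVar() sees after PHP has already decoded the query string, which is why a plain '<' is escaped in both orders, while a value that still contains a literal percent sequence at escaping time is exactly the case where the order matters.

```php
<?php
// Added example, not TorrentFlux code. Function names are hypothetical
// stand-ins for the two orderings discussed on the list.

// Check used below: does the output still contain an unescaped angle bracket?
function contains_raw_tag(string $s): bool {
    return strpbrk($s, '<>') !== false;
}

// Unsafe order (as reported for index.php/dir.php): escape first, then decode.
// htmlentities() does not touch '%3C', so a later urldecode() turns it into '<'.
function unsafe_escape_then_decode(string $raw): string {
    $escaped = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    return urldecode($escaped);
}

// Hardened order (move urldecode() into getRequestVar()): decode first,
// then escape the final value that will actually be emitted into HTML.
function safe_decode_then_escape(string $raw): string {
    $decoded = urldecode($raw);
    return htmlentities($decoded, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values as they would arrive in getRequestVar()
// after PHP's own decoding of the query string.
$samples = [
    "<script>alert('xss')</script>",         // '<' already decoded: both orders escape it
    "%3Cscript%3Ealert('xss')%3C/script%3E", // literal percent sequences survive htmlentities()
    "my%20dir",                              // benign encoded space, both orders are fine
];

foreach ($samples as $raw) {
    $unsafe = unsafe_escape_then_decode($raw);
    $safe   = safe_decode_then_escape($raw);
    printf("raw:    %s\n", $raw);
    printf("unsafe: %s  [%s]\n", $unsafe,
        contains_raw_tag($unsafe) ? 'RAW TAG LEAKED' : 'ok');
    printf("safe:   %s  [%s]\n\n", $safe,
        contains_raw_tag($safe) ? 'RAW TAG LEAKED' : 'ok');
}
```

For the second sample the unsafe order yields `<script>alert(&#039;xss&#039;)</script>`, i.e. the tags come back unescaped, while the hardened order yields `&lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;`. The general rule the example illustrates is that htmlentities() must be the last transformation applied before the value reaches the HTML output; any decoding step after it can undo the escaping.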