[interchange-bugs] [rt.icdevgroup.org #306] [Comment] XSS Exploit in demo -- UserDB.pm

Gert van der Spoel via RT interchange-comment at rt.icdevgroup.org
Mon Feb 28 08:21:52 UTC 2011


http://rt.icdevgroup.org/Ticket/Display.html?id=306
This is a comment.  It is not sent to the Requestor(s):

patched:

diff --git a/lib/Vend/UserDB.pm b/lib/Vend/UserDB.pm
index 0f5f1f5..f74af93 100644
--- a/lib/Vend/UserDB.pm
+++ b/lib/Vend/UserDB.pm
@@ -1828,7 +1828,7 @@ sub new_account {
                }
                # plain error message without user-supplied username
                # to avoid XSS exploit (RT #306)
-               die errmsg("Username contains illegal characters.\n")
+               die errmsg("Username contains illegal characters.") . "\n"
                        if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
                die errmsg("Must have at least %s characters in username.",
                        $self->{USERMINLEN}) . "\n"
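Review bot: The moved newline in this hunk is a localization fix rather than part of the XSS mitigation, and the commit message should say so: with `"\n"` inside the errmsg() argument the message key carried a trailing newline, so it could not match a translation entry, whereas `die errmsg("Username contains illegal characters.") . "\n"` now matches the style of the `Must have at least %s characters in username.` line directly below, which already appends `"\n"` outside errmsg(). The XSS fix itself is the unchanged context line above (no user-supplied username interpolated into the message). While here, note that the check `$self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$}` uses `$`, which in Perl also matches before a trailing newline; `\z` would reject a username ending in a newline, which is probably what the validation intends.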
@@ -1836,7 +1836,7 @@ sub new_account {

                if($self->{OPTIONS}{captcha}) {
                        my $status = Vend::Tags->captcha( { function => 'check'
-                       die errmsg("Must input captcha code correctly.\n")
+                       die errmsg("Must input captcha code correctly.") . "\n"
                                unless $status;
                }
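Review bot: Same newline move as in the first hunk, with the same effect on the translation lookup for `Must input captcha code correctly.`; one commit message line covering both strings is enough. The context line `my $status = Vend::Tags->captcha( { function => 'check'` is cut off in the quoted hunk (no closing `}` or `)` visible), so the surrounding code cannot be checked from this mail alone; please confirm against the repository that the captcha call is intact.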
