[ic] XSS Exploit in demo -- UserDB.pm
Carl Bailey
carl at endpoint.com
Wed Aug 26 17:56:55 UTC 2009
I found an XSS problem (confirmed in the demo) with the new-account
page. To reproduce it, go to the new account page and enter the
following as the username:
"><script>alert(123)</script>
The page returns with an error that the username has invalid
characters, but displays the bogus username unsanitized.
Here's a fix:
UserDB.pm (IC version 5.6 line 1698)
- die errmsg("Can't have '%s' as username; it contains illegal
characters.",
- $self->{USERNAME}) . "\n"
- if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
+ if ($self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$} )
+ {
+ my $sanitized_name = $self->{USERNAME};
+ $sanitized_name =~ s/</</g;
+ die errmsg("Can't have '%s' as username; it contains
illegal characters.", $sanitized_name . "\n");
+ }
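Review bot: the substitution `$sanitized_name =~ s/</</g;` as it appears here replaces `<` with `<`, a no-op, so the `<script>` from the reproduction string still reaches the page unchanged; the replacement side needs to be the entity `&lt;` (it was probably eaten in transit as HTML). Escaping only `<` is also not enough for the reported input, which begins with `">` to close an attribute: `&`, `>`, `"` and `'` need the same treatment (`&` first, so later entities are not double-escaped), or the name should go through the HTML-escaping filter the rest of the templates use. Separately, the `. "\n"` has moved inside the `errmsg(...)` argument list, so the newline is appended to `$sanitized_name` and lands inside the quotes, while the message itself loses its trailing newline; keep the original shape, `die errmsg("...", $sanitized_name) . "\n";`.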
Carl
. . . . . . . . . . . . . . . . . . .
Carl Bailey
t: 919-323-8025
carl at endpoint.com
. . . . . . . . . . . . . . . . . . .
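As an added illustration of the hardened form of the fix (this is not code from the post or from Interchange's UserDB.pm): the username is validated first, and only an HTML-escaped copy is ever interpolated into the error message. `$VALIDCHARS` below is a hypothetical stand-in for the character class UserDB.pm keeps in `$self->{VALIDCHARS}`, and `sprintf` stands in for Interchange's `errmsg`; the reproduction string is the one reported in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that let attacker-controlled text break out of
# an HTML text or attribute context. '&' must be handled first, otherwise the
# entities produced by the later substitutions would be escaped a second time.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hypothetical stand-in for $self->{VALIDCHARS}: one allowed username character.
my $VALIDCHARS = '[-A-Za-z0-9_@.]';

# Returns undef for an acceptable username, otherwise the error text that is
# safe to echo back into the page. The trailing newline is appended to the
# formatted message, not to the interpolated username.
sub username_error {
    my ($username) = @_;
    return undef if $username =~ m{^$VALIDCHARS+$};
    return sprintf("Can't have '%s' as username; it contains illegal characters.",
                   html_escape($username)) . "\n";
}

# Constructed inputs: the payload reported in the post and a harmless name.
for my $name ('"><script>alert(123)</script>', 'carl_bailey') {
    my $err = username_error($name);
    if (defined $err) {
        print $err;
        # Sanity check: no raw markup characters survive in the echoed name.
        die "escaping failed" if $err =~ /<script/;
    } else {
        print "OK: '$name' accepted\n";
    }
}
```

With the payload the output reads `Can't have '&quot;&gt;&lt;script&gt;alert(123)&lt;/script&gt;' as username; ...`, which the browser renders as literal text rather than executing.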