GForge

Summary Reporting Search Forums Tracker

Feature Requests

Bugs

To-Do

4.5 Items

4.6 Items

4.7 Items

Documentation

Localization

4.0 Items

Patches

Docs News Files Lists Wiki SVN

Home » Projects » GForge » Tracker » Bugs » Edit Tracker Item

[#3094] HTML injection on verify.php and possible XSS

Submitted By: Jose Sanchez
Open Date 2007-09-10 11:36:08
Priority: Medium	Assignee: Nobody
Fixed In Release: wiki-0.92	Status: Open
Found In Release: wiki-0.92	Category: Account Maintenance
Group: v4.6b1
Summary HTML injection on verify.php and possible XSS
Details There is a little bug that can allow to insert html code (and maybe even javascript) on account/verify.php, the string is not securely parsed and when you type this kind of URL: http://[TheGForgePath]/account/verify.php?confirm_hash="/><p>This must not happen</p> you see the text down in the form "This must not happen" in a new paragraph. This could be used to make phising of the account (inserting a new form with different action), putting spam texts, etc The correction is very easy, you only need to use the htmlentities() function with that parameter (only in the form) on the file verify.php: Before: <input type="hidden" name="confirm_hash" value="<?php print $confirm_hash; ?>" /> After: <input type="hidden" name="confirm_hash" value="<?php print htmlentities($confirm_hash); ?>" /> This line is near from line 99 in my code (I have a modified version, so the line could differ). I haven't tried on this server, but I think that this server is vulnerable too. Affected versions are at least 4.6 but I also think that previous are vulnerable too.
Details There is a little bug that can allow to insert html code (and maybe even javascript) on account/verify.php, the string is not securely parsed and when you type this kind of URL: http://[TheGForgePath]/account/verify.php?confirm_hash="/><p>This must not happen</p> you see the text down in the form "This must not happen" in a new paragraph. This could be used to make phising of the account (inserting a new form with different action), putting spam texts, etc The correction is very easy, you only need to use the htmlentities() function with that parameter (only in the form) on the file verify.php: Before: <input type="hidden" name="confirm_hash" value="<?php print $confirm_hash; ?>" /> After: <input type="hidden" name="confirm_hash" value="<?php print htmlentities($confirm_hash); ?>" /> This line is near from line 99 in my code (I have a modified version, so the line could differ). I haven't tried on this server, but I think that this server is vulnerable too. Affected versions are at least 4.6 but I also think that previous are vulnerable too.

Follow-ups
Submitted By: Timothy Perdue Adddate: 2007-09-12 19:36:17 This is patched in trunk, 4.6 and 45

File Name	File Type	File Size	Posted By
No Files Were Found

Change Date	User Id	Field Name	Old Value	New Value
No Changes Were Found

File	Date	Previous Version	New Version	Message Log	By
No Commits Found

Dependent On Other Items

ID	Summary	Percent	Status	Delete
No Dependencies Were Found

Items Dependent On This Item

ID	Summary
No Dependencies Were Found

Duplicate of items

ID	Summary	Percent	Status	Delete
No Duplicates Were Found

Items that are duplicates of this item

ID	Summary	Percent	Status
No Duplicates Were Found

Associated Item	Comment
No Associated Items Found
~~Add Association~~

Save changes Back