[ic] XSS Exploit in demo -- UserDB.pm
Stefan Hornburg
racke at linuxia.de
Thu Aug 27 07:05:34 UTC 2009
Carl Bailey wrote:
> I found an XSS problem (confirmed in the demo) with the new-account
> page. To reproduce it, go to the new account page and enter the
> following as the username:
>
> "><script>alert(123)</script>
>
> The page returns with an error that the username has invalid
> characters, but displays the bogus username unsanitized.
>
> Here's a fix:
>
> UserDB.pm (IC version 5.6 line 1698)
>
> - die errmsg("Can't have '%s' as username; it contains illegal
> characters.",
> - $self->{USERNAME}) . "\n"
> - if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
> + if ($self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$} )
> + {
> + my $sanitized_name = $self->{USERNAME};
> + $sanitized_name =~ s/</</g;
> + die errmsg("Can't have '%s' as username; it contains
> illegal characters.", $sanitized_name . "\n");
> + }
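Review bot: The escaping line `+ $sanitized_name =~ s/</</g;` replaces `<` with `<`, which is a no-op, so the username is still echoed unescaped and the reproducer above still fires; the intended replacement is presumably `&lt;`, and `>`, `&` and `"` should be escaped too (or an existing HTML-escaping routine used), since the payload starts with `">` and the message could land in an attribute context. Also, in the `+ die errmsg(...)` lines the `. "\n"` has moved inside errmsg()'s argument list (`$sanitized_name . "\n"`), so the newline becomes part of the %s substitution instead of being appended to the result as in the removed lines; keep `) . "\n"` outside the call. Minor: `^...$` lets a username with a trailing newline pass the check, `\A...\z` would not.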
Let's just say "Username contains illegal characters."
So we don't need to think about XSS exploits in this part of the code anymore,
and feedback to the user is still fair enough.
In addition to that, the valid characters should be shown on the new
account page.
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
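An added example in Perl (not Interchange's UserDB.pm, and not code from either poster) that puts the two approaches from the thread side by side: a fixed message plus a description of the allowed characters, and a reflect-but-escape variant. The character class, the html_escape helper, the function names and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Interchange code): validate a username against an
# allowed-character class and never reflect the raw input into HTML.
use strict;
use warnings;

# Assumed allowed-character class, standing in for $self->{VALIDCHARS}.
my $VALIDCHARS = '[-\w_.@]';
my $ALLOWED_TEXT = 'letters, digits and - _ . @';

# Minimal HTML escaping for text nodes and attribute values: covers the
# leading "> of the reported payload, not only <script>.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Preferred: generic message, no reflection of the input at all.
# \A and \z instead of ^ and $ so a trailing newline cannot pass.
sub check_username {
    my ($name) = @_;
    return undef if $name =~ /\A${VALIDCHARS}+\z/;
    return "Username contains illegal characters. Allowed: $ALLOWED_TEXT";
}

# If the input must be shown back, escape it at the point of output.
sub check_username_reflecting {
    my ($name) = @_;
    return undef if $name =~ /\A${VALIDCHARS}+\z/;
    return sprintf("Can't have '%s' as username; it contains illegal characters.",
                   html_escape($name));
}

# Constructed inputs, including the reproducer from the report.
for my $u ('carl.bailey', '"><script>alert(123)</script>', "racke\n") {
    (my $shown = $u) =~ s/\n/\\n/g;
    my $err = check_username($u);
    printf "%-32s -> %s\n", $shown, defined $err ? $err : 'ok';
    $err = check_username_reflecting($u);
    printf "%-32s -> %s\n", '', $err if defined $err;
}
```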