[ic] XSS Exploit in demo -- UserDB.pm

Stefan Hornburg racke at linuxia.de
Thu Aug 27 07:05:34 UTC 2009


Carl Bailey wrote:
> I found an XSS problem (confirmed in the demo) with the new-account  
> page.  To reproduce it, go to the new account page and enter the  
> following as the username:
> 
>       "><script>alert(123)</script>
> 
> The page returns with an error that the username has invalid  
> characters, but displays the bogus username unsanitized.
> 
> Here's a fix:
> 
> UserDB.pm (IC version 5.6 line 1698)
> 
> -        die errmsg("Can't have '%s' as username; it contains illegal  
> characters.",
> -            $self->{USERNAME}) . "\n"
> -            if $self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$};
> +        if ($self->{USERNAME} !~ m{^$self->{VALIDCHARS}+$} )
> +        {
> +            my $sanitized_name = $self->{USERNAME};
> +            $sanitized_name =~ s/</&lt;/g;
> +            die errmsg("Can't have '%s' as username; it contains  
> illegal characters.", $sanitized_name . "\n");
> +        }
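Review bot: escaping only `<` does not cover the reported payload; it begins with `"` and contains `>` as well, and `&` is left alone too, so the reflected name can still close an attribute value and any entities the user typed pass through unchanged. If the name is to be reflected at all, escape `&`, `<`, `>`, `"` and `'` (HTML::Entities' encode_entities does this), and do it where the message is rendered, for that output context, rather than at the die site, where it is unknown whether the template escapes again. Separately, the `"\n"` that previously followed errmsg() is now inside its argument list, concatenated to `$sanitized_name`, so the newline is substituted into the `'%s'` slot and the message no longer ends with one as before.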

Let's just say "Username contains illegal characters."
So we don't need to think about XSS exploits in this part of the code anymore,
and the feedback to the user is still fair enough.

In addition to that, the valid characters should be shown on the new
account page.

Regards
          Racke


-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
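The two approaches discussed above side by side, as an added example written for this page (it is not Interchange's UserDB.pm code). The value of $VALIDCHARS, the description string and all helper names are assumptions; the inputs at the bottom are constructed, the payload being the one from the report.

```perl
#!/usr/bin/perl
# Added example, not Interchange's own code. Contrasts an error message that
# reflects the rejected username with the fixed message proposed in the reply,
# and shows what escaping would have to cover if the name were reflected.
use strict;
use warnings;

# Allowed username characters as a regex character class. Assumed here; the
# real value lives in $self->{VALIDCHARS} in UserDB.pm.
my $VALIDCHARS = '[-A-Za-z0-9_@.]';

# Human-readable version for the new-account page, kept alongside
# $VALIDCHARS. It comes from configuration, never from the request.
my $VALIDCHARS_DESC = 'letters, digits, and the characters - _ @ .';

# Escape the HTML metacharacters so a string can be placed in element text
# or in a double-quoted attribute value without changing the markup.
# HTML::Entities::encode_entities does the same; spelled out here so the
# example has no dependencies.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;     # first, or the entities added below get doubled
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Allow-list check: the whole name must consist of valid characters.
sub username_ok {
    my ($name) = @_;
    return defined $name && $name =~ /^$VALIDCHARS+$/;
}

# Before: the message carries the rejected name verbatim, so whatever the
# user typed ends up in the page (the behaviour reported in the thread).
sub error_reflecting {
    my ($name) = @_;
    return undef if username_ok($name);
    return "Can't have '$name' as username; it contains illegal characters.";
}

# After, as proposed in the reply: a constant message plus the allowed set.
# No request data reaches the output, so there is nothing to escape and no
# output context to get wrong.
sub error_fixed {
    my ($name) = @_;
    return undef if username_ok($name);
    return "Username contains illegal characters. Allowed: $VALIDCHARS_DESC";
}

# If the name must be shown anyway, escape it once, at output time, for the
# context it is printed in. Replacing only '<' leaves the leading '"' of the
# payload free to close an attribute value.
sub error_reflecting_escaped {
    my ($name) = @_;
    return undef if username_ok($name);
    return "Can't have '" . html_escape($name)
         . "' as username; it contains illegal characters.";
}

# Constructed inputs: a normal name and the payload from the report.
my $good    = 'carl.bailey';
my $payload = q{"><script>alert(123)</script>};

if (!caller) {
    for my $name ($good, $payload) {
        print "input: $name\n";
        print "  reflecting : ", error_reflecting($name)         // 'ok', "\n";
        print "  fixed      : ", error_fixed($name)              // 'ok', "\n";
        print "  escaped    : ", error_reflecting_escaped($name) // 'ok', "\n";
    }
}
```

Run it with `perl` and compare the three lines for the payload: the reflecting variant hands the script tag straight to the page, the fixed variant contains no user input at all, and the escaped variant shows how much more than `<` has to be encoded if reflection is kept.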