XSS in magpierss
Found an XSS bug in magpierss.
Code in magpie_debug.php and others:
    if ( isset($_GET['url']) ) {
        $url = $_GET['url'];
    }
    else {
        $url = 'http://magpierss.sf.net/test.rss';
    }
http://site/magpie_debug.php?url=code
A fix can be:
    // Escape the value so it is safe to echo back into the page.
    function Gud($url) {
        return htmlentities($url, ENT_QUOTES, 'utf-8');
    }

    // Only continue when the value looks like a URL.
    if (preg_match("/^(http:\/\/)?([^\/]+)/i", $url)) {
        // Extension of the requested feed, e.g. "rss".
        $ext = strtolower(substr(strrchr($url, "."), 1));
        $url = Gud($url);
        switch ($ext) {
            case 'rss':
                // do_something
                break;
            case 'other_types':
                // another_thing
                break;
            default:
                // Unknown type: fall back to the default test feed.
                header("Location: http://magpierss.sf.net/test.rss");
                exit;
        }
    }
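A variant of the fix that keeps validation and output escaping separate, so the URL handed to the fetcher is not altered by entity encoding. This is an added example, not code from the original post or from magpierss; the helper names safe_feed_url and h, the length limit, and the anchor tag used as the output context are assumptions.

```php
<?php
// Added example; safe_feed_url() and h() are hypothetical helper names.
const DEFAULT_FEED = 'http://magpierss.sf.net/test.rss';

/**
 * Return $raw if it is an absolute http(s) URL, otherwise the default feed.
 * The value is NOT HTML-escaped here, so it can still be fetched as-is.
 */
function safe_feed_url($raw, string $default = DEFAULT_FEED): string
{
    // ?url[]=x arrives as an array; treat anything but a string as invalid.
    if (!is_string($raw) || strlen($raw) > 2048) {
        return $default;
    }
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return $default;
    }
    // Scheme allowlist: rejects javascript:, data:, file: and similar.
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $default;
    }
    return $raw;
}

/** Escape a value at the point where it is written into HTML. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['url'].
$samples = [
    'http://example.org/feed.rss?a=1&b=2',
    '<script>alert(1)</script>',
    'javascript:alert(1)',
    ['not', 'a', 'string'],
];

foreach ($samples as $input) {
    $url = safe_feed_url($input);
    // The raw $url goes to the fetcher; only the echoed copy is escaped.
    echo '<a href="', h($url), '">', h($url), "</a>\n";
}
```

Only the first sample is echoed as supplied (with & written as &amp;); the other three fall back to the default feed.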