Reflective XSS from useragent

[rcubetrac]

Reported by bladeswords on 4 Oct 2012 12:48 UTC as Trac ticket #1488737

At the URL

/?_task=login&_action=error&_code=0x199

which is triggered from detecting an incompatible browser user agent set your user agent to something XSS for example

<script>alert(1);</script>

The effected code is located in program/steps/utils/error.inc

The vulnerable code is:

  $user_agent =  $_SERVER[ $__error_title = 'Your browser does not suit the requirements for this applic$
  $__error_text = <<<EOF
<i>Supported browsers:</i><br />
&raquo; &nbsp;Microsoft Internet Explorer 6+<br />
...snip...

<p><i>Your configuration:</i><br />
$user_agent</p>

To fix I changed where the $user_agent variable is assigned

  $user_agent =  htmlentities($_SERVER['HTTP_USER_AGENT']('HTTP_USER_AGENT'];

));

Migrated-From: http://trac.roundcube.net/ticket/1488737

[rcubetrac]

Comment by @thomascube on 4 Oct 2012 15:03 UTC

Fixed in commit [(master) and 0ce66ba(95d2892]) (release 0.8)

[rcubetrac]

Milestone changed by @thomascube on 4 Oct 2012 15:03 UTC

later => 0.8.2

[rcubetrac]

Status changed by @thomascube on 4 Oct 2012 15:03 UTC

new => closed