forwarded 400582 http://www.torrentflux.com/contact.php thanks
Thanks for the additional info Stefan, I've forwarded this information to upstream. Unfortunately I have no time right now, so it will be a couple of days before I get to this. One question though (below). On 12/4/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> In index.php and dir.php, urldecode() is called after the htmlentities escaping is done by getRequestVar(). This allows the escaping to be bypassed. In dir.php this could be used for an XSS. Replace $dir by htmlentities($dir) in the error message. Or maybe it would be a good idea to put the urldecode() into getRequestVar() and remove it from all other places.
I don't think putting urldecode() in getRequestVar() before htmlentities is called will work, as the directory name is needed decoded at some points in the file (maybe decode it only when needed and safe?). I'm starting to get over my head with some of this though, so I've forwarded this upstream in the hopes of getting some feedback.

When you say the error message, do you mean this line:

    echo "<strong>".$dir."</strong> could not be found or is not valid.";

Is that the only place you've found so far that this is a problem? I see the $torrent and $file_name variables in index.php might also be problems, but I can't tell for sure.

Cameron
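The ordering problem Stefan describes (escape first, then urldecode) is easiest to see with the two orderings side by side. The following is an added Python model of the torrentflux flow, not code from the project or from anyone in this thread: `get_request_var()` stands in for getRequestVar()'s htmlentities() call, the "vulnerable" function reproduces the index.php/dir.php pattern, and the two fixed variants correspond to Stefan's two suggestions. The `?dir=` value is a constructed sample; `untrusted_tags()` is a small hypothetical detection helper that reports any tag in the output other than the template's own `<strong>`.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample request value: a percent-encoded script tag in ?dir=.
# It contains no '<', '>', '&' or quotes, so htmlentities() leaves it untouched.
SAMPLE_DIR = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"

ERROR_TEMPLATE = "<strong>{}</strong> could not be found or is not valid."


def get_request_var(raw: str) -> str:
    """Model of getRequestVar(): htmlentities() applied to the raw request value."""
    return html.escape(raw, quote=True)


def vulnerable_error_message(raw: str) -> str:
    """index.php/dir.php pattern: urldecode() runs AFTER the escaping, so the
    decode step re-creates the '<' and '>' that htmlentities() never saw."""
    dir_name = unquote(get_request_var(raw))
    return ERROR_TEMPLATE.format(dir_name)


def fixed_error_message(raw: str) -> str:
    """Stefan's first suggestion: keep the existing flow, but apply
    htmlentities($dir) again at the point of output."""
    dir_name = unquote(get_request_var(raw))
    return ERROR_TEMPLATE.format(html.escape(dir_name, quote=True))


def decoded_then_escaped_message(raw: str) -> str:
    """Stefan's second suggestion: decode once when the request is read (so the
    decoded name is still available for filesystem lookups) and escape exactly
    once at output. Unlike fixed_error_message(), a literal '&' in the input is
    not escaped twice."""
    dir_name = unquote(raw)
    return ERROR_TEMPLATE.format(html.escape(dir_name, quote=True))


# Hypothetical detection helper: lists tag names present in a rendered fragment
# that are not part of the trusted template.
_TAG_RE = re.compile(r"<(/?)(\w+)[^>]*>")


def untrusted_tags(fragment: str, trusted=("strong",)) -> list:
    names = {name.lower() for _, name in _TAG_RE.findall(fragment)}
    return sorted(names - set(trusted))


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_error_message),
                      ("escape-at-output", fixed_error_message),
                      ("decode-then-escape", decoded_then_escaped_message)):
        out = fn(SAMPLE_DIR)
        print(f"{label:20s} untrusted tags={untrusted_tags(out)}  {out}")
```

The second fix also shows why Cameron's concern matters: `decoded_then_escaped_message()` keeps the decoded directory name around for the parts of the file that need it and only escapes the copy that is echoed, which is the "decode only when needed and safe" arrangement, done once per output point rather than once per request variable.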