On Wednesday 06 December 2006 09:00, Cameron Dale wrote:
> > In index.php and dir.php, urldecode() is called after the
> > htmlentities escaping is done by getRequestVar(). This allows
> > bypassing the escaping. In dir.php this could be used for an XSS.
> > Replace $dir by htmlentities($dir) in the error message. Or maybe
> > it would be a good idea to put the urldecode() into
> > getRequestVar() and remove it from all other places.
>
> I don't think putting urldecode() in getRequestVar() before
> htmlentities is called will work, as the directory name is needed
> decoded at some points in the file (maybe decode it only when
> needed and safe?).
I don't understand the problem. In principle, urldecoding the parameters
should always be done before using them.

> When you say the error message, do you mean this line:
>
> echo "<strong>".$dir."</strong> could not be found or is not
> valid.";

Yes.

> Is that the only place you've found so far that this is a problem?
> I see the $torrent and $file_name variables in index.php might also
> be problems, but I can't tell for sure.

I missed $file_name, it has the same issue. But I still don't see the
contents of $torrent being sent to the user. Of course if it is used as a
filename, the filename may later be sent to the user at some other place.
So it is probably a good idea to fix it, too.

Cheers,
Stefan
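The escape-then-decode ordering the thread describes, as an added illustration that is not the project's own code. Only the name getRequestVar() and the echo line come from the thread; the body of getRequestVar(), the helper getDecodedRequestVar() and the request array are assumptions constructed for this example.

```php
<?php
// Added illustration, not the project's code. getRequestVar() is a
// hypothetical reconstruction of "escape on read" as the thread describes it;
// only its name is taken from the discussion.

// Escapes the parameter at the moment it is read.
function getRequestVar(array $request, string $name): string
{
    return isset($request[$name])
        ? htmlentities($request[$name], ENT_QUOTES, 'UTF-8')
        : '';
}

// Constructed input: a percent-encoded payload. htmlentities() sees no
// special characters in it, so the "escaping" is a no-op.
$request = ['dir' => '%3Cscript%3Ealert%281%29%3C%2Fscript%3E'];

// Vulnerable order (as reported): escape first, then decode. The decode
// undoes nothing and produces the raw tag, which then lands in the HTML.
$dir = urldecode(getRequestVar($request, 'dir'));
$vulnerable = "<strong>" . $dir . "</strong> could not be found or is not valid.";

// Fix A, the minimal change suggested in the report: escape at the point
// of output, so whatever decoding happened before is irrelevant.
$fixedA = "<strong>" . htmlentities($dir, ENT_QUOTES, 'UTF-8')
        . "</strong> could not be found or is not valid.";

// Fix B, the structural change: decode once on input, keep the decoded
// value for non-HTML uses (filesystem lookups), and escape only when the
// value is placed into HTML. (Hypothetical helper, not in the project.)
function getDecodedRequestVar(array $request, string $name): string
{
    return isset($request[$name]) ? urldecode($request[$name]) : '';
}
$dirDecoded = getDecodedRequestVar($request, 'dir'); // use this for is_dir() etc.
$fixedB = "<strong>" . htmlentities($dirDecoded, ENT_QUOTES, 'UTF-8')
        . "</strong> could not be found or is not valid.";

echo "vulnerable: $vulnerable\n"; // contains a live <script> tag
echo "fix A:      $fixedA\n";     // &lt;script&gt;...
echo "fix B:      $fixedB\n";     // &lt;script&gt;...
```

One caveat worth keeping in mind when reviewing the real files: PHP already percent-decodes $_GET and $_POST values before the script sees them, so an explicit urldecode() on those values is a second decode. That is exactly what lets a doubly-encoded payload slip past an escaping step that ran before it.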