[VIM] Source VERIFY of CityPost PHP Upload message parameter XSS

Steven M. Christey coley at mitre.org
Fri Jan 27 17:05:12 EST 2006


Ref: SECTRACK:103752


Using the file downloaded from:
http://tech.tailoredweb.com/download.php?f=/simple-upload-53/simple-upload-53.php


[31] $message ="";

So no global variable overwrite.

[69]  //File Size Check
[70]  if ( $_FILES['userfile']['size'] > $MAX_SIZE) 
[71]     $message = "The file size is over 2MB.";

Various error conditions cause $message to be set to some error
message.  There are a number of code snippets like this one.

[79]  print "<script>window.location.href='$url_this?message=$message'</script>";

Oh, so it redirects using the message that was just set... slightly
unusual, but alright.

[127]    <font color=red><?=$_REQUEST[message]?></font>

Alrighty then, we have direct injection from a message parameter.


- Steve
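An added illustration, not code from simple-upload-53.php or the CityPost/Tailored Web project, of the reflection chain Steve walks through above (error text placed into a redirect URL unencoded, then echoed from $_REQUEST['message'] into the page), set beside a hardened rewrite. The names $url_this, $MAX_SIZE, $message and the 'message' parameter are taken from the quoted snippets; the value of $MAX_SIZE, the $MESSAGES table and the 'msg' parameter are assumptions made for the example.

```php
<?php
// Added example, not the upload script's own code. Names follow the quoted
// snippets; $MAX_SIZE, $MESSAGES and the 'msg' parameter are assumptions.

$MAX_SIZE = 2 * 1024 * 1024;                 // assumed: the "2MB" from the error text
$url_this = basename($_SERVER['PHP_SELF']);  // assumed: the script's own URL

// --- Vulnerable pattern, as in the quoted snippets ---
// The redirect writes $message into a URL with no encoding, and the page
// then echoes $_REQUEST['message'] raw. Because the echo is unconditional,
// an attacker never needs the upload error path at all; a request such as
//   simple-upload-53.php?message=<script>alert(1)</script>
// is reflected straight into the HTML.
function render_message_vulnerable(): string {
    return '<font color=red>' . ($_REQUEST['message'] ?? '') . '</font>';
}

// --- Hardened pattern ---
function redirect_with_message(string $url_this, string $message): void {
    // urlencode() keeps the text confined to the query string, and a
    // Location header avoids assembling JavaScript out of user data.
    header('Location: ' . $url_this . '?message=' . urlencode($message));
    exit;
}

function render_message_safe(): string {
    $message = $_REQUEST['message'] ?? '';
    // Escape for an HTML text context; ENT_QUOTES also covers attribute use.
    return '<font color=red>'
        . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')
        . '</font>';
}

// Stricter option: do not let the request carry free text at all. Redirect
// with a short code and map it to a fixed string on the server side, so the
// only thing reflected is one of your own constants.
$MESSAGES = [
    'size' => 'The file size is over 2MB.',
    'type' => 'That file type is not allowed.',
];

function render_message_by_code(array $messages): string {
    $code = $_REQUEST['msg'] ?? '';
    if (!isset($messages[$code])) {
        return '';               // unknown code: show nothing rather than echo input
    }
    return '<font color=red>'
        . htmlspecialchars($messages[$code], ENT_QUOTES, 'UTF-8')
        . '</font>';
}

// Same size check as the quoted snippet, routed through the safe redirect.
if (isset($_FILES['userfile']) && $_FILES['userfile']['size'] > $MAX_SIZE) {
    redirect_with_message($url_this, 'The file size is over 2MB.');
}
echo render_message_safe();
```

The escaping in render_message_safe() is the minimal fix for the sink at the bottom of the script; the code-mapping variant is the one to prefer when the set of messages is known in advance, since it removes the reflected parameter as an injection point altogether rather than relying on correct escaping in every place it is printed.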