[VIM] Source VERIFY of CityPost PHP Upload message parameter XSS

Steven M. Christey coley at mitre.org
Fri Jan 27 17:05:12 EST 2006

Ref: SECTRACK:103752

Using the file downloaded from:

[31] $message ="";

So no global variable overwrite.

[69]  //File Size Check
[70]  if ( $_FILES['userfile']['size'] > $MAX_SIZE) 
[71]     $message = "The file size is over 2MB.";

various error conditions cause $message to be set to some error
message.  There are a number of code snippets like this one.

[79]  print "<script>window.location.href='$url_this?message=$message'</script>";

Oh, so it redirects using the message that was just set... slightly
unusual, but alright.

[127]    <font color=red><?=$_REQUEST[message]?></font>

Alrighty then, we have direct injection from a message parameter.
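For reference, here is the pattern described above beside a hardened version of the same two steps. This is an added illustration, not CityPost's code and not part of the original post; the function names, the `$urlThis` parameter and the sample input are assumptions made for the example.

```php
<?php
// Added example, not CityPost's code: the vulnerable output pattern
// from the post beside a hardened version of the same step.
declare(strict_types=1);

// Assumed helper name. Mirrors "<?=$_REQUEST[message]?>" at line [127]:
// the raw request value is written straight into the HTML response,
// so any markup in ?message= becomes part of the page.
function render_message_vulnerable(array $request): string
{
    $message = (string)($request['message'] ?? '');
    return '<font color=red>' . $message . '</font>';
}

// Hardened version: encode for the HTML text context before output.
// ENT_QUOTES also encodes ' and " so the value stays inert even if it is
// later reused inside an attribute; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8.
function render_message_safe(array $request): string
{
    $message = (string)($request['message'] ?? '');
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<font color=red>' . $encoded . '</font>';
}

// Lines [70]-[79] of the post build the redirect URL by interpolating
// $message straight into a <script> block. Hardened version of that step:
// the query value is percent-encoded and the caller sends it as a Location
// header instead of printing script. $urlThis mirrors the post's $url_this.
function redirect_url_safe(string $urlThis, string $message): string
{
    return $urlThis . '?message=' . rawurlencode($message);
}

// Constructed sample input (not from the page): markup, an ampersand and
// quotes, the characters that must not reach the HTML parser unencoded.
$sample = ['message' => '<b>over 2MB</b> & "quoted"'];

echo render_message_vulnerable($sample), PHP_EOL;
echo render_message_safe($sample), PHP_EOL;
echo redirect_url_safe('upload.php', 'The file size is over 2MB.'), PHP_EOL;
```

Run with `php example.php`: the first line reproduces the injection (the `<b>` tags are live markup), the second shows every special character encoded as an entity, and the third shows the error text carried in the query string as a percent-encoded value rather than spliced into script. The same encoding rule applies wherever `$_REQUEST` data is echoed into a page, not just the `message` parameter.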

- Steve