
xss - search box



fluffedup
06-13-2010, 04:38 PM
There's been a trick before with the marquee feature with the search box. But I've just been playing around with XSS-style attacks and found this works on the default search in avarcade.

Not a massive thing, but just thought I would share it in case it's something that can be blocked or whatnot.

';alert(String.fromCharCode(80,73,78,75,186,68,65,82,84))//\';alert(String.fromCharCode(80,73,78,75,186,68,65,82,84))//";alert(String.fromCharCode(80,73,78,75,186,68,65,82,84))//\";alert(String.fromCharCode(80,73,78,75,186,68,65,82,84))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(80,73,78,75,186,68,65,82,84))</SCRIPT>

Chuckun
06-13-2010, 06:12 PM
Thanks for sharing!

Should definitely be fixed for AV5.2..

aksdad
06-13-2010, 06:15 PM
pssst you shouldn't have posted it in a forum that is accessible to all >:(

fluffedup
06-13-2010, 06:38 PM
It can't harm your arcade in any way, it's just a simple alert box.
Just pointing it out as 5.2 is expected soon.

aksdad
06-13-2010, 07:34 PM
I was just joking around, I know what it does.

Andy
06-13-2010, 07:38 PM
I will fix in a 5.1.x release and you can find a fix for it now in the 5.1.3 release topic

Marl
06-13-2010, 07:39 PM
It doesn't work on mine. I think this was already addressed here : http://www.forum.avscripts.net/showpost.php?p=34534&postcount=70

(If this is the same exploit as this : http://www.forum.avscripts.net/showpost.php?p=34472&postcount=66)

Sonic
06-13-2010, 08:02 PM
so is it ok for ver 5.1.4 ?

salvador
06-13-2010, 09:11 PM
hi.

Doesn't work for me. If it does for you, besides applying the fix posted by andy, try the following:

/config.php

just after the <?php

add


if (isset($_GET['q'])) {
    // Whitelist: keep letters, digits, '-', '.' and whitespace; every other run of characters becomes a space
    $_GET['q'] = preg_replace("/[^-.a-zA-Z0-9\s]+/", " ", $_GET['q']);
}


What it does is: it removes all chars not explicitly allowed from the query. In the example,
a .. z, A .. Z, 0 .. 9, some punctuation and spaces are ok; everything else is replaced with a space.

regards,
thomas.

2dum2kno
06-14-2010, 03:20 AM
index.php: Replace the Lines of Search Values


// Get search query
if (isset($_GET['q'])) {
    // Drop HTML tags, entity-encode what is left, then remove the encoded quote/angle/ampersand entities
    $search_val = strip_tags($_GET['q']);
    $search_val = htmlentities($search_val);
    $whattoreplace = array("&quot;", "&gt;", "&lt;", "&amp;");
    $search_val = str_replace($whattoreplace, '', $search_val);
}
else {
    $search_val = SEARCH_DEFAULT;
}