security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Tue Apr 10 15:30:13 PDT 2007
Hi All,
I found a security bug in PHP-server-1.1.
With this line set in the example consumer I call my openID server:
---------------------
$auth_request->addExtensionArg('sreg', 'policy_url',
    'http://www.openid.net">openid</a><script>alert("test")</script><a href="http://www.openid.net');
---------------------
Which will result in two javascript alert popups. I'm not much of a
hacker but I know this could lead to much bigger problems like
injections in PHP. The least you should do is strip the HTML tags from
all $sreg values in function setRequestInfo or better in function
Server_requestSregData (earlier in the data processing):
function setRequestInfo($info=null, $sreg=null)
{
    // Stores the pending OpenID request and the sreg arguments in the session.
    // $sreg is serialized exactly as received, so nothing here strips HTML.
    // (When $info is null only 'request' is unset; 'sreg_request' is left behind.)
    if (!isset($info)) {
        unset($_SESSION['request']);
    } else {
        $_SESSION['request'] = serialize($info);
        $_SESSION['sreg_request'] = serialize($sreg);
    }
}

function getRequestInfo()
{
    // Returns array($info, $sreg) from the session, or false if no request is pending.
    if (isset($_SESSION['request'])) {
        return array(unserialize($_SESSION['request']),
                     unserialize($_SESSION['sreg_request']));
    } else {
        return false;
    }
}
br,
Niels
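An added example, not code from PHP-server-1.1 or from the post above, showing the two layers a defender would want for the sreg values discussed in this report: a validation/sanitising step before the values are stored in the session (the place the post proposes, i.e. setRequestInfo or Server_requestSregData) and HTML escaping at the point where a value is rendered. The function names isSafeHttpUrl, sanitizeSregValues and renderSregValue and the sample values are assumptions constructed here.

```php
<?php
// Added example, not code from PHP-server-1.1 or the OpenID project; function
// names (isSafeHttpUrl, sanitizeSregValues, renderSregValue) and the sample
// values are assumptions constructed for this illustration.

// Accepts only http(s) URLs made of characters RFC 3986 permits. The quote,
// angle-bracket and space characters in the reported payload are not permitted,
// so that value is rejected rather than "cleaned up".
function isSafeHttpUrl($value)
{
    if (!preg_match('#^[A-Za-z0-9\-._~:/?\#\[\]@!$&\'()*+,;=%]+$#', $value)) {
        return false;
    }
    $parts = parse_url($value);
    return $parts !== false
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), array('http', 'https'), true);
}

// Layer 1: sanitise sreg values before they are stored in the session (the step
// the report proposes for setRequestInfo / Server_requestSregData).
function sanitizeSregValues(array $sreg)
{
    $clean = array();
    foreach ($sreg as $field => $value) {
        $value = trim((string) $value);
        if ($field === 'policy_url') {
            if (isSafeHttpUrl($value)) {
                $clean[$field] = $value;
            }
            // otherwise drop the field: a policy_url that is not a URL is useless
        } else {
            $clean[$field] = strip_tags($value);
        }
    }
    return $clean;
}

// Layer 2: escape at the point where a value is written into HTML, whatever
// was stored. This is what actually stops the injected script from running.
function renderSregValue($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input with the same shape as the payload in the report.
$sreg = array(
    'policy_url' => 'http://www.openid.net">openid</a><script>alert("test")</script><a href="http://www.openid.net',
    'nickname'   => 'niels<b>bold</b>',
    'email'      => 'niels@example.com',
);

$stored = sanitizeSregValues($sreg);
var_dump(isset($stored['policy_url']));   // the malformed policy_url is dropped
echo $stored['nickname'], "\n";           // tags removed from free-text fields

// Even the raw value becomes inert text once escaped for output.
echo '<a href="', renderSregValue($sreg['policy_url']), '">policy</a>', "\n";
echo isSafeHttpUrl('https://www.openid.net/policy') ? "valid\n" : "rejected\n";
```

strip_tags is a sanitiser, not an encoder: it removes markup but does not make arbitrary text safe to print, and it will happily eat legitimate content such as "a<b". Escaping with htmlspecialchars at output time is the control that prevents the alert popups regardless of what reached the session; the storage-time validation is worth keeping on top of it because it rejects the reported policy_url outright instead of persisting it.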