skin xss

[MarcoP]

index.php?skin=<script>alert('ciao');</script>

[whatboy]

Looks like you miss something???

[MarcoP]

I'm not missing anything

in index.php line 63, for additional security,

change

Code: Select all

if ( isset($_GET['skin']) )
    $skin = $_GET['skin'];
elseif ( isset($_COOKIE['zmSkin']) )
    $skin = $_COOKIE['zmSkin'];
else
    $skin = "classic";

to

Code: Select all

if ( isset($_GET['skin']) && preg_match('#^[a-z]+$#', $_GET['skin']))
    $skin = $_GET['skin'];
elseif ( isset($_COOKIE['zmSkin']) && preg_match('#^[a-z]+$#', $_COOKIE['zmSkin']) )
    $skin = $_COOKIE['zmSkin'];
else
    $skin = "classic";

[whatboy]

Told ya you miss something... you miss that I didn't understood a thing... now seems clearer!!!