After being notified about a cross-site scripting (XSS) vulnerability in phpDenora, irc-junkie quickly tried to get in touch with the project.
The vulnerability – which can generally be used to steal cookies – exists at least in phpDenora's then-latest stable release, version 1.2.2, and “possibly all other versions”, says developer Hal9000.
Due to missing sanitization, it was possible to exploit the vulnerability using specially crafted channel names that would be visible on several pages of phpDenora – according to phpDenora's Hal9000, on the “channel listing, the channel stats page, the user stats page and the top channel list on the homepage – if the channel is in the top X channels”.
To test whether your installation of phpDenora is vulnerable, you can simply /join #<script>alert('XSS')</script> and then visit one of the mentioned pages – if you get a popup, you should upgrade.
However, since channel names are usually quite limited in length and usable character set, serious threats like stolen cookies are unlikely to occur. Nonetheless, this recent upgrade is a recommended one.
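The missing output encoding described above, shown as an added example (not phpDenora's code and not its actual fix): a hypothetical channel-list row renderer in PHP, first unescaped and then encoded separately for each output context. The function names, the ?m=c&chan= query string and the sample rows are assumptions made up for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not taken from phpDenora's source.

// Vulnerable pattern: the IRC channel name is placed into the page as-is,
// so markup in the name becomes markup in the page.
function render_channel_row_unsafe(string $chan, int $users): string
{
    return "<tr><td><a href=\"?m=c&chan=$chan\">$chan</a></td><td>$users</td></tr>";
}

// Hardened pattern: encode for each output context separately.
function render_channel_row(string $chan, int $users): string
{
    // URL context: percent-encode so '#', '&' or '<' in the name cannot
    // change the query string (a raw '#' would start a fragment).
    $href = '?m=c&chan=' . rawurlencode($chan);

    // HTML context: escape markup characters and both quote styles.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    return sprintf(
        '<tr><td><a href="%s">%s</a></td><td>%d</td></tr>',
        htmlspecialchars($href, $flags, 'UTF-8'),
        htmlspecialchars($chan, $flags, 'UTF-8'),
        $users
    );
}

// Constructed sample data: the test channel name from the article
// plus an ordinary channel.
$channels = [
    ["#<script>alert('XSS')</script>", 3],
    ['#help', 42],
];

foreach ($channels as [$chan, $users]) {
    echo 'unsafe: ', render_channel_row_unsafe($chan, $users), PHP_EOL;
    echo 'safe:   ', render_channel_row($chan, $users), PHP_EOL;
}
```

The same encoding has to be applied on every page that prints a channel name, which is why the report lists several affected views rather than one.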
The download for phpDenora 1.2.3 can be found here.
Thanks go to Shawn for reporting the vulnerability, to w00t for making the initial intermediary contact with Hal9000, and of course to Hal9000 for being so quick to fix the vulnerability.