[CVE-2015-2926] XSS vuln in phpTrafficA

Product: phpTrafficA
Product page: http://soft.zoneo.net/phpTrafficA/
Affected versions: Up to and including 2.3 (latest as of writing).

Description:
The user agent string provided by the browser is not sanitized nor
escaped when handled. This string is then outputting into HTML code on
the "Latest visitors > Details" page, leading to HTML injection that can
be abused to perform XSS. For example, the following user agent will
cause a JavaScript dialogbox to pop up as soon as the page is visited:
"><script>alert();</script>

This page can be hidden from the public, in which case only admins can
visit it. However, the script still executes when they do, which could
enable a malicious user agent to steal the phpTrafficA cookie (no
expiry) or other admin credentials.


Proposed fix:
Escape the HTML characters with htmlspecialchars before outputting the
user agent string.

In: Php/stats/statsRecent.inc.php

Line 304:
echo "<tr class=\"data av $even $clrobots $clreturn\"><td
nowrap>$end</td><td>&nbsp;$dur</td><td
align=\"center\">&nbsp;".
format_float($hits)."&nbsp;</td><td>&nbsp;<a
href=\"./index.php?mode=stats&amp;sid=$sid&amp;show=clickstream&amp;lang=$lang&amp;ip=$ip\"
title=\"".$strings['Moreinfovisitor']."\"
class=\"basic\">$ipText</a>&nbsp;</td><td
align=\"center\">&nbsp;".format_float($visits)."&nbsp;</td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,$agent)."</td><td>$page</td><td>$refString</td></tr>\n";
becomes:
echo "<tr class=\"data av $even $clrobots $clreturn\"><td
nowrap>$end</td><td>&nbsp;$dur</td><td
align=\"center\">&nbsp;".format_float($hits)."&nbsp;</td><td>&nbsp;<a
href=\"./index.php?mode=stats&amp;sid=$sid&amp;show=clickstream&amp;lang=$lang&amp;ip=$ip\"
title=\"".$strings['Moreinfovisitor']."\"
class=\"basic\">$ipText</a>&nbsp;</td><td
align=\"center\">&nbsp;".format_float($visits)."&nbsp;</td><td>".countryFlag($country)."</td><td>".osImg($os,'')."</td><td>".browserImg($wb,htmlspecialchars($agent))."</td><td>$page</td><td>$refString</td></tr>\n";


Line 369:
$echo = "<tr><td valign=\"top\" colspan=\"3\">$ip
($whoislink$baniplink)<br>$host<br>$labelTxt<table
class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td
valign=\"top\" colspan=\"2\">".$strings['Agent'].": $thisagent<br><table
class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].":
";
becomes:
$echo = "<tr><td valign=\"top\" colspan=\"3\">$ip
($whoislink$baniplink)<br>$host<br>$labelTxt<table
class=\"basic\"><tr><td>".countryNameFlag($country)."</td></tr></table></td><td
valign=\"top\" colspan=\"2\">".$strings['Agent'].":
".htmlspecialchars($thisagent)."<br><table
class=\"basic\"><tr><td>".osImgName($os)."</td><td>".browserImgName($wb)."</td></tr></table>".$strings['Referrer'].":
";



Best regards,
Daniel Geerts