Evolution #42

XSS exploit on search

Added by Simon over 9 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Low
Assignee: Simon
% Done: 0%
Category: public
Target version: 1.3
Resolution: fixed

History

#1 Updated by Simon over 9 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

Fixed in r780.

To fix it manually, on line 26 of public/tpl_search.php replace

$str=$_REQUEST['search'];

with:

$str=strip_tags($_REQUEST['search']);

#2 Updated by Simon over 9 years ago

The previous post is valid for 1.2.x versions only.

*For version 1.1, make the change on line 15!*

#3 Updated by Simon almost 4 years ago

Update the securityCheck() function:

/**
 * securityCheck()
 * Test and sanitize user input from the request.
 * Free-text parameters are stripped of HTML tags in place;
 * identifier parameters are validated, and the request is aborted
 * if any of them is malformed.
 * @return boolean true when every test passed (on failure the function
 *                 does not return false but calls die())
 **/
function securityCheck() {

    $passed = true;

    // First sanitize the free-text vars: remove HTML tags in place
    if (isset($_REQUEST['rub']))
        $_REQUEST['rub'] = strip_tags($_REQUEST['rub']);
    if (isset($_REQUEST['search']))
        $_REQUEST['search'] = strip_tags($_REQUEST['search']);
    if (isset($_REQUEST['name']))
        $_REQUEST['name'] = strip_tags($_REQUEST['name']);
    if (isset($_REQUEST['newsletteremail']))
        $_REQUEST['newsletteremail'] = strip_tags($_REQUEST['newsletteremail']);

    // Then validate the identifier vars
    // 'id' may only contain alphanumeric characters
    if (isset($_REQUEST['id']) && preg_match('/[^0-9A-Za-z]/', $_REQUEST['id']))
        $passed = false;
    // the parent ids and the 'debut' offset must be numeric
    if (isset($_REQUEST['parentid']) && !is_numeric($_REQUEST['parentid']))
        $passed = false;
    if (isset($_REQUEST['parentparentid']) && !is_numeric($_REQUEST['parentparentid']))
        $passed = false;
    if (isset($_REQUEST['debut']) && !is_numeric($_REQUEST['debut']))
        $passed = false;

    // Abort the request outright when any test failed
    if ($passed == false) die('no way!');
    else return true;
}
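As an added illustration of the fix in #1 and the sanitizing in #3 (example code, not the project's tpl_search.php or securityCheck()), the script below renders a constructed search term three ways: straight from the request as on the original line 26, through strip_tags() as in r780, and with output encoding for the HTML attribute it lands in. It assumes the template echoes the term into the value attribute of the search input; the two inputs are constructed.

```php
<?php
// Added example, not the project's own code. Assumes the search template
// writes the term into the value="" attribute of the search box.

// 1. Original line 26: the request value flows into the template untouched.
function render_unsafe(string $search): string {
    return '<input name="search" value="' . $search . '">';
}

// 2. The r780 fix: strip_tags() removes tag markup before the value is used.
//    It only deals with <...> sequences, so quotes pass through unchanged.
function render_strip_tags(string $search): string {
    return '<input name="search" value="' . strip_tags($search) . '">';
}

// 3. Defence in depth: encode at the output point for the context it lands in.
//    ENT_QUOTES encodes the double quote as well, so the value cannot end the
//    attribute early, whatever securityCheck() did to it beforehand.
function render_escaped(string $search): string {
    return '<input name="search" value="'
        . htmlspecialchars($search, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Constructed test inputs: one carrying tag markup, one carrying a quote
// that closes the attribute and starts another.
$inputs = [
    'tags'   => 'foo<b>bar</b>',
    'quotes' => 'foo" x="y',
];

foreach ($inputs as $label => $raw) {
    echo "== $label ==\n";
    echo 'unsafe    : ', render_unsafe($raw), "\n";
    echo 'strip_tags: ', render_strip_tags($raw), "\n";
    echo 'escaped   : ', render_escaped($raw), "\n";
}
```

Run it with the PHP CLI and compare the three lines of the "quotes" case: only the escaped rendering keeps the whole term inside the value attribute.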
