Evolution #42 (closed): XSS exploit on search
Resolution: fixed
Description
Added by Simon over 16 years ago. Updated over 10 years ago.
fixed r780
To fix it manually, on line 26 in public/tpl_search.php replace
$str=$_REQUEST['search'];
by:
$str=strip_tags($_REQUEST['search']);
The previous post is valid for 1.2.x versions only.
*For version 1.1, do the change on line 15!*
Update the securityCheck() function:
/**
 * securityCheck()
 * Test and sanitize user input
 * from request
 * @return boolean
 **/
function securityCheck() {
    $passed = true;
    // we first sanitize vars
    if(isset($_REQUEST['rub']))
        $_REQUEST['rub']= strip_tags($_REQUEST['rub']);
    if(isset($_REQUEST['search']))
        $_REQUEST['search']= strip_tags($_REQUEST['search']);
    if(isset($_REQUEST['name']))
        $_REQUEST['name']= strip_tags($_REQUEST['name']);
    if(isset($_REQUEST['newsletteremail']))
        $_REQUEST['newsletteremail']= strip_tags($_REQUEST['newsletteremail']);
    // then do tests
    if(isset($_REQUEST['id']) && preg_match('/[^0-9A-Za-z]/',$_REQUEST['id']))
        $passed= false;
    if(isset($_REQUEST['parentid']) && !is_numeric($_REQUEST['parentid']))
        $passed= false;
    if(isset($_REQUEST['parentparentid']) && !is_numeric($_REQUEST['parentparentid']))
        $passed= false;
    if(isset($_REQUEST['debut']) && !is_numeric($_REQUEST['debut']))
        $passed= false;
    if($passed == false) die('no way!');
    else return true;
}
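As an added example (not Simon's patch and not the project's own template code), the search term handled with output encoding at the point it is echoed into HTML, next to the strip_tags() step used above; the form markup, the function names and the sample inputs are all assumptions constructed for illustration.

```php
<?php
// Added example, not the project's code: contrasts input sanitization (strip_tags)
// with contextual output encoding (htmlspecialchars) for the 'search' parameter.
// Only the parameter name comes from the issue; the template structure is assumed.

function sanitizeSearch(?string $raw): string {
    // Input-side step, as in securityCheck(): removes complete tags but leaves
    // quote characters behind, so on its own it does not protect attribute contexts.
    return strip_tags((string)$raw);
}

function encodeForHtml(string $value): string {
    // Output-side step: escapes <, >, &, " and ' for an HTML text node or a
    // double-quoted attribute value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderSearchForm(?string $raw): string {
    // Assumed markup: the term is echoed both into an attribute and into a text node.
    $term = encodeForHtml(sanitizeSearch($raw));
    return '<form action="search.php" method="get">'
         . '<input type="text" name="search" value="' . $term . '">'
         . '</form>'
         . '<p>Results for: ' . $term . '</p>';
}

// Constructed inputs, not data from the issue.
$samples = [
    '<script>alert(1)</script>', // tag is removed by strip_tags
    '"><b>x',                    // the <b> is removed, but the quote survives and
                                 // would close value="..." without output encoding
    'plain search',
];
foreach ($samples as $s) {
    echo "input            : " . $s . "\n";
    echo "strip_tags only  : " . sanitizeSearch($s) . "\n";
    echo "strip_tags+encode: " . encodeForHtml(sanitizeSearch($s)) . "\n\n";
}
echo renderSearchForm($samples[1]) . "\n";
```

Run it with `php example.php`; the second sample shows why the encoding step belongs in the template regardless of what securityCheck() strips on input.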