Evolution #42
closed
XSS exploit on search
Resolution: fixed
Added by Simon over 15 years ago. Updated almost 10 years ago.
Description
fixed r780
To fix it manually:
On line 26 in public/tpl_search.php, replace
$str=$_REQUEST['search'];
by:
$str=strip_tags($_REQUEST['search']);
The previous post is valid for 1.2.x versions only.
*For version 1.1, make the change on line 15!*
Update securityCheck() function
/**
 * securityCheck()
 * Test and sanitize user input
 * from request
 * @return boolean
 **/
function securityCheck()
{
    $passed = true;
    // we first sanitize vars
    if (isset($_REQUEST['rub'])) $_REQUEST['rub'] = strip_tags($_REQUEST['rub']);
    if (isset($_REQUEST['search'])) $_REQUEST['search'] = strip_tags($_REQUEST['search']);
    if (isset($_REQUEST['name'])) $_REQUEST['name'] = strip_tags($_REQUEST['name']);
    if (isset($_REQUEST['newsletteremail'])) $_REQUEST['newsletteremail'] = strip_tags($_REQUEST['newsletteremail']);
    // then do tests
    if (isset($_REQUEST['id']) && preg_match('/[^0-9A-Za-z]/', $_REQUEST['id'])) $passed = false;
    if (isset($_REQUEST['parentid']) && !is_numeric($_REQUEST['parentid'])) $passed = false;
    if (isset($_REQUEST['parentparentid']) && !is_numeric($_REQUEST['parentparentid'])) $passed = false;
    if (isset($_REQUEST['debut']) && !is_numeric($_REQUEST['debut'])) $passed = false;
    if ($passed == false) die('no way!');
    else return true;
}
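The fix in this issue filters the search parameter with strip_tags() on input. As an added example (not part of the original issue or the project's code), the script below compares that filter with encoding at output time via htmlspecialchars() for the same value. The render_search_form() template, the helper names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the project. $_REQUEST['search'] is the
// parameter named in the issue; every function below is hypothetical.

/** Input filter as used by the fix in this issue: removes tags only. */
function filter_search(string $raw): string
{
    return strip_tags($raw);
}

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hypothetical template fragment that echoes the term in two contexts. */
function render_search_form(string $term): string
{
    return '<input type="text" name="search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// Constructed sample inputs (not taken from the issue).
$samples = [
    'plain'      => 'hello world',
    'with tag'   => '<b>bold</b> text',
    // Contains no tags, so strip_tags() returns it unchanged and the
    // double quote closes the value="..." attribute early.
    'with quote' => 'x" data-injected="1',
    // strip_tags() does not validate HTML and can drop legitimate text.
    'comparison' => 'price <5 and >2',
];

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";
    echo "strip_tags only : " . render_search_form(filter_search($raw)) . "\n";
    echo "encoded output  : " . render_search_form(h($raw)) . "\n\n";
}
```

In the "with quote" case the strip_tags-only line shows a second attribute in the rendered input element, while the encoded line keeps the whole value inside `value="..."` as `&quot;` entities.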