4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: kai on June 15, 2009, 11:38:42 AM

Title: [1.7 - 1.7.7] Security fix for XSS vulnerability in includes/functions.php
Post by: kai on June 15, 2009, 11:38:42 AM
A cross-site scripting vulnerability in 4images 1.7 - 1.7.7 has been found.

To fix this:

In includes/functions.php

find

return $url;

and replace it with

return htmlspecialchars($url);


The download package of 4images 1.7.7 (http://www.4homepages.de/4images/download.php) has been updated (15.06.2009)
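As an added illustration (not code from the 4images project or from kai's post), a hypothetical URL-building helper in the shape of the one the fix targets, shown once returning the raw string and once returning it through htmlspecialchars(); build_link_unsafe, build_link_safe and the constructed $user_page value are assumptions, and the safe version passes ENT_QUOTES and an explicit charset, which is stricter than the bare call in the fix.

```php
<?php
// Added example, not 4images code. build_link_*() are hypothetical helpers
// that, like the function patched in includes/functions.php, assemble a URL
// which is later printed into HTML (typically inside an href attribute).

// Vulnerable shape: whatever arrived in the request goes back out unchanged.
function build_link_unsafe($page, $session_id)
{
    $url = $page . '?sessionid=' . $session_id;
    return $url;
}

// Fixed shape: the return value is HTML-encoded. ENT_QUOTES also encodes
// single quotes (the PHP default before 5.4 left them alone), which matters
// when the URL lands inside a single-quoted attribute.
function build_link_safe($page, $session_id)
{
    $url = $page . '?sessionid=' . $session_id;
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed input: a "page" value carrying the characters that close an
// HTML attribute. A real request would supply this through $_GET.
$user_page = 'details.php"><b>x</b>';
$sid       = 'abc123';

$raw  = build_link_unsafe($user_page, $sid);
$safe = build_link_safe($user_page, $sid);

// With the raw value the double quote ends the href early and the rest of
// the input is rendered as markup; with the encoded value the whole string
// stays one attribute value and the browser shows it as literal text.
echo '<a href="' . $raw . '">raw</a>' . PHP_EOL;
echo '<a href="' . $safe . '">safe</a>' . PHP_EOL;

// Self-check: no unencoded quote or angle bracket survives the fix.
// htmlspecialchars() is the right tool for an HTML body or attribute context
// only; a value placed inside JavaScript needs JavaScript-specific encoding.
var_dump(strpbrk($safe, '"<>\'') === false);
```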
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: sanko86 on June 15, 2009, 03:31:03 PM
thank you.
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: Sunny C. on June 15, 2009, 04:56:45 PM
Thanks,
I've added it to my list as well!
http://www.4homepages.de/forum/index.php?topic=24888.0
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: Jan-Lukas on June 15, 2009, 09:21:14 PM
Thanks,

Best regards, Harald
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: nobby on June 15, 2009, 09:26:56 PM
updated  :wink:
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: ahmad on June 15, 2009, 09:52:52 PM
Thanks a lot
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: adam_samhan on June 16, 2009, 02:10:36 PM
thanks kai  :roll:
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: nabeel on June 26, 2009, 03:39:59 PM
great
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: manola on July 02, 2009, 03:12:37 AM
Thank you so much for your information.
free mobile ringtone (http://sonneriegratuite.org)
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: birdost on July 20, 2009, 08:14:29 PM
needed, thanks for the fix...
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: oboinastol2008 on July 24, 2009, 09:10:52 AM
:!: Thank you!!!
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: mawenzi on July 24, 2009, 12:34:54 PM
... it is quite odd how many users with "1 post" (and obviously from the Middle East) are saying thanks here ...
... mysterious ... and shame on whoever thinks ill of it ...  :roll:
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: soft4arab on August 11, 2009, 02:28:32 PM
teknopaylaşım (http://www.teknopaylasim.net)
bilgi paylaşım (http://www.bilgibaz.net)
Game servers, domain, hosting, reseller, vps (http://www.liderserver.com)
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: honsa on August 18, 2009, 07:17:49 PM
... it is quite odd how many users with "1 post" (and obviously from the Middle East) are saying thanks here ...
... mysterious ... and shame on whoever thinks ill of it ...  :roll:

what are you thinking, then? the htmlspecialchars function doesn't really do much :roll:

http://ch2.php.net/manual/de/function.htmlspecialchars.php
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: mawenzi on August 18, 2009, 09:09:16 PM
@ honsa

... I'm not thinking anything here, because I know ...
... what the fix is against, the title already says (and it is meant absolutely seriously) ...
... where the people come from who tinker around in the 4images code so they can plant malicious code, I already said ...
... if Jan / Kai have now found such a simple solution for it ... then hats off ... and it should please us all ...
... and I don't want to say any more about it ... ;)
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: Sunny C. on August 18, 2009, 09:44:25 PM
... where the people come from who tinker around in the 4images code so they can plant malicious code, I already said ...

Do you also mean mod authors by that? Should one now pay closer attention that no malicious code is present?
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: mawenzi on August 19, 2009, 12:01:30 AM
... no ...
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: bradcapo112 on August 19, 2009, 05:24:19 AM
Thanks for the site, some information to ponder, but it's technical.

[Nicky]
Merci for your input, but spam removed.
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: marbella on August 21, 2009, 08:44:15 PM
my site was hacked yesterday by this damned "maroccan Alien" ass; since I've had the fix in, the title tag is my own again.
I also did restores of the database and 1 GByte of jpg.
What do I have to do now? Take all the includes from the new version? I have mods in some of them.
By the way, Google finds > 2800 victims of this hack! Some terror dimwit must have sent out an automated script!

http://www.google.de/search?hl=de&safe=off&q=%22hacked+by+moroccan+alien%22&meta=

Mine is right near the top...

[Nicky]
political remark deleted
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: vandamme on November 10, 2009, 08:29:57 AM
cool, thanks you  :lol:
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: shtsht on January 02, 2010, 05:50:26 PM
thanks
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: Zhra on January 14, 2010, 09:32:14 PM
thank you so much
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: dunyakupasi on May 24, 2010, 03:24:19 PM
Thank you so much!
Title: Re: [1.7 - 1.7.7] Security fix for XSS issue in includes/functions.php
Post by: bugra_12 on October 04, 2010, 08:00:43 PM
This message has been deleted by V@no as spam!
Title: Re: [1.7 - 1.7.7] Security fix for XSS vulnerability in includes/functions.php
Post by: mycub on December 23, 2010, 02:42:56 AM
Thank you