Author Topic: [1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php  (Read 44838 times)


Offline kai

A cross-site scripting vulnerability in 4images 1.7 - 1.7.8 has been found.

To fix this:

In admin/admin_functions.php

find

echo "<form action=\"".$site_sess->url($phpscript)."\"".$upload." name=\"".$name."\" method=\"post\">\n";

and replace it with

echo "<form action=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($phpscript)))."\"".$upload." name=\"".$name."\" method=\"post\">\n";


find

echo "<a href=\"".$site_sess->url($url)."\"".$target.">[".$text."]</a>&nbsp;&nbsp;";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\"".$target.">[".$text."]</a>&nbsp;&nbsp;";


find

echo "<a href=\"".$site_sess->url($url)."\" class=\"navlink\">".$title."</a> $extra\n";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";


If you are using 4images v1.7, also add the following in includes/functions.php above ?>

function safe_htmlspecialchars($chars) {
  // Translate all non-unicode entities: escape a bare "&" unless it already
  // starts a numeric or named entity
  $chars = preg_replace(
    '/&(?!(#[0-9]+|[a-z]+);)/si',
    '&amp;',
    $chars
  );
  // Escape the characters that would let a value close an attribute or open a tag
  $chars = str_replace(">", "&gt;",   $chars);
  $chars = str_replace("<", "&lt;",   $chars);
  $chars = str_replace('"', "&quot;", $chars);
  return $chars;
}


Thanks to Secunia Research for finding and reporting this vulnerability!
« Last Edit: January 08, 2011, 10:08:55 PM by V@no »
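What the replaced lines change, shown in an added PHP example that is not part of the post or of the 4images code base: it reuses the post's safe_htmlspecialchars(), substitutes a minimal stand-in for $site_sess->url() (an assumption, since the real session class is not on this page), and compares the <a> element a browser would build from the old and the new navlink line for a constructed $url value.

```php
<?php
// Added example, not code from the 4images post: renders the navlink line from
// admin/admin_functions.php before and after the fix for a constructed $url.

// Copied from the post: escapes bare "&", "<", ">" and double quotes.
function safe_htmlspecialchars($chars) {
  $chars = preg_replace('/&(?!(#[0-9]+|[a-z]+);)/si', '&amp;', $chars);
  $chars = str_replace(">", "&gt;",   $chars);
  $chars = str_replace("<", "&lt;",   $chars);
  $chars = str_replace('"', "&quot;", $chars);
  return $chars;
}

// Assumption: minimal stand-in for $site_sess->url(), which in 4images appends
// the session id to a URL. The real session class is not reproduced here.
class StandInSession {
  public function url($url) {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'sessionid=0123456789abcdef';
  }
}

// The line before the fix and the replacement given in the post.
function navlink_before($site_sess, $url, $title) {
  return "<a href=\"".$site_sess->url($url)."\" class=\"navlink\">".$title."</a>";
}
function navlink_after($site_sess, $url, $title) {
  return "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a>";
}

// Parses the markup and lists the attributes a browser would see on <a>.
// The template emits exactly two (href and class); any extra attribute got in
// through an unescaped double quote in $url.
function anchor_attributes($html) {
  $doc = new DOMDocument();
  $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
  $names = [];
  foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
    $names[] = $attr->name;
  }
  return $names;
}

$site_sess = new StandInSession();
// Constructed input: a double quote closes href early and a new attribute follows.
$url   = 'categories.php" title="injected';
$title = 'Categories';
foreach (['before' => navlink_before($site_sess, $url, $title),
          'after'  => navlink_after($site_sess, $url, $title)] as $label => $html) {
  echo $label, ": ", $html, "\n";
  echo $label, " attributes: ", implode(', ', anchor_attributes($html)), "\n";
}
```

Run it with the PHP CLI (the dom extension must be enabled); the patched line keeps the whole injected text inside the href value instead of letting it become an attribute of its own.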

Offline jkn

Hello,
When I add the code to v1.7, nothing works in the admin backend!

Any solution?
Thanks,
jkn

Offline ulrich

I am having the same problem with 1.7. Instead of the menu in the top left corner I am getting this:
Fatal error: Call to undefined function safe_htmlspecialchars() in <path to gallery>/admin/admin_functions.php on line 632

Line 632 reads:

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";

How do I get the menu working again? BTW, version 1.7.6 works fine with this fix.

Offline V@no

Added one more step.