Topic: [1.7 - 1.7.10] Security fix for XSS issue in details.php (Read 24294 times)
kai (Administrator)
« on: March 19, 2012, 05:46:51 PM »

A cross-site scripting vulnerability in 4images 1.7 - 1.7.10 has been found.

To fix this:

In details.php

find

$meta_keywords  = !empty($image_row['image_keywords']) ? implode(", ", explode(",", $image_row['image_keywords'])) : "";
$meta_description = !empty($image_row['image_description']) ? strip_tags($image_row['image_description']) . ". " : "";

and replace it with

$meta_keywords  = !empty($image_row['image_keywords']) ? strip_tags(implode(", ", explode(",", $image_row['image_keywords']))) : "";
$meta_description = !empty($image_row['image_description']) ? strip_tags($image_row['image_description']) . ". " : "";


and in rss.php

find (2 times)

$text = format_text(trim($text), 101);

and replace it both times with

$text = format_text(trim($text), 201);
« Last Edit: March 20, 2012, 02:51:52 PM by kai »
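As an added example that is not part of this thread and not 4images' own code, the following PHP replays the details.php change: the unsanitised keyword join from the "find" block beside the strip_tags() form from the "replace" block, plus an assumed helper meta_keywords_tag() that also escapes the value for the content attribute, since strip_tags() removes tags but leaves quotes untouched. The sample keyword string is constructed.

```php
<?php
// Added example, not 4images' own code: the details.php change replayed,
// with a constructed keyword string as input.

// Unsanitised form (the "find" block in the thread): keywords are joined and
// later printed into a <meta> attribute untouched, so stored markup reaches
// the page header as-is.
function meta_keywords_vulnerable(string $image_keywords): string
{
    return !empty($image_keywords)
        ? implode(", ", explode(",", $image_keywords))
        : "";
}

// Form from the fix (the "replace" block): strip_tags() removes HTML tags
// from the joined keyword list before it is used.
function meta_keywords_fixed(string $image_keywords): string
{
    return !empty($image_keywords)
        ? strip_tags(implode(", ", explode(",", $image_keywords)))
        : "";
}

// Assumed helper (not from the thread): strip_tags() only drops tags and does
// not escape quotes, so when the value lands inside content="..." it is also
// escaped for the attribute context with htmlspecialchars().
function meta_keywords_tag(string $image_keywords): string
{
    $keywords = meta_keywords_fixed($image_keywords);
    return '<meta name="keywords" content="'
        . htmlspecialchars($keywords, ENT_QUOTES, 'UTF-8')
        . '" />';
}

// Constructed sample: one keyword carries a tag, another a double quote.
$sample = 'sunset,beach,<b>bold</b>,a"b';

echo meta_keywords_vulnerable($sample), "\n";
echo meta_keywords_fixed($sample), "\n";
echo meta_keywords_tag($sample), "\n";
```

Running the three echo lines side by side shows which characters each stage removes or escapes before the value reaches the page header.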
Jan-Lukas
« Reply #1 on: March 19, 2012, 05:59:51 PM »

On my installation functions.php was changed at some point; I can no longer say by which mod.

How should I proceed?

//$description = (!empty($image_row['image_description'])) ? format_text($image_row['image_description'], 1, 0, 1) : REPLACE_EMPTY;

$description = (!empty($image_row['image_description'])) ? format_text($image_row['image_description'], 1) : REPLACE_EMPTY;

Regards

The entry in rss.php is present twice; replace it twice as well?
Sumale.my
« Reply #2 on: March 19, 2012, 06:31:24 PM »

@ Jan,

I think you can simply take it over like this:

$description = (!empty($image_row['image_description'])) ? format_text($image_row['image_description'], 201) : REPLACE_EMPTY;

And yes, in rss.php search twice and replace twice.
Jan-Lukas
« Reply #3 on: March 19, 2012, 06:59:23 PM »

Sure, but I hadn't changed that without reason ;)
I have now changed it to this:

$description = (!empty($image_row['image_description'])) ? format_text($image_row['image_description'], 2) : REPLACE_EMPTY;

I believe it was because of the HTML stuff in the description.

Regards
jkn
« Reply #4 on: May 21, 2012, 09:34:12 AM »

Hello,
in my more or less original version 1.7, neither details.php nor rss.php contain the two code lines mentioned above! Does the hole perhaps only affect later versions!??
Rembrandt (4images Moderator)
« Reply #5 on: May 21, 2012, 12:32:14 PM »

Hi!

...in my more or less original version 1.7, neither details.php nor rss.php contain the two code lines mentioned above! Does the hole perhaps only affect later versions!??

If you really still have a 1.7 version, then yes; the meta keywords and description were added much later.
They are needed to get the keywords and the description into the page header, basically to make the whole thing more search-engine friendly.

Regards, Andi