Bug Fixes & Patches / [1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php
« on: October 27, 2010, 11:39:09 AM »
A cross-site scripting vulnerability in 4images 1.7 - 1.7.8 has been found.
To fix this:
In admin/admin_functions.php
find
echo "<form action=\"".$site_sess->url($phpscript)."\"".$upload." name=\"".$name."\" method=\"post\">\n";
and replace it with
echo "<form action=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($phpscript)))."\"".$upload." name=\"".$name."\" method=\"post\">\n";
find
echo "<a href=\"".$site_sess->url($url)."\"".$target.">[".$text."]</a> ";
and replace it with
echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\"".$target.">[".$text."]</a> ";
find
echo "<a href=\"".$site_sess->url($url)."\" class=\"navlink\">".$title."</a> $extra\n";
and replace it with
echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";
If you are using 4images v1.7 also add in includes/functions.php above ?>
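function safe_htmlspecialchars($chars) {
  // Translate all non-unicode entities
  // (bare "&" becomes "&amp;", existing entities are left untouched)
  $chars = preg_replace(
    '/&(?!(#[0-9]+|[a-z]+);)/si',
    '&amp;',
    $chars
  );
  // Encode the characters that can close an attribute or open a tag
  $chars = str_replace(">", "&gt;", $chars);
  $chars = str_replace("<", "&lt;", $chars);
  $chars = str_replace('"', "&quot;", $chars);
  return $chars;
}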
Thanks to Secunia Research for finding and reporting this vulnerability!
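A quick regression check for the patched pattern, added here as an example and not part of the original post or of 4images itself. It reuses the helper from the post; `render_nav_link()`, `stays_inside_attribute()` and the sample URLs are constructed for illustration, and `$site_sess->url()` is left out.

```php
<?php
// Added example, not 4images code. Helper body as given in the post;
// everything else (function names, sample inputs) is hypothetical.
if (!function_exists('safe_htmlspecialchars')) {
    function safe_htmlspecialchars($chars) {
        // Encode bare ampersands, leave existing entities alone
        $chars = preg_replace('/&(?!(#[0-9]+|[a-z]+);)/si', '&amp;', $chars);
        $chars = str_replace(">", "&gt;", $chars);
        $chars = str_replace("<", "&lt;", $chars);
        $chars = str_replace('"', "&quot;", $chars);
        return $chars;
    }
}

// Stand-in for the navlink echo, before and after the patch.
function render_nav_link($url, $title, $patched) {
    if ($patched) {
        $url = safe_htmlspecialchars(strip_tags($url));
    }
    return "<a href=\"" . $url . "\" class=\"navlink\">" . $title . "</a>";
}

// True when the output is a single <a> tag whose href value contains
// no raw double quote or angle bracket, i.e. the value stayed in the attribute.
function stays_inside_attribute($html) {
    return preg_match('/^<a href="[^"<>]*" class="navlink">[^<]*<\/a>$/', $html) === 1;
}

$samples = array(  // constructed inputs
    'plain'         => 'images.php?action=editimages&cat_id=3',
    'entity kept'   => 'images.php?a=1&amp;b=2',
    'markup marker' => 'images.php?x="><b>marker</b>',
);

$failures = 0;
foreach ($samples as $label => $url) {
    $before = render_nav_link($url, 'Edit', false);
    $after  = render_nav_link($url, 'Edit', true);
    printf("%-14s before: %s\n%-14s after:  %s\n", $label, $before, '', $after);
    if (!stays_inside_attribute($after)) {
        $failures++;
    }
}
// Non-zero exit status if any patched link still lets the value leave the href.
exit($failures === 0 ? 0 : 1);
```

Run it with the PHP CLI after applying the patch to confirm that a value containing quotes or tags can no longer terminate the double-quoted `href` attribute.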