4images Forum & Community

4images Help / Hilfe => Bug Fixes & Patches => Topic started by: kai on October 27, 2010, 11:39:09 AM

Title: [1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php
Post by: kai on October 27, 2010, 11:39:09 AM
A cross site scripting vulnerability in 4images 1.7 - 1.7.8 has been found.

To fix this:

In admin/admin_functions.php

find

echo "<form action=\"".$site_sess->url($phpscript)."\"".$upload." name=\"".$name."\" method=\"post\">\n";

and replace it with

echo "<form action=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($phpscript)))."\"".$upload." name=\"".$name."\" method=\"post\">\n";


find

echo "<a href=\"".$site_sess->url($url)."\"".$target.">[".$text."]</a>&nbsp;&nbsp;";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\"".$target.">[".$text."]</a>&nbsp;&nbsp;";


find

echo "<a href=\"".$site_sess->url($url)."\" class=\"navlink\">".$title."</a> $extra\n";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";


If you are using 4images v1.7, also add the following in includes/functions.php above ?>
function safe_htmlspecialchars($chars) {
  // Translate all non-unicode entities
  $chars = preg_replace(
    '/&(?!(#[0-9]+|[a-z]+);)/si',
    '&amp;',
    $chars
  );

  $chars = str_replace(">", "&gt;",   $chars);
  $chars = str_replace("<", "&lt;",   $chars);
  $chars = str_replace('"', "&quot;", $chars);
  return $chars;
}

Thanks to Secunia Research (http://secunia.com/) for finding and reporting this vulnerability!
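As an added illustration (this is not code from the 4images project or from the post above, only a stand-alone script built around the safe_htmlspecialchars() function shown there), the script below feeds a few constructed URL values through the old and the patched form of the navlink line and prints both. It shows why the original echo was an XSS sink: an attacker-controlled value containing a double quote could close the href attribute and inject further markup, while after safe_htmlspecialchars(strip_tags(...)) the value contains no raw quote or angle bracket at all. The session_url() function is an assumed stand-in for $site_sess->url(); the real method also appends the session id, which is irrelevant to the escaping and is left out here.

```php
<?php
// Added example, not part of 4images or the forum post.
// Reuses safe_htmlspecialchars() from the fix above on constructed inputs.

function safe_htmlspecialchars($chars) {
  // Escape '&' unless it already starts a named or numeric entity,
  // so existing entities such as &amp; are not double-encoded.
  $chars = preg_replace('/&(?!(#[0-9]+|[a-z]+);)/si', '&amp;', $chars);
  $chars = str_replace(">", "&gt;",   $chars);
  $chars = str_replace("<", "&lt;",   $chars);
  $chars = str_replace('"', "&quot;", $chars);
  return $chars;
}

// Hypothetical stand-in for $site_sess->url(); the real method appends the
// session id to the URL, which does not matter for the escaping shown here.
function session_url($url) {
  return $url;
}

// Constructed test values: two benign admin URLs (one already entity-encoded)
// and one carrying a double quote and a tag, the shape of value that the
// unpatched line would echo verbatim into the href attribute.
$inputs = array(
  'admin.php?action=images&amp;page=2',
  'admin.php?action=images&page=2',
  'admin.php?x=1" class="injected"><b>not a link</b>',
);

// Returns true when the escaped value can neither close the href attribute
// nor open a new tag, i.e. it contains no raw ", < or >.
function is_attribute_safe($value) {
  return strpbrk($value, '"<>') === false;
}

foreach ($inputs as $url) {
  $before = '<a href="' . session_url($url) . '" class="navlink">Menu</a>';
  $safe   = safe_htmlspecialchars(strip_tags($url));
  $after  = '<a href="' . session_url($safe) . '" class="navlink">Menu</a>';

  echo "input:  $url\n";
  echo "before: $before\n";
  echo "after:  $after\n";
  echo "safe:   " . (is_attribute_safe($safe) ? 'yes' : 'NO') . "\n\n";
}

// The entity-aware regex leaves &amp; alone but encodes a bare &.
echo (safe_htmlspecialchars('a&amp;b') === 'a&amp;b') ? "entity kept\n" : "FAIL\n";
echo (safe_htmlspecialchars('a&b') === 'a&amp;b')     ? "ampersand encoded\n" : "FAIL\n";
```

Run it with `php example.php`. For the third input the "before" line shows the quote terminating the attribute early, while the "after" line shows `&quot;` and `&gt;` in its place; strip_tags() additionally removes the `<b>` elements, and the already-encoded `&amp;page=2` survives unchanged, which is what keeps the patched links working.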
Title: Re: [1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php
Post by: jkn on December 05, 2010, 04:01:33 PM
Hello,
when I'm adding the code to v1.7, nothing works in the admin backend!

any solution??
thx
jkn
Title: Re: [1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php
Post by: ulrich on January 08, 2011, 08:47:19 PM
I am having the same problem with 1.7. Instead of the menu in the top left corner I am getting this:
Quote
Fatal error: Call to undefined function safe_htmlspecialchars() in <path to gallery>/admin/admin_functions.php on line 632

Line 632 reads echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";

How do I get the menu working again? BTW, version 1.7.6 works fine with this fix.
Title: Re: [1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php
Post by: V@no on January 08, 2011, 10:08:04 PM
Added one more step.