4images Forum & Community
4images Issues / Ausgaben => Discussion & Troubleshooting => Topic started by: mdwnn on April 05, 2008, 10:17:41 AM
-
http://agoratalk.com/2008/01/23/4images-xss-site-hacking/ with a full video on how to exploit
http://www.calistaflockhart.hollywood.com/gallery/categories.php?cat_id=541 was defaced, running 1.7.4
I also see reports of attemps for 1.7.6?
http://forum.antichat.ru/threadedpost621227.html#post621227
-
Hi there ...
This problem was solved long time ago
You have two ways : -
1 / to put this ( http://www. ) in homepage field .
or
2 / to remove homepage code from ur template
open (member_editprofile.html)
remove this code :
<td class="row1"><b>{lang_homepage}</b></td>
<td class="row1"><input type="text" name="user_homepage" size="30" value="{user_homepage}" class="input" /></td>
-
So this is a confirmed xss exploit? It would be good to have this in the release notes of the newer version if this was fixed?
Thanks for your reply.
-
To fix this, search in member.php for
$user_homepage = (isset($user_row['user_homepage'])) ? format_url($user_row['user_homepage']) : REPLACE_EMPTY;
and replace it with
$user_homepage = (isset($user_row['user_homepage'])) ? format_text(format_url($user_row['user_homepage']), 2) : REPLACE_EMPTY;
-
@ Jan
... are you sure about that ...
... after your change shows now for homepage ...
Homepage : http://www.my_website.de" target="_blank">http://www.my_website.de
... instead of ...
Homepage : http://www.my_website.de
-
You are right, the correct line is:
$user_homepage = (isset($user_row['user_homepage'])) ? format_text(format_url($user_row['user_homepage']), 2) : REPLACE_EMPTY;
I've update the fix in my previous post!
-
... now it shows the homepage in the correct way ...
... thanks Jan ...