[1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin

4images Help / Hilfe > Bug Fixes & Patches

[1.7 - 1.7.8] Security fix for XSS vulnerability in admin/admin_functions.php

(1/1)

kai:
A cross site scripting vulnerability in 4images 1.7 - 1.7.8 has been found.

To fix this:

In admin/admin_functions.php

find

echo "<form action=\"".$site_sess->url($phpscript)."\"".$upload." name=\"".$name."\" method=\"post\">\n";

and replace it with

echo "<form action=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($phpscript)))."\"".$upload." name=\"".$name."\" method=\"post\">\n";

find

echo "<a href=\"".$site_sess->url($url)."\"".$target.">[".$text."]</a>  ";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\"".$target.">[".$text."]</a>  ";

find

echo "<a href=\"".$site_sess->url($url)."\" class=\"navlink\">".$title."</a> $extra\n";

and replace it with

echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";

If you are using 4images v1.7 also add in includes/functions.php above ?>
function safe_htmlspecialchars($chars) {
  // Translate all non-unicode entities
  $chars = preg_replace(
    '/&(?!(#[0-9]+|[a-z]+);)/si',
    '&',
    $chars
  );

  $chars = str_replace(">", ">",   $chars);
  $chars = str_replace("<", "<",   $chars);
  $chars = str_replace('"', """, $chars);
  return $chars;
}

Thanks to Secunia Research for finding and reporting this vulnerability!

jkn:
hello,
when i'm adding the code to v1.7 works nothing in the admin-backend!

any solution??
thx
jkn

ulrich:
I am having the same problem with 1.7. Instead of the menu in the top left corner I am getting this:
--- Quote ---Fatal error: Call to undefined function safe_htmlspecialchars() in <path to gallery>/admin/admin_functions.php on line 632
--- End quote ---

Line 632 reads echo "<a href=\"".$site_sess->url(safe_htmlspecialchars(strip_tags($url)))."\" class=\"navlink\">".$title."</a> $extra\n";

How do I get the menu working again? BTW, version 1.7.6 works fine with this fix.

V@no:
added one more step

Navigation

[0] Message Index

Go to full version