Home
Latest images
Search
Register
Log inFIX XSS in RMSOFT donwload plus
Page 1 of 1
FIX XSS in RMSOFT donwload plus
andry Mon Sep 27, 2010 4:01 am
fixing XSS issues in RMSOFT donwload plus
RMSOFT XSS Vulnerability
###################
FIX $key variable
###################
open modules/rmdp/include/rmdp_functions.php
arround line 314 found function rmdp_make_searchnav()
found this code:
#####################
the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:
now variable is clean in functions, but we need to sanitize again in search.php...
open modules/rmdp/search.php
arround line 37 we found two request to $key variable:
need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:
$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :
#############################
fix $id variable in down.php
#############################
open modules/down.php and arround line 38 found this code line:
it´s a numerical variable value always and them...
yo can change by this other to sanitizing :
##############€nd ######
RMSOFT XSS Vulnerability
###################
FIX $key variable
###################
open modules/rmdp/include/rmdp_functions.php
arround line 314 found function rmdp_make_searchnav()
found this code:
#####################
- Code:
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');
$xoopsTpl->assign('key', $key);
the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:
- Code:
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');
$xoopsTpl->assign('key', $key);
now variable is clean in functions, but we need to sanitize again in search.php...
open modules/rmdp/search.php
arround line 37 we found two request to $key variable:
- Code:
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:
- Code:
$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :
- Code:
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
#############################
fix $id variable in down.php
#############################
open modules/down.php and arround line 38 found this code line:
- Code:
$id = $_GET['id'];
it´s a numerical variable value always and them...
yo can change by this other to sanitizing :
- Code:
$id = intval($_GET['id']);
##############€nd ######
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|