XSS vulnerability

Posted: Fri 2. Jul 2010, 06:54
by Oliver Georgi
Yesterday I got a report of an existing XSS vulnerability.
http://www.htbridge.ch/advisory/xss_vul ... pwcms.html

It seems to have an effect only when you are logged in to the backend. If you do not use the calendar module of phpwcms, just delete the folder
include/inc_module/mod_calendar

The fix for this is to change the code starting around line 42.
For all releases this is enough:

Code:

// Change:
$_SESSION['calendardate'] = clean_slweg($_GET['calendardate']);
// To:
$_SESSION['calendardate'] = substr(clean_slweg($_GET['calendardate']), 0, 7);
For newer releases use

Code:

// define some defaults
if(isset($_GET['calendardate'])) {

	$_SESSION['calendardate'] = substr(clean_slweg($_GET['calendardate']), 0, 7);

}
if(!empty($_SESSION['calendardate'])) {

	@list($plugin['current_month'], $plugin['current_year']) = explode('-', $_SESSION['calendardate']);
	
	$plugin['current_month']	= intval($plugin['current_month']);
	$plugin['current_year']		= intval($plugin['current_year']);
	
	if(empty($plugin['current_year'])) {
		$plugin['current_year']		= gmdate('Y');
	}
	if(empty($plugin['current_month'])) {
		$plugin['current_month']		= gmdate('n');
	}

} else {

	$plugin['current_year']		= gmdate('Y');
	$plugin['current_month']	= gmdate('n');

}
Or use the attached file
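
A stricter variant of the same idea, as an added example that is not part of the original post or of phpwcms: instead of truncating the value to 7 characters, it accepts only the month-year pattern the code above splits on and stores the re-formatted integers. The function name `parse_calendardate`, the 1970 to 2100 year range and the sample inputs are assumptions.

```php
<?php
// Added example, not phpwcms code: strict parsing of a "month-year" value.
// The function name and the accepted year range are assumptions.

/**
 * Parse a calendardate value such as "7-2010" or "07-2010".
 * Returns array(month, year) as integers, or null when the input
 * is not exactly one or two digits, a dash, and four digits.
 */
function parse_calendardate($raw)
{
    if (!is_string($raw)) {
        return null; // e.g. ?calendardate[]=x arrives as an array
    }
    if (!preg_match('/\A(\d{1,2})-(\d{4})\z/', $raw, $m)) {
        return null;
    }
    $month = (int) $m[1];
    $year  = (int) $m[2];
    if ($month < 1 || $month > 12 || $year < 1970 || $year > 2100) {
        return null;
    }
    return array($month, $year);
}

// Constructed sample inputs: two well-formed values, then malformed ones.
$samples = array(
    '7-2010',
    '12-2009',
    '13-2010',
    '7-2010x',
    '<b>7</b>',
    array('7-2010'),
);

foreach ($samples as $raw) {
    $parsed = parse_calendardate($raw);
    if ($parsed === null) {
        // Fall back to the current month, as the posted fix does.
        $parsed = array((int) gmdate('n'), (int) gmdate('Y'));
    }
    // Only the validated integers are stored and echoed, never the raw value.
    $stored = sprintf('%02d-%04d', $parsed[0], $parsed[1]);
    $label  = is_string($raw) ? $raw : gettype($raw);
    echo htmlspecialchars($label, ENT_QUOTES, 'UTF-8'), ' => ', $stored, "\n";
}
```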