XSS vulnerability

check this often to be informed about any security problem that was reported.
Post Reply
User avatar
Oliver Georgi
Site Admin
Posts: 9888
Joined: Fri 3. Oct 2003, 22:22
Contact:

XSS vulnerability

Post by Oliver Georgi »

Yesterday I got report of an existing XSS vulnerability.
http://www.htbridge.ch/advisory/xss_vul ... pwcms.html

It seems to have an effect only when you are logged in to the backend. If you do not use the calendar module of phpwcms, just delete folder
include/inc_module/mod_calendar

The fix for this is change starting around line 42 to:
For all releases this is enough:

Code: Select all

// Change:
$_SESSION['calendardate'] = clean_slweg($_GET['calendardate']);
// To:
$_SESSION['calendardate'] = substr(clean_slweg($_GET['calendardate']), 0, 7);
For newer releases use

Code: Select all

// define some defaults
if(isset($_GET['calendardate'])) {

	$_SESSION['calendardate'] = substr(clean_slweg($_GET['calendardate']), 0, 7);

}
if(!empty($_SESSION['calendardate'])) {

	@list($plugin['current_month'], $plugin['current_year']) = explode('-', $_SESSION['calendardate']);
	
	$plugin['current_month']	= intval($plugin['current_month']);
	$plugin['current_year']		= intval($plugin['current_year']);
	
	if(empty($plugin['current_year'])) {
		$plugin['current_year']		= gmdate('Y');
	}
	if(empty($plugin['current_month'])) {
		$plugin['current_month']		= gmdate('n');
	}

} else {

	$plugin['current_year']		= gmdate('Y');
	$plugin['current_month']	= gmdate('n');

}
Or use the attached file
Attachments
backend.listing.php.zip
replace the file include/inc_module/mod_calendar/backend.listing.php with unarchived version — make backup of old file and test it
(4.36 KiB) Downloaded 698 times
Last edited by Oliver Georgi on Wed 30. Sep 2015, 05:59, edited 4 times in total.
Reason: Show all users in forum
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
Post Reply