Thanks for the notification. Lets keep in mind that we don't want to see
another form of the highlight or sanity issue here, as the removeTags is
simply the strip_tags PHP function. As we've seen, not all attacks will
have HTML tags in them.
gallery fix:
$username = htmlspecialchars(removeTags(urldecode($username)));
(The same also found in search.php)
phpbb pre-fix:
$words = explode(' ',
trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
phpbb fix:
$words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));
I have not taken the time to audit the code, but as we've all become
familiar with the raw encoded URL during the wonderful days of Christmas,
it would be a good idea to run a quick test to ensure that base is
covered. So hopefully I'm wrong and just being over-paranoid.
In any case, thanks for the update. Please correct me if I'm off base
while thinking aloud.
On Sun, 30 Jan 2005, Luke Macken wrote:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 200501-45
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: Low
> Title: Gallery: Cross-site scripting vulnerability
> Date: January 30, 2005
> Bugs: #78522
> ID: 200501-45
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
--
Regards,
Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://justalittlepoke.com | http://cuddlesnkisses.com |
http://zhen-xjell.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
