Ticket #673 (fixed bug)
IP field not escaped
- Created: 2012-05-20 19:31:32
- Reported by: adaur
- Assigned to: Franz
- Milestone: 1.5.1
- Component: security
- Priority: high
In viewtopic, the IP field is not escaped with pun_htmlspecialchars.
$user_info = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';
According to UnitedBytes, who hacked my forum with a plugin security hole (not FluxBB core), if the forum already has an XSS hole, it is possible to request admin mail form edit.
Franz 2012-05-20 21:03:22
- Milestone set to 1.5.1.
Thanks for the report!!!
If I understand correctly, this simply means that if there is a SQL injection vulnerability somewhere else, this can be used to cause an XSS using the ip field. Right?
adaur 2012-05-21 14:36:04
From what I understand in his post, yes.
By the way, this must be a mistake, as it is escaped properly in profile.php:
<p><?php printf($lang_profile['Registered info'], format_time($user['registered'], true).(($pun_user['is_admmod']) ? ' (<a href="moderate.php?get_host='.pun_htmlspecialchars($user['registration_ip']).'">'.pun_htmlspecialchars($user['registration_ip']).'</a>)' : '')) ?></p>
As this is public now, I suggest a quick update to 1.5.1.
Franz 2012-10-05 13:36:37
- Owner set to Franz.
Franz 2012-10-30 10:16:27
Gosh, this sat here for a long time.
I have a patch ready, will push that when I release v1.5.1.
Franz 2012-11-13 15:04:17
- Status changed from open to fixed.
Franz 2013-04-15 20:58:26
- Visibility set to public.
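Added example, not part of the ticket and not FluxBB's own code: it builds the viewtopic markup quoted above with a constructed poster_ip value, once unescaped and once escaped, and lists the attributes an HTML parser sees on the link. escape_html() is a stand-in for pun_htmlspecialchars (assumed here to be htmlspecialchars with ENT_QUOTES and UTF-8); the sample row, the label text and the helper names are constructed for illustration.

```php
<?php
// Stand-in for FluxBB's pun_htmlspecialchars (assumption: ENT_QUOTES, UTF-8).
function escape_html($str)
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Markup as quoted in the ticket: poster_ip goes straight into title="...".
function ip_link_unescaped(array $cur_post, $label)
{
    return '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$label.'</a></span></dd>';
}

// Same markup with the value escaped for an attribute context,
// matching how profile.php treats registration_ip.
function ip_link_escaped(array $cur_post, $label)
{
    return '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.escape_html($cur_post['poster_ip']).'">'.$label.'</a></span></dd>';
}

// Attribute names an HTML parser finds on the first <a> element.
function anchor_attributes($html)
{
    libxml_use_internal_errors(true); // a bare fragment triggers parser notices
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = array();
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed row: a stored "IP" that contains a double quote, as could
// happen if another flaw let someone write to the poster_ip column.
$cur_post = array('id' => 42, 'poster_ip' => '203.0.113.7" data-injected="1');
$label = 'IP address logged'; // constructed label text

echo implode(', ', anchor_attributes(ip_link_unescaped($cur_post, $label))), "\n";
// href, title, data-injected  (the value broke out of title="...")

echo implode(', ', anchor_attributes(ip_link_escaped($cur_post, $label))), "\n";
// href, title  (the quote became &quot; and stays inside the attribute)

// Defence in depth: a value that is not an IP address can be rejected
// before it is stored or rendered.
var_dump(filter_var($cur_post['poster_ip'], FILTER_VALIDATE_IP)); // bool(false)
```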