
Ticket #673 (fixed bug)

IP field not escaped

  • Created: 2012-05-20 19:31:32
  • Reported by: adaur
  • Assigned to: Franz
  • Milestone: 1.5.1
  • Component: security
  • Priority: high

In viewtopic, IP field is not escaped with pun_htmlspecialchars.

$user_info[] = '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'.$cur_post['poster_ip'].'">'.$lang_topic['IP address logged'].'</a></span></dd>';

According to UnitedBytes, who hacked my forum with a plug-in security hole (not FluxBB core wink), if the forum already has an XSS hole, it is possible to request admin mail form edit.

http://www.wareziens.info/forum/topic-1 … ml#p202708
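
The unescaped pattern from the description next to an escaped form, as an added example that is not FluxBB's code or the committed patch. `escape_attr()` is a hypothetical stand-in for `pun_htmlspecialchars` (assumed to escape quotes as well as angle brackets), the rows are constructed, and the `filter_var` check goes beyond what the ticket discusses.

```php
<?php
// Added example, not FluxBB code. escape_attr() is a hypothetical stand-in
// for pun_htmlspecialchars(); the assumption is that it also escapes quotes.
function escape_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// The pattern from the ticket: the stored IP lands in title="" verbatim.
function ip_link_unescaped(array $cur_post, string $label): string
{
    return '<dd><span><a href="moderate.php?get_host='.$cur_post['id'].'" title="'
        .$cur_post['poster_ip'].'">'.$label.'</a></span></dd>';
}

// Escaped form: the id is cast to int and the IP is escaped for an attribute.
function ip_link_escaped(array $cur_post, string $label): string
{
    $ip = (string) $cur_post['poster_ip'];
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        // Defence in depth: this column should only ever hold an IP address,
        // so anything else is worth a log line for whoever reviews the forum.
        error_log('post '.(int) $cur_post['id'].': poster_ip is not a valid IP');
    }
    return '<dd><span><a href="moderate.php?get_host='.(int) $cur_post['id'].'" title="'
        .escape_attr($ip).'">'.$label.'</a></span></dd>';
}

// Constructed rows: two valid addresses and one value that is not an IP.
$rows = [
    ['id' => 1, 'poster_ip' => '203.0.113.7'],
    ['id' => 2, 'poster_ip' => '2001:db8::1'],
    ['id' => 3, 'poster_ip' => '" onmouseover="alert(1)'],
];

foreach ($rows as $row) {
    echo ip_link_unescaped($row, 'IP address logged'), "\n";
    echo ip_link_escaped($row, 'IP address logged'), "\n\n";
}
```

For the third row the unescaped form closes the `title` attribute early, while the escaped form keeps the whole value inside it as `&quot;`-encoded text.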

History

adaur 2012-05-20 19:33:50

  • Component changed from search to security.
  • Description changed. (Diff)

Franz 2012-05-20 21:03:22

  • Milestone set to 1.5.1.

Thanks for the report!!!

If I understand correctly, this simply means that if there is a SQL injection vulnerability somewhere else, this can be used to cause an XSS using the ip field. Right?


adaur 2012-05-21 14:36:04

From what I understand in his post, yes.

By the way, this must be a mistake, as it is escaped properly in profile.php:

<p><?php printf($lang_profile['Registered info'], format_time($user['registered'], true).(($pun_user['is_admmod']) ? ' (<a href="moderate.php?get_host='.pun_htmlspecialchars($user['registration_ip']).'">'.pun_htmlspecialchars($user['registration_ip']).'</a>)' : '')) ?></p>

As this is public now, I suggest a quick update to 1.5.1.


Franz 2012-10-05 13:36:37

  • Owner set to Franz.

Franz 2012-10-30 10:16:27

Gosh, this sat here for a long time.

I have a patch ready, will push that when I release v1.5.1.

Franz 2012-11-13 14:30:17

Commit 2d52c3a to fluxbb master

#673: Escape poster IP in viewtopic page.

Reported by @adaur, thank you!

Franz 2012-11-13 15:04:17

  • Status changed from open to fixed.

adaur 2012-11-15 17:36:03

Commit b974590 to fluxbb master

#673 : escaping one more IP field

Franz 2013-04-15 20:58:26

  • Visibility set to public.