Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site 
Scripting
Signed-off-by: Adolf Belka <[email protected]>
---
 html/cgi-bin/mail.cgi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi
index 0ed3dfeca..aae4abc31 100644
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2020  IPFire Team  <[email protected]>                     #
+# Copyright (C) 2007-2025  IPFire Team  <[email protected]>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -102,8 +102,8 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}"){ 
#SaveButton on configsite
                $mail{'RECIPIENT'}              = $cgiparams{'txt_recipient'};
 
                if ($cgiparams{'txt_mailuser'} && $cgiparams{'txt_mailpass'}) {
-                       $auth{'AUTHNAME'}               = 
$cgiparams{'txt_mailuser'};
-                       $auth{'AUTHPASS'}               = 
$cgiparams{'txt_mailpass'};
+                       $auth{'AUTHNAME'}               = 
&Header::escape($cgiparams{'txt_mailuser'});
+                       $auth{'AUTHPASS'}               = 
&Header::escape($cgiparams{'txt_mailpass'});
                        $auth{'AUTHHOST'}               = 
$cgiparams{'txt_mailserver'};
                        print TXT1 
"$auth{'AUTHNAME'}|$auth{'AUTHHOST'}:$auth{'AUTHPASS'}\n";
                }
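Review bot: Calling `&Header::escape()` when the values are stored, rather than when they are rendered, means the escaped strings are also what `print TXT1` writes into the credentials record. A user name or password containing `&`, `<`, `>` or `"` would then presumably no longer match what the mail server expects (this assumes Header::escape HTML-encodes those characters; its definition is not in this hunk). I would keep `$auth{'AUTHNAME'} = $cgiparams{'txt_mailuser'};` and `$auth{'AUTHPASS'} = $cgiparams{'txt_mailpass'};` raw here and apply `&Header::escape()` where the form prints them back, which is in the part of the save handler outside this hunk. `txt_mailserver` and `txt_recipient` are still stored unescaped in the same block, so they need the same output encoding if they are echoed into the page and not validated elsewhere. Separately, HTML escaping does not stop `|`, `:` or newline characters in these fields from breaking the `user|host:pass` record format, so a check that rejects them before the `print TXT1` would be worth adding.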
-- 
2.51.0

