Issue #602 has been updated by Luca Carettoni. File XSSvalidation.patch added
I made a patch to address the security concerns related to XSS attacks. This should fix http://tools.ltb-project.org/issues/602, http://tools.ltb-project.org/issues/601 and another occurrence discovered in setquestions.php

In detail:
- a new function "htmlencode_utf8()" has been created to enforce strict UTF8 html-encoding. This function should be used when outputting user-supplied data in HTML context (no URL, no JavaScript, just pure HTML)
- modified all occurrences mentioned by this bug report and quickly looked for similar patterns. As a result, I fixed another Stored XSS affecting setquestions.php (line 205) where $text was retrieved from stored user-supplied data.

I haven't really performed extensive testing, but it shouldn't break functionalities.

Cheers!
Luca

----------------------------------------
Bug #602: Poor XSS validation
http://tools.lsc-project.org/issues/602

Author: John Menerick
Status: Assigned
Priority: Urgent
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?

change.php: Line 215, resetbyquestions.php: Line 204, resetbytoken.php: Line 237, sendsms.php: Line 234 / 247 / 248 / 266, sendtoken.php: Line 210, and setquestions: Line 195 all involve a type of validation / sanitization which is not enough to prevent malicious requests from reaching the user's browser. Htmlentities will prevent some but not all XSS attacks. It really depends on the execution context. Relying on the htmlentities encoding function is equivalent to using a very weak blacklist. See http://wiremask.eu/?p=tutorials&id=10 for additional information on how one may bypass htmlentities.

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________
ltb-dev mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-dev
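The message above describes a strict UTF-8 HTML encoder but the attached XSSvalidation.patch is not reproduced in this thread. The following is an added example written for this page, not the patch's code and not part of the Self Service Password project: it shows what such an encoder looks like in PHP and why the output context and charset matter. The function name htmlencode_utf8 is taken from the message; its body, the helper is_valid_utf8, the sample inputs and the $login variable are assumptions.

```php
<?php
// Added example; not the project's htmlencode_utf8() from XSSvalidation.patch.

/**
 * Return true only if $s is well-formed UTF-8 (assumed helper, not from the patch).
 * Validating before output means a truncated or overlong byte sequence is never
 * handed to the browser to be reinterpreted in some other charset.
 */
function is_valid_utf8($s)
{
    return mb_check_encoding($s, 'UTF-8');
}

/**
 * Encode user-supplied data for an HTML text node or a quoted attribute value.
 * Not for URL, JavaScript or CSS contexts; each of those needs its own encoder,
 * which is the "execution context" point made in the bug report.
 */
function htmlencode_utf8($s)
{
    // ENT_QUOTES: encode both " and ' so the value is safe inside either attribute quote style.
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of returning ''.
    // 'UTF-8' is given explicitly; before PHP 5.4 the default charset was ISO-8859-1,
    // and before PHP 8.1 the default flags (ENT_COMPAT) left single quotes untouched.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not taken from the bug report): a single quote with markup,
// a valid two-byte character, and a deliberately truncated multi-byte sequence.
$samples = array(
    "O'Brien <b>bold</b>",
    "caf\xC3\xA9",
    "bad\xC3byte",
);

foreach ($samples as $in) {
    // The weaker call mirrors the pre-5.4 defaults: double quotes only, Latin-1 charset.
    $weak   = htmlentities($in, ENT_COMPAT, 'ISO-8859-1');
    $strict = htmlencode_utf8($in);
    printf("valid utf-8: %s\nweak       : %s\nstrict     : %s\n\n",
        is_valid_utf8($in) ? 'yes' : 'no', $weak, $strict);
}

// Typical use at an output point: pure HTML or a double-quoted attribute only.
$login = $samples[0];
echo '<input type="text" name="login" value="' . htmlencode_utf8($login) . '">' . "\n";
```

Running this shows the difference the message is getting at: the weak call leaves the single quote in "O'Brien" unencoded and turns "café" into mojibake entities, while the strict call encodes both quote characters and substitutes the malformed byte in "bad\xC3byte" rather than passing it through. The check with is_valid_utf8 is what lets the application reject or log malformed input at validation time, independently of the encoding done at output time.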
