/
0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch
119 lines (112 loc) · 5.13 KB
/
0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
From edb817991b99cd5538f102be26865fde7c6b7212 Mon Sep 17 00:00:00 2001
From: David Hicks <hickseydr@optusnet.com.au>
Date: Thu, 2 Sep 2010 21:51:21 +1000
Subject: [PATCH] Fix #12312: NuSOAP web description XSS vulnerability
Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in
NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped
URLs.
A sample exploit URL is:
/api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>
The upstream report for these XSS flaws in NuSOAP is located at the
following URL:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
This patch provides an interim fix for MantisBT users until upstream
makes a new release.
---
library/nusoap/class.wsdl.php | 16 ++++++++--------
library/nusoap/nusoap.php | 14 +++++++-------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/library/nusoap/class.wsdl.php b/library/nusoap/class.wsdl.php
index 6d2a693..7dcc307 100644
--- a/library/nusoap/class.wsdl.php
+++ b/library/nusoap/class.wsdl.php
@@ -842,9 +842,9 @@ class wsdl extends nusoap_base {
<body>
<div class=content>
<br><br>
- <div class=title>'.$this->serviceName.'</div>
+ <div class=title>'.htmlentities($this->serviceName).'</div>
<div class=nav>
- <p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
+ <p>View the <a href="'.htmlentities($PHP_SELF).'?wsdl">WSDL</a> for the service.
Click on an operation name to view it's details.</p>
<ul>';
foreach($this->getOperations() as $op => $data){
@@ -854,21 +854,21 @@ class wsdl extends nusoap_base {
<a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
foreach($data as $donnie => $marie){ // loop through opdata
if($donnie == 'input' || $donnie == 'output'){ // show input/output data
- $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
+ $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).':</font><br>';
foreach($marie as $captain => $tenille){ // loop through data
if($captain == 'parts'){ // loop thru parts
- $b .= " $captain:<br>";
+ $b .= " ".htmlentities($captain).":<br>";
//if(is_array($tenille)){
foreach($tenille as $joanie => $chachi){
- $b .= " $joanie: $chachi<br>";
+ $b .= " ".htmlentities($joanie).": ".htmlentities($chachi)."<br>";
}
//}
} else {
- $b .= " $captain: $tenille<br>";
+ $b .= " ".htmlentities($captain).": ".htmlentities($tenille)."<br>";
}
}
} else {
- $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
+ $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).":</font> ".htmlentities($marie)."<br>";
}
}
$b .= '</div>';
@@ -1935,4 +1935,4 @@ class wsdl extends nusoap_base {
}
}
-?>
\ No newline at end of file
+?>
diff --git a/library/nusoap/nusoap.php b/library/nusoap/nusoap.php
index 4973532..10750aa 100644
--- a/library/nusoap/nusoap.php
+++ b/library/nusoap/nusoap.php
@@ -5424,9 +5424,9 @@ class wsdl extends nusoap_base {
<body>
<div class=content>
<br><br>
- <div class=title>'.$this->serviceName.'</div>
+ <div class=title>'.htmlentities($this->serviceName).'</div>
<div class=nav>
- <p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
+ <p>View the <a href="'.htmlentities($PHP_SELF).'?wsdl">WSDL</a> for the service.
Click on an operation name to view it's details.</p>
<ul>';
foreach($this->getOperations() as $op => $data){
@@ -5436,21 +5436,21 @@ class wsdl extends nusoap_base {
<a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
foreach($data as $donnie => $marie){ // loop through opdata
if($donnie == 'input' || $donnie == 'output'){ // show input/output data
- $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
+ $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).':</font><br>';
foreach($marie as $captain => $tenille){ // loop through data
if($captain == 'parts'){ // loop thru parts
- $b .= " $captain:<br>";
+ $b .= " ".htmlentities($captain).":<br>";
//if(is_array($tenille)){
foreach($tenille as $joanie => $chachi){
- $b .= " $joanie: $chachi<br>";
+ $b .= " ".htmlentities($joanie).": ".htmlentities($chachi)."<br>";
}
//}
} else {
- $b .= " $captain: $tenille<br>";
+ $b .= " ".htmlentities($captain).": ".htmlentities($tenille)."<br>";
}
}
} else {
- $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
+ $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).":</font> ".htmlentities($marie)."<br>";
}
}
$b .= '</div>';
--
1.7.2.2