Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Kacper Szurek (http://security.szurek.pl/) discovered an XSS vulnerability in Custom fields management pages, caused by unescaped output of 'return URL' GPC parameter. His report describes two ways to exploit this issue: 1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to the administrator in manage_custom_field_edit_page.php when the keyboard shortcut is actioned 2. using 'javascript:' URI scheme executes the code when the user clicks the [Proceed] link on manage_custom_field_update.php after updating a custom field This commit fixes both attack vectors: - properly escape the return URL prior to printing it on the hidden form field - let html_operation_successful() sanitize the URL before displaying it, just like html_meta_redirect() does. In this case, if the string contains an URI scheme, it will be replaced by 'index.php' [1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html Fixes #20956 This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
- Loading branch information
Showing
6 changed files
with
6 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters