
Fix: [Bug #232] Multiple Cross-Site-Scripting vulnerabilities

1 parent 9ff0690 commit 762f98ab4137749d0993612b4e3544a4207e78a1 Regis Houssin committed Nov 8, 2011
Showing with 9 additions and 6 deletions.
  1. +1 −1 htdocs/lib/security.lib.php
  2. +8 −5 htdocs/main.inc.php
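--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -181,7 +181,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 }
 // Login
-$login = (!empty($lastuser)?$lastuser:(GETPOST("username")?GETPOST("username"):$demologin));
+$login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
 $password = $demopassword;
 // Show logo (search in order: small company logo, large company logo, theme logo, common logo)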
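Review bot: The value filtered by `GETPOST("username","alpha",2)` is only the pre-fill for the login form, and what the 'alpha' check actually strips is not visible here, so `$login` must still be HTML-escaped (htmlspecialchars with ENT_QUOTES) where it is echoed into the form's `value=` attribute, which lies outside this hunk; otherwise the XSS is narrowed rather than closed. The ternary also calls GETPOST twice and, like the old line, falls back to `$demologin` for a posted username of `"0"` because it tests truthiness; a local fixes both: `$postedlogin = GETPOST("username","alpha",2);` then `$login = (!empty($lastuser)?$lastuser:($postedlogin !== '' ? $postedlogin : $demologin));` (assuming GETPOST returns the empty string when the field is absent — worth confirming). `$lastuser` takes precedence and does not go through the same filter, so its source, also outside the hunk, deserves the same look. dol_loginfunction continues beyond the lines shown.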
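--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -76,6 +76,9 @@ function test_sql_and_script_inject($val,$get)
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 // For XSS Injection done by adding javascript with script
 $sql_inj += preg_match('/<script/i', $val);
+$sql_inj += preg_match('/img[\s]+src/i', $val);
+$sql_inj += preg_match('/base[\s]+href/i', $val);
+$sql_inj += preg_match('/style([\s]+)?=/i', $val);
 if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
@@ -324,7 +327,7 @@ function analyse_sql_and_script(&$var,$get)
 }
 // Verification security graphic code
-if (isset($_POST["username"]) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
+if (GETPOST("username","alpha",2) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
 {
 require_once DOL_DOCUMENT_ROOT.'/includes/artichow/Artichow.cfg.php';
 require_once ARTICHOW."/AntiSpam.class.php";
@@ -339,7 +342,7 @@ function analyse_sql_and_script(&$var,$get)
 $langs->load('main');
 $langs->load('other');
-$user->trigger_mesg='ErrorBadValueForCode - login='.$_POST["username"];
+$user->trigger_mesg='ErrorBadValueForCode - login='.GETPOST("username","alpha",2);
 $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadValueForCode");
 $test=false;
@@ -365,7 +368,7 @@ function analyse_sql_and_script(&$var,$get)
 // If error, we will put error message in session under the name dol_loginmesg
 $goontestloop=false;
 if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true;
-if (isset($_POST["username"]) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
+if (GETPOST("username","alpha",2) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
 if ($test && $goontestloop)
 {
@@ -378,7 +381,7 @@ function analyse_sql_and_script(&$var,$get)
 if ($result)
 {
 // Call function to check user/password
-$usertotest=$_POST["username"];
+$usertotest=GETPOST("username","alpha",2);
 $passwordtotest=$_POST["password"];
 $entitytotest=$_POST["entity"];
 $function='check_user_password_'.$mode;
@@ -411,7 +414,7 @@ function analyse_sql_and_script(&$var,$get)
 $langs->load('other');
 // Bad password. No authmode has found a good password.
-$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.$_POST["username"];
+$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username","alpha",2);
 $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
 // Appel des triggers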
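Review bot: The three patterns added in test_sql_and_script_inject are a denylist that only catches the literal spellings `img<whitespace>src`, `base<whitespace>href` and `style=`; `<img/src=x onerror=alert(1)>` (slash instead of whitespace), `<svg onload=...>`, `<iframe src=...>` or any `on*=` handler in a POST body slip through, since both the `javascript:` and the `"` checks on the lines below are gated on `$get`, while harmless input such as `lifestyle=` is rejected. A denylist in the input filter can never be complete, so the durable fix for Bug #232 is to escape the echoed values (the login pre-fill, error messages) with htmlspecialchars at output and keep this function as defence in depth only. If the list stays, at least widen the separators to `[\s\/]+` in the img and base patterns and add a generic handler check, `$sql_inj += preg_match('/<[^>]*\bon[a-z]+\s*=/i', $val);`, with a comment noting that it is a heuristic and not a substitute for output encoding. test_sql_and_script_inject begins before the first hunk and the later hunks are top-level code of main.inc.php whose surrounding blocks run outside the lines shown.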
