
Commit 762f98a

committed
Fix: [Bug #232] Multiple Cross-Site-Scripting vulnerabilities
1 parent 9ff0690 commit 762f98a


2 files changed

+9
-6
lines changed

2 files changed

+9
-6
lines changed

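--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -181,7 +181,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 }
 
 // Login
-$login = (!empty($lastuser)?$lastuser:(GETPOST("username")?GETPOST("username"):$demologin));
+$login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
 $password = $demopassword;
 
 // Show logo (search in order: small company logo, large company logo, theme logo, common logo)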
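Review bot: The filtered username is fetched twice on the changed line, `GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin`; reading it once into a local, `$postedlogin = GETPOST("username","alpha",2);` followed by `$login = (!empty($lastuser)?$lastuser:($postedlogin?$postedlogin:$demologin));`, keeps the filter arguments in one place so the two calls cannot drift apart in a later edit. The `alpha` filter limits what reaches `$login`, but if `$login` is later written into the login form's value attribute it should still go through `htmlspecialchars()` at that output point, since filtering on input is not a substitute for escaping in the HTML context. dol_loginfunction starts and ends outside the hunk, so where `$login` is rendered is not visible here.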

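--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -76,6 +76,9 @@ function test_sql_and_script_inject($val,$get)
 $sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 // For XSS Injection done by adding javascript with script
 $sql_inj += preg_match('/<script/i', $val);
+$sql_inj += preg_match('/img[\s]+src/i', $val);
+$sql_inj += preg_match('/base[\s]+href/i', $val);
+$sql_inj += preg_match('/style([\s]+)?=/i', $val);
 if ($get) $sql_inj += preg_match('/javascript:/i', $val);
 // For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
 if ($get) $sql_inj += preg_match('/"/i', $val); // We refused " in GET parameters value
@@ -324,7 +327,7 @@ function analyse_sql_and_script(&$var,$get)
 }
 
 // Verification security graphic code
-if (isset($_POST["username"]) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
+if (GETPOST("username","alpha",2) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
 {
 require_once DOL_DOCUMENT_ROOT.'/includes/artichow/Artichow.cfg.php';
 require_once ARTICHOW."/AntiSpam.class.php";
@@ -339,7 +342,7 @@ function analyse_sql_and_script(&$var,$get)
 $langs->load('main');
 $langs->load('other');
 
-$user->trigger_mesg='ErrorBadValueForCode - login='.$_POST["username"];
+$user->trigger_mesg='ErrorBadValueForCode - login='.GETPOST("username","alpha",2);
 $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadValueForCode");
 $test=false;
 
@@ -365,7 +368,7 @@ function analyse_sql_and_script(&$var,$get)
 // If error, we will put error message in session under the name dol_loginmesg
 $goontestloop=false;
 if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true;
-if (isset($_POST["username"]) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
+if (GETPOST("username","alpha",2) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
 
 if ($test && $goontestloop)
 {
@@ -378,7 +381,7 @@ function analyse_sql_and_script(&$var,$get)
 if ($result)
 {
 // Call function to check user/password
-$usertotest=$_POST["username"];
+$usertotest=GETPOST("username","alpha",2);
 $passwordtotest=$_POST["password"];
 $entitytotest=$_POST["entity"];
 $function='check_user_password_'.$mode;
@@ -411,7 +414,7 @@ function analyse_sql_and_script(&$var,$get)
 $langs->load('other');
 
 // Bad password. No authmode has found a good password.
-$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.$_POST["username"];
+$user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username","alpha",2);
 $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
 
 // Appel des triggers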
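Review bot: The three denylist patterns added in test_sql_and_script_inject are narrower than their intent: `img[\s]+src` and `base[\s]+href` only fire when the two words are separated by whitespace, so other attribute orders or separators pass, while `style([\s]+)?=` will also reject benign values that merely contain the text `style=`. Pattern matching of this kind is defence in depth at best; the durable fix for the XSS reported in Bug #232 is `htmlspecialchars()` at each output point, and a comment saying so, e.g. `// Heuristic denylist only; values must still be escaped where they are echoed`, would stop future readers from relying on this list. In the later hunks, replacing `isset($_POST["username"])` with `GETPOST("username","alpha",2)` changes the test from presence to truthiness and, if the `alpha` filter strips characters, changes what `$usertotest` receives, which is worth confirming against GETPOST's definition since it is not visible here. `$passwordtotest` and `$entitytotest` on the lines directly after still read `$_POST`; `$entitytotest` at least could go through the same accessor for consistency. test_sql_and_script_inject's body continues past the first hunk, and the remaining hunks sit in a block that starts and ends outside the diff.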
