
MFB: fixed XSS reported by Russ McRee @ holisticinfosec

1 parent a23c125 commit 4b094f07012734a9c658ec7ac851208138dd5f70 @mysnip mysnip committed Aug 26, 2011
Showing with 19 additions and 3 deletions.
  1. +19 −2 control.php
  2. +0 −1 include/controlcenter/sig.php
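--- a/control.php
+++ b/control.php
@@ -368,13 +368,30 @@ function phorum_controlcenter_user_save($panel)
 $PHORUM['DATA']['USER'][$key] = $val;
 }
- // Copy data from the updated user back into the profile template data.
+ // Copy data from the updated user back into the template data.
 // Leave PANEL and forum_id alone (these are injected into the
 // userdata in the template from this script).
 foreach ($PHORUM["DATA"]["PROFILE"] as $key => $val) {
 if ($key == "PANEL" || $key == "forum_id") continue;
 if (isset($PHORUM["user"][$key])) {
- $PHORUM["DATA"]["PROFILE"][$key] = $PHORUM["user"][$key];
+ if (is_array($val)) {
+ // array-data would be (most often) broken when html encoded
+ $PHORUM["DATA"]["PROFILE"][$key] = $PHORUM["user"][$key];
+ } elseif(substr($key, 0, 9) == 'signature') {
+ // the signature needs special care - e.g. for the formatted sig
+
+ // Fake a message here so we can run the sig through format_message.
+ $fake_messages = array(array("author"=>"", "email"=>"", "subject"=>"", "body"=>$PHORUM["user"]["signature"]));
+ $fake_messages = phorum_format_messages( $fake_messages );
+ $PHORUM["DATA"]["PROFILE"]["signature_formatted"] = $fake_messages[0]["body"];
+
+ // Format the user signature using standard message body formatting
+ // or HTML escape it
+ $PHORUM["DATA"]["PROFILE"]["signature"] = htmlspecialchars($PHORUM["user"]["signature"], ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
+ } else {
+ // same handling as when loading the page for the first time
+ $PHORUM["DATA"]["PROFILE"][$key] = htmlspecialchars($PHORUM["user"][$key], ENT_COMPAT, $PHORUM['DATA']['HCHARSET']);
+ }
 } else {
 $PHORUM["DATA"]["PROFILE"][$key] = "";
 }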
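Review bot: The array guard `if (is_array($val))` inspects the old template value from `$PHORUM["DATA"]["PROFILE"]`, not the `$PHORUM["user"][$key]` value that is actually handed to htmlspecialchars() in the final branch, so a user field that is an array while the template slot is not would still reach htmlspecialchars(); testing the source value, `if (is_array($PHORUM["user"][$key])) {`, keeps the guard aligned with the data it protects. The prefix test `substr($key, 0, 9) == 'signature'` also matches `signature_formatted`, so if the PROFILE template carries that key the branch recomputes the formatted signature a second time, and if the template carries it but `$PHORUM["user"]` does not, the `else` at the bottom of the loop overwrites the value stored in `$PHORUM["DATA"]["PROFILE"]["signature_formatted"]` with an empty string — worth checking against the template data. Both new escape calls pass ENT_COMPAT, which leaves single quotes unescaped; if any template places these values inside a single-quoted attribute, ENT_QUOTES closes that gap. phorum_controlcenter_user_save() starts and ends outside the hunk.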
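--- a/include/controlcenter/sig.php
+++ b/include/controlcenter/sig.php
@@ -21,7 +21,6 @@
 if(count($_POST)) {
 list($error,$okmsg) = phorum_controlcenter_user_save($panel);
- $PHORUM["DATA"]["PROFILE"]["signature"] = htmlspecialchars($PHORUM["DATA"]["PROFILE"]["signature"], ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
 }
 $PHORUM['DATA']['PROFILE']['SIGSETTINGS'] = 1;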
