Skip to content
Permalink
Browse files

Use HTML escaping for some more values

This fixes some XSS problems in install.php, and - as far as I can
tell - does not cause any problems with existing error messages.

The issue was independently reported by
- Li of SEC Consult Vulnerability Lab
- Omar Kurt of Netsparker

Thank you both!
  • Loading branch information...
franzliedke committed Jan 13, 2018
1 parent 633d100 commit 05924608ac45647bd1a71353a2a4f5bbc3b33f9c
Showing with 6 additions and 6 deletions.
  1. +1 −1 include/functions.php
  2. +5 −5 install.php
@@ -1652,7 +1652,7 @@ function error($message, $file = null, $line = null, $db_error = false)
}
}
else
echo "\t\t".'Error: <strong>'.$message.'.</strong>'."\n";
echo "\t\t".'Error: <strong>'.pun_htmlspecialchars($message).'.</strong>'."\n";
?>
</div>
@@ -256,7 +256,7 @@ function generate_config_file()
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><?php echo $lang_install['FluxBB Installation'] ?></title>
<link rel="stylesheet" type="text/css" href="style/<?php echo $default_style ?>.css" />
<link rel="stylesheet" type="text/css" href="style/<?php echo pun_htmlspecialchars($default_style) ?>.css" />
<script type="text/javascript">
/* <![CDATA[ */
function process_form(the_form)
@@ -533,7 +533,7 @@ function process_form(the_form)
break;
default:
error(sprintf($lang_install['DB type not valid'], pun_htmlspecialchars($db_type)));
error(sprintf($lang_install['DB type not valid'], $db_type));
}
// Create the database object (and connect/select db)
@@ -1683,7 +1683,7 @@ function process_form(the_form)
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title><?php echo $lang_install['FluxBB Installation'] ?></title>
<link rel="stylesheet" type="text/css" href="style/<?php echo $default_style ?>.css" />
<link rel="stylesheet" type="text/css" href="style/<?php echo pun_htmlspecialchars($default_style) ?>.css" />
</head>
<body>

@@ -1718,8 +1718,8 @@ function process_form(the_form)
<p><?php echo $lang_install['Info 18'] ?></p>
</div>
<input type="hidden" name="generate_config" value="1" />
<input type="hidden" name="db_type" value="<?php echo $db_type; ?>" />
<input type="hidden" name="db_host" value="<?php echo $db_host; ?>" />
<input type="hidden" name="db_type" value="<?php echo pun_htmlspecialchars($db_type); ?>" />
<input type="hidden" name="db_host" value="<?php echo pun_htmlspecialchars($db_host); ?>" />
<input type="hidden" name="db_name" value="<?php echo pun_htmlspecialchars($db_name); ?>" />
<input type="hidden" name="db_username" value="<?php echo pun_htmlspecialchars($db_username); ?>" />
<input type="hidden" name="db_password" value="<?php echo pun_htmlspecialchars($db_password); ?>" />

0 comments on commit 0592460

Please sign in to comment.
You can’t perform that action at this time.