xss: Audit Log

This mitigates a vulnerability discovered by the AppSec Research Team at Checkmarx where it's possible to perform XSS via the Audit Log plugin. This is due to not properly escaping the `state` and `type` URL params. This adds `Format::htmlchars()` to both params to ensure they are properly escaped.
osTicket · Apr 21, 2022 · 047a1c3 · 047a1c3
1 parent 0b59afb
commit 047a1c3
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/audit/templates/auditlogs.tmpl.php b/audit/templates/auditlogs.tmpl.php
@@ -3,18 +3,18 @@
 
 $qs = array();
 if($_REQUEST['type'])
-    $qs += array('type' => $_REQUEST['type']);
+    $qs += array('type' => Format::htmlchars($_REQUEST['type']));
 $type='D';
 
 if ($_REQUEST['type'])
-  $type=$_REQUEST['type'];
+  $type=Format::htmlchars($_REQUEST['type']);
 
 if($_REQUEST['state'])
-    $qs += array('state' => $_REQUEST['state']);
+    $qs += array('state' => Format::htmlchars($_REQUEST['state']));
 $state=__('All');
 
 if ($_REQUEST['state'])
-  $state=$_REQUEST['state'];
+  $state=Format::htmlchars($_REQUEST['state']);
 
 //dates
 $startTime  =($_REQUEST['startDate'] && (strlen($_REQUEST['startDate'])>=8))?strtotime($_REQUEST['startDate']):0;
@@ -28,7 +28,7 @@
     if($endTime)
         $qs += array('endDate' => $_REQUEST['endDate']);
 }
-$order = AuditEntry::getOrder($_REQUEST['order']);
+$order = AuditEntry::getOrder(Format::htmlchars($_REQUEST['order']));
 $qs += array('order' => (($order=='DESC') ? 'ASC' : 'DESC'));
 $qstr = '&amp;'. Http::build_query($qs);