escape target error message (SECURITY) FS#2487 FS#2488
The error message when a non-existent editor was tried to load wasn't
escaped correctly, allowing to introduce arbitrary JavaScript to the
output, leading to an XSS vulnerability.

Note: the reported second XCRF vulnerability is the same bug, the exploit
code simply uses JavaScript to extract a valid CSRF token from the site
splitbrain committed Apr 19, 2012
1 parent 56ef9b9 commit ff71173
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion inc/html.php
Expand Up @@ -1436,7 +1436,7 @@ function html_edit_form($param) {
global $TEXT;

if ($param['target'] !== 'section') {
msg('No editor for edit target ' . $param['target'] . ' found.', -1);
msg('No editor for edit target ' . hsc($param['target']) . ' found.', -1);
}

$attr = array('tabindex'=>'1');
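
Review bot: on the changed msg() line, hsc() is applied only at this call site, which implies msg() emits its argument as HTML without escaping it. Any other caller that concatenates request-controlled values into a msg() string would need the same hsc() wrapping, so it is worth auditing those calls together with this fix, or documenting on msg() that callers must escape interpolated values themselves. A regression test that requests an edit target containing markup and checks that the message comes back escaped would keep this from regressing.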

1 comment on commit ff71173

@fgeek fgeek commented on ff71173 May 7, 2012

CVE-identifiers assigned in this thread: http://seclists.org/oss-sec/2012/q2/162

CVE-2012-2128/CVE-2012-2129
