
Commit fad2670

author
angrybyte
committed
added security checks to avoid full path disclosure, XSS, unprivileged manipulation
git-svn-id: https://plugins.svn.wordpress.org/wordpress-exit-box-lite/trunk@719474 b8457f37-d9ea-0310-8a92-e5e31aec5664
1 parent 7c9c725 commit fad2670

1 file changed

+8
-6
lines changed


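--- a/wordpress-exit-box-lite.php
+++ b/wordpress-exit-box-lite.php
@@ -3,18 +3,21 @@
 /**
 * @package Wordpress Exit Box Lite
 * @author Bouzid Nazim Zitouni
-* @version 1.06
+* @version 1.10
 */
 /*
 Plugin Name: Wordpress Exit Box Lite
 Plugin URI: http://angrybyte.com/wordpress-plugins/wordpress-exit-box-finally-released/
 Description: Wordpress exit box is used design and display your exit box, a ThickBox page that will be shown to your users when they click a external link.
 Author: Bouzid Nazim Zitouni
-Version: 1.06
+Version: 1.10
 Author URI: http://angrybyte.com
 */
 
-
+if(!function_exists('add_action')){
+echo ""; // someone is trying to run the plugin directly, added to avoid full path disclosure.
+die;
+}
 add_option("exitboxcontents",
 '<h2 style="text-align: center;">It was nice having you! We hope you enjoyed your stay.</h2>',
 'Contents of the Exit page', 'yes');
@@ -88,8 +91,7 @@ function exitboxadmin()
 }
 function exit_box_admin()
 {
-
-if ($_POST['xx'])
+if (($_POST["xx"])&& (is_admin())&& check_admin_referer( 'exit_box_save', 'exit_box_nonce' ))
 {
 
 if (is_numeric($_POST['exitboxwidth']) || $_POST['exitboxwidth'] == "auto")
@@ -129,7 +131,7 @@ function exit_box_admin()
 {
 echo "<textarea name='xx' cols='150' rows='20'>$oldtemp</textarea>";
 }
-
+wp_nonce_field( 'exit_box_save','exit_box_nonce' );
 echo <<< EOFT
 
 <br/>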
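Review bot: The rewritten condition in the second hunk, `if (($_POST["xx"])&& (is_admin())&& check_admin_referer( 'exit_box_save', 'exit_box_nonce' ))`, still contains no privilege check: is_admin() only reports that an admin-area page is being rendered, and the nonce proves the request came from the plugin's own form, so whether a lower-privileged logged-in user can save the settings depends entirely on the capability the settings page is registered with, which is outside this hunk. To actually cover the "unprivileged manipulation" case named in the commit message, gate the save on a capability, e.g. `if (!empty($_POST['xx']) && current_user_can('manage_options') && check_admin_referer('exit_box_save', 'exit_box_nonce'))`. Using `!empty()` also avoids the undefined-index notice when the form has not been posted yet; with display_errors enabled that notice prints the script's absolute path, which is the same disclosure the first hunk's direct-access guard sets out to suppress. In that first hunk `echo "";` is a no-op and can be dropped, leaving `die;` on its own. The body of exit_box_admin() continues outside the hunk.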
