CHANGE-348 Secunia advisory SA50574 - XSS in admin login.php

Update admin version of zen_get_all_get_params to carry out the same sanitization of get params as catalog version of zen_get_all_get_params
zencart · Oct 8, 2012 · 3ec70bd · 3ec70bd
1 parent 74165e5
commit 3ec70bd
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/admin/includes/functions/general.php b/admin/includes/functions/general.php
@@ -122,7 +122,8 @@ function zen_get_all_get_params($exclude_array = '') {
 
     reset($_GET);
     while (list($key, $value) = each($_GET)) {
-      if (($key != zen_session_name()) && ($key != 'error') && (!in_array($key, $exclude_array))) $get_url .= $key . '=' . $value . '&';
+      if (($key != zen_session_name()) && ($key != 'error') && (!in_array($key, $exclude_array))) 
+        $get_url .= zen_sanitize_string($key) . '=' . rawurlencode(stripslashes($value)) . '&';
     }
 
     return $get_url;