Full Disclosure mailing list archives

Re: [ GLSA 200501-45 ] Gallery: Cross-site scripting vulnerability


From: Paul Laudanski <zx () castlecops com>
Date: Sun, 30 Jan 2005 20:17:20 -0500 (EST)

Thanks for the notification.  Let's keep in mind that we don't want to see 
another form of the highlight or sanity issue here, as the removeTags is 
simply the strip_tags PHP function.  As we've seen, not all attacks will 
have HTML tags in them.

gallery fix:

 $username = htmlspecialchars(removeTags(urldecode($username)));

(The same also found in search.php)

phpbb pre-fix:

 $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));

phpbb fix:

 $words = explode(' ', trim(htmlspecialchars($HTTP_GET_VARS['highlight'])));

I have not taken the time to audit the code, but as we've all become 
familiar with the raw encoded URL during the wonderful days of Christmas, 
it would be a good idea to run a quick test to ensure that base is 
covered.  So hopefully I'm wrong and just being over-paranoid.

In any case, thanks for the update.  Please correct me if I'm off base 
while thinking aloud.

On Sun, 30 Jan 2005, Luke Macken wrote:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200501-45
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Gallery: Cross-site scripting vulnerability
      Date: January 30, 2005
      Bugs: #78522
        ID: 200501-45

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


-- 
Regards,

Paul Laudanski - Computer Cops, LLC.
CastleCops(SM) - http://castlecops.com
http://justalittlepoke.com | http://cuddlesnkisses.com | 
http://zhen-xjell.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
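
A quick test of the kind the message asks for, as an added example that is not part of the original post and is not Gallery or phpBB code. It runs constructed raw-encoded and double-encoded values through the quoted Gallery chain and reports which HTML-significant characters come out literal. Assumptions: removeTags() is a plain strip_tags() wrapper, as the message describes it, and singleDecodeChain() is a hypothetical comparison chain.

```php
<?php
// Added example, not Gallery or phpBB code.
// Assumption: removeTags() is a plain strip_tags() wrapper, as the message says.
function removeTags($s) { return strip_tags($s); }

// The chain quoted as the Gallery fix. ENT_COMPAT is passed explicitly because
// it was the htmlspecialchars() default in 2005 (PHP 8.1+ defaults to ENT_QUOTES).
function galleryChain($v) {
    return htmlspecialchars(removeTags(urldecode($v)), ENT_COMPAT);
}

// Hypothetical comparison chain: no second decode, both quote characters escaped.
function singleDecodeChain($v) {
    return htmlspecialchars(removeTags($v), ENT_QUOTES);
}

// Report which HTML-significant characters are still literal in the output.
function survivors($out) {
    $found = array();
    foreach (array('<', '>', '"', "'") as $c) {
        if (strpos($out, $c) !== false) {
            $found[] = $c;
        }
    }
    return $found ? implode(' ', $found) : 'none';
}

// Constructed raw query-string values, as they would appear on the wire.
$cases = array(
    'encoded tag'          => '%3Cb%3Ex%3C%2Fb%3E',
    'double-encoded tag'   => '%253Cb%253Ex',
    'encoded quote'        => 'a%27b',
    'double-encoded quote' => 'a%2527b',
    'encoded double quote' => 'a%22b',
);

foreach ($cases as $name => $raw) {
    $get = urldecode($raw); // PHP has already decoded once when it fills $_GET
    printf("%-21s gallery: %-10s [%s]  single-decode: %-12s [%s]\n",
        $name,
        galleryChain($get), survivors(galleryChain($get)),
        singleDecodeChain($get), survivors(singleDecodeChain($get)));
}
```

A character listed as surviving matters only where the value is later written into a context that character can break out of, such as a single-quoted attribute; the test shows what the chain emits, not whether a given page is exploitable.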

