Bugtraq mailing list archives
Re: XSS bypass in PHPNuke - FIX ?
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 19 Dec 2005 19:14:40 -0500 (EST)
On Tue, 20 Dec 2005, SecurityReason - sp3x wrote:
Hi Paul Do you have any idea to do fix or update filter of phpnuke against XSS that discovered my friend. We were working with chaserv from nukefixes.com on this fix... But as you wrote on bugtraq the Fix is not very good... Any idea for good fix ?? BTW : http://castlecops.com is working with phpnuke team ?? just asking :)
Hi'ya, as per my previous post you can use htmlspecialchars or htmlentities. So in this case take the query and run it through htmlspecialchars: $query = htmlspecialchars($query); ... _before_ you do anything with it like displaying the query back to the user. -- Paul Laudanski, Microsoft MVP Windows-Security [cal] http://events.castlecops.com [de] http://de.castlecops.com [en] http://castlecops.com [wiki] http://wiki.castlecops.com [family] http://cuddlesnkisses.com
Current thread:
- Re: XSS bypass in PHPNuke - FIX ? Paul Laudanski (Dec 21)