author | Andreas Gohr <andi@splitbrain.org> | 2015-03-18 22:16:34 +0100 |
---|---|---|
committer | bxn <bxn@gitorious> | 2015-03-19 20:27:37 +0100 |
commit | ee62f3f7f1d59e4e3c7a643a67ecd52583ce9512 (patch) | |
tree | 9216b164a56bcaa2eff9f216784c2f21d94ea10a | |
parent | 4f50e20a5170571b6dd6b5a49bb5ca84cf2f0a42 (diff) | |
SECURITY escape user properties in user manager #1081
The user properties (login, real name, etc.) were not properly escaped
in the user manager's edit form. This allowed an XSS attack on the
superuser by registered users.
Thanks to Filippo Cavallarin from www.segment.technology for discovering
this bug.
-rw-r--r-- | lib/plugins/usermanager/admin.php | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index b67d91b36..d777b6542 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -191,9 +191,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 */
 $groups = join(', ',$grps);
 ptln(" <tr class=\"user_info\">");
- ptln(" <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".$user."]\" ".$delete_disable." /></td>");
+ ptln(" <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".hsc($user)."]\" ".$delete_disable." /></td>");
 if ($editable) {
- ptln(" <td><a href=\"".wl($ID,array('fn[edit]['.hsc($user).']' => 1,
+ ptln(" <td><a href=\"".wl($ID,array('fn[edit]['.$user.']' => 1,
 'do' => 'admin',
 'page' => 'usermanager',
 'sectok' => getSecurityToken())).
@@ -325,7 +325,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 // save current $user, we need this to access details if the name is changed
 if ($user)
- ptln(" <input type=\"hidden\" name=\"userid_old\" value=\"".$user."\" />",$indent);
+ ptln(" <input type=\"hidden\" name=\"userid_old\" value=\"".hsc($user)."\" />",$indent);
 $this->_htmlFilterSettings($indent+10);
@@ -370,6 +370,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 $fieldtype = 'text';
 $autocomp = '';
 }
+ $value = hsc($value);
 echo "<tr $class>";
 echo "<td><label for=\"$id\" >$label: </label></td>"; |
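Review bot: The new wl() line passes the raw `$user` in the `fn[edit][...]` parameter key while the checkbox line two lines above wraps the same `$user` in hsc(), and nothing in the hunk explains the asymmetry; it is correct only because wl() URL-encodes its parameter keys (so the hsc() the commit removes was double-encoding the login), and without a note the next reader is likely to put it back. I would add `// no hsc() here: wl() url-encodes parameter keys, escaping would double-encode the login` above the wl() call. `$delete_disable` is still concatenated unescaped into the checkbox markup; if it is always a fixed `disabled="disabled"` string that is fine, but confirm it never carries backend-provided text. The `$groups` string built on the context line is emitted somewhere after this hunk and would need the same hsc() treatment if group names can be chosen by users. The enclosing method starts and ends outside the hunk.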
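Review bot: The guard `if ($user)` around the newly escaped hidden field tests truthiness, so a login of `0` would silently drop `userid_old` and the form would presumably be handled as a new-user submission rather than an edit; if the auth backend can produce such logins, `if ($user !== '' && $user !== null)` is the check to use. hsc() here only closes the attribute-context injection; the value still round-trips through the client, so the handler that reads `userid_old` back must re-validate it against the auth backend rather than trust it as the account being edited. The enclosing method starts and ends outside the hunk.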
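Review bot: `$value = hsc($value);` escapes the field value several statements before the attribute that emits it (outside this hunk), so `$value` carries HTML entities for the rest of the helper; if anything after the output reuses it as data — a comparison, a default for another field — it would see `&amp;`/`&quot;` instead of the stored text. Escaping at the sink, `value=\"".hsc($value)."\"`, keeps the variable clean and puts the escaping next to the line a reviewer audits. The `echo` lines still interpolate `$class`, `$id` and `$label` unescaped; presumably these come from fixed field names and language strings rather than user data, but that is worth confirming since this one helper renders every property. The enclosing method starts and ends outside the hunk.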