authorAndreas Gohr <andi@splitbrain.org>2015-03-18 22:16:34 +0100
committerAndreas Gohr <andi@splitbrain.org>2015-03-18 22:16:34 +0100
commitf23f95941a400702f525923973f3612df6da82cb (patch)
tree87b3a6d2acbd96a32711f86470d69cc53cbd64ec /lib/plugins/usermanager
parent6abea1c0be56a2cb5575c8921c3e6661ed565697 (diff)
SECURITY escape user properties in user manager #1081
The user properties (login, real name, etc.) were not properly escaped in the user manager's edit form. This allowed an XSS attack on the superuser by registered users. Thanks to Filippo Cavallarin from www.segment.technology for discovering this bug.
Diffstat (limited to 'lib/plugins/usermanager')
-rw-r--r--lib/plugins/usermanager/admin.php7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index cc4c4ae47..9cb9b0c40 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -222,9 +222,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
*/
$groups = join(', ',$grps);
ptln(" <tr class=\"user_info\">");
- ptln(" <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".$user."]\" ".$delete_disable." /></td>");
+ ptln(" <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".hsc($user)."]\" ".$delete_disable." /></td>");
if ($editable) {
- ptln(" <td><a href=\"".wl($ID,array('fn[edit]['.hsc($user).']' => 1,
+ ptln(" <td><a href=\"".wl($ID,array('fn[edit]['.$user.']' => 1,
'do' => 'admin',
'page' => 'usermanager',
'sectok' => getSecurityToken())).
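Review bot: The removal of hsc() from the `'fn[edit]['.$user.']'` parameter key passed to wl() has no comment, while the checkbox name two lines above gains hsc() in the same hunk; the asymmetry reads like an oversight and a later reader may "fix" it back. Presumably wl() URL-encodes its parameter keys and values itself, so HTML-escaping the login first would double-encode it and break the edit link for logins containing `&`, `<` or quotes — the hunk does not show wl(), so confirm that before relying on it. I would add above the wl() call: `// no hsc() here: wl() URL-encodes its parameters; escaping first would corrupt the login in the key`. On the checkbox line, `$delete_disable` is still concatenated raw into the attribute; it looks like a fixed attribute fragment set elsewhere, which is fine as long as it never carries user data. The enclosing method starts and ends outside this hunk.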
@@ -356,7 +356,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
// save current $user, we need this to access details if the name is changed
if ($user)
- ptln(" <input type=\"hidden\" name=\"userid_old\" value=\"".$user."\" />",$indent);
+ ptln(" <input type=\"hidden\" name=\"userid_old\" value=\"".hsc($user)."\" />",$indent);
$this->_htmlFilterSettings($indent+10);
@@ -401,6 +401,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
$fieldtype = 'text';
$autocomp = '';
}
+ $value = hsc($value);
echo "<tr $class>";
echo "<td><label for=\"$id\" >$label: </label></td>";