From ee62f3f7f1d59e4e3c7a643a67ecd52583ce9512 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Wed, 18 Mar 2015 22:16:34 +0100
Subject: SECURITY escape user properties in user manager #1081

The user properties (login, real name, etc) where not properly escaped in the user manager's edit form. This allowed a XSS attack on the superuser by registered users. Thanks to Filippo Cavallarin from www.segment.technology for discovering this bug.
---
 lib/plugins/usermanager/admin.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index b67d91b36..d777b6542 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -191,9 +191,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 */
 $groups = join(', ',$grps);
 ptln(" ");
- ptln(" ");
+ ptln(" ");
 if ($editable) {
- ptln(" 1,
+ ptln(" 1,
 'do' => 'admin',
 'page' => 'usermanager',
 'sectok' => getSecurityToken())).
@@ -325,7 +325,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 // save current $user, we need this to access details if the name is changed
 if ($user)
- ptln(" ",$indent);
+ ptln(" ",$indent);
 $this->_htmlFilterSettings($indent+10);
@@ -370,6 +370,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
 $fieldtype = 'text';
 $autocomp = '';
 }
+ $value = hsc($value);
 echo "";
 echo "";
--
cgit v1.2.3
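Review bot: In the third hunk `$value = hsc($value);` escapes by reassigning the variable instead of at the output site, so any later use of `$value` in this function (which continues past the hunk) now receives the HTML-escaped string rather than the raw property value; that is harmless only if the two `echo` lines below are its sole consumers, which is not visible here. Reusing one escaped copy in both echoes is also correct only if both emit into HTML text or a quoted attribute — `hsc()` is presumably DokuWiki's htmlspecialchars wrapper and covers those — but a value landing in a JavaScript or URL context would need a context-specific encoder instead. Consider either calling `hsc($value)` inline in each `echo` or documenting the reassignment with `// HTML-escaped from here on; $value must only be used in the HTML output below`. The replacement lines in the first two hunks (the user row cells and the hidden current-user field) carry no legible content in this rendering, so whether every interpolation of `$user` there is wrapped the same way cannot be confirmed from this page.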