On Sat 02 Oct 2010 16:56 +0000, Viktor Leonhardt wrote:
Hello, While working on a better E-mail validation, I found some cross-site vulnerabilities in lib/accfuncs.inc. Here is the patch, which fixes this problem. I hope that I found all relevant parts, because I'm not so familiar with this site. You can try it on your own by setting a user name or e-mail with a single quote. Like:
"foo'><script>alert('XSS');</script>"
I will soon commit a patch for the E-mail validation using this website[1]. Most of it is working, except a problem with the double quotes.
[1] http://www.linuxjournal.com/article/9585
Greetings,
Viktor
From eaea9a4d11c1cd2740079864d28d9a10329fe849 Mon Sep 17 00:00:00 2001
From: Viktor Leonhardt <leonharv@unix-ag.uni-kl.de>
Date: Sat, 2 Oct 2010 16:47:52 +0000
Subject: [PATCH] Fixing XSS vulnerability

---
 web/lib/acctfuncs.inc |   30 +++++++++++++++---------------
 1 files changed, 15 insertions(+), 15 deletions(-)
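Review bot: the hunks for web/lib/acctfuncs.inc are missing from this message; only the diffstat (15 insertions, 15 deletions) is present, so the change cannot be reviewed line by line here and should be resent with the full diff. Two things the commit message should fix regardless: the cover letter names the file lib/accfuncs.inc while the diffstat says web/lib/acctfuncs.inc, and the message "Fixing XSS vulnerability" should say which output points were escaped and with which function, since the cover letter itself says the author is unsure all relevant parts were found; that lets a reviewer check the remaining places where the user name or e-mail is echoed.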
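As an added illustration (not Viktor's patch and not the AUR project's code), the following PHP shows the bug class the cover letter describes and the fix at the output point. It renders a user-supplied name into an HTML attribute and into text, first unescaped and then through htmlspecialchars(). The field name 'U', the function names and the markup are placeholders chosen for this example; the probe string is the one from the cover letter.

```php
<?php
// Added example, not code from the original thread or from the AUR web code.
declare(strict_types=1);

// Constructed input: the probe string from the cover letter.
$username = "foo'><script>alert('XSS');</script>";

// Vulnerable form: the value is interpolated into a single-quoted attribute
// and into element text without escaping. The single quote in the input
// closes the attribute and the rest is parsed as markup. (Field name 'U'
// is a placeholder, not the project's real form field.)
function render_unescaped(string $name): string
{
    return "<input type='text' name='U' value='" . $name . "'> " . $name;
}

// Escaping helper: ENT_QUOTES encodes both " and ' in addition to &, < and >,
// so the value cannot break out of either attribute quoting style.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every interpolation of untrusted data goes through h().
function render_escaped(string $name): string
{
    return "<input type='text' name='U' value='" . h($name) . "'> " . h($name);
}

// Minimal check of the property we care about: after escaping, no <script
// element and no raw single quote survives in the rendered output.
function is_safe_output(string $html): bool
{
    return stripos($html, '<script') === false && strpos($html, "'>") === false;
}

$bad  = render_unescaped($username);
$good = render_escaped($username);

echo "unescaped: ", $bad, "\n";      // contains a live <script> element
echo "escaped:   ", $good, "\n";     // &lt;script&gt; and &#039; appear as text
echo "unescaped safe? ", var_export(is_safe_output($bad), true), "\n";   // false
echo "escaped safe?   ", var_export(is_safe_output($good), true), "\n";  // true
```

The point of the check function is that the escaping has to happen at every place the value is written into HTML, not where it is read from the form or the database; grepping a file like acctfuncs.inc for each echo or string concatenation of the user name and e-mail is how a reviewer confirms that the patch covers all of them.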
Wow I thought that was fixed a long time ago. Thanks.