This is the bug tracking and feature request tracking system for the Mambo open source CMS project. To add a new task, or comment or vote on an existing task, please register, preferably by using the same username that you use on the forums.
Please do not open tasks for bugs in versions earlier than Mambo 4.6.5.
FS#479 - Cross Site Scripting
Opened by yehg.net (yehgdotnet) - Thursday, 28 October 2010, 14:46 GMT-5
Last edited by Andres Felipe Vargas valencia (andphe) - Wednesday, 17 November 2010, 06:25 GMT-5
|
Details
How to reproduce (Proof-of-concept):
1. Go to the following poc site
2. Move your mouse a bit
For more information about XSS, see: IMPACT
Attackers can compromise currently logged-in user/administrator
Best regards |
Hi guys, good catch.
I already have a patch for this issue and finding new ones like this.
in file components/com_content/content.php line 26, change from:
to :
$task = preg_replace('/\W/','', mosGetParam( $_REQUEST, 'task', '' ) );this will eliminate all the non word chars from the task variable, please give it a try and let me know your thoughts.
Ok, it's well patched. Please wait.
I have a few more issues to report including more XSS and possible SQL injection in Administrator backend. I'll report them in a few days.
close this thread. I'll report other issues by new threads.
Note that patch works and it fixes the flaw.
Fixed.
completely fixed. Close this ticket.