Notices and information about enhancing security for your Siteframe website.

XSS Vulnerability in Siteframe 5.0.1

In search.php, an unmodified $_GET variable is assigned to a Smarty variable, where it can be displayed on a page. A malicious intruder could insert evil JavaScript into the query string and execute it from the page.

IMMEDIATE FIX

On line 64 of search.php, wrap $_GET['q'] in the htmlentities() function:

    $PAGE->assign('search_string',...
1 comment(s) / glen / Security / on February 11, 2006 at 15:38

Siteframe 3: Cross-Site Scripting (XSS) Vulnerability

Siteframe has, unfortunately, been shown to be vulnerable to cross-site scripting attacks. In this case, an attacker from a remote site can use a security hole in Siteframe to access files on the attacked computer. There is a fix; you need to edit the file web/siteframe.php and change this line (which appears near line 20 at the top of the file):

    if ($LOCAL_PATH ==...
0 comment(s) / glen / Security / on November 26, 2005 at 22:40