I understand you are working on security updates to Archon, so I'm passing archonproject#75 over to you. The issue regards a XXS vuln which a college of mine found here: https://www.openbugbounty.org/incidents/202333/. I did the following on the page in question, which curbs the particular attach, but I'm not sure if it breaks something and fgrep '\"$' -r * --include \*.php suggests there may be similar issues.
--- packages/core/pub/contact.php 2017-02-23 18:00:19.289374542 +0100
+++ packages/core/pub/contact.php.orig 2014-01-17 21:24:06.000000000 +0100
@@ -67,7 +67,7 @@
$in_referer = $_REQUEST['referer'] ? $_REQUEST['referer'] : urlencode($_REQUEST['HTTP_REFERER']);
- $repositoryid = $_REQUEST['repositoryid'] ? int($_REQUEST['repositoryid']) : 0;
+ $repositoryid = $_REQUEST['repositoryid'] ? $_REQUEST['repositoryid'] : 0;
@@ -111,8 +111,8 @@
$form = "<input type=\"hidden\" name=\"f\" value=\"sendemail\" />\n";
$form .= "<input type=\"hidden\" name=\"p\" value=\"core/contact\" />\n";
- $form .= "<input type=\"hidden\" name=\"referer\" value=\"".htmlspecialchars($in_referer)."\" />\n";
- $form .= "<input type=\"hidden\" name=\"query_string\" value=\"".htmlspecialchars($query_string)."\" />\n";
+ $form .= "<input type=\"hidden\" name=\"referer\" value=\"$in_referer\" />\n";
+ $form .= "<input type=\"hidden\" name=\"query_string\" value=\"$query_string\" />\n";
$form .= "<input type=\"hidden\" name=\"RepositoryID\" value=\"$repositoryid\" />\n";
$strRequiredMarker = "<span style=\"color:red\">*</span>";
I understand you are working on security updates to Archon, so I'm passing archonproject#75 over to you. The issue regards a XXS vuln which a college of mine found here: https://www.openbugbounty.org/incidents/202333/. I did the following on the page in question, which curbs the particular attach, but I'm not sure if it breaks something and
fgrep '\"$' -r * --include \*.phpsuggests there may be similar issues.