mailing list archives
Re: XSS bypass in PHPNuke - FIX ?
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 19 Dec 2005 19:14:40 -0500 (EST)
On Tue, 20 Dec 2005, SecurityReason - sp3x wrote:
Do you have any idea to do fix or update filter of phpnuke against XSS that discovered my friend.
We were working with chaserv from nukefixes.com on this fix...
But as you wrote on bugtraq the Fix is not very good...
Any idea for good fix ??
BTW : http://castlecops.com is working with phpnuke team ??
just asking :)
Hi'ya, as per my previous post you can use htmlspecialchars or
htmlentities. So in this case take the query and run it through
$query = htmlspecialchars($query);
... _before_ you do anything with it like displaying the query back to the
-- Paul Laudanski, Microsoft MVP Windows-Security
- Re: XSS bypass in PHPNuke - FIX ? Paul Laudanski (Dec 21)