Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: XSS bypass in PHPNuke - FIX ?
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 19 Dec 2005 19:14:40 -0500 (EST)

On Tue, 20 Dec 2005, SecurityReason - sp3x wrote:

Hi Paul
Do you have any idea to do fix or update filter of phpnuke against XSS that discovered my friend.
We were working with chaserv from nukefixes.com on this fix...
But as you wrote on bugtraq the Fix is not very good...

Any idea for good fix ??

BTW : http://castlecops.com  is  working with phpnuke team ??
just asking :)

Hi'ya, as per my previous post you can use htmlspecialchars or 
htmlentities.  So in this case take the query and run it through 
htmlspecialchars:

$query = htmlspecialchars($query);

... _before_ you do anything with it like displaying the query back to the 
user.

-- Paul Laudanski, Microsoft MVP Windows-Security 
[cal] http://events.castlecops.com 
[de] http://de.castlecops.com 
[en] http://castlecops.com 
[wiki] http://wiki.castlecops.com 
[family] http://cuddlesnkisses.com




  By Date           By Thread  

Current thread:
  • Re: XSS bypass in PHPNuke - FIX ? Paul Laudanski (Dec 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]