Filter conf_group, subgroup, and sub_group parameters (potential XSS, reported by Aung Khant, YGN Ethical Hacker Group) geeklog_1_7_1_1
authorDirk Haun <dirk@haun-online.de>
Sun, 02 Jan 2011 10:10:28 +0100
branchgeeklog_1_7_1_1
changeset 8033 20a98e6bab20
parent 8001 be281d9fa515
child 8034 8d1c260d9873
Filter conf_group, subgroup, and sub_group parameters (potential XSS, reported by Aung Khant, YGN Ethical Hacker Group)
public_html/admin/configuration.php
--- a/public_html/admin/configuration.php	Sun Oct 31 09:43:15 2010 +0100
+++ b/public_html/admin/configuration.php	Sun Jan 02 10:10:28 2011 +0100
@@ -128,7 +128,7 @@
 $display = '';
 
 $conf_group = array_key_exists('conf_group', $_POST)
-            ? $_POST['conf_group'] : 'Core';
+            ? COM_applyFilter($_POST['conf_group']) : 'Core';
 $config =& config::get_instance();
 
 if (array_key_exists('set_action', $_POST) && SEC_checkToken()){
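Review bot: The new `COM_applyFilter($_POST['conf_group'])` call assumes the POST value is a string, but `array_key_exists` is also true when the parameter arrives as an array, and what the filter does with an array is not visible here. A type guard keeps the default in that case: `$conf_group = (isset($_POST['conf_group']) && is_string($_POST['conf_group'])) ? COM_applyFilter($_POST['conf_group']) : 'Core';`. The same applies to the `subgroup` and `sub_group` reads in the two later hunks. Since `conf_group` appears to name one of a fixed set of configuration groups, checking it against that set and HTML-escaping it where `get_ui()` prints it would be a stronger fix than input stripping alone. `get_ui()` is outside this diff, so whether it already escapes needs confirming.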
@@ -139,8 +139,9 @@
             $config->unset_param($_POST['name'], $conf_group);
         }
     }
-    $display = $config->get_ui($conf_group, array_key_exists('subgroup', $_POST)
-                                            ?  $_POST['subgroup'] : null);
+    $subgroup = array_key_exists('subgroup', $_POST)
+              ? COM_applyFilter($_POST['subgroup']) : null;
+    $display = $config->get_ui($conf_group, $subgroup);
 } elseif (array_key_exists('form_submit', $_POST) && SEC_checkToken()) {
     $result = null;
     if (! array_key_exists('form_reset', $_POST)) {
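Review bot: `$_POST['name']` on the `unset_param()` line is still passed through unfiltered, while the commit filters the three group parameters around it. Whether that value is later echoed by `get_ui()` or reaches a query cannot be seen from this hunk, so this is a question to check rather than a confirmed hole. If it does, the same pattern fits, provided the filter does not alter legitimate option names: `$config->unset_param(COM_applyFilter($_POST['name']), $conf_group);`. The block containing this call opens above the hunk.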
@@ -151,10 +152,13 @@
             PLG_configChange($conf_group, array_keys($result));
         }
     }
-    $display = $config->get_ui($conf_group, $_POST['sub_group'], $result);
+    $sub_group = array_key_exists('sub_group', $_POST)
+               ? COM_applyFilter($_POST['sub_group']) : '0';
+    $display = $config->get_ui($conf_group, $sub_group, $result);
 } else {
-    $display = $config->get_ui($conf_group, array_key_exists('subgroup', $_POST)
-                                            ?  $_POST['subgroup'] : null);
+    $subgroup = array_key_exists('subgroup', $_POST)
+              ? COM_applyFilter($_POST['subgroup']) : null;
+    $display = $config->get_ui($conf_group, $subgroup);
 }
 
 COM_output($display);
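Review bot: The `$subgroup` assignment in the `else` branch repeats the one added in the first branch word for word, and the middle branch reads a differently spelled key, `sub_group`, with a different default (`'0'` instead of `null`). Computing `$subgroup` once above the `if` chain would remove the copy, and a comment such as `// note: this branch reads 'sub_group', the other two read 'subgroup'` would show the difference is intentional. If subgroup ids are always integers, as the `'0'` default suggests, the numeric mode `COM_applyFilter($_POST['sub_group'], true)` is the tighter filter. The `else` branch is also the only one not gated by `SEC_checkToken()`, and a request whose token check fails falls through to it, so it is the path where this filtering matters most.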