We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
squirrelmail
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

5) XSS in addressbook (different):

Manually entered nicks, email addresses, first names, last names, and
info sections in the addressbook are not filtered so script can be
placed and executed through them the next time the page is viewed.
philippe_mingo 23 years ago
parent
80e1e6a99e
commit
d2d3b8a10a
1 changed files with 8 additions and 8 deletions
Split View Show Diff Stats
  1. 8 8
      src/addressbook.php

+ 8 - 8
src/addressbook.php
View File 

@@ -27,7 +27,7 @@ function adressbook_inp_field($label, $field, $name, $size, $values, $add) {
 
     global $color;
 
     $td_str = '<INPUT NAME="' . $name . '[' . $field . ']" SIZE="' . $size . '" VALUE="';
 
     if (isset($values[$field])) {
 
-        $td_str .= htmlspecialchars($values[$field]);
 
+        $td_str .= htmlspecialchars( strip_tags( $values[$field] ) );
 
     }
 
     $td_str .= '">' . $add . '';
 
     return html_tag( 'tr' ,
 
@@ -40,9 +40,10 @@ function adressbook_inp_field($label, $field, $name, $size, $values, $add) {
 
 /* Output form to add and modify address data */
 
 function address_form($name, $submittext, $values = array()) {
 
     global $color;
 
+    
     echo html_tag( 'table',
 
                        adressbook_inp_field(_("Nickname"),     'nickname', $name, 15, $values,
 
-                           '<SMALL>' . _("Must be unique") . '</SMALL>') .
 
+                           ' <SMALL>' . _("Must be unique") . '</SMALL>') .
 
                        adressbook_inp_field(_("E-mail address"),  'email', $name, 45, $values, '') .
 
                        adressbook_inp_field(_("First name"),  'firstname', $name, 45, $values, '') .
 
                        adressbook_inp_field(_("Last name"),    'lastname', $name, 45, $values, '') .
 
@@ -56,7 +57,6 @@ function address_form($name, $submittext, $values = array()) {
 
     , 'center', '', 'border="0" cellpadding="1" width="90%"') ."\n";
 
 }
 
 
-
 
 /* Open addressbook, with error messages on but without LDAP (the *
 
  * second "true"). Don't need LDAP here anyway                    */
 
 $abook = addressbook_init(true, true);
 
@@ -69,7 +69,6 @@ if($abook->localbackend == 0) {
 
 
 displayPageHeader($color, 'None');
 
 
-
 
 $defdata   = array();
 
 $formerror = '';
 
 $abortform = false;
 
@@ -85,7 +84,9 @@ if($REQUEST_METHOD == 'POST') {
 
      * Add new address                                *
 
      **************************************************/
 
     if (!empty($addaddr['nickname'])) {
 
-
 
+        foreach( $addaddr as $k => $adr ) {
 
+            $addaddr[$k] = strip_tags( $adr );
 
+        }
 
         $r = $abook->add($addaddr, $abook->localbackend);
 
 
         /* Handle error messages */
 
@@ -98,7 +99,6 @@ if($REQUEST_METHOD == 'POST') {
 
             $showaddrlist = false;
 
             $defdata = $addaddr;
 
         }
 
-
 
     } else {
 
 
         /************************************************
 
@@ -369,7 +369,7 @@ if ($showaddrlist) {
 
 /* Display the "new address" form */
 
 echo '<a name="AddAddress"></a>' . "\n" .
 
     '<FORM ACTION="' . $form_url . '" NAME=f_add METHOD="POST">' . "\n" .
 
-    html_tag( 'table',
 
+    html_tag( 'table',  
         html_tag( 'tr',
 
             html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
 
                 'center', $color[0]
 
@@ -383,4 +383,4 @@ echo '</FORM>';
 
 do_hook('addressbook_bottom');
 
 ?>
 
 
-</BODY></HTML>
 
+</BODY></HTML>

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5