From: <be...@us...> - 2012-12-10 04:48:17
Revision: 10346
http://sourceforge.net/p/xoops/svn/10346
Author: beckmi
Date: 2012-12-10 04:48:14 +0000 (Mon, 10 Dec 2012)
Log Message:
-----------
XSS (Cross Site Scripting) vulnerability in Maintenance (Dingjie Yang,Qualys/trabis)
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt
XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/maintenance/main.php
Modified: XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt
===================================================================
--- XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt 2012-12-10 01:13:08 UTC (rev 10345)
+++ XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt 2012-12-10 04:48:14 UTC (rev 10346)
@@ -3,6 +3,9 @@
 ===============================
 2012/08/06: Version 2.5.6 Alpha
 ===============================
+Security fixes:
+ - XSS (Cross Site Scripting) vulnerability in Maintenance (Dingjie Yang,Qualys/trabis)
+
 Bugfixes:
 - fixed errors related to static functions, so it works on PHP 5.4 (Mamba)
Modified: XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/maintenance/main.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/maintenance/main.php 2012-12-10 01:13:08 UTC (rev 10345)
+++ XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/maintenance/main.php 2012-12-10 04:48:14 UTC (rev 10346)
@@ -102,6 +102,11 @@
 break;
 case 'maintenance_save':
+ // Check security
+ if ( !$GLOBALS['xoopsSecurity']->check() ) {
+ redirect_header( 'admin.php?fct=maintenance', 3, implode('<br />', $GLOBALS['xoopsSecurity']->getErrors() ) );
+ exit();
+ }
 //Define Breadcrumb and tips
 $xoBreadCrumb->addLink(_AM_SYSTEM_MAINTENANCE_NAV_MANAGER, system_adminVersion('maintenance', 'adminpath'));
 //$xoBreadCrumb->addLink(_AM_SYSTEM_MAINTENANCE_NAV_MAINTENANCE);
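Review bot: The added guard rejects any `maintenance_save` request whose token fails `$GLOBALS['xoopsSecurity']->check()`, so the form that posts this action must now emit the matching hidden token field (in XOOPS normally via the form object's token element or `getTokenHTML()`), and this commit does not touch that form; if it renders without the field, every legitimate save is bounced to `admin.php?fct=maintenance`. What the hunk adds is a request-token (anti-CSRF) check rather than output escaping, so the "XSS" label in the log holds only insofar as the reported attack relied on forging this POST — any path that echoes stored settings unescaped is unchanged here, and the bare `// Check security` would read better as `// Reject submissions lacking a valid XOOPS form token (anti-CSRF); the form must render the token field`. The error strings are joined with `<br />` and handed to `redirect_header` unescaped, which is fine only as long as `getErrors()` returns fixed messages and never request data — worth confirming. The enclosing switch starts and ends outside the hunk.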
@@ -157,6 +162,11 @@
 break;
 case 'dump_save':
+ // Check security
+ if ( !$GLOBALS['xoopsSecurity']->check() ) {
+ redirect_header( 'admin.php?fct=maintenance', 3, implode('<br />', $GLOBALS['xoopsSecurity']->getErrors() ) );
+ exit();
+ }
 //Define Breadcrumb and tips
 $xoBreadCrumb->addLink(_AM_SYSTEM_MAINTENANCE_NAV_MANAGER, system_adminVersion('maintenance', 'adminpath'));
 $xoBreadCrumb->addLink(_AM_SYSTEM_MAINTENANCE_NAV_DUMP);
|
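Review bot: The same five-line token guard is pasted verbatim into `dump_save`, and any other state-changing case of this switch that is not shown here stays unprotected; a single check ahead of the switch, keyed on the set of write operations, would cover them all and keep the redirect target in one place. The switch variable and its other cases lie outside the hunk so the exact condition cannot be written here, but assuming it dispatches on `$op` the shape is `if (in_array($op, array('maintenance_save', 'dump_save'), true) && !$GLOBALS['xoopsSecurity']->check()) { redirect_header('admin.php?fct=maintenance', 3, implode('<br />', $GLOBALS['xoopsSecurity']->getErrors())); exit(); }`. Keeping the explicit `exit()` after `redirect_header` is sound defensive practice even if that helper terminates on its own, since the code below it would otherwise write the dump with an unverified request. The enclosing switch starts and ends outside the hunk.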