From: <tr...@us...> - 2013-02-04 19:59:26
Revision: 10982 http://sourceforge.net/p/xoops/svn/10982 Author: trabis Date: 2013-02-04 19:59:15 +0000 (Mon, 04 Feb 2013) Log Message: ----------- Fixing blocks preview security issue Modified Paths: -------------- XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/blocksadmin/main.php Modified: XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt =================================================================== --- XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt 2013-02-04 19:37:48 UTC (rev 10981) +++ XoopsCore/branches/2.5.x/2.5.6/docs/changelog.250.txt 2013-02-04 19:59:15 UTC (rev 10982) @@ -10,7 +10,8 @@ - number of users when "all groups" selected was wrong (tatane/mamba) Security fixes - XSS/CSRF vulnerability in system/admin/groupperm.php (Dingjie Yang,Qualys/trabis) - - XSS/CSRF vulnerability in system/admin.php (Dingjie Yang,Qualys/trabis) + - XSS/CSRF vulnerability in system/modulesadmin/main.php (Dingjie Yang,Qualys/trabis) + - XSS/CSRF vulnerability in system/admin/blocksadmin/main.php (Marcin,Ariko-Security Team/trabis) =============================== 2013/01/22: Version 2.5.6 Beta Modified: XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/blocksadmin/main.php =================================================================== --- XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/blocksadmin/main.php 2013-02-04 19:37:48 UTC (rev 10981) +++ XoopsCore/branches/2.5.x/2.5.6/htdocs/modules/system/admin/blocksadmin/main.php 2013-02-04 19:59:15 UTC (rev 10982) @@ -250,6 +250,10 @@ break; case 'preview': + if (!$GLOBALS['xoopsSecurity']->check()) { + redirect_header('admin.php?fct=blocksadmin', 3, implode('<br />', $GLOBALS['xoopsSecurity']->getErrors())); + exit(); + } // Initialize blocks handler $block_handler =& xoops_getmodulehandler('block'); $block =& $block_handler->create(); |
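Review bot: The rewritten changelog line in the changelog.250.txt hunk, `+ - XSS/CSRF vulnerability in system/modulesadmin/main.php`, looks inconsistent with the path convention used by the neighbouring entries (`system/admin/groupperm.php`, `system/admin/blocksadmin/main.php`) and with the real location of the file touched in this commit (`htdocs/modules/system/admin/blocksadmin/main.php`); the modules admin page most likely lives under `system/admin/` as well, so please verify and, if so, write it as `system/admin/modulesadmin/main.php` so readers of the changelog can locate the fixed file.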
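Review bot: The main.php hunk adds the `$GLOBALS['xoopsSecurity']->check()` token check only inside `case 'preview':`, and the visible context (`break;` immediately above) shows that other cases of the same `switch` exist; the CSRF fix is only complete if every case that acts on submitted form data performs the same check, so either confirm those cases already call `check()` or move the token check above the `switch` so a future case cannot be added without it. Two smaller points on the added lines: the `exit();` after `redirect_header()` is good practice and should stay even though `redirect_header()` normally terminates, and since `implode('<br />', ...->getErrors())` is rendered as HTML by the redirect page, it is worth confirming that the messages returned by `getErrors()` never contain request-controlled text, otherwise they need escaping before being embedded.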