Ticket #103 (closed bug report: invalid)

Opened 13 years ago

Last modified 12 years ago

Countermeasures for XSS vulnerabilities

Reported by: adati Owned by: adachi
Priority: Milestone: EC-CUBE
Component: Front Version: 1.3 series
Keywords: Cc:
Fixed:

Description (last modified by adati) (diff)

Change History

comment:1 Changed 13 years ago by adati

  • Status changed from new to closed
  • Resolution set to fixed
  • Description modified (diff)

This has been addressed.

Adachi

comment:2 Changed 13 years ago by nanasess

  • Status changed from closed to reopened
  • Resolution fixed deleted

comment:3 in reply to: ↑ description Changed 13 years ago by nanasess

  • Owner changed from somebody to adachi
  • Status changed from reopened to new

Replying to adati:

Some pages have an XSS vulnerability.

 http://xoops.ec-cube.net/modules/newbb/viewtopic.php?topic_id=653&forum=8&post_id=1981

The sanitization is incomplete around line 59 of SC_PaveNavi.php, in the part that generates the HTML tags.

<?php
            if ($this->now_page > 1) {
                $before="<a href=\"". $_SERVER['PHP_SELF']. "\" onclick=\"$func_name('" . (($this->now_page) - 1) . "'); return false;\"><<前へ</a> ";
                $this->arrPagenavi['before'] = ($this->now_page) - 1;
            }else{
                $this->arrPagenavi['before'] = $this->now_page;
            }

            if ($this->now_page < $this->max_page) {
                $next="<a href=\"". $_SERVER['PHP_SELF']. "\" onclick=\"$func_name('" . (($this->now_page) + 1) ."'); return false;\">次へ>></a> ";
                $this->arrPagenavi['next'] = ($this->now_page) + 1;
            }else{
                $this->arrPagenavi['next'] = $this->now_page;
            }
?>

comment:4 in reply to: ↑ description Changed 13 years ago by nanasess

Also present in html/products/detail.php.

        // ID of the selected class category 2
        $this->tpl_onload = "lnSetSelect('form1', 'classcategory_id1', 'classcategory_id2', '" . $_POST['classcategory_id2'] . "');";
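
The two sinks quoted in comments 3 and 4, rewritten so each interpolated value is encoded or validated for its output context, as an added example that is not EC-CUBE code and not the change made for this ticket. The helper names (`h`, `int_or_empty`, `pager_link`, `onload_for_classcategory`), the callback name `goToPage` and the sample inputs are assumptions.

```php
<?php
// Added illustration, not EC-CUBE source; all function names are hypothetical.

// HTML text/attribute context: encode &, <, > and both quote characters.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Accept only a non-negative integer; anything else becomes ''.
function int_or_empty($value)
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return ($id === false) ? '' : (string) $id;
}

// Pager link as in comment 3, with every interpolated value constrained.
function pager_link($self, $func_name, $page, $label)
{
    // Assumption: the callback is a fixed identifier set by the application.
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $func_name)) {
        throw new InvalidArgumentException('unexpected callback name');
    }
    return '<a href="' . h($self) . '" onclick="' . $func_name . "('"
        . (int) $page . "'); return false;\">" . h($label) . '</a> ';
}

// onload string as in comment 4: the posted ID reaches the JavaScript
// string literal only after integer validation.
function onload_for_classcategory($posted_id)
{
    return "lnSetSelect('form1', 'classcategory_id1', 'classcategory_id2', '"
        . int_or_empty($posted_id) . "');";
}

// Constructed sample inputs (not taken from the ticket).
echo pager_link('/products/list.php/a"b<c', 'goToPage', 3, '次へ>>'), "\n";
echo onload_for_classcategory('12'), "\n";
echo onload_for_classcategory("12'x"), "\n";
```

The integer check is used for the `onload` value because it is safe whether or not the template later HTML-encodes the string.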

comment:5 Changed 12 years ago by takegami

  • Status changed from new to closed
  • Resolution set to invalid