Ticket #142 (closed bug report: fixed)

Opened 13 years ago

Last modified 13 years ago

XSS in postal code auto-fill

Reported by: adachi Owned by: somebody
Priority: Milestone: EC-CUBE
Component: Front end Version: 1.3 series
Keywords: Cc:
Fixed:

Description

input_zip.php has an XSS vulnerability.

 http://***.ec-cube.net/input_zip.php?zip1=621&zip2=0834&input1=pref&input2=addr01');%20alert('hogehoge

Lines 58 and 59

$func = "fnPutAddress('" . $_GET['input1'] . "','" . $_GET['input2'] . "');";

$objPage->tpl_onload = "$func";
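
The pattern from lines 58 and 59 beside one way to harden it, as an added example that is not part of the ticket and is not the change committed in r15313. The helper names, the identifier pattern for field names, and the idea that tpl_onload ends up in an HTML attribute are assumptions; the sample inputs are constructed from the URL in the report.

```php
<?php
// Added example; not EC-CUBE's code and not the fix made in r15313.

// Pattern from the ticket: request values are concatenated straight into a
// JavaScript call, so a single quote in input2 ends the string literal.
function buildOnloadVulnerable(array $get): string
{
    return "fnPutAddress('" . $get['input1'] . "','" . $get['input2'] . "');";
}

// Hardened form (hypothetical helper). input1/input2 are expected to be form
// field names, so anything outside a strict identifier pattern is rejected.
function buildOnloadHardened(array $get): string
{
    $args = [];
    foreach (['input1', 'input2'] as $key) {
        $value = $get[$key] ?? '';
        // is_string() also rejects array parameters such as input1[]=x
        if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value)) {
            return ''; // emit no script at all for unexpected input
        }
        // Defence in depth: encode as a JavaScript string literal.
        $args[] = json_encode(
            $value,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
    }
    return 'fnPutAddress(' . implode(',', $args) . ');';
}

// Constructed sample inputs: a normal request and the one from the report.
$samples = [
    ['input1' => 'pref', 'input2' => 'addr01'],
    ['input1' => 'pref', 'input2' => "addr01'); alert('hogehoge"],
];

foreach ($samples as $get) {
    echo 'vulnerable: ', buildOnloadVulnerable($get), PHP_EOL;
    $js = buildOnloadHardened($get);
    // Assumption: the value is rendered into an attribute such as
    // <body onload="...">, so it is HTML-escaped at output time as well.
    echo 'hardened:   ', htmlspecialchars($js, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

For the second sample the vulnerable builder emits two JavaScript statements, while the hardened builder returns an empty string.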

Change History

comment:1 Changed 13 years ago by adachi

Fixed.

[Handled by] Adachi

[Revision] r15313

[Branch] rel

comment:2 Changed 13 years ago by adachi

  • Status changed from new to closed
  • Resolution set to fixed