TutorialMS Community Forum

Full Version: BUG #2: PHP Code Injection [SOLVED]
Style variables aren't properly escaped / validated; this can cause PHP code execution from the style variables admin panel.

For example, try entering this in one of the style variables to print a message saying "Injection":

Code:
4px "); die('Injection');  $array = Array("

This is a rather critical security bug and should be fixed as soon as possible.


This is also affecting the settings as far as I read from the code.
Well this is assuming you are trying to attack your own script but it will be fixed.
Scott Wrote: Well this is assuming you are trying to attack your own script but it will be fixed.
If you have an XSS hole, hackers are able to attack your users' site and execute remote PHP code, and you can never be too sure that you don't have any holes.
Well I added the code

Code:
// strip every double quote from the submitted value before it is written into the PHP source
$value = preg_replace('/"/', '', $value);

to filter them out in both editing the configuration and editing the style vars, which should filter out any attacks because they won't be able to escape the array.
Scott Wrote: Well I added the code

Code:
// strip every double quote from the submitted value before it is written into the PHP source
$value = preg_replace('/"/', '', $value);

to filter them out in both editing the configuration and editing the style vars, which should filter out any attacks because they won't be able to escape the array.
Just say this instead; it's faster than using a regular expression =)

Code:
<?php
    /**
     * @ for PHP6 and double addslashes call to prevent sql injection
     * when inserting and executing the eval()
     */
    if(!@get_magic_quotes_gpc())
    {
        $value = addslashes($value);
    }

    $value = addslashes($value);
?>
Alright, it already added slashes once using check_slashes() (which checks for magic quotes), but on these two pages I added an additional addslashes(), which should be fine.
Sounds good Scott :)
Just out of curiosity: has this been applied to the package yet, or is this something to do manually?
Yes, most of the bugs have been fixed in the latest download, including this one.
Just out of interest:

Why are you using an eval() to define the array when you don't really allow php code inside the configurable options?

And does the patch also patch the eval() for site options? I think I spotted one there =)
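The following is an added example, not TutorialMS code and not what any poster in this thread wrote. It reconstructs the pattern the thread describes (style values pasted into a double-quoted PHP string literal inside generated source that is then eval()'d) and runs the report's payload, adapted to call a marker function instead of die(), against three builders: the reported pattern, the addslashes() patch discussed above, and a var_export() version. The function names, the layout of the generated source and the payloads are assumptions. It also adds a second payload without any double quote, because a double-quoted PHP literal interpolates {${expr}} and addslashes() only escapes single quotes, double quotes, backslashes and NUL bytes, so that payload is executed even after the patch:

```php
<?php
// Added example, not TutorialMS code. It reconstructs the pattern the thread
// describes (style values pasted into PHP source that is then eval()'d);
// function names, the generated source layout and the payloads are assumed.

// The report's payload, adapted: it calls a marker function instead of
// die() so the script keeps running, and leaves a bare Array(...) expression
// so the remaining generated source still parses.
$PAYLOAD_QUOTE = '4px "); injected_marker(); Array("';

// A second payload with no double quote at all. A double-quoted PHP literal
// interpolates {${expr}}, so addslashes() (which escapes only ' " \ and NUL)
// leaves this one fully working.
$PAYLOAD_INTERP = '4px {${injected_marker()}}';

function injected_marker(): string
{
    $GLOBALS['injected'] = true;
    return 'code';   // name of a local in eval_style_array(), so the lookup is silent
}

// 1. The reported pattern: raw values inside a double-quoted literal, then eval().
function style_source_vulnerable(array $vars): string
{
    $parts = array();
    foreach ($vars as $name => $value) {
        $parts[] = '"' . $name . '" => "' . $value . '"';
    }
    return '$array = Array(' . implode(', ', $parts) . ');';
}

// 2. The patch discussed in the thread: addslashes() each value first.
//    It stops the quote-based payload but not string interpolation.
function style_source_addslashes(array $vars): string
{
    $parts = array();
    foreach ($vars as $name => $value) {
        $parts[] = '"' . $name . '" => "' . addslashes($value) . '"';
    }
    return '$array = Array(' . implode(', ', $parts) . ');';
}

// 3. If PHP source must be generated at all (e.g. a config file that is later
//    include()d), let var_export() emit single-quoted literals, which PHP
//    never interpolates and which escape ' and \ correctly.
function style_source_var_export(array $vars): string
{
    $parts = array();
    foreach ($vars as $name => $value) {
        $parts[] = var_export((string) $name, true) . ' => ' . var_export((string) $value, true);
    }
    return '$array = array(' . implode(', ', $parts) . ');';
}

// 4. Usually no source needs generating: keep the values as data.
function style_array_direct(array $vars): array
{
    return array_map('strval', $vars);
}

function eval_style_array(string $code): array
{
    $array = array();
    eval($code);     // the evaluated source assigns $array in this scope
    return $array;
}

function run_case(string $label, string $code): void
{
    $GLOBALS['injected'] = false;
    $array = eval_style_array($code);
    printf("%-22s injected=%-3s border=%s\n",
        $label, $GLOBALS['injected'] ? 'yes' : 'no', $array['border'] ?? '(lost)');
}

$builders = array(
    'vulnerable' => 'style_source_vulnerable',
    'addslashes' => 'style_source_addslashes',
    'var_export' => 'style_source_var_export',
);
foreach (array('quote' => $PAYLOAD_QUOTE, 'interp' => $PAYLOAD_INTERP) as $pname => $payload) {
    $vars = array('border' => $payload, 'color' => '#fff');   // constructed sample input
    foreach ($builders as $bname => $build) {
        run_case("$bname/$pname", $build($vars));
    }
}
```

Run it with the PHP CLI and compare the "injected" column across builders. The quote-based payload is stopped by addslashes() because the escaped quote can no longer close the literal, whereas the interpolation payload keeps working until the value is emitted as a single-quoted literal. Single-quoted literals are never interpolated, which is why var_export() is the right tool if source must be generated, and style_array_direct() shows the alternative the last post asks about: when the values are only ever read as data, there is no reason to go through eval() at all.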