Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

@@ -7,12 +7,12 @@ \* v. 2.0. If a copy of the MPL was not distributed with this file, You can \* obtain one at http://mozilla.org/MPL/2.0/. \* \* @package phpMyFAQ \* @author Thorsten Rinne <thorsten@phpmyfaq.de> \* @package phpMyFAQ \* @author Thorsten Rinne <thorsten@phpmyfaq.de> \* @copyright 2002-2022 phpMyFAQ Team \* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0 \* @link https://www.phpmyfaq.de \* @since 2002-09-16 \* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0 \* @link https://www.phpmyfaq.de \* @since 2002-09-16 \*/  
use phpMyFAQ\\Captcha; @@ -63,7 +63,7 @@ $question = $readonly = ''; if (!is\_null($selectedQuestion)) { $oQuestion = $questionObject\->getQuestion($selectedQuestion); $question = $oQuestion\['question'\]; $question = Strings::htmlentities($oQuestion\['question'\]); if (Strings::strlen($question)) { $readonly = ' readonly'; }

CVE-2023-0312: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@65d419c

@@ -28,6 +28,7 @@

use phpMyFAQ\\Language;

use phpMyFAQ\\LinkVerifier;

use phpMyFAQ\\Search\\SearchFactory;

use phpMyFAQ\\Strings;

use phpMyFAQ\\Visits;

  

if (!defined('IS\_VALID\_PHPMYFAQ')) {

@@ -456,8 +457,9 @@ function verifyEntryURL\_failure(XmlRequest)

</td\>

<td\>

<a href\="?action=editentry&id=<?= $record\['id'\] ?>&lang=<?= $record\['lang'\] ?>"

title\="<?= $PMF\_LANG\['ad\_user\_edit'\] ?> '<?= str\_replace('"', '´', $record\['title'\]) ?>'"\>

<?= $record\['title'\] ?>

title\="<?= $PMF\_LANG\['ad\_user\_edit'\] ?> '

<?= str\_replace('"', '´', Strings::htmlentities($record\['title'\])) ?>'"\>

<?= Strings::htmlentities($record\['title'\]) ?>

</a\>

<?php

if (isset($numCommentsByFaq\[$record\['id'\]\])) {

CVE-2023-0306: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@1815dae

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 230

*   Code
*   Issues 29
*   Pull requests
*   Discussions
*   Actions
*   Projects 3
*   Security
*   Insights

Permalink

Browse files

fix: added missing check on redirect value

*   Loading branch information

1 parent 1123c08 commit 3872e7eac2ddeac182fc1335cc312d1392d56f98

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -136,7 +136,7 @@

//

// Get possible redirect action

//

$redirectAction = Filter::filterInput(INPUT\_POST, 'redirect-action', FILTER\_UNSAFE\_RAW);

$redirectAction = Filter::filterInput(INPUT\_POST, 'redirect-action', FILTER\_SANITIZE\_SPECIAL\_CHARS);

if (is\_null($action) && '' !== $redirectAction && 'logout' !== $redirectAction) {

$action = $redirectAction;

}

**0 comments on commit 3872e7e**

Please sign in to comment.

CVE-2023-0314: fix: added missing check on redirect value · thorsten/phpMyFAQ@3872e7e

Improper Authentication in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

@@ -434,7 +434,7 @@ private function drawText()

$codeLength = Strings::strlen($this\->code);

$numFonts = count($this\->fonts);

$w1 = 15;

$w2 = $this\->width / ($codeLength + 1);

$w2 = floor($this\->width / ($codeLength + 1));

  

for ($p = 0; $p < $codeLength; ++$p) {

$letter = $this\->code\[$p\];

@@ -515,7 +515,7 @@ public function checkCaptchaCode(string $code): bool

public function validateCaptchaCode(string $captchaCode): bool

{

// Sanity check

if (0 === Strings::strlen($captchaCode)) {

if (Strings::strlen($captchaCode) !== $this\->captchaLength) {

return false;

}

CVE-2023-0311: fix: check captcha length correctly and fix type error · thorsten/phpMyFAQ@fe6e9f0

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

@@ -776,14 +776,17 @@

break;

}

  

$userData = \[

'display\_name' => $userName,

'email' => $email,

'is\_visible' => $isVisible === 'on' ? 1 : 0

\];

$success = $user\->setUserData($userData);

  

if (0 !== strlen($password) && 0 !== strlen($confirm)) {

if (strlen($password) <= 7 || strlen($confirm) <= 7) {

$message = \['error' => $PMF\_LANG\['ad\_passwd\_fail'\]\];

break;

} else {

$userData = \[

'display\_name' => $userName,

'email' => $email,

'is\_visible' => $isVisible === 'on' ? 1 : 0

\];

$success = $user\->setUserData($userData);

  

foreach ($user\->getAuthContainer() as $author => $auth) {

if ($auth\->setReadOnly()) {

continue;

CVE-2023-0307: fix: added missing check on password length · thorsten/phpMyFAQ@8beed2f

@@ -7,21 +7,21 @@ \* v. 2.0. If a copy of the MPL was not distributed with this file, You can \* obtain one at http://mozilla.org/MPL/2.0/. \* \* @package phpMyFAQ \* @author Thorsten Rinne <thorsten@phpmyfaq.de> \* @author Matteo Scaramuccia <matteo@phpmyfaq.de> \* @package phpMyFAQ \* @author Thorsten Rinne <thorsten@phpmyfaq.de> \* @author Matteo Scaramuccia <matteo@phpmyfaq.de> \* @copyright 2003-2022 phpMyFAQ Team \* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0 \* @link https://www.phpmyfaq.de \* @since 2003-02-23 \* @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0 \* @link https://www.phpmyfaq.de \* @since 2003-02-23 \*/  
use phpMyFAQ\\Comments; use phpMyFAQ\\Date; use phpMyFAQ\\Entity\\CommentType; use phpMyFAQ\\Filter; use phpMyFAQ\\Helper\\LanguageHelper; use phpMyFAQ\\News; use phpMyFAQ\\News;use phpMyFAQ\\Strings;  
if (!defined('IS\_VALID\_PHPMYFAQ')) { http\_response\_code(400); @@ -66,15 +66,19 @@ </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="authorName"\><?= $PMF\_LANG\['ad\_news\_author\_name'\] ?></label\> <label class\="col-3 col-form-label" for\="authorName"\> <?= $PMF\_LANG\['ad\_news\_author\_name'\] ?> </label\> <div class\="col-9"\> <input class\="form-control" type\="text" name\="authorName" id\="authorName" value\="<?= $user\->getUserData('display\_name') ?>"\> </div\> </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="authorEmail"\><?= $PMF\_LANG\['ad\_news\_author\_email'\] ?></label\> <label class\="col-3 col-form-label" for\="authorEmail"\> <?= $PMF\_LANG\['ad\_news\_author\_email'\] ?> </label\> <div class\="col-9"\> <input class\="form-control" type\="email" name\="authorEmail" id\="authorEmail" value\="<?= $user\->getUserData('email') ?>"\> @@ -94,7 +98,9 @@ </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="comment"\><?= $PMF\_LANG\['ad\_news\_allowComments'\] ?></label\> <label class\="col-3 col-form-label" for\="comment"\> <?= $PMF\_LANG\['ad\_news\_allowComments'\] ?> </label\> <div class\="col-9 checkbox"\> <label\> <input type\="checkbox" name\="comment" id\="comment" value\="y"\> @@ -106,12 +112,15 @@ <div class\="form-group row"\> <label class\="col-3 col-form-label" for\="link"\><?= $PMF\_LANG\['ad\_news\_link\_url'\] ?></label\> <div class\="col-9"\> <input class\="form-control" type\="text" name\="link" id\="link" placeholder\="http://www.example.com/"\> <input class\="form-control" type\="text" name\="link" id\="link" placeholder\="http://www.example.com/"\> </div\> </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="linkTitle"\><?= $PMF\_LANG\['ad\_news\_link\_title'\] ?></label\> <label class\="col-3 col-form-label" for\="linkTitle"\> <?= $PMF\_LANG\['ad\_news\_link\_title'\] ?> </label\> <div class\="col-9"\> <input type\="text" name\="linkTitle" id\="linkTitle" class\="form-control"\> </div\> @@ -207,7 +216,7 @@ foreach ($newsHeader as $newsItem) { ?> <tr\> <td\><?= $newsItem\['header'\] ?></td\> <td\><?= Strings::htmlentities($newsItem\['header'\]) ?></td\> <td\><?= $date\->format($newsItem\['date'\]) ?></td\> <td\> <a class\="btn btn-primary" href\="?action=edit-news&amp;id=<?= $newsItem\['id'\] ?>"\> @@ -254,7 +263,7 @@ <label class\="col-3 col-form-label" for\="newsheader"\><?= $PMF\_LANG\['ad\_news\_header'\] ?></label\> <div class\="col-9"\> <input type\="text" name\="newsheader" id\="newsheader" class\="form-control" value\="<?= $newsData\['header'\] ?? '' ?>"\> value\="<?= Strings::htmlentities($newsData\['header'\]) ?? '' ?>"\> </div\> </div\>  
@@ -270,16 +279,20 @@ </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="authorName"\><?= $PMF\_LANG\['ad\_news\_author\_name'\] ?></label\> <label class\="col-3 col-form-label" for\="authorName"\> <?= $PMF\_LANG\['ad\_news\_author\_name'\] ?> </label\> <div class\="col-9"\> <input type\="text" name\="authorName" value\="<?= $newsData\['authorName'\] ?>" class\="form-control"\> <input type\="text" name\="authorName" class\="form-control" value\="<?= Strings::htmlentities($newsData\['authorName'\]) ?>"\> </div\> </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="authorEmail"\><?= $PMF\_LANG\['ad\_news\_author\_email'\] ?></label\> <div class\="col-9"\> <input type\="email" name\="authorEmail" value\="<?= $newsData\['authorEmail'\] ?>" class\="form-control"\> <input type\="email" name\="authorEmail" class\="form-control" value\="<?= Strings::htmlentities($newsData\['authorEmail'\]) ?>"\> </div\> </div\>  
@@ -315,15 +328,16 @@ <div class\="form-group row"\> <label class\="col-3 col-form-label" for\="link"\><?= $PMF\_LANG\['ad\_news\_link\_url'\] ?></label\> <div class\="col-9"\> <input type\="text" id\="link" name\="link" value\="<?= $newsData\['link'\] ?>" class\="form-control"\> <input type\="text" id\="link" name\="link" value\="<?= Strings::htmlentities($newsData\['link'\]) ?>" class\="form-control"\> </div\> </div\>  
<div class\="form-group row"\> <label class\="col-3 col-form-label" for\="linkTitle"\><?= $PMF\_LANG\['ad\_news\_link\_title'\] ?></label\> <div class\="col-9"\> <input type\="text" id\="linkTitle" name\="linkTitle" value\="<?= $newsData\['linkTitle'\] ?>" class\="form-control"\> <input type\="text" id\="linkTitle" name\="linkTitle" value\="<?= Strings::htmlentities($newsData\['linkTitle'\]) ?>" class\="form-control"\> </div\> </div\>  
@@ -429,14 +443,14 @@ class="form-control"> <?php $dateStart = Filter::filterInput(INPUT\_POST, 'dateStart', FILTER\_UNSAFE\_RAW); $dateEnd = Filter::filterInput(INPUT\_POST, 'dateEnd', FILTER\_UNSAFE\_RAW); $header = Filter::filterInput(INPUT\_POST, 'newsheader', FILTER\_UNSAFE\_RAW); $header = Filter::filterInput(INPUT\_POST, 'newsheader', FILTER\_SANITIZE\_SPECIAL\_CHARS); $content = Filter::filterInput(INPUT\_POST, 'news', FILTER\_SANITIZE\_SPECIAL\_CHARS); $author = Filter::filterInput(INPUT\_POST, 'authorName', FILTER\_UNSAFE\_RAW); $email = Filter::filterInput(INPUT\_POST, 'authorEmail', FILTER\_VALIDATE\_EMAIL); $active = Filter::filterInput(INPUT\_POST, 'active', FILTER\_UNSAFE\_RAW); $comment = Filter::filterInput(INPUT\_POST, 'comment', FILTER\_UNSAFE\_RAW); $link = Filter::filterInput(INPUT\_POST, 'link', FILTER\_UNSAFE\_RAW); $linkTitle = Filter::filterInput(INPUT\_POST, 'linkTitle', FILTER\_UNSAFE\_RAW); $link = Filter::filterInput(INPUT\_POST, 'link', FILTER\_SANITIZE\_SPECIAL\_CHARS); $linkTitle = Filter::filterInput(INPUT\_POST, 'linkTitle', FILTER\_SANITIZE\_SPECIAL\_CHARS); $newsLang = Filter::filterInput(INPUT\_POST, 'langTo', FILTER\_UNSAFE\_RAW); $target = Filter::filterInput(INPUT\_POST, 'target', FILTER\_UNSAFE\_RAW);

CVE-2023-0313: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@1123c08

@@ -20,6 +20,7 @@

use phpMyFAQ\\Date;

use phpMyFAQ\\Entity\\CommentType;

use phpMyFAQ\\Faq;

use phpMyFAQ\\Strings;

  

if (!defined('IS\_VALID\_PHPMYFAQ')) {

http\_response\_code(400);

@@ -73,7 +74,7 @@

<td\>

<span style\="font-weight: bold;"\>

<a href\="mailto:<?= $faqComment\->getEmail() ?>"\>

<?= $faqComment\->getUsername() ?>

<?= Strings::htmlentities($faqComment\->getUsername()) ?>

</a\> |

<?= $date\->format(date('Y-m-d H:i', $faqComment\->getDate())) ?> |

<a href\="<?php printf(

@@ -84,8 +85,8 @@

) ?>"\>

<?= $faq\->getRecordTitle($faqComment\->getRecordId()) ?>

</a\>

</span\><br/\>

<?= $faqComment\->getComment() ?>

</span\><br\>

<?= Strings::htmlentities($faqComment\->getComment()) ?>

</td\>

</tr\>

<?php

CVE-2023-0310: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@53099a9

CVE-2023-0308: huntr – Security Bounties for any GitHub repository

CVE-2023-0309: huntr – Security Bounties for any GitHub repository

** UNSUPPPORTED WHEN ASSIGNED **** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, was found in calesanz gibb-modul-151. This affects the function bearbeiten/login. The manipulation leads to open redirect. It is possible to initiate the attack remotely. The name of the patch is 88a517dc19443081210c804b655e72770727540d. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218379. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Permalink

Browse files

fixed security vulnerability in redirect (missing validation)

*   Loading branch information

1 parent 36298e9 commit 88a517dc19443081210c804b655e72770727540d

Showing **15 changed files** with **29 additions** and **3,650 deletions**.

*   *   DAGuestBookEntry.php
*   *   gaestebuchController.php
    *   userController.php
*   *   foundation.css
*   *   foundation.min.js
    *   *   fastclick.js
        *   jquery.cookie.js
        *   jquery.js
        *   modernizr.js
        *   placeholder.js
*   *   Dispatcher.php
    *   Redirector.php
*   modernizr.js
*   *   gaestebuch.anzeigen.php
    *   gaestebuch.php

@@ -17,7 +17,7 @@ function find($id) {

return $entry;

}

function findAll() {

$sql = 'SELECT \* FROM GuestBookEntry';

$sql = 'SELECT \* FROM GuestBookEntry ORDER BY CreatedAt DESC';

$stmt = self::getConnection ()->prepare ( $sql );

$stmt\->execute ();

  

@@ -43,8 +43,7 @@ public function bearbeiten($param, $data, $session) {

$errors .= \\BO\\BOGuestBook::save ( $guestbook );

if ($errirs == "") {

// Redirect back

header ( "Location: $backurl" );

header ( "HTTP/1.1 302 Found" );

\\Redirector::redirect($backurl);

return;

}

}

@@ -42,9 +42,7 @@ public function login($param, $data, $session) {

$\_SESSION \['userId'\] = $user\->Id;

$\_SESSION \['FullName'\] = $user\->FullName;

// Logged In

  

header ( "Location: $backurl" );

header ( "HTTP/1.1 302 Found" );

\\Redirector::redirect($backurl);

return;

} else

$errorMessage = "Incorrect credentials!";

**0 comments on commit 88a517d**

Please sign in to comment.

Tag

#php