Re: Another HoloCMS XSS Fix
Thank you very much. Just added it in, hopefully they won't come back to bother me ;)
Re: Another HoloCMS XSS Fix
Hopefully not,
Whoever was doing it to me was using <meta to refresh my site to porn sites/shock sites/rickrolls
Re: Another HoloCMS XSS Fix
what's with the </span></span> ??
Re: Another HoloCMS XSS Fix
Thanks John & AJ of course. Adding it now.
Re: [REL] Another HoloCMS XSS Fix
Thanks a lot John/Craig :P
You did this to my hotel... I remember that coz some noob stole your news pics so u gave urself like 100000 credits :L
Re: [REL] Another HoloCMS XSS Fix
:o thank you for this, now we have some more stuff to add to our core.php. Thanks man.
credits to AJ :D
Re: [REL] Another HoloCMS XSS Fix
Thank you very much ^^ needed this fix!
Re: [REL] Another HoloCMS XSS Fix
I already told The AJ this, which is why he didn't release it:
This doesn't really fix anything. The XSS exploits are ONLY in places with POST instead of GET. The GET stuff is pretty much patched. Also, this disables administrators from posting HTML stuff. FYI. Finally, something similar can be done in one line:
PHP Code:
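// Store the filtered value back (assumes HoloText() returns the filtered string)
foreach ($_GET as &$value) { $value = HoloText($value); }
foreach ($_POST as &$value) { $value = HoloText($value); }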
Or for people not using HoloCMS (I doubt it):
PHP Code:
// htmlspecialchars() returns the escaped string, so assign it back
foreach ($_GET as &$value) { $value = htmlspecialchars($value); }
foreach ($_POST as &$value) { $value = htmlspecialchars($value); }
htmlspecialchars basically does the ereg_replace stuff mentioned above.
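Added example (not part of the original posts, and not HoloCMS code): escaping request values with htmlspecialchars as described in the post above, covering nested array parameters and the need to assign the result back. The helper name escape_request_value and the sample input are hypothetical.

```php
<?php
// Added example: helper name and sample data are hypothetical.

/**
 * Escape a request value for HTML output. Request parameters can be
 * nested arrays (e.g. ?name[]=x), so recurse instead of handing an
 * array to htmlspecialchars().
 */
function escape_request_value($value)
{
    if (is_array($value)) {
        // array_map() with a single array preserves the keys.
        return array_map('escape_request_value', $value);
    }
    // ENT_QUOTES also encodes single quotes, so the value stays inert
    // inside quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = [
    'message' => '<meta http-equiv="refresh" content="0;url=https://example.invalid/">',
    'tags'    => ['<b>news</b>', "it's fine"],
];

// Calling the function and discarding the result changes nothing.
foreach ($post as &$value) {
    escape_request_value($value);
}
unset($value); // drop the dangling reference left by the by-reference loop
echo "discarded result: ", $post['message'], "\n";

// Assigning the result back is what replaces the markup characters.
$post = escape_request_value($post);
echo "assigned result:  ", $post['message'], "\n";
echo "nested value:     ", $post['tags'][0], " / ", $post['tags'][1], "\n";
```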
Re: [REL] Another HoloCMS XSS Fix
ahh, very nice Yifan!
I would just throw in a htmlspecialchars_decode() o.o
Re: [REL] Another HoloCMS XSS Fix
Sorry to disturb, but what is this, what does it do? (XSS)?