Why make it a download when you can just make a quick tutorial showing users which pieces of code to change? Would it not be more logical to do that?
Can you post some screens, please? Thanks

This is a patch to fix the XSS exploit in BoostCMS News Comments. I discovered this exploit using a web security scanner a few months ago while I was checking the CMS. I decided to release this patch to the public as it may help a few users who are currently searching for the fix.
You may download the patch in the attachments below.
Instructions: Put the patch in <your web server path>/Boost/Packages/Default/Templates/. Please remember to back up your original Comment.tpl and place it somewhere outside your web server folder.
Note: This patch is 100% created by me; I only changed a few bits of code:
> But the htmlspecialchars is the code that makes it non-exploitable, like you can't use special chars or something like that, if I ain't much wrong.

Yes, it's true, but in this case the "exploiter" can input " < > ( ) " <- these tags secretly in comments to script a unique popup that displays unique codes, to steal users' sessions, on the news page which had enabled comments. Well, you can replicate the XSS with Acunetix Scanner if you want, just use the clean install of BoostCMS 2.0.
> The only thing that has been changed is within line 24. Also, @FatalLulz is correct, you should make us aware of what fixed this exploit in future releases.

Alright, noted [emoji4] I'll update this thread with the code snippets soon.
real code
Code:
<?php echo str_replace("\n", '<br>', htmlspecialchars($Comment['comment'])); ?>
replaced with
Code:
<?php echo strip_tags(str_replace("\n", '<br>', mysql_real_escape_string($Comment['comment']))) ?>
> Thanks for this release, good to see the community spirit is here.

Most welcome.
> Can you post some screens, please? Thanks

Sorry, but I can't provide any screenshots, since it only contains PHP snippets [emoji4]
You can exploit htmlspecialchars? Explain to me how you can get the cookies.
htmlentities would be better to use than htmlspecialchars.
> Yes, I know, but if I remember you can only execute simple JavaScript code on htmlspecialchars, you can't get the cookie.

Well, if you refuse to trust me, you can replicate it by using the Acunetix web scanner. I don't want to quarrel over these things on my thread. I released this to help some people who want to get rid of such problems.
mysql_real_escape_string !? wtf, why mysql_real_escape_string ?!?!?!?
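The disagreement in this thread comes down to which function is doing the output encoding on line 24 of Comment.tpl. The example below is added here for comparison; it is not code from the thread or from BoostCMS. It puts the original htmlspecialchars approach (with the flags it should have) next to a model of the patched line. Because mysql_real_escape_string() needs a live MySQL link and no longer exists in PHP 7, addslashes() stands in for it: both escape quotes and backslashes for a SQL string literal, and neither one encodes < or >. The comment strings are constructed for the demonstration.

```php
<?php
// Added example (not BoostCMS code): how a stored comment should be encoded
// before it is echoed into the news page, versus what the patched line does.
declare(strict_types=1);

/**
 * Encode a comment for insertion into an HTML element body.
 * Encoding happens first; the <br> tags are added afterwards, so they are
 * the only markup that reaches the browser.
 */
function render_comment(string $comment): string
{
    // ENT_QUOTES also encodes the single quote, so the output is safe in
    // attribute context too; ENT_SUBSTITUTE keeps an invalid UTF-8 byte
    // sequence from turning the whole comment into an empty string.
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($encoded, false); // inserts <br> before each newline
}

/**
 * Model of the patched Comment.tpl line. addslashes() stands in for
 * mysql_real_escape_string() (assumption: same idea, escaping quotes and
 * backslashes for SQL, which is not an HTML encoding at all).
 */
function render_comment_patched(string $comment): string
{
    return strip_tags(str_replace("\n", '<br>', addslashes($comment)));
}

// Constructed sample comments, not taken from the thread.
$samples = [
    "Nice news!\nThanks",
    '<b>bold</b> & "quoted" text',
    "a comment that mentions <, >, and 'quotes' in ordinary prose",
];

foreach ($samples as $s) {
    echo "input   : ", json_encode($s), PHP_EOL;
    echo "encoded : ", render_comment($s), PHP_EOL;
    echo "patched : ", render_comment_patched($s), PHP_EOL, PHP_EOL;
}
```

Running this shows the difference the thread is arguing about. render_comment() turns every <, >, &, " and ' into an entity, so the browser displays the comment as literal text whatever it contains, and the only tags in the output are the <br> elements the template itself added. render_comment_patched() does two unrelated things instead: the SQL-style escaping leaves stray backslashes in the rendered page in front of every quote, and strip_tags() discards everything between a < and the next > (the PHP manual warns that partial or broken tags remove more text than expected), so the third sample loses part of its sentence. Stripping tags is a blacklist; encoding for the output context is the fix that cannot be bypassed, and the SQL escaping belongs at the query, with a prepared statement, not at the template.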