Youjoomla Support Forums (http://www.youjoomla.com/joomla_support/index.php)

neo 12-04-2009 03:47 AM

XSS Security Patch for YJ Whois
 
Thanks to Mr andresg888 and Mr Lafrance, we have discovered a low-risk XSS vulnerability in YJ Whois and YJ Whois 2.0 Joomla versions 1.0x and 1.5.x. All files on the server have been updated. If you are using these extensions, please download the new versions and reinstall...

If you use any of these demo installations, the buggy versions of YJ Whois are included:

* H-Connect for Joomla 1.0 and Joomla 1.5
* Youhostit for Joomla 1.5

Files affected are:

* modules/mod_yj_whois.php (Joomla 1.0)
* modules/mod_yj_whois/mod_yj_whois.php (Joomla 1.5)

Line 147

Code:

$domainName = (isset($_POST['domain'])) ? $_POST['domain'] : '';

Change to

Code:

$domainName = (isset($_POST['domain'])) ? htmlspecialchars(strip_tags($_POST['domain'])) : '';
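
The change to line 147, as an added example that is not part of the original post or the YJ Whois code: the unpatched and patched expressions wrapped in hypothetical functions, next to a stricter variant (an assumption, not the vendor's fix) that allowlists domain-name syntax and passes `ENT_QUOTES` explicitly. The function names and sample inputs are constructed for illustration.

```php
<?php
// Added example; function names and sample inputs are hypothetical.

// Line 147 before the patch: the raw POST value is used as-is.
function domain_unpatched(array $post): string {
    return isset($post['domain']) ? $post['domain'] : '';
}

// Line 147 as patched in the post above.
// Note: before PHP 8.1 the default flag of htmlspecialchars() is ENT_COMPAT,
// which encodes double quotes but leaves single quotes unencoded.
function domain_patched(array $post): string {
    return isset($post['domain']) ? htmlspecialchars(strip_tags($post['domain'])) : '';
}

// Assumption (not from the post): validate first, then encode.
// Anything that is not a syntactically plausible domain name is rejected.
function domain_strict(array $post): string {
    $raw = (isset($post['domain']) && is_string($post['domain'])) ? trim($post['domain']) : '';
    // Allowlist: dot-separated labels of letters, digits and hyphens.
    $pattern = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    if (strlen($raw) > 253 || !preg_match($pattern, $raw)) {
        return '';
    }
    // Explicit flags and charset so the result does not depend on PHP version.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: a normal lookup, markup, and quote characters.
$samples = [
    'example.com',
    '<b>example</b>.com',
    "example.com\" title='x",
];

foreach ($samples as $value) {
    $post = ['domain' => $value];
    printf("input:     %s\n", $value);
    printf("unpatched: %s\n", domain_unpatched($post));
    printf("patched:   %s\n", domain_patched($post));
    printf("strict:    %s\n\n", var_export(domain_strict($post), true));
}
```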

