From f23f95941a400702f525923973f3612df6da82cb Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Wed, 18 Mar 2015 22:16:34 +0100
Subject: [PATCH] SECURITY escape user properties in user manager #1081
The user properties (login, real name, etc) where not properly escaped
in the user manager's edit form. This allowed a XSS attack on the
superuser by registered users.
Thanks to Filippo Cavallarin from www.segment.technology for discovering
this bug.
---
lib/plugins/usermanager/admin.php | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/plugins/usermanager/admin.php b/lib/plugins/usermanager/admin.php
index cc4c4ae47..9cb9b0c40 100644
--- a/lib/plugins/usermanager/admin.php
+++ b/lib/plugins/usermanager/admin.php
@@ -222,9 +222,9 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
*/
$groups = join(', ',$grps);
ptln(" <tr class=\"user_info\">");
- ptln(" <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".$user."]\" ".$delete_disable." /></td>");
+ ptln(" <td class=\"centeralign\"><input type=\"checkbox\" name=\"delete[".hsc($user)."]\" ".$delete_disable." /></td>");
if ($editable) {
- ptln(" <td><a href=\"".wl($ID,array('fn[edit]['.hsc($user).']' => 1,
+ ptln(" <td><a href=\"".wl($ID,array('fn[edit]['.$user.']' => 1,
'do' => 'admin',
'page' => 'usermanager',
'sectok' => getSecurityToken())).
@@ -356,7 +356,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
// save current $user, we need this to access details if the name is changed
if ($user)
- ptln(" <input type=\"hidden\" name=\"userid_old\" value=\"".$user."\" />",$indent);
+ ptln(" <input type=\"hidden\" name=\"userid_old\" value=\"".hsc($user)."\" />",$indent);
$this->_htmlFilterSettings($indent+10);
@@ -401,6 +401,7 @@ class admin_plugin_usermanager extends DokuWiki_Admin_Plugin {
$fieldtype = 'text';
$autocomp = '';
}
+ $value = hsc($value);
echo "<tr $class>";
echo "<td><label for=\"$id\" >$label: </label></td>";
--
GitLab