Important: XSS Vulnerability


Andrew Darby

Jun 15, 2012, 12:30:48 PM
to subjec...@googlegroups.com
Hello, all. I came across the following pastebin entry today, which
pointed out a public vulnerability in the databases list:

http://pastebin.com/dER2NYKr

I'm not sure what version of SP these sites are running, but you need
to fix this asap. To fix, go to subjects/databases.php and look for a
line that adds some additional information to the $page_title
variable. If you have something that looks like this line, with the
$_GET["letter"] variable being displayed without first being scrubbed
for malicious intent, you have a potential problem:

$page_title .= ": " . $_GET["letter"];

I'm not sure exactly what it looks like on your site, but for now, try
commenting this line out. You should be left with a generic "Database
List" page title.

If you want to see if this is an issue, cut and paste in your database
list url and add at the end

"><script>alert(1)</script>

if it makes a box pop up, you have a problem. If you're not sure what
to do, drop me a line off list.

This should not be an issue in 1.0.1, but you might have downloaded
the new version and kept your old subjects/databases.php file. I'll
send instructions later about how to safely include your selected
letter as part of the title.
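Since the safe way to keep the letter in the title is only promised above, here is an added example (not from the thread or the SubjectsPlus code) that puts the unsafe concatenation beside a hardened replacement; the function names and the "Database List" base title are assumptions.

```php
<?php
// Added example, not SubjectsPlus project code. Both functions build the
// page title from the "letter" query parameter that subjects/databases.php
// appends to $page_title.

// Unsafe form from the message: the raw parameter is concatenated into the
// title and later echoed into the HTML unescaped, which is the XSS sink.
function pageTitleUnsafe(array $get, string $base = 'Database List'): string
{
    $title = $base;
    if (isset($get['letter'])) {
        $title .= ': ' . $get['letter']; // reflected without any scrubbing
    }
    return $title;
}

// Hardened form: only accept what a letter filter can legitimately be
// (one ASCII letter), and HTML-encode the result anyway so the output is
// safe even if the accepted set is widened later.
function pageTitleSafe(array $get, string $base = 'Database List'): string
{
    $title = $base;
    if (isset($get['letter']) && is_string($get['letter'])
        && preg_match('/^[A-Za-z]$/', $get['letter'])) {
        $title .= ': ' . strtoupper($get['letter']);
    }
    // ENT_QUOTES also neutralises the '">' prefix used in the probe string,
    // so the value is safe in both text and attribute contexts.
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the probe string from the message and a normal letter.
$probe  = ['letter' => '"><script>alert(1)</script>'];
$normal = ['letter' => 'b'];

echo pageTitleUnsafe($probe), PHP_EOL;  // markup passes straight through
echo pageTitleSafe($probe), PHP_EOL;    // "Database List" (probe rejected)
echo pageTitleSafe($normal), PHP_EOL;   // "Database List: B"
```

The allowlist check is what rejects the probe; the htmlspecialchars() call is the second layer that would still encode it if the check were ever loosened.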

Andrew Darby

Jun 15, 2012, 3:14:49 PM
to subjec...@googlegroups.com
Oops, I didn't realize I was responding to the whole list. But since
I am . . . I've gone through all the sites, and the only ones with
this vulnerability appear to be showing up in that pastebin link.
Wouldn't hurt to double-check your databases.php page, trying out those
test XSS attacks.

On Fri, Jun 15, 2012 at 3:07 PM, Andrew Darby <agd...@gmail.com> wrote:
> I'll take a look at your file, but I just checked your site and you
> seem to be okay.
>
> Andrew
>
> On Fri, Jun 15, 2012 at 3:03 PM, Catherine C Tuohy <tuo...@emmanuel.edu> wrote:
>> Hi Andrew, Diane is on vacation and I am wondering if you can take a look at our databases.php file I have attached and advise me.  Thanks so much!  Cathy
>> Catherine C. Tuohy
>> Assistant Director of Technology and Technical Services
>> Emmanuel College Library
>> 400 The Fenway
>> Boston, MA 02115
>> 617-264-7658
>> ________________________________________
>> From: subjec...@googlegroups.com [subjec...@googlegroups.com] On Behalf Of Andrew Darby [agd...@gmail.com]
>> Sent: Friday, June 15, 2012 12:30 PM
>> To: subjec...@googlegroups.com
>> Subject: [SubjectsPlus] Important: XSS Vulnerability
>> --
>> You received this message because you are subscribed to the Google Groups "SubjectsPlus" group.
>> To post to this group, send email to subjec...@googlegroups.com.
>> To unsubscribe from this group, send email to subjectsplus...@googlegroups.com.
>> For more options, visit this group at http://groups.google.com/group/subjectsplus?hl=en.
>>

Andrew Darby

Jun 15, 2012, 3:16:05 PM
to subjec...@googlegroups.com
When I say "gone through all the sites," I mean all the sites listed
on the Sites Using SubjectsPlus page on the wiki. If you're unsure or
concerned, drop me a line at agdarby AT gmail DOT com.