| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050305152523.32235.qmail@www.securityfocus.com>
Date: 5 Mar 2005 15:25:23 -0000
From: Some one <someone@...nabismail.com>
To: bugtraq@...urityfocus.com
Subject: Re: Advisory #08 - phpBB 2.0.13 Bad filtered in usercp_register.php
In-Reply-To: <20050303055339.3109.qmail@....securityfocus.com>
>phpBB 2.0.13 Bad filtered in usercp_register.php
The error isn't in usercp_register.php, it is perfectly fine that the user can set these options. The Problem is the HTML filtering in privmsg.php and viewtopic.php.
In privmsg.php you'll find these lines:
if ( !$board_config['allow_html'] )
{
if ( $user_sig != '' && $privmsg['privmsgs_enable_sig'] && $userdata['user_allowhtml'] )
{
If you look closely at the DB you'll see there is no field privmsgs_enable_sig in phpbb_privmsgs, the field is named privmsgs_attach_sig, also the $userdata['user_allowhtml'] really shouldn't be there. So change the code to:
if ( !$board_config['allow_html'] )
{
if ( $user_sig != '' && $privmsg['privmsgs_attach_sig'] )
{
and HTML filtering will work for the signature. The same goes for the viewtopic.php, find the code:
if ( !$board_config['allow_html'] )
{
if ( $user_sig != '' && $userdata['user_allowhtml'] )
{
and remove the $userdata['user_allowhtml'] so that it looks like this:
if ( !$board_config['allow_html'] )
{
if ( $user_sig != '' )
{
and HTML filtering of the signature in posts will always work when HTML is forbidden on the board.
Powered by blists - more mailing lists