Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.44.0512191906340.21856-100000@bugsbunny.castlecops.com>
Date: Mon, 19 Dec 2005 19:14:40 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: SecurityReason - sp3x <sp3x@...urityreason.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: XSS bypass in PHPNuke - FIX ?


On Tue, 20 Dec 2005, SecurityReason - sp3x wrote:

> Hi Paul
> Do you have any idea how to fix or update the PHPNuke filter against the XSS that my friend discovered?
> We were working with chaserv from nukefixes.com on this fix...
> But as you wrote on bugtraq the Fix is not very good...
> 
> Any idea for good fix ??
> 
> BTW: is http://castlecops.com working with the phpnuke team ??
> just asking :)

Hi'ya, as per my previous post you can use htmlspecialchars or 
htmlentities.  So in this case take the query and run it through 
htmlspecialchars:

$query = htmlspecialchars($query);

... _before_ you do anything with it like displaying the query back to the 
user.

-- Paul Laudanski, Microsoft MVP Windows-Security 
[cal] http://events.castlecops.com 
[de] http://de.castlecops.com 
[en] http://castlecops.com 
[wiki] http://wiki.castlecops.com 
[family] http://cuddlesnkisses.com
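The fix suggested in the reply above, as an added example that is not code from the original post or from PHPNuke: the untrusted query is encoded with htmlspecialchars() at each point where it is written back into the page, and the example also shows why ENT_QUOTES and an explicit charset are worth passing. The function names, the form markup and the sample query are assumptions constructed for the illustration.

```php
<?php
// Added example, not code from the original post or from PHPNuke. It shows
// the fix Paul describes: untrusted query text is passed through
// htmlspecialchars() before it is echoed back into the results page.

// Encode one value for insertion into HTML. ENT_QUOTES also converts single
// quotes, so the result is safe inside either "..." or '...' attribute values;
// passing the charset explicitly keeps multibyte text from being mangled.
function escHtml($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Build the fragment of a search-results page that echoes the query back.
// Each insertion point is encoded at output time, so the raw $query can still
// be handed to the database lookup (which needs its own, separate escaping).
function renderSearchHeader($query, $hits)
{
    $html  = '<form method="get" action="search.php">' . "\n";
    // Attribute context: the search box pre-filled with the previous query.
    $html .= '  <input type="text" name="query" value="' . escHtml($query) . '">' . "\n";
    $html .= "</form>\n";
    // Element body context: the query repeated in the result summary.
    $html .= '<p>' . (int) $hits . ' results for "' . escHtml($query) . '"</p>' . "\n";
    return $html;
}

// Constructed sample input standing in for $_GET['query']; it carries both a
// tag and an attribute-closing quote so that both output contexts are exercised.
$query = '"><script>alert(1)</script>';
echo renderSearchHeader($query, 0);
```

Run with `php example.php`: the quote and angle brackets come out as `&quot;`, `&lt;` and `&gt;` in both the attribute and the paragraph, so the browser renders the query as text rather than markup.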
