Author Topic: Security warning!!  (Read 1433 times)

Nash77

  • Prime Member
  • ****
  • Posts: 152
  • Karma: +12/-2
Security warning!!
« on: June 05, 2014, 06:10:57 PM »
Hey, thought I would let you know you may want to change your info.php.

Find case 'acctactiv': and add htmlspecialchars to it; see the code below.

Code:
case 'acctactiv': // activate account
    $template = 'info_acctactiv.html';
    $tplvars['page_title'] = $GLOBALS['_lang'][231];
    $tplvars['page'] = 'info_acctactiv';
    // uid is requested as TYPE_INT, so it should already be a plain integer that cannot carry markup;
    // escaping it is harmless, but the email field below is the one that matters.
    $output['uid'] = htmlspecialchars(sanitize_and_format_gpc($_GET, 'uid', TYPE_INT, 0, 0)); // Stops browser injections
    // email is a free-form string that the template echoes back into the page: HTML-escape it.
    // ENT_QUOTES also escapes single quotes, which the default flags leave alone before PHP 8.1.
    $output['email'] = htmlspecialchars(sanitize_and_format_gpc($_GET, 'email', TYPE_STRING, $__field2format[FIELD_TEXTFIELD], ''), ENT_QUOTES, 'UTF-8'); // Stops browser injections

I would tell you when you can do browser injections, but I don't want anyone reading this to know. It isn't really hard to find out, but the above will stop this from happening.
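To make the warning concrete, here is a self-contained PHP script. It is an added example, not code from the post above or from the script being discussed. It stands in for the 'acctactiv' handler with a stub sanitize_and_format_gpc() (an assumption that mirrors only the two calls in the post: TYPE_INT gives an integer, TYPE_STRING a trimmed string) and uses sprintf() in place of the template engine (also an assumption). The helper name h() and the sample activation link are made up for the demonstration. It renders a tampered email parameter both without and with htmlspecialchars() and checks that the escaped output contains no live markup:

```php
<?php
// Added example, not the original post's code and not the script's own code.
// It isolates the change the post makes: a request parameter that is
// "sanitized" for storage but then echoed into an HTML template unescaped.
// Assumptions: sprintf() stands in for the template engine, and
// sanitize_and_format_gpc() is a stub that mirrors only the two calls in the
// post (TYPE_INT -> integer, TYPE_STRING -> trimmed string). The real function
// does more, but the point is that it does not HTML-encode.

const TYPE_INT    = 1;
const TYPE_STRING = 2;

function sanitize_and_format_gpc(array $src, string $key, int $type, $format, $default)
{
    if (!isset($src[$key])) {
        return $default;
    }
    return $type === TYPE_INT ? (int) $src[$key] : trim((string) $src[$key]);
}

// Encode once, at the HTML boundary. ENT_QUOTES covers values dropped into
// single-quoted attributes (the default flags skip single quotes before PHP
// 8.1); ENT_SUBSTITUTE keeps invalid UTF-8 from silently turning the whole
// field into an empty string. h() is an assumed helper name.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for info_acctactiv.html: the activation form re-displays uid and email.
function render_acctactiv(array $get, bool $escape): string
{
    $uid   = sanitize_and_format_gpc($get, 'uid', TYPE_INT, 0, 0);
    $email = sanitize_and_format_gpc($get, 'email', TYPE_STRING, null, '');
    if ($escape) {
        $email = h($email); // the fix from the post
    }
    return sprintf(
        '<input type="hidden" name="uid" value="%d">' . "\n" .
        '<input type="text" name="email" value="%s">',
        $uid,
        $email
    );
}

// Constructed input: an activation link whose email parameter was tampered
// with so that it closes the value attribute and opens a script tag.
$crafted = [
    'uid'   => '42',
    'email' => '"><script>alert(1)</script><a b="',
];

echo "-- unescaped (vulnerable):\n", render_acctactiv($crafted, false), "\n\n";
echo "-- htmlspecialchars() applied (fixed):\n", render_acctactiv($crafted, true), "\n\n";

// Self-check: after encoding, the raw '<' and '"' from the parameter are gone,
// so the browser sees a text value rather than markup.
$fixed = render_acctactiv($crafted, true);
assert(strpos($fixed, '<script') === false);
assert(strpos($fixed, '&lt;script&gt;') !== false);
echo "self-check passed\n";
```

Run it with `php example.php`. The unescaped rendering shows the attribute being closed and a script element appearing in the page; the escaped one shows the same characters as `&quot;&gt;&lt;script&gt;...`. Note that the uid field needs no escaping once TYPE_INT has turned it into an integer, which is why the post's change to the email line is the one that closes the hole; the same rule applies to every other TYPE_STRING value that a page hands to its template.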

amare

  • Confirmed Member
  • **
  • Posts: 16
  • Karma: +0/-0
Re: Security warning!!
« Reply #1 on: June 17, 2014, 08:14:31 PM »
Is this something important that needs to be done? I have no idea about browser injections, so I don't understand it. Is there a threat to my website?

Thanks Nash77 for this information.

sante

  • Active Member
  • ***
  • Posts: 26
  • Karma: +0/-0
Re: Security warning!!
« Reply #2 on: October 08, 2016, 03:07:59 PM »
I just had someone trying to do an injection attack on my contact.php.

On a closer look I noticed this page has an input with sanitize_and_format_gpc() but no htmlspecialchars(). I've deleted my contact.php to be safe, but wanted to warn others to look at this to be on the safe side too.
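The check sante describes, looking for template values that come out of sanitize_and_format_gpc() with no htmlspecialchars() around them, is easy to run over every page rather than one at a time. The following shell script is an added example, not code from the thread or from the script itself; it greps a PHP file for `$output[...] = sanitize_and_format_gpc(...)` lines and drops the TYPE_INT ones, which are integer-typed and cannot carry markup. The sample contact.php it writes is constructed here, with only the shape of the lines taken from the post above:

```sh
#!/bin/sh
# Added audit helper; not from the post or the script's own code. It lists the
# lines in a PHP file that assign a sanitize_and_format_gpc() result straight to
# $output[...] (the template variables) with no htmlspecialchars() around it.
# TYPE_INT values are skipped: an integer-cast value cannot carry markup.

audit_unescaped_output() {
    # $1 = path to a PHP file; prints "lineno:line" for each candidate.
    # The first grep wants the function call right after the '=', which is
    # exactly the case an htmlspecialchars( wrapper would break up.
    grep -n 'output\[.*][[:space:]]*=[[:space:]]*sanitize_and_format_gpc(' "$1" \
        | grep -v 'TYPE_INT'
}

count_unescaped() {
    # Number of candidate lines, for scripting and for the self-check below.
    audit_unescaped_output "$1" | wc -l | tr -d ' '
}

# Constructed stand-in for contact.php (assumption: only the line shape is taken
# from the thread; the real file differs).
sample="${TMPDIR:-/tmp}/contact_sample.$$.php"
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
<?php
$output['uid']=htmlspecialchars(sanitize_and_format_gpc($_GET,'uid',TYPE_INT,0,0));
$output['email']=sanitize_and_format_gpc($_GET,'email',TYPE_STRING,$__field2format[FIELD_TEXTFIELD],'');
$output['subject']=sanitize_and_format_gpc($_POST,'subject',TYPE_STRING,$__field2format[FIELD_TEXTFIELD],'');
$output['message']=htmlspecialchars(sanitize_and_format_gpc($_POST,'message',TYPE_STRING,$__field2format[FIELD_TEXTAREA],''));
$output['page_id']=sanitize_and_format_gpc($_GET,'page_id',TYPE_INT,0,0);
EOF

echo "Unescaped string parameters reaching the template in $sample:"
audit_unescaped_output "$sample"
# To audit a whole install instead: for f in *.php; do audit_unescaped_output "$f"; done
```

On the constructed sample this reports the email and subject lines and nothing else. The output is a list of candidates, not confirmed holes: a value could still be escaped later by the template layer (the thread does not say whether this script's templates do that), and the grep does not see values that reach `$output` from the database rather than from `$_GET`/`$_POST`, so treat it as a starting point for reading each page.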