From a2bd77ef5865d7316741d0638acada7f1f65356f Mon Sep 17 00:00:00 2001
From: Mufeed VH
Date: Tue, 4 Feb 2020 01:02:16 +0530
Subject: [PATCH 1/2] Fix for the Cross-site Scripting (XSS) Vulnerability
---
 htdocs/filefunc.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 18e2992930c..576e6645cb2 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -165,7 +165,7 @@ if (! defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck))
 if ($csrfattack)
 {
 //print 'NOCSRFCHECK='.defined('NOCSRFCHECK').' REQUEST_METHOD='.$_SERVER['REQUEST_METHOD'].' HTTP_HOST='.$_SERVER['HTTP_HOST'].' HTTP_REFERER='.$_SERVER['HTTP_REFERER'];
- print "Access refused by CSRF protection in main.inc.php. Referer of form (".$_SERVER['HTTP_REFERER'].") is outside the server that serve this page (with method = ".$_SERVER['REQUEST_METHOD'].").\n";
+ print "Access refused by CSRF protection in main.inc.php. Referer of form (".htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8').") is outside the server that serve this page (with method = ".$_SERVER['REQUEST_METHOD'].").\n";
 print "If you access your server behind a proxy using url rewriting, you might check that all HTTP headers are propagated (or add the line \$dolibarr_nocsrfcheck=1 into your conf.php file to remove this security check).\n";
 die;
 }
From 2419f122c4d99aead80410347054db7e30f089ee Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 3 Feb 2020 23:10:04 +0000
Subject: [PATCH 2/2] referer XSS patches
---
 htdocs/comm/action/card.php | 4 ++--
 htdocs/public/error-401.php | 2 +-
 htdocs/public/error-404.php | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index c17f9cc9c1b..28241363798 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
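Review bot: `$_SERVER['REQUEST_METHOD']` in the same print still reaches the output unescaped, so the line this commit treats as HTML now encodes one request-derived value but not the other; apply the same encoding, `htmlspecialchars($_SERVER['REQUEST_METHOD'], ENT_QUOTES, 'UTF-8')`, so the guarantee holds for the whole message. Without ENT_SUBSTITUTE, htmlspecialchars() returns an empty string when the Referer is not valid UTF-8, which is safe but silently blanks the diagnostic this message exists to give; `ENT_QUOTES | ENT_SUBSTITUTE` keeps it readable. The branch ends in `die;` right after the print, so unless a status was set earlier the refusal goes out as a 200 and is invisible to proxies and log-based detection; a `http_response_code(403);` before the first print would fix that. The message still names main.inc.php although the hunk is in filefunc.inc.php.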
@@ -840,7 +840,7 @@ if ($action == 'create')
 print '';
 print '';
 print '';
- if ($backtopage) print '';
+ if ($backtopage) print '';
 if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '';
 if (GETPOST("actioncode", 'aZ09') == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda');
@@ -1249,7 +1249,7 @@ if ($id > 0)
 print '';
 print '';
 print '';
- if ($backtopage) print '';
+ if ($backtopage) print '';
 if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '';
 dol_fiche_head($head, 'card', $langs->trans("Action"), 0, 'action');
diff --git a/htdocs/public/error-401.php b/htdocs/public/error-401.php
index d6a6ed548ff..ac921fc9f78 100644
--- a/htdocs/public/error-401.php
+++ b/htdocs/public/error-401.php
@@ -21,7 +21,7 @@ Sorry. You are not allowed to access this resource.
- +
diff --git a/htdocs/public/error-404.php b/htdocs/public/error-404.php
index 36547d26704..34a4ac03e9e 100644
--- a/htdocs/public/error-404.php
+++ b/htdocs/public/error-404.php
@@ -21,7 +21,7 @@ You requested a website or a page that does not exists.
- +