Light cross-site scripting vulnerability fix
abantecart:
A light cross-site scripting vulnerability has been detected in AbanteCart.
The detected vulnerability does not cause any harm to AbanteCart or its content.
To fix the problem, please read below.
Affected versions: up to 1.1.3
About the risk: this is a low-risk cross-site scripting vulnerability. No potential harm to code, database or server structure.
About the fix:
The fix is only one file, which can be replaced or changed manually.
Option 1 (version 1.1.3):
Locate the file /core/engine/html.php and replace it with the attached file.
Option 2 (prior to version 1.1.3):
Locate and open the file /core/engine/html.php
Locate the code below (about line 114):
--- Code: --- public function removeQueryVar($url, $vars) {
    // Split the URL into path and query string, then parse the query
    list($url_part, $q_part) = explode('?', $url);
    parse_str($q_part, $q_vars);
    if (!is_array($vars)) {
        $vars = array( $vars );
    }
    // Drop the requested variables
    foreach ($vars as $v) {
        unset($q_vars[ $v ]);
    }
    // The remaining values are rebuilt and urldecoded without any sanitizing,
    // so HTML metacharacters in the query reach the page as-is
    $new_qs = urldecode(http_build_query($q_vars));
    return $url_part . '?' . $new_qs;
}
--- End code ---
Replace it with the code below:
--- Code: --- public function removeQueryVar($url, $vars) {
    // Split the URL into path and query string, then parse the query
    list($url_part, $q_part) = explode('?', $url);
    parse_str($q_part, $q_vars);
    if (!is_array($vars)) {
        $vars = array( $vars );
    }
    // Drop the requested variables
    foreach ($vars as $v) {
        unset($q_vars[ $v ]);
    }
    // Clean every remaining value before the query string is rebuilt
    foreach ($q_vars as $key => $value) {
        $q_vars[$key] = $this->request->clean($value);
    }
    $new_qs = urldecode(http_build_query($q_vars));
    return $url_part . '?' . $new_qs;
}
--- End code ---
This issue is thoroughly addressed and eliminated in the coming version of AbanteCart.
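An added stand-alone illustration of what the patch changes (example code, not AbanteCart's own): the method is reproduced outside the framework so the unsanitized and sanitized outputs can be compared. It assumes that `$this->request->clean()` escapes HTML metacharacters the way `htmlspecialchars()` does, and the helper names `cleanValue`/`removeQueryVar` with a `$sanitize` switch are this example's own.

```php
<?php
// Assumption: AbanteCart's request->clean() behaves like htmlspecialchars().
// Arrays (e.g. a[]=1&a[]=2) are cleaned element by element.
function cleanValue($value) {
    if (is_array($value)) {
        return array_map('cleanValue', $value);
    }
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// $sanitize = false reproduces the original code, true reproduces the fix.
function removeQueryVar($url, $vars, $sanitize) {
    // Split into path and query; guard the case where no '?' is present
    $parts    = explode('?', $url, 2);
    $url_part = $parts[0];
    $q_part   = isset($parts[1]) ? $parts[1] : '';
    parse_str($q_part, $q_vars);

    if (!is_array($vars)) {
        $vars = array($vars);
    }
    // Drop the requested variables
    foreach ($vars as $v) {
        unset($q_vars[$v]);
    }
    // The patched code cleans every remaining value at this point
    if ($sanitize) {
        foreach ($q_vars as $key => $value) {
            $q_vars[$key] = cleanValue($value);
        }
    }
    // urldecode() restores the raw characters http_build_query() encoded,
    // which is why unescaped values reach the page in the original version
    $new_qs = urldecode(http_build_query($q_vars));
    return $url_part . '?' . $new_qs;
}

// Constructed input: a query value that carries HTML metacharacters
$url = 'http://shop.example/index.php?rt=product/product&page=2&keyword=<b>x</b>';

echo "before the fix: ", removeQueryVar($url, 'page', false), "\n";
echo "after the fix:  ", removeQueryVar($url, 'page', true), "\n";
```

Running it prints the rebuilt URL twice: in the first line the markup in `keyword` survives verbatim, in the second it is escaped, which is the whole effect of the one-loop patch.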
DamonPadilla:
--- Quote from: abantecart on February 16, 2013, 02:55:47 PM ---A light cross-site scripting vulnerability has been detected in AbanteCart.
The detected vulnerability does not cause any harm to AbanteCart or its content.
To fix the problem, please read below.
--- End quote ---
Thanks for sharing the code. I am facing a similar vulnerability and now I think my problem is solved. Thanks again.