fernando/luos
1
0
Fork 0
Code Releases Activity

I solved XSS in Thirdparty files

Browse Source
This commit is contained in:
Paula V. Quispe
2015-04-06 16:54:57 -04:00
parent 4824edcf80
commit ec26547def
9 changed files with 45 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
workflow/engine/controllers/adminProxy.php
View File

@@ -1086,6 +1086,8 @@ class adminProxy extends HttpProxyController
} elseif ($files_img_type != '') {
$failed = "1";
}
$uploaded = $filter->validateInput($uploaded,'int');
$files_img_type = $filter->xssFilterHard($files_img_type);
echo '{success: true, failed: ' . $failed . ', uploaded: ' . $uploaded . ', type: "' . $files_img_type . '"}';
exit();
}

9
workflow/engine/methods/controls/buscador.php
View File

@@ -22,14 +22,15 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
$frm = $HTTP_GET_VARS;
G::LoadSystem('inputfilter');
$filter = new InputFilter();
?>
<h1>demo de buscador</h1>
<form method=post action="buscador2.php">
<input type=hidden name=ticket value="<?php echo $frm['ticket'] ?>"> <input
type=hidden name=tipo value="<?php echo $frm['tipo'] ?>">
Buscador tipo : <?php echo $frm['tipo'] ?><br>
<input type=hidden name=ticket value="<?php echo $filter->xssFilterHard($frm['ticket']) ?>"> <input
type=hidden name=tipo value="<?php echo $filter->xssFilterHard($frm['tipo']) ?>">
Buscador tipo : <?php echo $filter->xssFilterHard($frm['tipo']) ?><br>
<table>
<tr>

4
workflow/engine/methods/oauth2/grant.php
View File

@@ -14,7 +14,7 @@ $code = empty($_GET['code']) ? 'NN' : $_GET['code'];
$clientId = 'x-pm-local-client';
$secret = '179ad45c6ce2cb97cf1029e212046e81';
$userPwd = $clientId.':'.$secret;
$data = array(
'grant_type' => 'authorization_code',
'code' => $code
@@ -23,7 +23,7 @@ $data = array(
$ch = curl_init($endpoint);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_USERPWD, $clientId.':'.$secret);
curl_setopt($ch, CURLOPT_USERPWD, $userPwd);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);

2
workflow/engine/methods/services/login_getStarted.php
View File

@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
$oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
*/
$userName = 'admin';
$userPass = 'The password introduced at the time of installing the application. (If you did not change the password by default is "admin")';
$userPass = "The password introduced at the time of installing the application. (If you did not change the password by default is $userName)";
if(isset($_SESSION['NW_PASSWORD'])){
if($_SESSION['NW_PASSWORD'] != ''){
$userPass = $_SESSION['NW_PASSWORD'];

4
workflow/engine/methods/setup/webServicesAjax.php
View File

@@ -1510,8 +1510,8 @@ try {
die();
break;
default:
$_POST = $filter->xssFilterHard($_POST);
print_r( $_POST );
$post = $filter->xssFilterHard($_POST);
print_r( $post );
}
}