2011-02-25, 07:14 PM
(This post was last modified: 2011-02-25, 07:15 PM by NewEraCracker.)
Hello.
I've installed this plugin on my board. Unfortunately today a hacker used it to do an XSS attack by placing HTML code in the topic title.
I'd suggest you take a look at line 133 of \inc\plugins\recenttopicsindex.php
<a href="showthread.php?tid=' . $threadRow['tid'] . '&action=lastpost">' . $subject .'</a> ' . $lang->recenttopics_by . (!empty($threadRow['lastposteruid']) ? ' <a href="member.php?action=profile&uid=' . $threadRow['lastposteruid'] . '">' . $threadRow['lastposter'] . '</a>' : $threadRow['lastposter']) . ' (<a href="forumdisplay.php?fid=' . $threadRow['fid'] . '">' . $threadRow['name'] . '</a>)
$subject should be changed to htmlspecialchars($subject)
Regards,
NewEraCracker.
-- NewEraCracker
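The following is an added example, not the plugin's code and not part of the post above. It places the quoted line 133 rendering beside a version that applies the fix the post suggests (htmlspecialchars on $subject) and extends it to the other user-controlled fields on the same line. The $threadRow array and $lang object are constructed stand-ins for what the plugin reads from MyBB; the helper h() and the ENT_QUOTES flag and integer casts are assumptions about how a maintainer would harden the line, not code from the plugin.

```php
<?php
// Added example (not the plugin's code): compare the unescaped link rendering
// quoted in the post with an output-escaped version of the same line.

// Constructed sample data standing in for one row of the plugin's thread query.
// The subject deliberately contains markup and an ampersand so the effect of
// escaping is visible; the other fields are hypothetical values.
$threadRow = [
    'tid'           => 42,
    'fid'           => 7,
    'name'          => 'General Discussion',
    'subject'       => 'Sale <b>today</b> & tomorrow',
    'lastposter'    => 'alice',
    'lastposteruid' => 3,
];
$lang = new stdClass();
$lang->recenttopics_by = 'by';

// Escape a value for an HTML text node or attribute. ENT_QUOTES covers both
// quote characters, which matters when a value lands inside an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders the link the way the post describes line 133: $subject is inserted
// verbatim, so any markup stored in a topic title reaches the browser as markup.
function renderUnescaped(array $threadRow, object $lang): string
{
    $subject = $threadRow['subject'];
    $poster  = !empty($threadRow['lastposteruid'])
        ? ' <a href="member.php?action=profile&uid=' . $threadRow['lastposteruid'] . '">' . $threadRow['lastposter'] . '</a>'
        : $threadRow['lastposter'];
    return '<a href="showthread.php?tid=' . $threadRow['tid'] . '&action=lastpost">' . $subject . '</a> '
        . $lang->recenttopics_by . $poster
        . ' (<a href="forumdisplay.php?fid=' . $threadRow['fid'] . '">' . $threadRow['name'] . '</a>)';
}

// The same line with every user-controlled string escaped at the point of
// output and the numeric ids cast to int so they can carry nothing but digits.
function renderEscaped(array $threadRow, object $lang): string
{
    $subject = h($threadRow['subject']);
    $poster  = !empty($threadRow['lastposteruid'])
        ? ' <a href="member.php?action=profile&amp;uid=' . (int) $threadRow['lastposteruid'] . '">' . h($threadRow['lastposter']) . '</a>'
        : h($threadRow['lastposter']);
    return '<a href="showthread.php?tid=' . (int) $threadRow['tid'] . '&amp;action=lastpost">' . $subject . '</a> '
        . h($lang->recenttopics_by) . $poster
        . ' (<a href="forumdisplay.php?fid=' . (int) $threadRow['fid'] . '">' . h($threadRow['name']) . '</a>)';
}

// Simple check a maintainer can run: does the rendered HTML still contain the
// raw tag that was stored in the title?
function containsRawTag(string $html, string $tag): bool
{
    return strpos($html, '<' . $tag . '>') !== false;
}

echo renderUnescaped($threadRow, $lang), PHP_EOL;
echo renderEscaped($threadRow, $lang), PHP_EOL;
var_dump(containsRawTag(renderUnescaped($threadRow, $lang), 'b'));
var_dump(containsRawTag(renderEscaped($threadRow, $lang), 'b'));
```

Escaping belongs at the point where the value is written into HTML, which is why the example escapes inside the render function rather than when the row is read; the same row may be reused in contexts (a plain-text feed, a database query) where HTML entities would be wrong.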