XSS in piCal-0.91h

Date 2009-02-23 04:40:20 | Category: XOOPS

An XSS vulnerability has been found in piCal-0.91h.

You should choose just ONE of these actions:

(1) Update piCal to the latest version (>= 0.92)
- recommended for site owners using piCal as is

(2) Overwrite just piCal/index.php with the one from the latest archive
- recommended for site owners using piCal with some hacks

(3) Patch piCal/index.php manually
- recommended for experts; it's an easy patch

Line 154 in index.php (the first line below is the original; replace it with the second line):

		$xoopsTpl->assign( 'print_link' , "$mod_url/print.php?event_id={$_GET['event_id']}&action=View" ) ;
		$xoopsTpl->assign( 'print_link' , "$mod_url/print.php?event_id=".intval($_GET['event_id'])."&action=View" ) ;
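The effect of the manual patch, as an added example that is not piCal's own code: the two hypothetical helpers below build the same string as line 154 before and after the fix, using constructed request values and a placeholder module URL.

```php
<?php
// Added illustration, not part of piCal. The helper names, $mod_url value and
// sample inputs are constructed; only the string format comes from line 154.

function print_link_before(string $mod_url, array $get): string
{
    // Original line: the raw request value is interpolated into the link.
    return "$mod_url/print.php?event_id={$get['event_id']}&action=View";
}

function print_link_after(string $mod_url, array $get): string
{
    // Patched line: intval() keeps only a leading integer (or yields 0),
    // so quotes, angle brackets and extra parameters cannot survive.
    return "$mod_url/print.php?event_id=" . intval($get['event_id']) . "&action=View";
}

$mod_url = 'http://example.com/modules/piCal';   // placeholder URL
$samples = [                                      // constructed inputs
    'normal id'       => ['event_id' => '42'],
    'markup appended' => ['event_id' => '42"><b>injected</b>'],
    'extra parameter' => ['event_id' => '42&action=Other'],
    'non-numeric'     => ['event_id' => 'abc'],
];

// Shape every patched link must have, whatever the request contained.
$expected = '#^http://example\.com/modules/piCal/print\.php\?event_id=-?\d+&action=View$#';

foreach ($samples as $label => $get) {
    $before = print_link_before($mod_url, $get);
    $after  = print_link_after($mod_url, $get);

    echo "[$label]\n  before: $before\n  after:  $after\n";

    if (preg_match($expected, $after) !== 1) {
        throw new RuntimeException("patched link has unexpected shape: $after");
    }
}
```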


If you use Protector with "enable anti-XSS (BigUmbrella)" turned on, you don't need to worry about it. The "anti-XSS" feature can protect against attacks via XSS entirely.

In any case, you should update piCal if you use an older version.

And I strongly recommend turning "enable anti-XSS (BigUmbrella)" on, even if you use piCal.




You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=476