From 62f8b3aa56b287cb0f451c5c431085857bafd5fb Mon Sep 17 00:00:00 2001 From: Andre Lorbach Date: Tue, 19 Jun 2012 11:42:36 +0200 Subject: [PATCH 1/2] Fixed cross-site scripting vulnerability of highlight parameter on index.php page --- src/index.php | 32 ++++++++++++++++++-------------- src/templates/index.html | 4 ++-- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/src/index.php b/src/index.php index 2f41b3f..4001f94 100644 --- a/src/index.php +++ b/src/index.php @@ -118,6 +118,7 @@ $content['sorting'] = ""; $content['searchstr'] = ""; $content['searchstr_htmlform'] = ""; $content['highlightstr'] = ""; +$content['highlightstr_htmlform'] = ""; $content['EXPAND_HIGHLIGHT'] = "false"; // --- Read and process filters from search dialog! @@ -136,18 +137,21 @@ if ( (isset($_POST['search']) || isset($_GET['search'])) || (isset($_POST['filte // Optionally read highlight words if ( isset($_POST['highlight']) ) - $content['highlightstr'] = $_POST['highlight']; - else if ( isset($_GET['highlight']) ) - $content['highlightstr'] = $_GET['highlight']; - -// else if ( $mysearch == $content['LN_SEARCH']) { - // Message is just appended - if ( isset($myfilter) && strlen($myfilter) > 0 ) - { - $content['searchstr'] = $myfilter; - $content['searchstr_htmlform'] = htmlspecialchars($myfilter); - } + $content['highlightstr'] = $_POST['highlight']; + $content['highlightstr_htmlform'] = htmlspecialchars($_POST['highlight']); + } + else if ( isset($_GET['highlight']) ) + { + $content['highlightstr'] = $_GET['highlight']; + $content['highlightstr_htmlform'] = htmlspecialchars($_GET['highlight']); + } + + // Message is just appended + if ( isset($myfilter) && strlen($myfilter) > 0 ) + { + $content['searchstr'] = $myfilter; + $content['searchstr_htmlform'] = htmlspecialchars($myfilter); } if ( strlen($content['highlightstr']) > 0 ) 
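Review bot: The new `htmlspecialchars($_POST['highlight'])` and `htmlspecialchars($_GET['highlight'])` calls rely on the default flags, which on the PHP versions current for this 2012 code leave single quotes unescaped, so if `{highlightstr_htmlform}` ever lands in a single-quoted attribute in the template the attribute can still be broken out of. Pass explicit flags and charset in both branches: `$content['highlightstr_htmlform'] = htmlspecialchars($_POST['highlight'], ENT_QUOTES, 'UTF-8');` and likewise for `$_GET['highlight']`. The opening brace after `if ( isset($_POST['highlight']) )` is not visible in this rendering of the hunk, presumably lost when the lines were collapsed, so it is worth confirming the applied patch parses. The unescaped value is still retained in `$content['highlightstr']`, which is only safe as long as every later consumer escapes it itself; the enclosing search/filter `if` block begins above this hunk.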
@@ -159,7 +163,7 @@ if ( (isset($_POST['search']) || isset($_GET['search'])) || (isset($_POST['filte if ( strpos($content['highlightstr'], ",") === false) { - $content['highlightwords'][0]['highlight_raw'] = $content['highlightstr']; + $content['highlightwords'][0]['highlight_html'] = htmlspecialchars($content['highlightstr']); $content['highlightwords'][0]['highlight'] = str_replace( $searchArray, $replaceArray, $content['highlightstr']); $content['highlightwords'][0]['cssclass'] = "highlight_1"; $content['highlightwords'][0]['htmlcode'] = '' . $content['highlightwords'][0]['highlight']. ''; @@ -169,12 +173,12 @@ if ( (isset($_POST['search']) || isset($_GET['search'])) || (isset($_POST['filte // Split array into words $tmparray = explode( ",", $content['highlightstr'] ); foreach( $tmparray as $word ) - $content['highlightwords'][]['highlight_raw'] = $word; + $content['highlightwords'][]['highlight_html'] = htmlspecialchars($word); // Assign other variables needed for this array entry for ($i = 0; $i < count($content['highlightwords']); $i++) { - $content['highlightwords'][$i]['highlight'] = str_replace( $searchArray, $replaceArray, $content['highlightwords'][$i]['highlight_raw']); + $content['highlightwords'][$i]['highlight'] = str_replace( $searchArray, $replaceArray, $content['highlightwords'][$i]['highlight_html']); $content['highlightwords'][$i]['cssclass'] = "highlight_" . ($i+1); $content['highlightwords'][$i]['htmlcode'] = '' . $content['highlightwords'][$i]['highlight']. ''; } diff --git a/src/templates/index.html b/src/templates/index.html index dfdd9ee..10f32b7 100644 --- a/src/templates/index.html +++ b/src/templates/index.html @@ -65,7 +65,7 @@ - + @@ -75,7 +75,7 @@ - +
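Review bot: In the single-word branch the escaped copy is stored in `highlight_html`, but the unchanged next line still computes `highlight` (and therefore `htmlcode`) from the unescaped `$content['highlightstr']`, so the markup built for a single highlight word still carries raw user input, while the multi-word branch in the following hunk escapes before the replacement. Make the two paths consistent: `$content['highlightwords'][0]['highlight'] = str_replace( $searchArray, $replaceArray, $content['highlightwords'][0]['highlight_html']);`. Where `htmlcode` is finally rendered is outside this hunk, so whether that path is reachable for XSS cannot be confirmed from here, but the asymmetry is real.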
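Review bot: The `str_replace( $searchArray, $replaceArray, ...)` in the loop now runs on the already HTML-escaped word, and `$searchArray`/`$replaceArray` are defined above the hunk, so nothing here guarantees they do not reintroduce `<`, `>`, `&` or `"` after escaping or collide with the `&amp;`/`&lt;` sequences that escaping produces. If the resulting `highlight` is later matched against unescaped message text, words containing those characters will silently stop matching; a comment pinning the contract would help, e.g. `// highlight_html is already HTML-escaped: $searchArray/$replaceArray must not emit raw markup characters`. Note also that the `highlight_raw` key is dropped entirely, so any template or include other than src/templates/index.html that still references it will render empty.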
{highlight_raw}{highlight_html}
From 9c127f67521f000628e7d18c0502a65892d27399 Mon Sep 17 00:00:00 2001 From: Andre Lorbach Date: Tue, 19 Jun 2012 11:44:36 +0200 Subject: [PATCH 2/2] Added changelog entry and incremented version history --- ChangeLog | 5 +++++ src/include/functions_common.php | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e7f6711..84da3ea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +--------------------------------------------------------------------------- +Version 3.4.4 (stable), 2012-06-19 +- Fixed cross-site scripting vulnerability of highlight parameter + on index.php page. + --------------------------------------------------------------------------- Version 3.4.3 (stable), 2012-05-22 - Fixed several security vulnerabilities discovered by Filippo Cavallarin. diff --git a/src/include/functions_common.php b/src/include/functions_common.php index c8616db..e72fa73 100644 --- a/src/include/functions_common.php +++ b/src/include/functions_common.php @@ -66,7 +66,7 @@ $LANG_EN = "en"; // Used for fallback $LANG = "en"; // Default language // Default Template vars -$content['BUILDNUMBER'] = "3.4.3"; +$content['BUILDNUMBER'] = "3.4.4"; $content['UPDATEURL'] = "http://loganalyzer.adiscon.com/files/version.txt"; $content['TITLE'] = "Adiscon LogAnalyzer :: Release " . $content['BUILDNUMBER']; // Default page title $content['BASEPATH'] = $gl_root_path;