diff --git a/ChangeLog b/ChangeLog
index c633d5e..f967de0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,10 @@
---------------------------------------------------------------------------
+Version 4.1.12 (stable), 2021-04-29
+---------------------------------------------------------------------------
+- Secured username field against XSS attacks, thanks for reporting to:
+ Michael Strametz of SySS Cyber Security GmbH (Austria).
+- UserDB: Allow NULL value for defaultfilter fields, updated to v13
+---------------------------------------------------------------------------
Version 4.1.11 (stable), 2020-07-09
- ThirdParty: Updated jpgraph to 4.3.1 (2020-04-24)
- Thanks to Javier Pastor for the following fixes and changes:
diff --git a/src/include/functions_users.php b/src/include/functions_users.php
index 216947d..b84cabe 100644
--- a/src/include/functions_users.php
+++ b/src/include/functions_users.php
@@ -283,7 +283,7 @@ function CheckUserLogin( $username, $password )
}
*/
if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
- DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . $username . "'
Sessionarray
" . var_export($_SESSION, true) . "");
+ DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . htmlspecialchars($username) . "'
" . var_export($_SESSION, true) . "");
 // Default return false
 return false;
diff --git a/src/login.php b/src/login.php
index acbbe31..6475040 100644
--- a/src/login.php
+++ b/src/login.php
@@ -65,8 +65,7 @@ else
 $szRedir = "index.php"; // Default
 $szRedir = SecureRedirect($szRedir);
-if ( isset($_POST['op']) && $_POST['op'] == "login" )
-{
+if ( isset($_POST['op']) && $_POST['op'] == "login" ) {
 // Perform login!
 if ( $_POST['op'] == "login" )
 {
@@ -74,29 +73,24 @@ if ( isset($_POST['op']) && $_POST['op'] == "login" )
 (isset($_POST['uname']) && strlen($_POST['uname']) > 0)
 &&
 (isset($_POST['pass']) && strlen($_POST['pass']) > 0)
- )
- {
- // Set Username and password
- $content['uname'] = DB_RemoveBadChars($_POST['uname']);
- $content['pass'] = $_POST['pass']; // RAW Copy of password string, otherwise passwords with special characters can be broken.
+ ) {
+ // Copy Username and password for template system
+ $content['uname'] = htmlspecialchars(DB_RemoveBadChars($_POST['uname'])); // URL Decode the username to avoid XSS issues!
+ $content['pass'] = htmlspecialchars($_POST['pass']); // RAW Copy of password string, otherwise passwords with special characters can be broken.
- if ( !CheckUserLogin( $content['uname'], $content['pass']) )
- {
+ // Use raw properties for database login check
+ if ( !CheckUserLogin( DB_RemoveBadChars($_POST['uname']), $_POST['pass']) ) {
 $content['ISERROR'] = "true";
 $content['ERROR_MSG'] = $content['LN_LOGIN_ERRWRONGPASSWORD'];
 }
 else
 RedirectPage( urldecode($szRedir) );
- }
- else
- {
+ } else {
 $content['ISERROR'] = "true";
 $content['ERROR_MSG'] = $content['LN_LOGIN_USERPASSMISSING'];
 }
 }
-}
-else if ( isset($_GET['op']) && $_GET['op'] == "logoff" )
-{
+} else if ( isset($_GET['op']) && $_GET['op'] == "logoff" ) {
 // logoff in this case
 DoLogOff();
 }
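Review bot: The `var_export($_SESSION, true)` dump in the new `DieWithFriendlyErrorMsg` call is still concatenated into the message unencoded, so only the username half of this debug string is protected. Session contents can include values that originated from the client, so the dump should get the same treatment, e.g. `htmlspecialchars(var_export($_SESSION, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the username call should pass the same explicit flags because the default before PHP 8.1 leaves single quotes unencoded. Whether DieWithFriendlyErrorMsg encodes its argument itself is not visible here, and CheckUserLogin starts and ends outside the hunk. A comment above the `DebugUserLogin` check stating that this branch returns session data to an unauthenticated client and must stay disabled in production would also help.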
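Review bot: Both new `htmlspecialchars()` calls in the second login.php hunk rely on the default flags, which before PHP 8.1 do not encode single quotes, so a template that places `uname` inside a single-quoted attribute would still be exposed; pass them explicitly, `htmlspecialchars(DB_RemoveBadChars($_POST['uname']), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The login template is not part of this diff, so that is a hedge rather than a confirmed gap. Copying the submitted password into `$content['pass']` makes it available to be rendered back into the response; unless the template needs it, dropping that assignment is safer than encoding it. The trailing comments are now misleading, since the first line HTML-encodes rather than URL-decodes and the second is no longer a raw copy; I would reword both to something like `// HTML-encoded for template output only; the login check below uses the raw POST values`.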