Fixed Cross site scripting issue of id parameter on admin/searches.php page

This commit is contained in:
Andre Lorbach 2012-05-22 12:12:45 +02:00
parent 2e62839897
commit a0ffd04bfb


@ -120,7 +120,7 @@ if ( isset($_GET['op']) )
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SEARCHID'] = DB_RemoveBadChars($_GET['id']);
$content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
$sqlquery = "SELECT * " .
" FROM " . DB_SEARCHES .
@ -183,7 +183,7 @@ if ( isset($_GET['op']) )
if ( isset($_GET['id']) )
{
//PreInit these values
$content['SEARCHID'] = DB_RemoveBadChars($_GET['id']);
$content['SEARCHID'] = strip_tags(DB_RemoveBadChars($_GET['id']));
// Get UserInfo
$result = DB_Query("SELECT DisplayName FROM " . DB_SEARCHES . " WHERE ID = " . $content['SEARCHID'] );
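Review bot: Wrapping the value in strip_tags() (here and in the identical line of the first hunk) sanitises at the point of input, but the same SEARCHID is then concatenated unquoted into the WHERE clause on the last line of this hunk, and strip_tags() leaves quote characters and other HTML-significant text untouched, so neither the rendering nor the query is actually constrained by this change. The durable fix is to escape at the output side, `htmlspecialchars($content['SEARCHID'], ENT_QUOTES, 'UTF-8')` wherever the value is echoed into the page, and to validate the input to the type the column holds; if the ID column is numeric, `$content['SEARCHID'] = (int) $_GET['id'];` would remove both the script-injection and the query-concatenation concern in one step. What DB_RemoveBadChars() strips is not visible in this diff, so whether the query line is safe as written cannot be confirmed from here; a bound parameter in DB_Query() would make it independent of that helper. The enclosing `if ( isset($_GET['id']) )` block continues past the end of the hunk, and the first hunk's $sqlquery is likewise cut off before the WHERE clause, so the same check applies there.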