Changeset 704 for trunk/phpbms/modules/base/adminsettings.php

Timestamp:

01/01/10 23:10:02 (2 years ago)

Author:

brieb

Message:

• Fixed several SQL injection vulnerabilities
• Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI
• Fixed severa path disclosure errors

Files:

• trunk/phpbms/modules/base/adminsettings.php (modified) (2 diffs)

trunk/phpbms/modules/base/adminsettings.php

@@ -145 +145 @@
 ?>
 <div class="bodyline">
-    <form action="<?php echo $_SERVER["PHP_SELF"]?>" method="post" enctype="multipart/form-data" id="record" name="record" onsubmit="return false;">
+    <form action="<?php echo htmlentities($_SERVER["PHP_SELF"]); ?>" method="post" enctype="multipart/form-data" id="record" name="record" onsubmit="return false;">
     <input type="hidden" id="command" name="command" value="save"/>
 
@@ -270 +270 @@
                     <div class="fauxP">
                         print logo
-                        <div id="graphicHolder"><img alt="logo" src="<?php echo APP_PATH?>dbgraphic.php?t=files&amp;f=file&amp;mf=type&amp;r=1" /></div>
+                        <div id="graphicHolder"><img alt="logo" src="<?php echo APP_PATH?>dbgraphic.php?t=file&amp;r=1" /></div>
                     </div>