The following warnings occurred:
Warning [2] Undefined array key "avatartype" - Line: 783 - File: global.php PHP 8.1.31 (Linux)
File Line Function
/global.php 783 errorHandler->error
/showthread.php 26 require_once
Warning [2] Undefined array key "avatartype" - Line: 783 - File: global.php PHP 8.1.31 (Linux)
File Line Function
/global.php 783 errorHandler->error
/showthread.php 26 require_once
Warning [2] Undefined variable $newpmmsg - Line: 40 - File: global.php(841) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/global.php(841) : eval()'d code 40 errorHandler->error
/global.php 841 eval
/showthread.php 26 require_once
Warning [2] Undefined array key "style" - Line: 909 - File: global.php PHP 8.1.31 (Linux)
File Line Function
/global.php 909 errorHandler->error
/showthread.php 26 require_once
Warning [2] Undefined property: MyLanguage::$lang_select_default - Line: 5024 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 5024 errorHandler->error
/global.php 909 build_theme_select
/showthread.php 26 require_once
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions.php 5044 is_member
/global.php 909 build_theme_select
/showthread.php 26 require_once
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1370 fetch_forum_permissions
/showthread.php 137 forum_permissions
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined array key 1 - Line: 1415 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 1415 errorHandler->error
/inc/functions.php 1380 fetch_forum_permissions
/inc/functions.php 2909 forum_permissions
/showthread.php 621 build_forum_jump
Warning [2] Undefined property: MyLanguage::$ratings_update_error - Line: 5 - File: showthread.php(732) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/showthread.php(732) : eval()'d code 5 errorHandler->error
/showthread.php 732 eval
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions_user.php 844 is_member
/inc/functions_post.php 406 purgespammer_show
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "profilefield" - Line: 6 - File: inc/functions_post.php(474) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php(474) : eval()'d code 6 errorHandler->error
/inc/functions_post.php 474 eval
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "canonlyreplyownthreads" - Line: 660 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 660 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showimages" - Line: 741 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 741 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showvideos" - Line: 746 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 746 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "additionalgroups" - Line: 7162 - File: inc/functions.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions.php 7162 errorHandler->error
/inc/functions_user.php 844 is_member
/inc/functions_post.php 406 purgespammer_show
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "profilefield" - Line: 6 - File: inc/functions_post.php(474) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php(474) : eval()'d code 6 errorHandler->error
/inc/functions_post.php 474 eval
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "canonlyreplyownthreads" - Line: 660 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 660 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showimages" - Line: 741 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 741 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "showvideos" - Line: 746 - File: inc/functions_post.php PHP 8.1.31 (Linux)
File Line Function
/inc/functions_post.php 746 errorHandler->error
/showthread.php 1070 build_postbit
Warning [2] Undefined array key "invisible" - Line: 1506 - File: showthread.php PHP 8.1.31 (Linux)
File Line Function
/showthread.php 1506 errorHandler->error
Warning [2] Undefined variable $threadnotesbox - Line: 30 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/showthread.php(1533) : eval()'d code 30 errorHandler->error
/showthread.php 1533 eval
Warning [2] Undefined variable $addremovesubscription - Line: 79 - File: showthread.php(1533) : eval()'d code PHP 8.1.31 (Linux)
File Line Function
/showthread.php(1533) : eval()'d code 79 errorHandler->error
/showthread.php 1533 eval



FORUMS


The Form Tools forums are no longer active, but the old posts have been archived here. Please see the Help page on how to get help / report issues.
Form Tools Form Tools General Discussion v
Non-persistent Cross-Site Scripting Vulnerability - XSS

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Thread Modes
Non-persistent Cross-Site Scripting Vulnerability - XSS
tropical Offline
Junior Member
**
Posts: 1
Threads: 1
Joined: Mar 2009
Reputation: 0
#1
Mar 15th, 2009, 11:51 AM
Hi,

I am using Form Tools 1.x together with a SSL connection to collect personal information from an online form. A few weeks ago, I did a PCI audit scan and the results noted a security warning referred to as CGI abuses: XSS, or that the login page (index.php) for Form Tools had a "Non-persistent Cross-Site Scripting Vulnerability".

I would like to know whether there is a fix for this in FT 2.0? Also, how can this be fixed in the current stable version of FT 1.x?

Cheers,

Joseph
Reply
Find
Ben Offline
Administrator
*******
Posts: 2,456
Threads: 39
Joined: Dec 2008
Reputation: 6
#2
Mar 16th, 2009, 9:09 PM
Hi Joseph,

Hmmm! I really don't think this is a problem.

To prevent XSS / code injection attacks, PHP best practices recommend using calling mysql_real_escape_string() on incoming values prior to using them in any DB queries. This is what FT2 does (and I think FT1, too). It wards against these type of attacks.

Hope this info helps.

If you're still worried, would it be possible to get some more details? Perhaps an illustration of such a hack could take place (email it to me, rather than post it here!). Security problems are always a BIG concern, so I'll be sure to address it first.

- Ben
Reply
Find


Forum Jump:


Users browsing this thread: 1 Guest(s)