From edb817991b99cd5538f102be26865fde7c6b7212 Mon Sep 17 00:00:00 2001 From: David Hicks Date: Thu, 2 Sep 2010 21:51:21 +1000 Subject: [PATCH] Fix #12312: NuSOAP web description XSS vulnerability Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped URLs. A sample exploit URL is: /api/soap/mantisconnect.php?1 The upstream report for these XSS flaws in NuSOAP is located at the following URL: http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 This patch provides an interim fix for MantisBT users until upstream makes a new release. --- library/nusoap/class.wsdl.php | 16 ++++++++-------- library/nusoap/nusoap.php | 14 +++++++------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/library/nusoap/class.wsdl.php b/library/nusoap/class.wsdl.php index 6d2a693..7dcc307 100644 --- a/library/nusoap/class.wsdl.php +++ b/library/nusoap/class.wsdl.php @@ -842,9 +842,9 @@ class wsdl extends nusoap_base {


-
'.$this->serviceName.'
+
'.htmlentities($this->serviceName).'
-

View the WSDL for the service. +

View the WSDL for the service. Click on an operation name to view it's details.

    '; foreach($this->getOperations() as $op => $data){ @@ -854,21 +854,21 @@ class wsdl extends nusoap_base { Close

    "; foreach($data as $donnie => $marie){ // loop through opdata if($donnie == 'input' || $donnie == 'output'){ // show input/output data - $b .= "".ucfirst($donnie).':
    '; + $b .= "".htmlentities(ucfirst($donnie)).':
    '; foreach($marie as $captain => $tenille){ // loop through data if($captain == 'parts'){ // loop thru parts - $b .= "  $captain:
    "; + $b .= "  ".htmlentities($captain).":
    "; //if(is_array($tenille)){ foreach($tenille as $joanie => $chachi){ - $b .= "    $joanie: $chachi
    "; + $b .= "    ".htmlentities($joanie).": ".htmlentities($chachi)."
    "; } //} } else { - $b .= "  $captain: $tenille
    "; + $b .= "  ".htmlentities($captain).": ".htmlentities($tenille)."
    "; } } } else { - $b .= "".ucfirst($donnie).": $marie
    "; + $b .= "".htmlentities(ucfirst($donnie)).": ".htmlentities($marie)."
    "; } } $b .= '
'; @@ -1935,4 +1935,4 @@ class wsdl extends nusoap_base { } } -?> \ No newline at end of file +?> diff --git a/library/nusoap/nusoap.php b/library/nusoap/nusoap.php index 4973532..10750aa 100644 --- a/library/nusoap/nusoap.php +++ b/library/nusoap/nusoap.php @@ -5424,9 +5424,9 @@ class wsdl extends nusoap_base {


-
'.$this->serviceName.'
+
'.htmlentities($this->serviceName).'
-

View the WSDL for the service. +

View the WSDL for the service. Click on an operation name to view it's details.

    '; foreach($this->getOperations() as $op => $data){ @@ -5436,21 +5436,21 @@ class wsdl extends nusoap_base { Close

    "; foreach($data as $donnie => $marie){ // loop through opdata if($donnie == 'input' || $donnie == 'output'){ // show input/output data - $b .= "".ucfirst($donnie).':
    '; + $b .= "".htmlentities(ucfirst($donnie)).':
    '; foreach($marie as $captain => $tenille){ // loop through data if($captain == 'parts'){ // loop thru parts - $b .= "  $captain:
    "; + $b .= "  ".htmlentities($captain).":
    "; //if(is_array($tenille)){ foreach($tenille as $joanie => $chachi){ - $b .= "    $joanie: $chachi
    "; + $b .= "    ".htmlentities($joanie).": ".htmlentities($chachi)."
    "; } //} } else { - $b .= "  $captain: $tenille
    "; + $b .= "  ".htmlentities($captain).": ".htmlentities($tenille)."
    "; } } } else { - $b .= "".ucfirst($donnie).": $marie
    "; + $b .= "".htmlentities(ucfirst($donnie)).": ".htmlentities($marie)."
    "; } } $b .= '
'; -- 1.7.2.2