Strict Standards: Non-static method Flyspray::absoluteURI() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 29 Strict Standards: Non-static method Flyspray::get_tmp_dir() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 78 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 39 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 40 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 42 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 20 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Cookie::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 33 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 41 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 100 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Flyspray::requestDuplicated() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 109 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 148 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 15 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Flyspray::GetTaskDetails() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 17 Strict Standards: Non-static method Flyspray::GetAssignees() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 358 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Post::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method TextFormatter::render() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 128 FS#135 : XSS issue

Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents
Tasklist

FS#135 - XSS issue

Attached to Project: Anwiki CMS
Opened by Strict Standards: array_map() expects parameter 1 to be a valid callback, non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 281 Wladimir Palant (trev) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Friday, 08 October 2010, 09:07 GMT
Last edited by Strict Standards: array_map() expects parameter 1 to be a valid callback, non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 281 anw (anw) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Sunday, 10 October 2010, 21:39 GMT
Task Type Security issue
Category Core
Status Closed
Assigned To anw (anw)
Operating System All
Severity Critical
Priority Normal
Reported Version Anwiki 0.2.3
Due in Version Anwiki 0.2.4
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

I create this simply to have the issue tracked, all the details are in the mail I sent to anw.fr owner on 2010-09-30 12:06:18 +0200. Feel free to fill in the details after the issue has been fixed.
This task depends upon

Closed by  anw (anw)
Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Sunday, 10 October 2010, 21:39 GMT
Reason for closing:  Fixed
Additional comments about closing:  Thanks again. There is no problem to unveil the details if you wish, now that the security release is out
Comment by anw (anw) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Friday, 08 October 2010, 19:28 GMT
Hi,
Thanks for your notification. Unfortunately I can't find your mail, could you tell me on which email it was sent, and maybe send it again ?
I suspect it to be lost through a spam filter. Many thanks.
Comment by Wladimir Palant (trev) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Friday, 08 October 2010, 20:20 GMT
The address mentioned here: http://www.anw.fr/en/contact
I didn't get a response to my first mail sent there either so I guess the spam filter kills everything where sender has a strange Russian name :)

Will resend, also to the email address in whois info.
Comment by Wladimir Palant (trev) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Friday, 15 October 2010, 08:06 GMT
Issue details, for the record:

This problem is live on anwiki.com however as well as every other site using Anwiki. Here is a link to test script injection:

> http://www.anwiki.com/?xss=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

What happens here:

* Page translation links (action_view.tpl.php, function pageTranslations) will copy all incoming parameters to generate the links.
* AnwUtils::link() calls AnwUtils::linkParams() to attach the parameters to the link.
* AnwUtils::linkParams() simply does "$name=$value", totally ignoring the fact that these parameters might not be safe. It should call urlencode() both on the name and the value.

Loading...