0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch

/library/nusoap/0001-Fix-12312-NuSOAP-web-description-XSS-vulnerability.patch

https://github.com/fusenigk/mantisbt-1 · Patch · 119 lines · 112 code · 7 blank · 0 comment · 0 complexity · d639190a9af09a00523157562b0ac27b MD5 · raw file

From edb817991b99cd5538f102be26865fde7c6b7212 Mon Sep 17 00:00:00 2001
From: David Hicks <hickseydr@optusnet.com.au>
Date: Thu, 2 Sep 2010 21:51:21 +1000
Subject: [PATCH] Fix #12312: NuSOAP web description XSS vulnerability

Bogdan Calin from Acunetix discovered a number of XSS vulnerabilities in
NuSOAP 0.9.5 (bundled with MantisBT) relating to improperly escaped
URLs.

A sample exploit URL is:
/api/soap/mantisconnect.php?1<ScRiPt>prompt(923395)</ScRiPt>

The upstream report for these XSS flaws in NuSOAP is located at the
following URL:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005

This patch provides an interim fix for MantisBT users until upstream
makes a new release.
---
 library/nusoap/class.wsdl.php |   16 ++++++++--------
 library/nusoap/nusoap.php     |   14 +++++++-------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/library/nusoap/class.wsdl.php b/library/nusoap/class.wsdl.php
index 6d2a693..7dcc307 100644
--- a/library/nusoap/class.wsdl.php
+++ b/library/nusoap/class.wsdl.php
@@ -842,9 +842,9 @@ class wsdl extends nusoap_base {
 		<body>
 		<div class=content>
 			<br><br>
-			<div class=title>'.$this->serviceName.'</div>
+			<div class=title>'.htmlentities($this->serviceName).'</div>
 			<div class=nav>
-				<p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
+				<p>View the <a href="'.htmlentities($PHP_SELF).'?wsdl">WSDL</a> for the service.
 				Click on an operation name to view it&apos;s details.</p>
 				<ul>';
 				foreach($this->getOperations() as $op => $data){
@@ -854,21 +854,21 @@ class wsdl extends nusoap_base {
 				    <a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
 				    foreach($data as $donnie => $marie){ // loop through opdata
 						if($donnie == 'input' || $donnie == 'output'){ // show input/output data
-						    $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
+						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).':</font><br>';
 						    foreach($marie as $captain => $tenille){ // loop through data
 								if($captain == 'parts'){ // loop thru parts
-								    $b .= "&nbsp;&nbsp;$captain:<br>";
+								    $b .= "&nbsp;&nbsp;".htmlentities($captain).":<br>";
 					                //if(is_array($tenille)){
 								    	foreach($tenille as $joanie => $chachi){
-											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>";
+											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;".htmlentities($joanie).": ".htmlentities($chachi)."<br>";
 								    	}
 					        		//}
 								} else {
-								    $b .= "&nbsp;&nbsp;$captain: $tenille<br>";
+								    $b .= "&nbsp;&nbsp;".htmlentities($captain).": ".htmlentities($tenille)."<br>";
 								}
 						    }
 						} else {
-						    $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
+						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).":</font> ".htmlentities($marie)."<br>";
 						}
 				    }
 					$b .= '</div>';
@@ -1935,4 +1935,4 @@ class wsdl extends nusoap_base {
 	} 
 }
 
-?>
\ No newline at end of file
+?>
diff --git a/library/nusoap/nusoap.php b/library/nusoap/nusoap.php
index 4973532..10750aa 100644
--- a/library/nusoap/nusoap.php
+++ b/library/nusoap/nusoap.php
@@ -5424,9 +5424,9 @@ class wsdl extends nusoap_base {
 		<body>
 		<div class=content>
 			<br><br>
-			<div class=title>'.$this->serviceName.'</div>
+			<div class=title>'.htmlentities($this->serviceName).'</div>
 			<div class=nav>
-				<p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
+				<p>View the <a href="'.htmlentities($PHP_SELF).'?wsdl">WSDL</a> for the service.
 				Click on an operation name to view it&apos;s details.</p>
 				<ul>';
 				foreach($this->getOperations() as $op => $data){
@@ -5436,21 +5436,21 @@ class wsdl extends nusoap_base {
 				    <a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
 				    foreach($data as $donnie => $marie){ // loop through opdata
 						if($donnie == 'input' || $donnie == 'output'){ // show input/output data
-						    $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
+						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).':</font><br>';
 						    foreach($marie as $captain => $tenille){ // loop through data
 								if($captain == 'parts'){ // loop thru parts
-								    $b .= "&nbsp;&nbsp;$captain:<br>";
+								    $b .= "&nbsp;&nbsp;".htmlentities($captain).":<br>";
 					                //if(is_array($tenille)){
 								    	foreach($tenille as $joanie => $chachi){
-											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>";
+											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;".htmlentities($joanie).": ".htmlentities($chachi)."<br>";
 								    	}
 					        		//}
 								} else {
-								    $b .= "&nbsp;&nbsp;$captain: $tenille<br>";
+								    $b .= "&nbsp;&nbsp;".htmlentities($captain).": ".htmlentities($tenille)."<br>";
 								}
 						    }
 						} else {
-						    $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
+						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).":</font> ".htmlentities($marie)."<br>";
 						}
 				    }
 					$b .= '</div>';
-- 
1.7.2.2