http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4299
http://www.securityfocus.com/bid/19654
Since the vendor appears to be asleep at the wheel, and Google turned
up nothing helpful, I've attempted my own fix for this vulnerability.
As I've found no exploit code to speak of, can anyone confirm that
this fix does indeed correct the issue?
tikiwiki-1.9.4-cve_2006_4299.patch:
diff -Nur -x '*.orig' -x '*.rej' tikiwiki-1.9.4/tiki-searchindex.php mezzanine_patched_tikiwiki-1.9.4/tiki-searchindex.php
--- tikiwiki-1.9.4/tiki-searchindex.php 2006-08-25 20:04:38.000000000 -0400
+++ mezzanine_patched_tikiwiki-1.9.4/tiki-searchindex.php 2006-08-25 20:04:25.000000000 -0400
@@ -22,7 +22,7 @@
}
if(isset($_REQUEST["highlight"]) && !empty($_REQUEST["highlight"])) {
- $_REQUEST["words"]=$_REQUEST["highlight"];
+ $_REQUEST["words"]=htmlspecialchars($_REQUEST["highlight"]);
}
if ($feature_search_stats == 'y') {
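Review bot: the `+` line encodes at the input side rather than at the output side, so `$_REQUEST["words"]` now carries HTML-entity-encoded text into whatever later consumes it (the search itself and, per the following context line, the search statistics), which changes search results for any term containing `&`, `<`, `>` or `"` rather than only fixing the reflection. Also note that `htmlspecialchars()` with its default flags does not convert single quotes, so if the value is later interpolated into a single-quoted HTML attribute the encoding is insufficient; if the assignment is kept as the fix point, pass `ENT_QUOTES`, e.g. `htmlspecialchars($_REQUEST["highlight"], ENT_QUOTES)`, and preferably apply the encoding where the value is echoed into the page instead.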
Thanks,
Michael
--
Michael Jennings (a.k.a. KainX) http://www.kainx.org/ <mej (at) kainx (dot) org [email concealed]>
n + 1, Inc., http://www.nplus1.net/ Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
"My shoes are too tight, but it doesn't matter because I have
forgotten how to dance."
-- Peter Jurasik (Ambassador Londo Mollari), "Babylon Five"