

Fixed XSS vulnerability reported by hitisec. This is low threat since…
… it is in the installer, which is disabled by default, and should only be enabled temporarily by trusted parties. E.g. in order to even reach the vulnerability, the user would need to have a valid username/password for the MySQL database.
shannah committed Oct 4, 2021
1 parent dfa9534 commit 94143a4
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions install/install_form.js.php
Expand Up @@ -15,18 +15,17 @@ function testftp(form){

postDataReturnText('installer.php','-action=testftp&-ftphost='+escape(form.ftp_host.value)+'&-ftpuser='+escape(form.ftp_username.value)+'&-ftppass='+escape(form.ftp_password.value)+'&-ftppath='+escape(form.ftp_path.value), function(result){
var resultDiv = document.getElementById('ftp-test-results');
eval('var results = '+result+';');
resultDiv.innerHTML = results.message;
var results = JSON.parse(result);
resultDiv.innerText = results.message;
});


}

function testdb(form){
postDataReturnText('installer.php','-action=testdb&-dbname='+escape(form.database_name.options[form.database_name.selectedIndex].value)+'&-dbuser='+escape(form.mysql_user.value)+'&-dbpass='+escape(form.mysql_password.value), function(result){
var resultDiv = document.getElementById('db-test-results');
eval('var results = '+result+';');
resultDiv.innerHTML = results.message;
var results = JSON.parse(result);
resultDiv.innerText = results.message;
});
}
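Review bot: `JSON.parse(result)` on the new lines in both testftp and testdb is uncaught, so a response that is not strict JSON (a PHP warning prepended to the body, or a JS-style object literal with unquoted keys that the old `eval` accepted) throws inside the callback and leaves the results div blank with no feedback; since this commit touches only install_form.js.php, whether installer.php already emits strict JSON cannot be confirmed from the hunk. Wrapping the parse in try/catch and writing a fallback message keeps the user informed, and a missing `message` property should not render the literal string `undefined`. Both callbacks are the same three lines, so a single helper as below removes the duplication; each callback body becomes `showTestResult('ftp-test-results', result);` and `showTestResult('db-test-results', result);` respectively. A secondary point on the unchanged lines: `escape()` does not encode `+`, `/` or `@`, so a password containing `+` reaches installer.php as a space — `encodeURIComponent` is the correct encoder for query-string values.
```javascript
// Parses the installer's JSON reply and shows its message as plain text.
function showTestResult(divId, result) {
  var resultDiv = document.getElementById(divId);
  var message;
  try {
    message = JSON.parse(result).message;
  } catch (e) {
    // Non-JSON body (e.g. a PHP warning); do not leave the div silently empty.
    message = 'Unexpected response from installer.php';
  }
  if (message === undefined || message === null) {
    message = 'No message returned by installer.php';
  }
  // textContent never interprets markup, regardless of what the server sent.
  resultDiv.textContent = String(message);
}

function testftp(form){
  // … unchanged: postDataReturnText call and its query string …
  showTestResult('ftp-test-results', result);
```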


