Bugtraq mailing list archives
Re: Agoracgi v3.3e Cross Site Scripting Vulnerability
From: Steve Kneizys <skneizys () yahoo com>
Date: 25 Jan 2002 06:38:28 -0000
In-Reply-To: <068b01c1874a$7b1296b0$cb9c2bd5@ts>
Sites desiring to eliminate the issue in diagnostic mode as well as remove all < and >
characters from all user input can install the library below.
Steve...
--
# Special Security add-on library for agora versions 3.2b to 4.0d
#
# Puts the store in 'paranoia' mode, all < and > chars are converted
# to # chars if they are found in the input stream.
#
# May fix unknown and undiscovered problems, eliminates problems in
# diagnostic mode in 4.0x.
#
# Install in store/custom directory, set permissions to 555
#
# Not required if running ashim40update.pl version 1/24/02 or later
#
# SPK Jan 24, 2002
$versions{'security_01242002'} = '01242002';

# Hook 1: runs at the top of alias_and_override, before the store uses the input.
&add_codehook("alias_and_override_top","special_security_f1_01242002");
sub special_security_f1_01242002 {
    # Decode entity-encoded angle brackets in cart_id first so they are
    # caught by the replacement below (the archive rendered these entities
    # as bare < and >, which made the two lines no-ops).
    $form_data{'cart_id'} =~ s/&lt;/</g;
    $form_data{'cart_id'} =~ s/&gt;/>/g;
    # Replace every < and > in every form field with #.
    for $inx (keys %form_data) {
        $form_data{$inx} =~ s/</#/g;
        $form_data{$inx} =~ s/>/#/g;
    }
}

# Hook 2: runs at the end of alias_and_override; blank out any cart_id that
# does not look like "<word chars, - = + />.<word chars>".
&add_codehook("alias_and_override_end","special_security_f2_01242002");
sub special_security_f2_01242002 {
    if (!($form_data{'cart_id'} =~ /^([\w\-\=\+\/]+)\.(\w+)/)) {
        $form_data{'cart_id'} = '';
    }
}
#
1; # Library
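To see what the two hooks actually do to form input, here is an added stand-alone Perl script (not from the post or from Agora) that reproduces the same filtering and cart_id validation against constructed form data. `%form_data`, `add_codehook` and `run_hooks` are stand-ins for the store's globals and hook mechanism, and the sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: exercise the paranoia filter and cart_id check outside
# the store. Nothing here is Agora's own code; %form_data and the hook
# registry are simplified stand-ins.
use strict;
use warnings;

our %form_data;      # stand-in for the store's global form hash
my  %hooks;          # hook point -> list of sub names

# Stand-in for Agora's add_codehook: register a sub under a hook point.
sub add_codehook {
    my ($point, $subname) = @_;
    push @{ $hooks{$point} }, $subname;
}

# Call every sub registered under a hook point, in registration order.
sub run_hooks {
    my ($point) = @_;
    no strict 'refs';
    &{$_}() for @{ $hooks{$point} || [] };
}

# Same logic as the posted library: decode entity-encoded brackets in
# cart_id, then turn every < and > in every field into #.
sub paranoia_filter {
    $form_data{'cart_id'} =~ s/&lt;/</g;
    $form_data{'cart_id'} =~ s/&gt;/>/g;
    for my $key (keys %form_data) {
        $form_data{$key} =~ s/</#/g;
        $form_data{$key} =~ s/>/#/g;
    }
}

# Same whitelist check as the posted library: blank cart_id unless it
# matches "<word chars, - = + />.<word chars>".
sub cart_id_check {
    unless ($form_data{'cart_id'} =~ /^([\w\-\=\+\/]+)\.(\w+)/) {
        $form_data{'cart_id'} = '';
    }
}

add_codehook('alias_and_override_top', 'paranoia_filter');
add_codehook('alias_and_override_end', 'cart_id_check');

# Constructed inputs: a benign request, one carrying markup (both bare
# and entity-encoded), and one with a cart_id that lacks the ".ext" part.
my @cases = (
    { cart_id => 'abc123.0',       item => 'widget' },
    { cart_id => '&lt;b&gt;x.1',   item => '<script>alert(1)</script>' },
    { cart_id => 'nodot',          item => 'widget' },
);

for my $case (@cases) {
    %form_data = %$case;
    run_hooks('alias_and_override_top');
    run_hooks('alias_and_override_end');
    printf "cart_id %-14s -> %-10s item -> %s\n",
        "'$case->{cart_id}'", "'$form_data{cart_id}'", $form_data{item};
}
```

Running it shows the first cart_id surviving unchanged, the markup-bearing one being reduced to `#b#x.1` by the filter and then blanked by the whitelist (because `#` is outside the allowed class), and the `<script>` text in the item field arriving as `#script#alert(1)#/script#`. The third case is blanked because the regex requires a dot followed by word characters.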