
XSS patch tweak

A few sites have been encountering problems with logging in following the recent login vulnerability patch. I've identified that the preg_match line is producing false results, causing valid logins to fail. This line has been dropped but the stripinput function should be ample enough to prevent any problems.

So the three lines in fusion_core.php directly after:
if (isset($_POST['login'])) {

are now as follows:
$user_name = stripinput($_POST['user_name']);
$user_pass = md5($_POST['user_pass']);
$result = dbquery("SELECT * FROM ".$fusion_prefix."users WHERE user_name='$user_name' and user_password='$user_pass'");



I've updated the service pack and SourceForge package to include this alteration. Thanks.

Falk March 22 2005 13,056
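
The same lookup written with bound parameters, so the query text never contains submitted values and a legitimate name with a quote in it still logs in (an added example, not PHP-Fusion's code or the author's patch; the `find_user` helper, the `fusion_` prefix value, the `user_id` column and the sample rows are assumptions constructed for illustration, and `md5()` is kept only to match the stored format shown in the post):

```php
<?php
// Added example, not PHP-Fusion code. find_user(), the user_id column and
// the sample rows are constructed; md5() only mirrors the page's format.

function find_user(PDO $db, string $prefix, array $post): ?array
{
    $name = $post['user_name'] ?? '';
    $pass = $post['user_pass'] ?? '';
    // A field submitted as user_name[]=... arrives as an array: reject it
    // here instead of letting it reach md5() or the query.
    if (!is_string($name) || !is_string($pass) || $name === '') {
        return null;
    }
    // Only the table prefix (trusted configuration) is concatenated.
    // Submitted values travel as bound parameters, never as SQL text.
    $stmt = $db->prepare(
        "SELECT user_id, user_name FROM {$prefix}users
         WHERE user_name = :name AND user_password = :pass"
    );
    $stmt->execute([':name' => $name, ':pass' => md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the site's users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE fusion_users (
    user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)");
$ins = $db->prepare(
    "INSERT INTO fusion_users (user_name, user_password) VALUES (?, ?)");
$ins->execute(["O'Brien", md5('correct horse')]);
$ins->execute(['admin', md5('s3cret')]);

// Constructed form submissions.
$cases = [
    'valid login, quote in name' =>
        ['user_name' => "O'Brien", 'user_pass' => 'correct horse'],
    'wrong password' =>
        ['user_name' => 'admin', 'user_pass' => 'guess'],
    'array-valued field' =>
        ['user_name' => ['admin'], 'user_pass' => 's3cret'],
];
foreach ($cases as $label => $post) {
    $user = find_user($db, 'fusion_', $post);
    printf("%-28s %s\n", $label, $user ? 'accepted' : 'rejected');
}
```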