
Another XSS exploit has been discovered that allows a malicious user to steal your cookie. Thankfully it was rather easy to fix, thanks to the help of CrappoMan and me. The fix is available as a separate patch (6-00-108up.zip) and has been added to the SourceForge files. Patch 6-00-108 upgrades either version 6.00.106 or 6.00.107. If you wish to update manually, please click read more for details. Thanks to ratboy and pacifico for their information. This patch also contains some more corrections in messages.php following a security advisory from gnucitizen.
Download 6-00-108.zip 11Kb.
Update: There was a small mistake in maincore.php and messages.php in the update package. It has been corrected; please re-download and re-apply the package, or fix the problem manually as instructed in the comments of this news item.
Open up maincore.php and look for this line in function parseubb (approx. line 373):
$message = preg_replace('#(<[^>]+[\\"\'])(onmouseover|onmousedown|onmouseup|onmouseout|onmousemove|onclick|ondblclick|onload|xmlns)[^>]*>#iUu',">",$message);
Replace it with
$message = preg_replace('#(<[^>]+[\\"\'\s])(onmouseover|onmousedown|onmouseup|onmouseout|onmousemove|onclick|ondblclick|onload|xmlns)[^>]*>#iUu',">",$message);
Then insert this line
Before
Then look for this line in function descript (approx line 406)
$text = preg_replace('#(<[^>]+[\\"\'])(onmouseover|onmousedown|onmouseup|onmouseout|onmousemove|onclick|ondblclick|onload|xmlns)[^>]*>#iUu',">",$text);
Replace it with
$text = preg_replace('#(<[^>]+[\\"\'\s])(onmouseover|onmousedown|onmouseup|onmouseout|onmousemove|onclick|ondblclick|onload|xmlns)[^>]*>#iUu',">",$text);
Then insert this line
Before
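The effect of the `\s` added to both replacements can be checked with a small regression script. This is an added example, not part of the patch or of PHP-Fusion: the helper `strip_handlers` and the sample markup are constructed for illustration, while the two patterns and the ">" replacement are the ones quoted above.

```php
<?php
// Added example, not PHP-Fusion code: compares the pre-patch and patched
// patterns quoted above on constructed sample markup.

$handlers = 'onmouseover|onmousedown|onmouseup|onmouseout|onmousemove|'
          . 'onclick|ondblclick|onload|xmlns';

// Pre-patch: the attribute name must directly follow a quote character.
$old = '#(<[^>]+[\\"\'])(' . $handlers . ')[^>]*>#iUu';
// Patched: a whitespace character before the attribute name also matches.
$new = '#(<[^>]+[\\"\'\s])(' . $handlers . ')[^>]*>#iUu';

// Hypothetical helper: applies one pattern with the same ">" replacement
// that the parseubb and descript lines use.
function strip_handlers(string $pattern, string $text): string
{
    $out = preg_replace($pattern, '>', $text);
    if ($out === null) {
        // Fail closed: never hand back unfiltered text on a PCRE error.
        throw new RuntimeException('preg_replace failed');
    }
    return $out;
}

// Constructed inputs: the same tag with different characters in front of
// the event-handler attribute, plus one tag with no handler at all.
$samples = [
    'quote before attribute'   => '<a href="x"onclick="y">link</a>',
    'space before attribute'   => '<a href="x" onclick="y">link</a>',
    'newline before attribute' => "<a href=\"x\"\nonclick=\"y\">link</a>",
    'no handler'               => '<b>plain</b>',
];

foreach ($samples as $label => $html) {
    $before = strip_handlers($old, $html);
    $after  = strip_handlers($new, $html);
    printf("%-26s old: %-9s new: %s\n", $label,
        $before === $html ? 'kept' : 'stripped',
        $after  === $html ? 'kept' : 'stripped');
}
```

Only the quote-separated tag is stripped by the pre-patch pattern; the patched pattern also strips the space- and newline-separated forms and leaves the plain tag untouched.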