Flatpress- 1.2.1 - Reflected XSS on page parameter #153
Posted: Wed Nov 30, 2022 4:58 pm
Details here:
https://github.com/flatpressblog/flatpress/issues/153
There is a quick fix for Flatpress 1.2.1 Issue #153 and you only have to change the existing Flatpress code (from 2015!) in only one file.
File: /admin/panels/static/admin.static.write.php
Line: 66 ff
Code:
    if (isset($_GET['page'])) {
        $id = $_GET['page'];
        $arr = static_parse($id);
        // if the entry does not exist,
        // we print the list
        if ($arr) {
            $this->_makePreview($arr, $id);
        }
    }
Replace these lines with the following lines:
Code:
    if (isset($_GET['page'])) {
        $id = $_GET['page'];
        $arr = static_parse($id);
        // if the entry does not exist,
        // we print the list
        if ($arr) {
            $this->_makePreview($arr, $id);
        } else {
            // unknown page: discard the supplied value and go back to the list
            $id = '';
            $arr = array();
            $_GET['page'] = '';
            utils_redirect('admin.php?p=static');
        }
    }
regards
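The same decision as the patched branch in the post, with two extra checks (a format check on the id before lookup and HTML-escaping before output), as an added example that is not FlatPress code or part of the original post. `static_parse_stub()`, `is_valid_page_id()`, `resolve_page()`, the id format and the sample pages are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed data: ids of static pages that exist on this hypothetical blog.
$knownPages = ['about' => ['subject' => 'About'], 'contact' => ['subject' => 'Contact']];

// Hypothetical stand-in for static_parse(): page array, or false if unknown.
function static_parse_stub(string $id, array $pages)
{
    return $pages[$id] ?? false;
}

// Assumption: page ids are short and use only letters, digits, '-' and '_'.
function is_valid_page_id($id): bool
{
    return is_string($id) && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $id) === 1;
}

// Decide what the panel should do with the raw 'page' query value.
// Returns ['action' => 'preview', ...] or ['action' => 'redirect', ...].
function resolve_page(array $query, array $pages): array
{
    $raw = $query['page'] ?? null;
    if (!is_valid_page_id($raw)) {
        // Rejected before the value reaches any lookup or template.
        return ['action' => 'redirect', 'to' => 'admin.php?p=static'];
    }
    $arr = static_parse_stub($raw, $pages);
    if (!$arr) {
        // Same outcome as the patched else-branch in the post.
        return ['action' => 'redirect', 'to' => 'admin.php?p=static'];
    }
    // Escape at the output boundary even though the id passed validation.
    $safeId = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return ['action' => 'preview', 'id' => $safeId, 'page' => $arr];
}

// Constructed inputs: an existing page, a missing page, markup, an array value.
$samples = [['page' => 'about'], ['page' => 'nope'], ['page' => '"><b>x</b>'], ['page' => ['a']]];
foreach ($samples as $query) {
    $result = resolve_page($query, $knownPages);
    echo json_encode($query['page']), ' => ', $result['action'], PHP_EOL;
}
```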