Changeset 1737 for trunk

Show
Ignore:
Timestamp:
08/27/2008 07:50:33 PM (3 months ago)
Author:
robertb
Message:

Session Fixierung
XSS ueber url-Parameter gefixt

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • trunk/admin/login.php

    r1736 r1737  
    2929                 
    3030                if ( md5( $passwort ) == JLOG_ADMIN_PASSWORD) { 
    31                 $_SESSION['logged_in'] = true; 
     31                        $_SESSION['logged_in'] = true; 
     32                        session_regenerate_id();        // neue SID 
    3233                 
    3334                if ($_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.1') { 
     
    5859      <input class="userdata" id="password" type="password" name="password" /> 
    5960      <input style="display: none;" name="username" type="text" value="do-not-change" /></p> 
    60    <p><input type="hidden" name="url" value="'.(!empty($get['url']) ? $get['url'] : $post['url']).'" /> 
     61   <p><input type="hidden" name="url" value="'.htmlspecialchars(!empty($get['url']) ? $get['url'] : $post['url']).'" /> 
    6162      <input type="submit" value="'.$l['admin']['login_send'].'" /></p> 
    6263  </form>