* Fichier core/internal_components/admin_sites/launch_system_bo.inc
  o Remplacer
    + $g_object_sessionscope =& $g_object_loader->getTSessionScope();
  o Par
    + $g_object_sessionscope =& $g_object_loader->getTSessionScope(); $url_parsed = parse_url($_SERVER['HTTP_REFERER']); if ((substr($url_parsed['path'],0,strlen($g_object_siteinformation->getBaseHttp())) != $g_object_siteinformation->getBaseHttp())) { $g_object_sessionscope->forceDestroy(); }
* Fichier core/internal_components/common/globals/php_functions.inc.php
  o Remplacer
    + return isset($p_array[$p_var_name])?$p_array[$p_var_name]:$p_default_value;
  o Par
    + global $g_object_siteinformation;
    + if (isset($g_object_siteinformation) && !$g_object_siteinformation->isAdmin())
    + return remove_HTML(isset($p_array[$p_var_name])?$p_array[$p_var_name]:$p_default_value);
    + else
    + return (isset($p_array[$p_var_name])?$p_array[$p_var_name]:$p_default_value);
  o Puis, à la fin du fichier (avant ?>), ajouter
    + function remove_HTML($str){ //return $str; $new_str = strip_tags($str);
    + if ($new_str != $str) return "XSS Why ?"; return $str;
    + }
* Fichier core/internal_components/common/globals/site_information.inc.php
  o Remplacer
    + $array_params = array_merge($p_from_array, $p_add_array);
  o Par
    + $array_params = array_merge($p_from_array, $p_add_array); foreach($array_params as $key => $value) { $array_params[$key] = remove_HTML($value); }
* Fichier core/internal_components/common/listpaging/listpaging.class.php
  o Remplacer
    + $this->m_current_page = $_REQUEST['f_lcp'];
  o Par
    + $this->m_current_page = remove_HTML($_REQUEST['f_lcp']);
* Fichier view/external_components/module.php
  o Remplacer toutes les occurrences (2 en tout) de
    + $plici_config_master."./
  o Par
    + dirname(__FILE__)."/../../
* Fichiers view/external_components/stats/phpmv2/index.php et view/external_components/stats/phpmv2/phpmyvisites.php
  o Remplacer
    + global $g_phpmv_full_integrated_params;
  o Par
    + if (isset($_REQUEST['g_phpmv_full_integrated_params'])) {echo('Why?');die();}
global $g_phpmv_full_integrated_params;