[Vtigercrm-developers] Nasty little Announcement bug
Prasad
prasad at vtiger.com
Mon Jun 11 03:36:40 PDT 2012
Alan,
Each administrator can add announcements. The owner can clear the same.
Look at the following:
- include/utils/CommonUtils.php - function get_announcements()
- Smarty/templates/Header.tpl - ANNOUNCEMENT output to HTML
Let us know if you get over a solution.
Regards,
Prasad
vtiger Team
On Mon, Jun 11, 2012 at 2:57 PM, Alan Lord (News) <alanslists at gmail.com> wrote:
> Hmm something else is a bit nasty with this.
>
> The original announcement with the apostrophe was created by a user with
> a normal id number (i.e. not 1).
>
> I logged into their system (as admin) and edited their announcement to
> remove the apostrophes. But rather than removing the original
> announcement, it added a second one to the database table! Meaning the
> apostrophe bug was still present as the marquee was now showing both
> announcements.
>
> The only way to fix this was to go into MySQL and manually delete the
> original announcement record from the vtiger_announcement table.
>
> My colleague also made an interesting comment. This is likely to be
> quite a security bug too as you could probably inject javascript into
> the announcement...
>
> Cheers
>
> Al
>
>
> On 11/06/12 07:54, Alan Lord (News) wrote:
> > Caught this one this morning...
> >
> > http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/7440
> >
> > Should be easy enough to fix (I guess the ' isn't being escaped or
> > converted) but it's quite a nasty one. Using an apostrophe is
> > commonplace and no access to the More menu is rather limiting.
> >
> > Cheers
> >
> > Al
> >
>
>
> --
> Libertus Solutions
> http://www.libertus.co.uk
>
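The two defects the thread describes (the apostrophe breaking the stored/rendered announcement, and an edit adding a second row instead of replacing the owner's row) come down to handling the text as data on both the SQL side and the HTML side. The following is an added example written for this thread, not vtiger's own code: it assumes a PDO connection and that vtiger_announcement has the columns creatorid and announcement (the column names are assumptions; only the table name comes from the thread).

```php
<?php
// Added example, not vtiger's code. Assumes PDO and a vtiger_announcement
// table with columns creatorid (one row per owner) and announcement.

/** Save the calling admin's announcement, replacing any row they already own. */
function save_announcement(PDO $db, int $creatorId, string $text): void
{
    // Bound parameters keep an apostrophe in $text as data, never as SQL
    // syntax, so no manual quoting or escaping of the value is needed.
    $exists = $db->prepare(
        'SELECT COUNT(*) FROM vtiger_announcement WHERE creatorid = :owner'
    );
    $exists->execute([':owner' => $creatorId]);

    // Update the owner's existing row rather than inserting a second one,
    // which is what produced the duplicate marquee entry in the thread.
    $sql = ((int) $exists->fetchColumn() > 0)
        ? 'UPDATE vtiger_announcement SET announcement = :text WHERE creatorid = :owner'
        : 'INSERT INTO vtiger_announcement (creatorid, announcement) VALUES (:owner, :text)';
    $db->prepare($sql)->execute([':text' => $text, ':owner' => $creatorId]);
}

/** Build the text handed to the header template; every item is HTML-encoded. */
function render_announcements(PDO $db): string
{
    $rows = $db->query('SELECT announcement FROM vtiger_announcement')
               ->fetchAll(PDO::FETCH_COLUMN);
    $items = [];
    foreach ($rows as $text) {
        // ENT_QUOTES encodes both ' and ", so the announcement cannot close
        // an attribute or add markup/script to the marquee it is shown in.
        $items[] = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return implode(' | ', $items);
}
```

If the encoding is done in the template instead of in PHP, the equivalent is Smarty's escape modifier on the value, e.g. `{$ANNOUNCEMENT|escape:'html'}`, applied wherever Header.tpl prints it.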