modConnectorResponse::outputContent() is reflecting an improperly sanitized value of the action parameter via the processor_err_nf lexicon. This lexicon accepts a target replacement value, which is currently being passed the raw action parameter (with only sub-directory traversal being prevented).
The only caveat is that an attacker would require the HTTP_MODAUTH value to be used for a valid user session.
opengeek created Redmine issue ID 10182
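The pattern described in this report, as an added example that is not MODX source code: a lexicon string with a `target` placeholder is filled with a request value that has only had traversal sequences removed, shown next to a version that allow-lists the value and HTML-encodes it before substitution. The function names, the wording of the lexicon string and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration, not MODX code. All names here are hypothetical.

// Assumed shape of the lexicon entry: a message with a "target" placeholder.
const LEXICON = ['processor_err_nf' => 'Processor not found: [[+target]]'];

// Minimal stand-in for lexicon placeholder replacement.
function lexicon(string $key, array $params): string
{
    $text = LEXICON[$key];
    foreach ($params as $name => $value) {
        $text = str_replace('[[+' . $name . ']]', $value, $text);
    }
    return $text;
}

// Stand-in for the only filtering the report mentions (traversal removal).
function stripTraversal(string $action): string
{
    return str_replace('../', '', $action);
}

// Before: the action value reaches the response body with markup intact.
function errorMessageUnsafe(string $action): string
{
    return lexicon('processor_err_nf', ['target' => stripTraversal($action)]);
}

// After: accept only characters a processor path needs, then encode on output.
function errorMessageSafe(string $action): string
{
    $action = stripTraversal($action);
    if (!preg_match('#^[A-Za-z0-9_\-/]+$#', $action)) {
        $action = '[invalid action]';
    }
    $encoded = htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return lexicon('processor_err_nf', ['target' => $encoded]);
}

// Constructed sample inputs: harmless markup, then a well-formed action.
$sample = '../<b>constructed</b>';
echo errorMessageUnsafe($sample), PHP_EOL;        // markup survives the filter
echo errorMessageSafe($sample), PHP_EOL;          // value rejected by allow-list
echo errorMessageSafe('resource/update'), PHP_EOL; // valid value passes through
```

Encoding is kept even though the allow-list already rejects markup, so the message stays safe if the allowed character set is widened later.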