novius-os / novius-os

Create Once Publish Everywhere with Novius OS, a Cross-Channel Open Source CMS.
http://www.novius-os.org/

XSS with phpquickprofiler #32

Closed SesterhennEric closed 10 years ago

SesterhennEric commented 10 years ago

I did not find a security contact, so I report this issue here

=== Security Advisory ===

Novius OS 2.3 - Cross-Site-Scripting

Affected Version

novius-os.chiba.2.3

Problem Overview

Technical Risk: low
Likelihood of Exploitation: medium
Vendor: Novius Agency
Reported by: Eric Sesterhenn snakebyte@gmx.de
Advisory updates: http://www.rusty-ice.de/advisory/advisory_2013004.txt
Advisory Status: Private

Problem Impact

While taking a quick look at the web interface, an XSS issue in the phpquickprofiler component was spotted. This component is enabled by default and reflects GET and POST parameters back unfiltered.

Problem Description

The issue can be easily tested: http://localhost/novius-os/nos/front/index?

Temporary Workaround and Fix

Disable the phpquickprofiler in local/config/config.php by setting 'profiling' => false, which is recommended for production systems but not the default setting.

--- novius-os/fuel-core/vendor/phpquickprofiler/display.php.orig 2013-12-02 17:00:11.939540876 +0100 +++ novius-os/fuel-core/vendor/phpquickprofiler/display.php 2013-12-02 17:03:48.868240368 +0100 @@ -627,7 +627,7 @@ else {

'; - $return_output .= $output['getItems']; - ``` $return_output .= htmlentities($output['getItems']); $return_output .='
'; ``` } @@ -645,7 +645,7 @@ else {
'; - ``` $return_output .= $output['postItems']; ``` - ``` $return_output .= htmlentities($output['postItems']); $return_output .='
'; ``` } # History 02.12.2013 - Issue detected
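Review bot: in both hunks (@@ -627 and @@ -645) `htmlentities()` is called with no flags and no charset, so it relies on PHP's defaults (ENT_COMPAT, which leaves single quotes unencoded, and an ISO-8859-1 default charset on PHP versions before 5.4); pass them explicitly, e.g. `$return_output .= htmlentities($output['getItems'], ENT_QUOTES, 'UTF-8');` and likewise for `$output['postItems']`. Encoding at the output point is the right place for it, but the diff covers only the getItems and postItems strings; any other request-derived value that display.php reflects needs the same treatment.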
Savageman commented 10 years ago

Hello,

Thank you for reporting this issue to us. We'll be dealing with it as soon as we can. The issue is from a vendor we're using. We've reported back the issue to them, hopefully it will be merged soon.

Just a quick but important note: your advisory says that profiling => false is not the default setting. It's half the truth, because the default setting depends on the environment and IT IS DISABLED in production (it's only enabled by default when in development).
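As an added illustration (not phpquickprofiler or Novius OS code), the reflected request dump from the advisory above is modelled as the unescaped concatenation beside the escaped form with the explicit flags the patch leaves implicit, together with the environment-dependent gate Savageman describes; `$getItems`, the `<pre>` container, `profiler_enabled()`, `$config` and `$env` are constructed names for this example.

```php
<?php
// Added example, not code from phpquickprofiler or Novius OS.
// Constructed sample of what the profiler's getItems string could hold
// when a request parameter value contains markup.
$getItems = "q => <b>marker</b> & 'quoted'";

// Before the patch: the request dump is concatenated into the page as-is,
// so any markup inside a GET/POST value reaches the browser unencoded.
// The <pre> container is assumed; the real surrounding tags are not shown.
function render_items_unescaped(string $items): string
{
    return "<pre>" . $items . "</pre>";
}

// After the patch, with the two arguments the diff leaves implicit:
// ENT_QUOTES also encodes single quotes, and an explicit 'UTF-8' makes
// the result independent of PHP's default charset (ISO-8859-1 before 5.4).
function render_items_escaped(string $items): string
{
    return "<pre>" . htmlentities($items, ENT_QUOTES, 'UTF-8') . "</pre>";
}

// Mirrors the workaround and the maintainer's note: the profiler panel is
// only emitted when 'profiling' is enabled, and never in production.
// $config and $env are assumed names for this example.
function profiler_enabled(array $config, string $env): bool
{
    if ($env === 'production') {
        return false;
    }
    return !empty($config['profiling']);
}

// Self-check: the escaped output carries no raw markup from $items.
$escaped = render_items_escaped($getItems);
assert(strpos($escaped, '<b>') === false);
assert(strpos($escaped, '&lt;b&gt;marker&lt;/b&gt; &amp; &#039;quoted&#039;') !== false);

$config = ['profiling' => true];   // a development-style setting
foreach (['development', 'production'] as $env) {
    echo $env, ': ', profiler_enabled($config, $env) ? 'profiler shown' : 'profiler off', "\n";
}
```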

felixgilles commented 10 years ago

Hi,

We've just released Chiba 2.3.2 which integrates the fix from the FuelPHP core.

Many thanks