Errata - 4.0.1 XSS in SQL debugging output


When outputting the SQL statements for debugging, a maliciously crafted query can trigger a XSS attack (thanks Thrivikram Gujarathi).

This attack only succeeds if the user is already logged in to Open-AudIT before they click the malicious link.


The issue has been patched. To view the patch, go here - https://github.com/Opmantek/open-audit/commit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78


To apply it, grab the two files from:
https://raw.githubusercontent.com/Opmantek/open-audit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78/code_igniter/application/helpers/response_helper.php
and
https://raw.githubusercontent.com/Opmantek/open-audit/870b14b3dc83bb38853a0af62f1ff91d0f4ceb78/code_igniter/application/views/theme-bootstrap/v_template.php

and replace the existing files in your installation.


Apologies for any inconvenience this causes. This has been patched and will be included in the next release.

Mark Unwin.