The Daily WTF
Content Management Systems always end up suffering, at least a little, from the Inner Platform Effect. There's the additional problem that, unlike, say, a big ol' enterprise HR system or similar, CMSes are useful for just about everyone. They're a quick and easy way to put together a site which anyone can maintain. But a CMS never has enough features for your content. So you always install plugins: plugins of wildly varying quality and compatibility.
Lucio Crusca was doing a security audit of a Joomla site and found this block inside an installed plugin:
<?php if(!empty($MyForm->formrow->scriptcode)){
    echo "<script type='text/javascript'>\n";
    echo "//<![CDATA[\n";
    // the stored form setting is handed straight to eval()
    eval("?>".$MyForm->formrow->scriptcode);
    echo "//]]>\n";
    echo "</script>\n";
} ?>
Let's just focus on the echoes to start. We're directly outputting a <script> tag into the body of the page, and adding the bonus CDATA wrapper, ensuring compatibility with XHTML, which is nice if your code ever slips into the mirror
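For contrast, here is the same output block rebuilt without the eval() call. This is an added example, not code from the article or from the plugin it describes; render_script_block and $scriptcode are assumed names, and it assumes the stored value is an administrator-authored script that the page is meant to emit verbatim.

```php
<?php
// Added example: the plugin's output block with eval() removed.
// The original passes the stored string to eval("?>" . $code). The leading
// "?>" switches the interpreter back to inline-HTML mode, so the string is
// treated as a PHP template: plain text is printed, but any "<?php" segment
// inside it is executed on the server. Emitting the string with echo keeps
// the intended behaviour (the admin's JavaScript lands in the page) while
// nothing in the stored value can run server-side.

function render_script_block(string $scriptcode): string
{
    if ($scriptcode === '') {
        return '';
    }

    // A literal "</script" inside the stored text would close the element
    // early; "<\/script" is equivalent inside a JavaScript string literal.
    $body = str_ireplace('</script', '<\/script', $scriptcode);

    return "<script type='text/javascript'>\n"
         . "//<![CDATA[\n"
         . $body . "\n"
         . "//]]>\n"
         . "</script>\n";
}

// Constructed sample input standing in for $MyForm->formrow->scriptcode.
echo render_script_block('document.title = "hello";');
```

The stored value still controls client-side script, so who may edit that form setting is the remaining access-control question; the change above only removes the server-side execution path.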