Security Fix 09

To close an XSS hole found in aMember v.4/v.5, please make the following changes to the aMember files:

Edit file amember/application/default/controllers/LoginController.php with a text editor.
Find the lines:
    protected function getRedirectUrl($url)
    {
        $redirect_url = parse_url($url);
        if (!is_array($redirect_url))
            return;
Immediately after return; (on the next line), add:
        if (isset($redirect_url['scheme']) && !in_array($redirect_url['scheme'], array('http', 'https'))) {
            return;
        }        
This fixes the problem: a redirect URL whose scheme is anything other than http or https is now rejected.
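
The effect of the added check can be seen by running the same condition over a few constructed redirect values. This is an added example, not aMember source code; redirect_scheme_allowed() is a hypothetical stand-alone helper that returns true or false instead of a URL.

```php
<?php
// Added illustration; not aMember source. redirect_scheme_allowed() is a
// hypothetical helper that mirrors the check inserted into getRedirectUrl().
function redirect_scheme_allowed($url)
{
    $redirect_url = parse_url($url);
    if (!is_array($redirect_url)) {
        return false; // parse_url() returns false for seriously malformed URLs
    }
    // Same condition as the patch: a scheme, if present, must be http or https.
    if (isset($redirect_url['scheme'])
        && !in_array($redirect_url['scheme'], array('http', 'https'))) {
        return false;
    }
    return true; // no scheme (relative URL) or an allowed one
}

// Constructed sample values, not taken from any real request.
$samples = array(
    'https://example.com/amember/member', // absolute URL, allowed scheme
    '/amember/member',                    // relative URL, no scheme at all
    'javascript:alert(1)',                // script scheme
    'data:text/html,hello',               // data scheme
    'HTTPS://example.com/amember/member', // parse_url() keeps the case and the
                                          // comparison is case-sensitive
    'http:///example.com',                // malformed, parse_url() fails
);

foreach ($samples as $url) {
    $verdict = redirect_scheme_allowed($url) ? 'allowed' : 'rejected';
    printf("%-40s %s\n", $url, $verdict);
}
```

The check only constrains the scheme, so relative and scheme-less values still pass through to whatever the rest of getRedirectUrl() does with them.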

We recommend applying this patch manually only if you are running a customized version of aMember Pro. In all other cases, we recommend upgrading to the latest version of aMember.
