Security Fix 09

To close a XSS hole found in aMember v.4/v.5 please make the following changes to aMember files:

Edit file amember/application/default/controllers/LoginController.php with a text editor.
Find lines
    protected function getRedirectUrl($url)
        $redirect_url = parse_url($url);
        if (!is_array($redirect_url))
immediately after return;, on the next line - add
        if (isset($redirect_url['scheme']) && !in_array($redirect_url['scheme'], array('http', 'https'))) {
It will fix the problem.

We recommend to apply this patch manually only if you have customized aMember Pro version running. In all other case we recommend to upgrade to latest version of aMember.

Return to the member area