
Revision 1353

Added by FrankH almost 14 years ago

Security fixes


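--- a/branches/2.8.x/CHANGELOG
+++ b/branches/2.8.x/CHANGELOG
@@ -11,6 +11,13 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+26 Dec-2010 Frank Heyne (FrankH)
+# security fix: in modules/admin.php - check whether section belongs to page
+! security fix: changed $section_required into $no_section_required (apparently used by no module at all)
+# security fix: in path admin/users/ - added FTAN check
+# security fix: remaining vulnerabilities mentioned in http://secunia.com/secunia_research/2010-91/
+# security fix:           vulnerabilities mentioned in http://secunia.com/secunia_research/2010-92/
+# security fix: remaining vulnerabilities mentioned in http://secunia.com/secunia_research/2010-93/
 21 Dec-2010 Dietmar Woellbrink (Luisehahne)
 # fix if upgrade module can now overwrite existing newer files in modules folder
 # same for upgrade templates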
branches/2.8.x/wb/admin/templates/details.php
34 34
	header("Location: index.php");
35 35
	exit(0);
36 36
} else {
37
	$file = $admin->add_slashes($_POST['file']);
37
	$file = preg_replace("/\W/", "", $admin->add_slashes($_POST['file']));  // fix secunia 2010-92-2
38 38
}
39 39

  
40 40
// Check if the template exists
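Review bot: Stripping non-word characters at line 37 silently rewrites a template name instead of rejecting it, so `my-template` becomes `mytemplate` and a submitted `../x` becomes `x`, and the existence check that follows then runs against a name the user never sent; input consisting only of `.` and `/` would also leave this branch with `$file === ''`. Rejecting is easier to reason about: `if (!isset($_POST['file']) || !preg_match('/^\w+$/', $_POST['file'])) { header("Location: index.php"); exit(0); }` in place of the `else` assignment, which also makes `add_slashes()` redundant because a `\w`-only string contains nothing to escape. The `if`/`else` this belongs to starts before the hunk, so the exact condition it already tests is not visible here.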
branches/2.8.x/wb/admin/pages/settings2.php
36 36
// Get values
37 37
$page_title = htmlspecialchars($admin->get_post_escaped('page_title') );
38 38
$menu_title = htmlspecialchars($admin->get_post_escaped('menu_title') );
39
$page_code = $admin->get_post_escaped('page_code');
39
$page_code = (int) $admin->get_post_escaped('page_code');
40 40
$description = htmlspecialchars($admin->add_slashes($admin->get_post('description')) );
41 41
$keywords = htmlspecialchars($admin->add_slashes($admin->get_post('keywords')) );
42
$parent = $admin->get_post_escaped('parent');
42
$parent = (int) $admin->get_post_escaped('parent'); // fix secunia 2010-91-3
43 43
$visibility = $admin->get_post_escaped('visibility');
44
$template = $admin->get_post_escaped('template');
45
$target = $admin->get_post_escaped('target');
44
if (!in_array($visibility, array('public', 'private', 'registered', 'hidden', 'none'))) $visibility = 'public'; // fix
45
$template = preg_replace("/\W/", "", $admin->get_post_escaped('template')); // fix secunia 2010-93-3
46
$target = preg_replace("/\W/", "", $admin->get_post_escaped('target'));
46 47
$admin_groups = $admin->get_post_escaped('admin_groups');
47 48
$viewing_groups = $admin->get_post_escaped('viewing_groups');
48 49
$searching = $admin->get_post_escaped('searching');
49
$language = $admin->get_post_escaped('language');
50
$menu = $admin->get_post_escaped('menu');
50
$language = strtoupper($admin->get_post('language'));
51
$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
52
$menu = (int) $admin->get_post_escaped('menu'); // fix secunia 2010-91-3
51 53

  
52 54
// Validate data
53 55
if($page_title == '' || substr($page_title,0,1)=='.')
......
95 97
//if(!in_array(1, $admin->get_groups_id())) {
96 98
//	$admin_groups[] = implode(",",$admin->get_groups_id());
97 99
//}
98
$admin_groups = implode(',', $admin_groups);
100
$admin_groups = preg_replace("/[^\d,]/", "", implode(',', $admin_groups));
99 101
// Setup viewing groups
100 102
$viewing_groups[] = 1;
101 103
//if(!in_array(1, $admin->get_groups_id())) {
102 104
//	$viewing_groups[] = implode(",",$admin->get_groups_id());
103 105
//}
104
$viewing_groups = implode(',', $viewing_groups);
106
$viewing_groups = preg_replace("/[^\d,]/", "", implode(',', $viewing_groups));
105 107

  
106 108
// If needed, get new order
107 109
if($parent != $old_parent)
......
193 195
$sql .= '`language` = "'.$language.'", ';
194 196
$sql .= '`admin_groups` = "'.$admin_groups.'", ';
195 197
$sql .= '`viewing_groups` = "'.$viewing_groups.'"';
196
$sql .= (defined('PAGE_LANGUAGES') && PAGE_LANGUAGES) && $field_set && (file_exists(WB_PATH.'/modules/mod_multilingual/update_keys.php')) ? ', `page_code` = '.(int)$page_code.' ' : ' ';
198
$sql .= (defined('PAGE_LANGUAGES') && PAGE_LANGUAGES) && $field_set && (file_exists(WB_PATH.'/modules/mod_multilingual/update_keys.php')) ? ', `page_code` = '.$page_code.' ' : ' ';
197 199
$sql .= 'WHERE `page_id` = '.$page_id;
198 200
$database->query($sql);
199 201

  
branches/2.8.x/wb/admin/pages/sections.php
78 78
} elseif(isset($_POST['module']) && $_POST['module'] != '')
79 79
{
80 80
	// Get section info
81
	$module = $admin->add_slashes($_POST['module']);
81
	$module = preg_replace("/\W/", "", $admin->add_slashes($_POST['module']));  // fix secunia 2010-91-4
82 82
	// Include the ordering class
83 83
	require(WB_PATH.'/framework/class.order.php');
84 84
	// Get new order
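Review bot: The `\W` strip at line 81 blocks path characters but does not establish that `$module` names an installed module, and how `$module` is used after this hunk (the comment at line 80 says "Get section info") is not visible here. A whitelist against the filesystem right after the assignment is the check a reviewer would want: `if ($module === '' || !is_dir(WB_PATH.'/modules/'.$module)) { $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']); }` — presumably the file does something like this further down, in which case it is only a matter of doing it before `class.order.php` is loaded and any ordering work starts. The `elseif` branch this belongs to begins before the hunk.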
branches/2.8.x/wb/admin/pages/add.php
27 27
// Get values
28 28
$title = $admin->get_post_escaped('title');
29 29
$title = htmlspecialchars($title);
30
$module = $admin->get_post('type');
31
$parent = $admin->get_post('parent');
30
$module = preg_replace("/\W/", "", $admin->get_post('type')); // fix secunia 2010-93-4
31
$parent = (int) $admin->get_post('parent'); // fix secunia 2010-91-2
32 32
$visibility = $admin->get_post('visibility');
33
if (!in_array($visibility, array('public', 'private', 'registered', 'hidden', 'none'))) $visibility = 'public'; // fix secunia 2010-91-2
33 34
$admin_groups = $admin->get_post('admin_groups');
34 35
$viewing_groups = $admin->get_post('viewing_groups');
35 36

  
......
88 89
	}
89 90
}
90 91

  
91
$admin_groups = implode(',', $admin_groups);
92
$viewing_groups = implode(',', $viewing_groups);
92
$admin_groups =   preg_replace("/[^\d,]/", "", implode(',', $admin_groups));
93
$viewing_groups = preg_replace("/[^\d,]/", "", implode(',', $viewing_groups));
93 94

  
94 95
// Work-out what the link and page filename should be
95 96
if($parent == '0')
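Review bot: With `$parent` now cast to int at line 31, the `if($parent == '0')` at line 95 compares an int with a string through loose comparison; it works, but `if ($parent === 0)` states the intent and survives the cast being moved. The group lists at lines 92–93 are still built with `implode()` on whatever `get_post()` returned, so a scalar `admin_groups` value raises a warning (a `TypeError` on PHP 8) before the regex ever runs; `implode(',', array_map('intval', (array) $admin_groups))` handles both cases and yields a well-formed id list instead of one that merely contains only digits and commas. Whether the posted ids are restricted to groups the current user may assign is not visible in these hunks.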
branches/2.8.x/wb/admin/interface/version.php
52 52

  
53 53
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54 54
if(!defined('VERSION')) define('VERSION', '2.8.2.RC1');
55
if(!defined('REVISION')) define('REVISION', '1352');
55
if(!defined('REVISION')) define('REVISION', '1353');
56 56

  
57 57
?>
branches/2.8.x/wb/admin/users/save.php
22 22
$admin = new admin('Access', 'users_modify');
23 23

  
24 24
// Create new database object
25
$database = new database();
25
//$database = new database();
26
if( !$admin->checkFTAN() )
27
{
28
	$admin->print_error($MESSAGE['PAGES_NOT_SAVED'],'index.php');
29
	exit();
30
}
26 31

  
27 32
// Check if user id is a valid number and doesnt equal 1
28 33
if(!isset($_POST['user_id']) OR !is_numeric($_POST['user_id']) OR $_POST['user_id'] == 1) {
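Review bot: The `$database = new database();` at line 25 is commented out rather than deleted; if the framework already provides `$database` (the rest of the file still needs one), remove the line, otherwise a one-line comment saying why it is no longer needed would help the next reader. The failure path reuses `$MESSAGE['PAGES_NOT_SAVED']` for a user-save request; a generic token-failure message, if the language files have one, would be less confusing to the admin who sees it. `$admin->print_error()` may already terminate the request, in which case the `exit()` after it is belt-and-braces — harmless, but worth a comment such as `// print_error() normally redirects; exit() in case it returns`.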
branches/2.8.x/wb/admin/users/users.php
53 53
	$template->set_file('page', 'users_form.htt');
54 54
	$template->set_block('page', 'main_block', 'main');
55 55
	$template->set_var(	array(
56
										'ACTION_URL' => ADMIN_URL.'/users/save.php',
57
										'SUBMIT_TITLE' => $TEXT['SAVE'],
58
										'USER_ID' => $user['user_id'],
59
										'USERNAME' => $user['username'],
60
										'DISPLAY_NAME' => $user['display_name'],
61
										'EMAIL' => $user['email'],
62
										'ADMIN_URL' => ADMIN_URL,
63
										'WB_URL' => WB_URL,
64
										'WB_PATH' => WB_PATH,
65
										'THEME_URL' => THEME_URL
66
										)
67
								);
56
							'ACTION_URL' => ADMIN_URL.'/users/save.php',
57
							'SUBMIT_TITLE' => $TEXT['SAVE'],
58
							'USER_ID' => $user['user_id'],
59
							'USERNAME' => $user['username'],
60
							'DISPLAY_NAME' => $user['display_name'],
61
							'EMAIL' => $user['email'],
62
							'ADMIN_URL' => ADMIN_URL,
63
							'WB_URL' => WB_URL,
64
							'WB_PATH' => WB_PATH,
65
							'THEME_URL' => THEME_URL
66
							)
67
					);
68
	
69
	$template->set_var('FTAN', $admin->getFTAN());
68 70
	if($user['active'] == 1) {
69 71
		$template->set_var('ACTIVE_CHECKED', ' checked="checked"');
70 72
	} else {
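Review bot: The FTAN value is added as a separate `set_var()` call at line 69 while the hunk also appears to re-indent the twelve unchanged entries of the preceding array (lines 56–67), which makes the security change harder to pick out of the diff. Adding `'FTAN' => $admin->getFTAN(),` as one more entry of that array, and leaving the indentation alone in a security commit, keeps the diff to the lines that change behaviour. Which of the two printed copies of lines 56–67 is old and which is new cannot be recovered from this rendering, so the re-indentation is an inference.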
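--- a/branches/2.8.x/wb/admin/users/index.php
+++ b/branches/2.8.x/wb/admin/users/index.php
@@ -101,6 +101,7 @@
 $template->set_var('ACTIVE_CHECKED', ' checked="checked"');
 $template->set_var('ACTION_URL', ADMIN_URL.'/users/add.php');
 $template->set_var('SUBMIT_TITLE', $TEXT['ADD']);
+$template->set_var('FTAN', $admin->getFTAN());
 // insert urls
 $template->set_var(array(
 		'ADMIN_URL' => ADMIN_URL,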
branches/2.8.x/wb/admin/users/add.php
22 22
$admin = new admin('Access', 'users_add');
23 23

  
24 24
// Create new database object
25
$database = new database();
25
//$database = new database();
26
if( !$admin->checkFTAN() )
27
{
28
	$admin->print_error($MESSAGE['PAGES_NOT_SAVED'],'index.php');
29
	exit();
30
}
26 31

  
27 32
// Get details entered
28 33
$groups_id = implode(",", $admin->add_slashes($_POST['groups'])); //should check permissions
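Review bot: The FTAN check closes the CSRF hole, but the very next statement at line 33 still builds `$groups_id` from `$_POST['groups']` with only `add_slashes()` and the long-standing `//should check permissions` comment, so an over-privileged group list submitted by a legitimately logged-in `users_add` user is not addressed by this commit. At minimum the ids should be integers — `$groups_id = implode(',', array_map('intval', (array) $_POST['groups']));` — and ideally filtered against the groups the current admin is allowed to grant; the form-side list is not visible here, so that part is an assumption. As in save.php, the commented-out `$database = new database();` at line 25 should be deleted rather than left behind.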
branches/2.8.x/wb/admin/languages/details.php
28 28

  
29 29
// Get language name
30 30
if(!isset($_POST['code']) OR $_POST['code'] == "") {
31
	header("Location: index.php");
32
	exit(0);
31
	$code = '';
33 32
} else {
34 33
	$code = $_POST['code'];
35 34
}
36 35

  
36
// fix secunia 2010-93-2
37
if (!preg_match('/^[A-Z]{2}$/', $code)) {
38
	header("Location: index.php");
39
	exit(0);
40
}
41

  
37 42
// Check if the language exists
38 43
if(!file_exists(WB_PATH.'/languages/'.$code.'.php')) {
39 44
	header("Location: index.php");
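Review bot: The `^[A-Z]{2}$` check at line 37 rejects a lowercase code outright, whereas `settings2.php` in this same commit normalises with `strtoupper()` before applying the identical pattern; if language files are always stored uppercase, `$code = strtoupper($_POST['code']);` at line 33 would make the two paths consistent and let a lowercase submission from an older form still resolve. The pattern is ASCII-only without the `u` modifier, which is the right choice for a file-name component, and the `file_exists()` check that follows now only ever sees a two-letter name. A comment on the new block, `// only two uppercase letters may reach file_exists() below`, would tell the next maintainer why the earlier redirect was replaced by `$code = ''`.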
branches/2.8.x/wb/admin/modules/details.php
38 38
}
39 39
else
40 40
{
41
	$file = $admin->add_slashes($_POST['file']);
41
	$file = preg_replace("/\W/", "", $admin->add_slashes($_POST['file']));  // fix secunia 2010-92-1
42 42
}
43 43

  
44 44
// Check if the module exists
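Review bot: After the `\W` strip at line 41, `$file` can legitimately be the empty string (for input such as `../` or `.`), and the existence check that follows would then be probing the modules directory itself rather than a module; an explicit `if ($file === '') { header("Location: index.php"); exit(0); }` after the strip — or a `preg_match('/^\w+$/', ...)` reject in place of the strip — closes that path. The `if` that leads into this `else` starts before the hunk, so whether it already handles an unset `$_POST['file']` is not visible here.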
branches/2.8.x/wb/templates/wb_theme/templates/users_form.htt
12 12
<form name="user" action="{ACTION_URL}" method="post" class="{DISPLAY_ADD}">
13 13
<input type="hidden" name="user_id" value="{USER_ID}" />
14 14
<input type="hidden" name="username_fieldname" value="{USERNAME_FIELDNAME}" />
15

  
15
{FTAN}
16 16
<table cellpadding="5" cellspacing="0" border="0" width="100%">
17 17
<tr>
18 18
	<td width="150">{TEXT_USERNAME}:</td>
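Review bot: `{FTAN}` is placed as bare markup inside the form at line 15, so this only works if `$admin->getFTAN()` returns a complete hidden `<input>` element rather than just the token string; `users.php` and `index.php` in this commit pass its return value straight through, so the template alone cannot tell. If it returns only the token, the placeholder would need to become `<input type="hidden" name="FTAN" value="{FTAN}" />` (with the field name matching what `checkFTAN()` reads), otherwise every user save now fails the new check. A short template comment, `<!-- FTAN: CSRF token field rendered by admin::getFTAN() -->`, would spare the next maintainer the same question.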
branches/2.8.x/wb/templates/argos_theme/templates/users_form.htt
12 12
<form name="user" action="{ACTION_URL}" method="post" class="{DISPLAY_ADD}">
13 13
<input type="hidden" name="user_id" value="{USER_ID}" />
14 14
<input type="hidden" name="username_fieldname" value="{USERNAME_FIELDNAME}" />
15

  
15
{FTAN}
16 16
<table cellpadding="5" cellspacing="0" border="0" width="100%">
17 17
<tr>
18 18
	<td width="150">{TEXT_USERNAME}:</td>
branches/2.8.x/wb/modules/admin.php
43 43
	$section_id = $_POST['section_id'];
44 44
} else {
45 45
	// Check if we should redirect the user if there is no section id
46
	if(!isset($section_required))
46
	if (isset($no_section_required))
47 47
	{
48 48
		$section_id = 0;
49 49
	} else {
......
84 84
	$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
85 85
}
86 86

  
87
// Check whether the section_id belongs to the page_id at all
88
if ($section_id != 0) {
89
	$sql  = "SELECT `position` FROM `".TABLE_PREFIX."sections` WHERE `page_id` = '$page_id' AND `section_id` = '$section_id'";
90
	$res_sec = $database->query($sql);
91
	if ($database->is_error())
92
	{
93
		$admin->print_error($database->get_error());
94
	}
95
	if ($res_sec->numRows() == 0)
96
	{
97
		$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
98
	} 
99
}
100

  
87 101
// Workout if the developer wants to show the info banner
88 102
if(isset($print_info_banner) && $print_info_banner == true)
89 103
{
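Review bot: The new ownership query at line 89 interpolates `$page_id` and `$section_id` directly into the SQL string; `$section_id` comes from `$_POST['section_id']` at line 43, and the condition guarding that assignment is outside this hunk, so unless it already enforces `is_numeric()` the check meant to stop section tampering is itself injectable. Casting both values when building the query, `WHERE page_id = ".(int)$page_id." AND section_id = ".(int)$section_id`, makes it safe regardless of the earlier guard, and the `position` column is never read afterwards, so `SELECT section_id` (or `COUNT(*)`) would state the intent more plainly. Separately, renaming `$section_required` to `$no_section_required` inverts the default: a module that sets neither now falls into the `else` at line 49 instead of getting `$section_id = 0`, which is fine for the bundled modules per the changelog but will silently change behaviour for any third-party module relying on the old default, so it deserves a line in the upgrade notes.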
