Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1352)
+++ branches/2.8.x/CHANGELOG	(revision 1353)
@@ -11,6 +11,13 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+26 Dec-2010 Frank Heyne (FrankH)
+# security fix: in modules/admin.php - check whether section belongs to page
+! security fix: changed $section_required into $no_section_required (apparently used by no module at all)
+# security fix: in path admin/users/ - added FTAN check
+# security fix: remaining vulnerabilities mentioned in http://secunia.com/secunia_research/2010-91/
+# security fix:           vulnerabilities mentioned in http://secunia.com/secunia_research/2010-92/
+# security fix: remaining vulnerabilities mentioned in http://secunia.com/secunia_research/2010-93/
 21 Dec-2010 Dietmar Woellbrink (Luisehahne)
 # fix if upgrade module can now overwrite existing newer files in modules folder
 # same for upgrade templates
Index: branches/2.8.x/wb/admin/templates/details.php
===================================================================
--- branches/2.8.x/wb/admin/templates/details.php	(revision 1352)
+++ branches/2.8.x/wb/admin/templates/details.php	(revision 1353)
@@ -34,7 +34,7 @@
 	header("Location: index.php");
 	exit(0);
 } else {
-	$file = $admin->add_slashes($_POST['file']);
+	$file = preg_replace("/\W/", "", $admin->add_slashes($_POST['file']));  // fix secunia 2010-92-2
 }
 
 // Check if the template exists
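Review bot: The `preg_replace("/\W/", "", …)` on line 28 silently rewrites the posted template name instead of rejecting it, so `../foo` becomes `foo` and a value made only of punctuation becomes the empty string after the non-empty guard above (outside the hunk) has already accepted it. If the existence check that follows is of the form `file_exists(WB_PATH.'/templates/'.$file)`, an empty `$file` resolves to the templates directory itself and passes; a legitimate template directory containing `-` or `.` is likewise mangled into a name that does not exist. Prefer validate-and-bail: `if (!preg_match('/^[A-Za-z0-9_-]+\z/', $_POST['file'])) { header('Location: index.php'); exit(0); }` before assigning `$file`. With that whitelist the `add_slashes()` call adds nothing, since the value can no longer contain quotes.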
Index: branches/2.8.x/wb/admin/pages/settings2.php
===================================================================
--- branches/2.8.x/wb/admin/pages/settings2.php	(revision 1352)
+++ branches/2.8.x/wb/admin/pages/settings2.php	(revision 1353)
@@ -36,18 +36,20 @@
 // Get values
 $page_title = htmlspecialchars($admin->get_post_escaped('page_title') );
 $menu_title = htmlspecialchars($admin->get_post_escaped('menu_title') );
-$page_code = $admin->get_post_escaped('page_code');
+$page_code = (int) $admin->get_post_escaped('page_code');
 $description = htmlspecialchars($admin->add_slashes($admin->get_post('description')) );
 $keywords = htmlspecialchars($admin->add_slashes($admin->get_post('keywords')) );
-$parent = $admin->get_post_escaped('parent');
+$parent = (int) $admin->get_post_escaped('parent'); // fix secunia 2010-91-3
 $visibility = $admin->get_post_escaped('visibility');
-$template = $admin->get_post_escaped('template');
-$target = $admin->get_post_escaped('target');
+if (!in_array($visibility, array('public', 'private', 'registered', 'hidden', 'none'))) $visibility = 'public'; // fix
+$template = preg_replace("/\W/", "", $admin->get_post_escaped('template')); // fix secunia 2010-93-3
+$target = preg_replace("/\W/", "", $admin->get_post_escaped('target'));
 $admin_groups = $admin->get_post_escaped('admin_groups');
 $viewing_groups = $admin->get_post_escaped('viewing_groups');
 $searching = $admin->get_post_escaped('searching');
-$language = $admin->get_post_escaped('language');
-$menu = $admin->get_post_escaped('menu');
+$language = strtoupper($admin->get_post('language'));
+$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
+$menu = (int) $admin->get_post_escaped('menu'); // fix secunia 2010-91-3
 
 // Validate data
 if($page_title == '' || substr($page_title,0,1)=='.')
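Review bot: `$searching` on the unchanged line `$searching = $admin->get_post_escaped('searching');` is the one remaining field in this block that is neither cast nor whitelisted, while its sibling flags `$menu` and `$parent` now get `(int)`; presumably it ends up in the UPDATE built further down (outside this hunk), so cast it the same way, `$searching = (int) $admin->get_post('searching');`, unless that column really stores non-numeric values. The `in_array($visibility, array(...))` check on line 49 uses loose comparison; pass `true` as the third argument so only those exact strings survive. The language pattern on line 58 ends in `$`, which also matches before a trailing newline (`"EN\n"` passes); `/^[A-Z]{2}\z/` is the strict form.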
@@ -95,13 +97,13 @@
 //if(!in_array(1, $admin->get_groups_id())) {
 //	$admin_groups[] = implode(",",$admin->get_groups_id());
 //}
-$admin_groups = implode(',', $admin_groups);
+$admin_groups = preg_replace("/[^\d,]/", "", implode(',', $admin_groups));
 // Setup viewing groups
 $viewing_groups[] = 1;
 //if(!in_array(1, $admin->get_groups_id())) {
 //	$viewing_groups[] = implode(",",$admin->get_groups_id());
 //}
-$viewing_groups = implode(',', $viewing_groups);
+$viewing_groups = preg_replace("/[^\d,]/", "", implode(',', $viewing_groups));
 
 // If needed, get new order
 if($parent != $old_parent)
@@ -193,7 +195,7 @@
 $sql .= '`language` = "'.$language.'", ';
 $sql .= '`admin_groups` = "'.$admin_groups.'", ';
 $sql .= '`viewing_groups` = "'.$viewing_groups.'"';
-$sql .= (defined('PAGE_LANGUAGES') && PAGE_LANGUAGES) && $field_set && (file_exists(WB_PATH.'/modules/mod_multilingual/update_keys.php')) ? ', `page_code` = '.(int)$page_code.' ' : ' ';
+$sql .= (defined('PAGE_LANGUAGES') && PAGE_LANGUAGES) && $field_set && (file_exists(WB_PATH.'/modules/mod_multilingual/update_keys.php')) ? ', `page_code` = '.$page_code.' ' : ' ';
 $sql .= 'WHERE `page_id` = '.$page_id;
 $database->query($sql);
 
Index: branches/2.8.x/wb/admin/pages/sections.php
===================================================================
--- branches/2.8.x/wb/admin/pages/sections.php	(revision 1352)
+++ branches/2.8.x/wb/admin/pages/sections.php	(revision 1353)
@@ -78,7 +78,7 @@
 } elseif(isset($_POST['module']) && $_POST['module'] != '')
 {
 	// Get section info
-	$module = $admin->add_slashes($_POST['module']);
+	$module = preg_replace("/\W/", "", $admin->add_slashes($_POST['module']));  // fix secunia 2010-91-4
 	// Include the ordering class
 	require(WB_PATH.'/framework/class.order.php');
 	// Get new order
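Review bot: The `$_POST['module'] != ''` guard on line 93 is evaluated on the raw value, but the `\W` strip on line 97 runs afterwards, so a value consisting only of non-word characters passes the guard and leaves `$module === ''`. Stripping is also lossy for a legitimate module directory name containing a hyphen, which becomes a different, non-existent name instead of an error. Reject rather than rewrite: `if (!preg_match('/^[A-Za-z0-9_-]+\z/', $_POST['module'])) { $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']); }` and, if not already done later in this branch, confirm the name exists in the modules table before it is used. The `elseif` branch continues past the end of the hunk.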
Index: branches/2.8.x/wb/admin/pages/add.php
===================================================================
--- branches/2.8.x/wb/admin/pages/add.php	(revision 1352)
+++ branches/2.8.x/wb/admin/pages/add.php	(revision 1353)
@@ -27,9 +27,10 @@
 // Get values
 $title = $admin->get_post_escaped('title');
 $title = htmlspecialchars($title);
-$module = $admin->get_post('type');
-$parent = $admin->get_post('parent');
+$module = preg_replace("/\W/", "", $admin->get_post('type')); // fix secunia 2010-93-4
+$parent = (int) $admin->get_post('parent'); // fix secunia 2010-91-2
 $visibility = $admin->get_post('visibility');
+if (!in_array($visibility, array('public', 'private', 'registered', 'hidden', 'none'))) $visibility = 'public'; // fix secunia 2010-91-2
 $admin_groups = $admin->get_post('admin_groups');
 $viewing_groups = $admin->get_post('viewing_groups');
 
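Review bot: The `in_array($visibility, …)` whitelist on line 114 uses loose comparison; add `true` as the third argument so only the exact strings pass. The `\W` strip on line 111 rewrites an invalid module type into a different string instead of rejecting it, so a posted `mod-x` silently becomes `modx`; unless the code below this hunk verifies `$module` against the installed modules, a `preg_match('/^[A-Za-z0-9_]+\z/', …)` check that bails out is the safer shape. The two `(int)` casts are good; note `$parent` is later compared with `== '0'`, which still works for the int.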
@@ -88,8 +89,8 @@
 	}
 }
 
-$admin_groups = implode(',', $admin_groups);
-$viewing_groups = implode(',', $viewing_groups);
+$admin_groups =   preg_replace("/[^\d,]/", "", implode(',', $admin_groups));
+$viewing_groups = preg_replace("/[^\d,]/", "", implode(',', $viewing_groups));
 
 // Work-out what the link and page filename should be
 if($parent == '0')
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1352)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1353)
@@ -52,6 +52,6 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC1');
-if(!defined('REVISION')) define('REVISION', '1352');
+if(!defined('REVISION')) define('REVISION', '1353');
 
 ?>
\ No newline at end of file
Index: branches/2.8.x/wb/admin/users/save.php
===================================================================
--- branches/2.8.x/wb/admin/users/save.php	(revision 1352)
+++ branches/2.8.x/wb/admin/users/save.php	(revision 1353)
@@ -22,7 +22,12 @@
 $admin = new admin('Access', 'users_modify');
 
 // Create new database object
-$database = new database();
+//$database = new database();
+if( !$admin->checkFTAN() )
+{
+	$admin->print_error($MESSAGE['PAGES_NOT_SAVED'],'index.php');
+	exit();
+}
 
 // Check if user id is a valid number and doesnt equal 1
 if(!isset($_POST['user_id']) OR !is_numeric($_POST['user_id']) OR $_POST['user_id'] == 1) {
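Review bot: The message key `$MESSAGE['PAGES_NOT_SAVED']` on line 154 is a flat key, whereas modules/admin.php in this same revision uses the nested form `$MESSAGE['PAGES']['NOT_FOUND']`; if the language files define only one of these shapes, `print_error()` will be called with an undefined index and show an empty message, so confirm which form the 2.8.x language files provide. Line 151 leaves `$database = new database();` commented out instead of deleted; if code below this hunk still uses `$database`, it must now come from the framework's global scope, which should be stated in a comment rather than left to inference. The explicit `exit()` after `print_error()` is harmless but suggests the author was unsure whether `print_error()` terminates; a one-line comment either way would settle it.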
Index: branches/2.8.x/wb/admin/users/users.php
===================================================================
--- branches/2.8.x/wb/admin/users/users.php	(revision 1352)
+++ branches/2.8.x/wb/admin/users/users.php	(revision 1353)
@@ -53,18 +53,20 @@
 	$template->set_file('page', 'users_form.htt');
 	$template->set_block('page', 'main_block', 'main');
 	$template->set_var(	array(
-										'ACTION_URL' => ADMIN_URL.'/users/save.php',
-										'SUBMIT_TITLE' => $TEXT['SAVE'],
-										'USER_ID' => $user['user_id'],
-										'USERNAME' => $user['username'],
-										'DISPLAY_NAME' => $user['display_name'],
-										'EMAIL' => $user['email'],
-										'ADMIN_URL' => ADMIN_URL,
-										'WB_URL' => WB_URL,
-										'WB_PATH' => WB_PATH,
-										'THEME_URL' => THEME_URL
-										)
-								);
+							'ACTION_URL' => ADMIN_URL.'/users/save.php',
+							'SUBMIT_TITLE' => $TEXT['SAVE'],
+							'USER_ID' => $user['user_id'],
+							'USERNAME' => $user['username'],
+							'DISPLAY_NAME' => $user['display_name'],
+							'EMAIL' => $user['email'],
+							'ADMIN_URL' => ADMIN_URL,
+							'WB_URL' => WB_URL,
+							'WB_PATH' => WB_PATH,
+							'THEME_URL' => THEME_URL
+							)
+					);
+	
+	$template->set_var('FTAN', $admin->getFTAN());
 	if($user['active'] == 1) {
 		$template->set_var('ACTIVE_CHECKED', ' checked="checked"');
 	} else {
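Review bot: The new `$template->set_var('FTAN', $admin->getFTAN());` on line 193 is a separate call placed right after an array-form `set_var()`; adding `'FTAN' => $admin->getFTAN(),` to that array keeps the form's variables in one place. The re-indentation of lines 168–191 is the bulk of the hunk and hides the one functional line; whitespace-only changes are easier to audit in their own commit. The `{FTAN}` placeholder is added to both theme templates in this revision, so a theme that does not carry it will silently lose the token and fail the new check in save.php — worth a note in the CHANGELOG entry.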
Index: branches/2.8.x/wb/admin/users/index.php
===================================================================
--- branches/2.8.x/wb/admin/users/index.php	(revision 1352)
+++ branches/2.8.x/wb/admin/users/index.php	(revision 1353)
@@ -101,6 +101,7 @@
 $template->set_var('ACTIVE_CHECKED', ' checked="checked"');
 $template->set_var('ACTION_URL', ADMIN_URL.'/users/add.php');
 $template->set_var('SUBMIT_TITLE', $TEXT['ADD']);
+$template->set_var('FTAN', $admin->getFTAN());
 // insert urls
 $template->set_var(array(
 		'ADMIN_URL' => ADMIN_URL,
Index: branches/2.8.x/wb/admin/users/add.php
===================================================================
--- branches/2.8.x/wb/admin/users/add.php	(revision 1352)
+++ branches/2.8.x/wb/admin/users/add.php	(revision 1353)
@@ -22,7 +22,12 @@
 $admin = new admin('Access', 'users_add');
 
 // Create new database object
-$database = new database();
+//$database = new database();
+if( !$admin->checkFTAN() )
+{
+	$admin->print_error($MESSAGE['PAGES_NOT_SAVED'],'index.php');
+	exit();
+}
 
 // Get details entered
 $groups_id = implode(",", $admin->add_slashes($_POST['groups'])); //should check permissions
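Review bot: `$_POST['groups']` on line 226 is still only run through `add_slashes()` before being joined into `$groups_id`, while pages/add.php in this same revision restricts the equivalent group lists to digits and commas; apply the same treatment here, `$groups_id = preg_replace("/[^\d,]/", "", implode(",", (array) $_POST['groups']));`, which also stops a scalar post from triggering the `implode()` warning. The pre-existing `//should check permissions` remark remains unaddressed: a caller with only `users_add` can presumably still assign any group id, so that check belongs next to the new FTAN guard. The `$MESSAGE['PAGES_NOT_SAVED']` text is also a pages message shown on a user form; a user-specific key would be clearer.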
Index: branches/2.8.x/wb/admin/languages/details.php
===================================================================
--- branches/2.8.x/wb/admin/languages/details.php	(revision 1352)
+++ branches/2.8.x/wb/admin/languages/details.php	(revision 1353)
@@ -28,12 +28,17 @@
 
 // Get language name
 if(!isset($_POST['code']) OR $_POST['code'] == "") {
-	header("Location: index.php");
-	exit(0);
+	$code = '';
 } else {
 	$code = $_POST['code'];
 }
 
+// fix secunia 2010-93-2
+if (!preg_match('/^[A-Z]{2}$/', $code)) {
+	header("Location: index.php");
+	exit(0);
+}
+
 // Check if the language exists
 if(!file_exists(WB_PATH.'/languages/'.$code.'.php')) {
 	header("Location: index.php");
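Review bot: The pattern `/^[A-Z]{2}$/` on line 243 still accepts `"EN\n"` because `$` matches before a trailing newline; use `/^[A-Z]{2}\z/` so the value is exactly two letters. The `file_exists()` check on line 249 most likely rejects the newline variant anyway, but the whitelist should not rely on that. If `$_POST['code']` arrives as an array, `preg_match()` emits a warning and returns `false`, which does redirect; an `is_string($_POST['code'])` test in the `isset` branch on line 234 keeps the log clean.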
Index: branches/2.8.x/wb/admin/modules/details.php
===================================================================
--- branches/2.8.x/wb/admin/modules/details.php	(revision 1352)
+++ branches/2.8.x/wb/admin/modules/details.php	(revision 1353)
@@ -38,7 +38,7 @@
 }
 else
 {
-	$file = $admin->add_slashes($_POST['file']);
+	$file = preg_replace("/\W/", "", $admin->add_slashes($_POST['file']));  // fix secunia 2010-92-1
 }
 
 // Check if the module exists
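Review bot: Line 260 is the fourth copy in this revision of the `preg_replace("/\W/", "", $admin->add_slashes($_POST[...]))` idiom, and like the others it rewrites a bad value rather than rejecting it, so an all-punctuation post becomes `''` and a hyphenated module name becomes a different name. A single helper on the admin class that validates and bails out would remove the duplication: `if (!preg_match('/^[A-Za-z0-9_-]+\z/', $_POST['file'])) { header('Location: index.php'); exit(0); }`. If the existence check on the next line is a plain `file_exists()` on `WB_PATH.'/modules/'.$file`, the empty-string case matches the modules directory itself, so the reject-early form matters here too.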
Index: branches/2.8.x/wb/templates/wb_theme/templates/users_form.htt
===================================================================
--- branches/2.8.x/wb/templates/wb_theme/templates/users_form.htt	(revision 1352)
+++ branches/2.8.x/wb/templates/wb_theme/templates/users_form.htt	(revision 1353)
@@ -12,7 +12,7 @@
 <form name="user" action="{ACTION_URL}" method="post" class="{DISPLAY_ADD}">
 <input type="hidden" name="user_id" value="{USER_ID}" />
 <input type="hidden" name="username_fieldname" value="{USERNAME_FIELDNAME}" />
-
+{FTAN}
 <table cellpadding="5" cellspacing="0" border="0" width="100%">
 <tr>
 	<td width="150">{TEXT_USERNAME}:</td>
Index: branches/2.8.x/wb/templates/argos_theme/templates/users_form.htt
===================================================================
--- branches/2.8.x/wb/templates/argos_theme/templates/users_form.htt	(revision 1352)
+++ branches/2.8.x/wb/templates/argos_theme/templates/users_form.htt	(revision 1353)
@@ -12,7 +12,7 @@
 <form name="user" action="{ACTION_URL}" method="post" class="{DISPLAY_ADD}">
 <input type="hidden" name="user_id" value="{USER_ID}" />
 <input type="hidden" name="username_fieldname" value="{USERNAME_FIELDNAME}" />
-
+{FTAN}
 <table cellpadding="5" cellspacing="0" border="0" width="100%">
 <tr>
 	<td width="150">{TEXT_USERNAME}:</td>
Index: branches/2.8.x/wb/modules/admin.php
===================================================================
--- branches/2.8.x/wb/modules/admin.php	(revision 1352)
+++ branches/2.8.x/wb/modules/admin.php	(revision 1353)
@@ -43,7 +43,7 @@
 	$section_id = $_POST['section_id'];
 } else {
 	// Check if we should redirect the user if there is no section id
-	if(!isset($section_required))
+	if (isset($no_section_required))
 	{
 		$section_id = 0;
 	} else {
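Review bot: Renaming `$section_required` to `$no_section_required` on line 299 inverts the default: a module that still sets `$section_required = true` is now silently ignored, and a module that relied on being included without a section id must now set `$no_section_required` or it is redirected. The CHANGELOG states no shipped module used the old flag, but third-party modules cannot be checked here, so document the contract above the test: `// Modules that legitimately run without a section_id must set $no_section_required = true before including this file.` The enclosing `if` that reads `$_POST['section_id']` starts before the hunk.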
@@ -84,6 +84,20 @@
 	$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
 }
 
+// Check whether the section_id belongs to the page_id at all
+if ($section_id != 0) {
+	$sql  = "SELECT `position` FROM `".TABLE_PREFIX."sections` WHERE `page_id` = '$page_id' AND `section_id` = '$section_id'";
+	$res_sec = $database->query($sql);
+	if ($database->is_error())
+	{
+		$admin->print_error($database->get_error());
+	}
+	if ($res_sec->numRows() == 0)
+	{
+		$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+	} 
+}
+
 // Workout if the developer wants to show the info banner
 if(isset($print_info_banner) && $print_info_banner == true)
 {
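Review bot: The new query on line 309 interpolates `$page_id` and `$section_id` directly into the SQL string, and `$section_id` is taken from `$_POST['section_id']` without a cast on line 295; unless the surrounding `if` (outside this hunk) already enforces `is_numeric()`, this is a string injection point despite the quotes. Casting makes the check self-contained: `$sql = "SELECT `position` FROM `".TABLE_PREFIX."sections` WHERE `page_id` = ".(int)$page_id." AND `section_id` = ".(int)$section_id;`. The `$section_id != 0` guard on line 308 is a loose comparison, so a non-numeric string compares equal to 0 in PHP 5 and skips the ownership check entirely; the `(int)` cast resolves that as well.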
