Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG (revision 1356)
+++ branches/2.8.x/CHANGELOG (revision 1357)
@@ -11,6 +11,9 @@
! = Update/Change
------------------------------------- 2.8.2 -------------------------------------
+27 Dec-2010 Build 1357 Frank Heyne (FrankH)
+# security fix: in path admin/pages/ - added FTAN check
+! had to enhance parameter for getFTAN() in framework/class.secureform.php
27 Dec-2010 Build 1356 Dietmar Woellbrink (Luisehahne)
# more little fixes in settings
! change to RC2
Index: branches/2.8.x/wb/admin/pages/move_down.php
===================================================================
--- branches/2.8.x/wb/admin/pages/move_down.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/move_down.php (revision 1357)
@@ -48,6 +48,12 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages_settings');
+if (!$admin->checkFTAN('get'))
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Include the ordering class
require(WB_PATH.'/framework/class.order.php');
Index: branches/2.8.x/wb/admin/pages/save.php
===================================================================
--- branches/2.8.x/wb/admin/pages/save.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/save.php (revision 1357)
@@ -35,6 +35,12 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages_modify');
+if (!$admin->checkFTAN())
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Get perms
$sql = 'SELECT `admin_groups`,`admin_users` FROM `'.TABLE_PREFIX.'pages` ';
$sql .= 'WHERE `page_id` = '.$page_id;
@@ -89,7 +95,8 @@
{
$admin->print_error($database->get_error(), $js_back);
} else {
- $admin->print_success($MESSAGE['PAGES']['SAVED'], ADMIN_URL.'/pages/modify.php?page_id='.$page_id);
+ $ftan2 = $admin->getFTAN(2);
+ $admin->print_success($MESSAGE['PAGES']['SAVED'], ADMIN_URL."/pages/modify.php?page_id=$page_id&$ftan2");
}
// Print admin footer
Index: branches/2.8.x/wb/admin/pages/empty_trash.php
===================================================================
--- branches/2.8.x/wb/admin/pages/empty_trash.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/empty_trash.php (revision 1357)
@@ -27,11 +27,17 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages');
+if (!$admin->checkFTAN('get'))
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Include the WB functions file
require_once(WB_PATH.'/framework/functions.php');
// Get page list from database
-$database = new database();
+//$database = new database();
$query = "SELECT * FROM ".TABLE_PREFIX."pages WHERE visibility = 'deleted' ORDER BY level DESC";
$get_pages = $database->query($query);
Index: branches/2.8.x/wb/admin/pages/settings.php
===================================================================
--- branches/2.8.x/wb/admin/pages/settings.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/settings.php (revision 1357)
@@ -30,6 +30,12 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages_settings');
+if (!$admin->checkFTAN('get'))
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Include the WB functions file
require_once(WB_PATH.'/framework/functions-utf8.php');
@@ -90,6 +96,7 @@
$template = new Template(THEME_PATH.'/templates');
$template->set_file('page', 'pages_settings.htt');
$template->set_block('page', 'main_block', 'main');
+$template->set_var('FTAN', $admin->getFTAN());
$template->set_var(array(
'PAGE_ID' => $results_array['page_id'],
Index: branches/2.8.x/wb/admin/pages/delete.php
===================================================================
--- branches/2.8.x/wb/admin/pages/delete.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/delete.php (revision 1357)
@@ -44,6 +44,12 @@
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
}
+if (!$admin->checkFTAN('get'))
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Find out more about the page
$query = "SELECT * FROM ".TABLE_PREFIX."pages WHERE page_id = '$page_id'";
$results = $database->query($query);
Index: branches/2.8.x/wb/admin/pages/sections_save.php
===================================================================
--- branches/2.8.x/wb/admin/pages/sections_save.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/sections_save.php (revision 1357)
@@ -46,6 +46,12 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages_modify');
+if (!$admin->checkFTAN())
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Get perms
$database = new database();
$results = $database->query("SELECT admin_groups,admin_users FROM ".TABLE_PREFIX."pages WHERE page_id = '$page_id'");
@@ -120,7 +126,8 @@
if($database->is_error()) {
$admin->print_error($database->get_error(), ADMIN_URL.'/pages/sections.php?page_id='.$page_id);
} else {
- $admin->print_success($MESSAGE['PAGES']['SECTIONS_PROPERTIES_SAVED'], ADMIN_URL.'/pages/sections.php?page_id='.$page_id);
+ $ftan2 = $admin->getFTAN(2);
+ $admin->print_success($MESSAGE['PAGES']['SECTIONS_PROPERTIES_SAVED'], ADMIN_URL."/pages/sections.php?page_id=$page_id&$ftan2");
}
// Print admin footer
Index: branches/2.8.x/wb/admin/pages/index.php
===================================================================
--- branches/2.8.x/wb/admin/pages/index.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/index.php (revision 1357)
@@ -19,6 +19,9 @@
require('../../config.php');
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages');
+
+$ftan = $admin->getFTAN(2);
+
// Include the WB functions file
require_once(WB_PATH.'/framework/functions.php');
// eggsurplus: add child pages for a specific page
@@ -125,7 +128,7 @@
get_permission('pages_modify') == true AND $can_modify == true) { ?>
get_permission('pages_settings') == true AND $can_modify == true) { ?>
-
+ " title="">
![<?php echo $TEXT['SETTINGS']; ?>](<?php echo THEME_URL; ?>/images/modify_16.png)
-
+ " title="">
![<?php echo $TEXT['RESTORE']; ?>](<?php echo THEME_URL; ?>/images/restore_16.png)
@@ -214,11 +217,11 @@
{
$file=$admin->page_is_active($page)?"clock_16.png":"clock_red_16.png";
?>
-
+ " title="">
 " border="0" alt="" />
-
+ " title="">
![<?php echo $HEADING['MANAGE_SECTIONS']; ?>](<?php echo THEME_URL; ?>/images/noclock_16.png)
@@ -228,7 +231,7 @@
get_permission('pages_settings') == true AND $can_modify == true) { ?>
-
+ " title="">
![<?php echo $TEXT['MOVE_UP']; ?>](<?php echo THEME_URL; ?>/images/up_16.png)
@@ -239,7 +242,7 @@
get_permission('pages_settings') == true AND $can_modify == true) { ?>
-
+ " title="">
![<?php echo $TEXT['MOVE_DOWN']; ?>](<?php echo THEME_URL; ?>/images/down_16.png)
@@ -248,7 +251,7 @@
|
get_permission('pages_delete') == true AND $can_modify == true) { ?>
-
+ ');" title="">
![<?php echo $TEXT['DELETE']; ?>](<?php echo THEME_URL; ?>/images/delete_16.png)
@@ -301,7 +304,7 @@
$query_trash = $database->query("SELECT page_id FROM ".TABLE_PREFIX."pages WHERE visibility = 'deleted'");
if($query_trash->numRows() > 0) {
?>
-
+ ">
set_file('page', 'pages.htt');
$template->set_block('page', 'main_block', 'main');
+$template->set_var('FTAN', $admin->getFTAN());
// Figure out if the no pages found message should be shown or not
if($editable_pages == 0) {
Index: branches/2.8.x/wb/admin/pages/move_up.php
===================================================================
--- branches/2.8.x/wb/admin/pages/move_up.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/move_up.php (revision 1357)
@@ -48,6 +48,12 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages_settings');
+if (!$admin->checkFTAN('get'))
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
// Include the ordering class
require(WB_PATH.'/framework/class.order.php');
Index: branches/2.8.x/wb/admin/pages/trash.php
===================================================================
--- branches/2.8.x/wb/admin/pages/trash.php (revision 1356)
+++ branches/2.8.x/wb/admin/pages/trash.php (revision 1357)
@@ -27,6 +27,12 @@
require_once(WB_PATH.'/framework/class.admin.php');
$admin = new admin('Pages', 'pages');
+if (!$admin->checkFTAN('get'))
+{
+ $admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+ exit();
+}
+
?>
| ![<?php echo $TEXT['VISIBILITY']; ?>: <?php echo $TEXT['PUBLIC']; ?>](<?php echo THEME_URL; ?>/images/visible_16.png)
@@ -176,12 +179,12 @@