Index: branches/2.8.x/CHANGELOG =================================================================== --- branches/2.8.x/CHANGELOG (revision 1376) +++ branches/2.8.x/CHANGELOG (revision 1377) @@ -11,6 +11,8 @@ ! = Update/Change ------------------------------------- 2.8.2 ------------------------------------- +11 Jan-2011 Build 1377 Frank Heyne (FrankH) +# Security fix for modules jsadmin, menu_link and output_filter 11 Jan-2011 Build 1376 Frank Heyne (FrankH) # Security fix for WYSIWYG module # Security fix for Wrapper module Index: branches/2.8.x/wb/admin/interface/version.php =================================================================== --- branches/2.8.x/wb/admin/interface/version.php (revision 1376) +++ branches/2.8.x/wb/admin/interface/version.php (revision 1377) @@ -52,6 +52,6 @@ // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled) if(!defined('VERSION')) define('VERSION', '2.8.2.RC4'); -if(!defined('REVISION')) define('REVISION', '1376'); +if(!defined('REVISION')) define('REVISION', '1377'); ?> \ No newline at end of file Index: branches/2.8.x/wb/modules/menu_link/uninstall.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/uninstall.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/uninstall.php (revision 1377) @@ -1,28 +1,21 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - // prevent this file from being accesses directly if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); Index: branches/2.8.x/wb/modules/menu_link/view.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/view.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/view.php (revision 1377) @@ -1,33 +1,21 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - -/* -Since there is nothing to show and users shouldn't really know this -page exists, we might as well give them a link to the home page. -*/ - // check if module language file exists for the language set by the user (e.g. DE, EN) if(!file_exists(WB_PATH .'/modules/menu_link/languages/'.LANGUAGE .'.php')) { // no module language file exists for the language set by the user, include default module language file EN.php Index: branches/2.8.x/wb/modules/menu_link/info.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/info.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/info.php (revision 1377) @@ -1,28 +1,22 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - /* History: 2.8 - June 2009 - Improved the pagelist (thorn) Index: branches/2.8.x/wb/modules/menu_link/save.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/save.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/save.php (revision 1377) @@ -22,6 +22,12 @@ $update_when_modified = true; // Tells script to update when this page was last updated require(WB_PATH.'/modules/admin.php'); +if (!$admin->checkFTAN()) +{ + $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL); + exit(); +} + // Update id, anchor and target if(isset($_POST['menu_link'])) { $foreign_page_id = $admin->add_slashes($_POST['menu_link']); Index: branches/2.8.x/wb/modules/menu_link/delete.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/delete.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/delete.php (revision 1377) @@ -1,28 +1,21 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - // prevent this file from being accesses directly if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); Index: branches/2.8.x/wb/modules/menu_link/modify.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/modify.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/modify.php (revision 1377) @@ -158,6 +158,7 @@
+getFTAN(); ?>
Index: branches/2.8.x/wb/modules/menu_link/add.php =================================================================== --- branches/2.8.x/wb/modules/menu_link/add.php (revision 1376) +++ branches/2.8.x/wb/modules/menu_link/add.php (revision 1377) @@ -1,28 +1,22 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - // prevent this file from being accesses directly if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); Index: branches/2.8.x/wb/modules/jsadmin/move_to.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/move_to.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/move_to.php (nonexistent) @@ -1,97 +0,0 @@ - - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -*/ - -require('../../config.php'); - - if(isset($_GET['page_id']) AND is_numeric($_GET['page_id']) AND is_numeric(@$_GET['position'])) { - $position = $_GET['position']; - - // Include WB admin wrapper script - $update_when_modified = true; // Tells script to update when this page was last updated - require(WB_PATH.'/modules/admin.php'); - - // Get common fields - if(isset($_GET['section_id']) AND is_numeric($_GET['section_id'])) { - $page_id = $_GET['page_id']; - $id = $_GET['section_id']; - $id_field = 'section_id'; - $common_field = 'page_id'; - $table = TABLE_PREFIX.'sections'; - } else { - $id = $_GET['page_id']; - $id_field = 'page_id'; - $common_field = 'parent'; - $table = TABLE_PREFIX.'pages'; - } - - // Get current index - $sql = <<"; - $rs = $database->query($sql); - if($row = $rs->fetchRow()) { - $common_id = $row[$common_field]; - $old_position = $row['position']; - } - echo "$old_position
"; - if($old_position == $position) - return; - - // Build query to update affected rows - if($old_position < $position) - $sql = << $old_position AND position <= $position - AND $common_field = $common_id -EOT; - else - $sql = <<= $position AND position < $old_position - AND $common_field = $common_id -EOT; - echo "
$sql
"; - $database->query($sql); - - // Build query to update specified row - $sql = <<$sql"; - $database->query($sql); -} else { - die("Missing parameters"); - header("Location: index.php"); - exit(0); -} -?> Property changes on: branches/2.8.x/wb/modules/jsadmin/move_to.php ___________________________________________________________________ Deleted: svn:executable ## -1 +0,0 ## -* \ No newline at end of property Deleted: svn:keywords ## -1 +0,0 ## -Id \ No newline at end of property Index: branches/2.8.x/wb/modules/jsadmin/uninstall.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/uninstall.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/uninstall.php (revision 1377) @@ -1,32 +1,19 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - +/** + * + * @category modules + * @package JsAdmin + * @author WebsiteBaker Project, modified by Swen Uth for Website Baker 2.7 + * @copyright (C) 2006, Stepan Riha + * @copyright 2009-2011, Website Baker Org. e.V. + * @link http://www.websitebaker2.org/ + * @license http://www.gnu.org/licenses/gpl.html + * @platform WebsiteBaker 2.8.x + * @requirements PHP 5.2.2 and higher + * @version $Id$ + * @filesource $HeadURL: http://svn.websitebaker2.org/branches/2.8.x/wb/modules/menu_link/save.php $ + * @lastmodified $Date: 2011-01-10 13:21:47 +0100 (Mo, 10 Jan 2011) $ + * */ // prevent this file from being accessed directly Index: branches/2.8.x/wb/modules/jsadmin/tool.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/tool.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/tool.php (revision 1377) @@ -1,32 +1,19 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - +/** + * + * @category modules + * @package JsAdmin + * @author WebsiteBaker Project, modified by Swen Uth for Website Baker 2.7 + * @copyright (C) 2006, Stepan Riha + * @copyright 2009-2011, Website Baker Org. e.V. + * @link http://www.websitebaker2.org/ + * @license http://www.gnu.org/licenses/gpl.html + * @platform WebsiteBaker 2.8.x + * @requirements PHP 5.2.2 and higher + * @version $Id$ + * @filesource $HeadURL: http://svn.websitebaker2.org/branches/2.8.x/wb/modules/menu_link/save.php $ + * @lastmodified $Date: 2011-01-10 13:21:47 +0100 (Mo, 10 Jan 2011) $ + * */ // direct access prevention @@ -52,6 +39,12 @@ // Check if user selected what add-ons to reload if(isset($_POST['submit']) AND $_POST['submit'] != '') { + if (!$admin->checkFTAN()) + { + $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL); + exit(); + } + // Include functions file require_once(WB_PATH.'/framework/functions.php'); save_setting('mod_jsadmin_persist_order', isset($_POST['persist_order'])); @@ -90,6 +83,7 @@ { ?> + getFTAN(); ?> Index: branches/2.8.x/wb/modules/jsadmin/jsadmin_backend_include.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/jsadmin_backend_include.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/jsadmin_backend_include.php (revision 1377) @@ -1,32 +1,19 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - +/** + * + * @category modules + * @package JsAdmin + * @author WebsiteBaker Project, modified by Swen Uth for Website Baker 2.7 + * @copyright (C) 2006, Stepan Riha + * @copyright 2009-2011, Website Baker Org. e.V. + * @link http://www.websitebaker2.org/ + * @license http://www.gnu.org/licenses/gpl.html + * @platform WebsiteBaker 2.8.x + * @requirements PHP 5.2.2 and higher + * @version $Id$ + * @filesource $HeadURL: http://svn.websitebaker2.org/branches/2.8.x/wb/modules/menu_link/save.php $ + * @lastmodified $Date: 2011-01-10 13:21:47 +0100 (Mo, 10 Jan 2011) $ + * */ // Direct access prevention Index: branches/2.8.x/wb/modules/jsadmin/jsadmin.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/jsadmin.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/jsadmin.php (revision 1377) @@ -1,32 +1,19 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - +/** + * + * @category modules + * @package JsAdmin + * @author WebsiteBaker Project, modified by Swen Uth for Website Baker 2.7 + * @copyright (C) 2006, Stepan Riha + * @copyright 2009-2011, Website Baker Org. e.V. + * @link http://www.websitebaker2.org/ + * @license http://www.gnu.org/licenses/gpl.html + * @platform WebsiteBaker 2.8.x + * @requirements PHP 5.2.2 and higher + * @version $Id$ + * @filesource $HeadURL: http://svn.websitebaker2.org/branches/2.8.x/wb/modules/menu_link/save.php $ + * @lastmodified $Date: 2011-01-10 13:21:47 +0100 (Mo, 10 Jan 2011) $ + * */ function get_setting($name, $default = '') { Index: branches/2.8.x/wb/modules/jsadmin/install.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/install.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/install.php (revision 1377) @@ -1,32 +1,19 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - +/** + * + * @category modules + * @package JsAdmin + * @author WebsiteBaker Project, modified by Swen Uth for Website Baker 2.7 + * @copyright (C) 2006, Stepan Riha + * @copyright 2009-2011, Website Baker Org. e.V. + * @link http://www.websitebaker2.org/ + * @license http://www.gnu.org/licenses/gpl.html + * @platform WebsiteBaker 2.8.x + * @requirements PHP 5.2.2 and higher + * @version $Id$ + * @filesource $HeadURL: http://svn.websitebaker2.org/branches/2.8.x/wb/modules/menu_link/save.php $ + * @lastmodified $Date: 2011-01-10 13:21:47 +0100 (Mo, 10 Jan 2011) $ + * */ // prevent this file from being accessed directly Index: branches/2.8.x/wb/modules/jsadmin/index.php =================================================================== --- branches/2.8.x/wb/modules/jsadmin/index.php (revision 1376) +++ branches/2.8.x/wb/modules/jsadmin/index.php (revision 1377) @@ -1,32 +1,19 @@ - Copyright (C) 2004-2009, Ryan Djurovich - - Website Baker is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or - (at your option) any later version. - - Website Baker is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with Website Baker; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - +/** + * + * @category modules + * @package JsAdmin + * @author WebsiteBaker Project, modified by Swen Uth for Website Baker 2.7 + * @copyright (C) 2006, Stepan Riha + * @copyright 2009-2011, Website Baker Org. e.V. + * @link http://www.websitebaker2.org/ + * @license http://www.gnu.org/licenses/gpl.html + * @platform WebsiteBaker 2.8.x + * @requirements PHP 5.2.2 and higher + * @version $Id$ + * @filesource $HeadURL: http://svn.websitebaker2.org/branches/2.8.x/wb/modules/menu_link/save.php $ + * @lastmodified $Date: 2011-01-10 13:21:47 +0100 (Mo, 10 Jan 2011) $ + * */ header('Location: ../index.php'); Index: branches/2.8.x/wb/modules/output_filter/tool.php =================================================================== --- branches/2.8.x/wb/modules/output_filter/tool.php (revision 1376) +++ branches/2.8.x/wb/modules/output_filter/tool.php (revision 1377) @@ -30,6 +30,12 @@ } // check if data was submitted if(isset($_POST['save_settings'])) { + + if (!$admin->checkFTAN()) + { + $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL); + exit(); + } // get overall output filter settings $email_filter = (isset($_POST['email_filter']) && $_POST['email_filter'] == '1') ? '1' : '0'; $mailto_filter = (isset($_POST['mailto_filter']) && $_POST['mailto_filter'] == '1') ? '1' : '0'; @@ -66,6 +72,7 @@ echo $MOD_MAIL_FILTER['WARNING']; ?> +getFTAN(); ?>
:
: