Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1388)
+++ branches/2.8.x/CHANGELOG	(revision 1389)
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+16 Jan-2011 Build 1389 Frank Heyne (FrankH)
+# Security fixes for modules captcha_control, code and droplets
 16 Jan-2011 Build 1388 Dietmar Woellbrink (Luisehahne)
 # more Security fix for admin/pages
 16 Jan-2011 Build 1387 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1388)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1389)
@@ -52,6 +52,6 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC4');
-if(!defined('REVISION')) define('REVISION', '1388');
+if(!defined('REVISION')) define('REVISION', '1389');
 
 ?>
Index: branches/2.8.x/wb/modules/captcha_control/info.php
===================================================================
--- branches/2.8.x/wb/modules/captcha_control/info.php	(revision 1388)
+++ branches/2.8.x/wb/modules/captcha_control/info.php	(revision 1389)
@@ -31,7 +31,7 @@
 $module_directory 	= 'captcha_control';
 $module_name 			= 'Captcha and Advanced-Spam-Protection (ASP) Control';
 $module_function 		= 'tool';
-$module_version 		= '1.0';
+$module_version 		= '1.1';
 $module_platform 		= '2.7 | 2.8.x';
 $module_author 		= 'Thomas Hornik (thorn)';
 $module_license 		= 'GNU General Public License';
Index: branches/2.8.x/wb/modules/captcha_control/tool.php
===================================================================
--- branches/2.8.x/wb/modules/captcha_control/tool.php	(revision 1388)
+++ branches/2.8.x/wb/modules/captcha_control/tool.php	(revision 1389)
@@ -1,197 +1,204 @@
-<?php
-
-// $Id$
-
-/*
-
- Website Baker Project <http://www.websitebaker.org/>
- Copyright (C) 2004-2009, Ryan Djurovich
-
- Website Baker is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- Website Baker is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with Website Baker; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-*/
-
-// direct access prevention
-defined('WB_PATH') OR die(header('Location: ../index.php'));
-
-// check if module language file exists for the language set by the user (e.g. DE, EN)
-if(!file_exists(WB_PATH .'/modules/captcha_control/languages/'.LANGUAGE .'.php')) {
-	// no module language file exists for the language set by the user, include default module language file EN.php
-	require_once(WB_PATH .'/modules/captcha_control/languages/EN.php');
-} else {
-	// a module language file exists for the language defined by the user, load it
-	require_once(WB_PATH .'/modules/captcha_control/languages/'.LANGUAGE .'.php');
-}
-
-$table = TABLE_PREFIX.'mod_captcha_control';
-$js_back = "javascript: history.go(-1);";
-
-// check if data was submitted
-if(isset($_POST['save_settings'])) {
-	// get configuration settings
-	$enabled_captcha = ($_POST['enabled_captcha'] == '1') ? '1' : '0';
-	$enabled_asp = ($_POST['enabled_asp'] == '1') ? '1' : '0';
-	$captcha_type = $admin->add_slashes($_POST['captcha_type']);
-	
-	// update database settings
-	$database->query("UPDATE $table SET
-		enabled_captcha = '$enabled_captcha',
-		enabled_asp = '$enabled_asp',
-		captcha_type = '$captcha_type'
-	");
-
-	// save text-captchas
-	if($captcha_type == 'text') { // ct_text
-		$text_qa=$admin->add_slashes($_POST['text_qa']);
-		if(!preg_match('/### .*? ###/', $text_qa)) {
-			$database->query("UPDATE $table SET ct_text = '$text_qa'");
-		}
-	}
-	
-	// check if there is a database error, otherwise say successful
-	if($database->is_error()) {
-		$admin->print_error($database->get_error(), $js_back);
-	} else {
-		$admin->print_success($MESSAGE['PAGES']['SAVED'], ADMIN_URL.'/admintools/tool.php?tool=captcha_control');
-	}
-
-} else {
-	
-	// include captcha-file
-	require_once(WB_PATH .'/include/captcha/captcha.php');
-
-	// load text-captchas
-	$text_qa='';
-	if($query = $database->query("SELECT ct_text FROM $table")) {
-		$data = $query->fetchRow();
-		$text_qa = $data['ct_text'];
-	}
-	if($text_qa == '')
-		$text_qa = $MOD_CAPTCHA_CONTROL['CAPTCHA_TEXT_DESC'];
-
-// script to load image
-?>
-<script type="text/javascript">
-	var pics = new Array();
-
-	pics["ttf_image"] = new Image();
-	pics["ttf_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/ttf_image.png'?>";
-
-	pics["calc_image"] = new Image();
-	pics["calc_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/calc_image.png'?>";
-
-	pics["calc_ttf_image"] = new Image();
-	pics["calc_ttf_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/calc_ttf_image.png'?>";
-
-	pics["old_image"] = new Image();
-	pics["old_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/old_image.png'?>";
-	
-	pics["calc_text"] = new Image();
-	pics["calc_text"].src = "<?php echo WB_URL.'/include/captcha/captchas/calc_text.png'?>";
-	
-	pics["text"] = new Image();
-	pics["text"].src = "<?php echo WB_URL.'/include/captcha/captchas/text.png'?>";
-
-	function load_captcha_image() {
-		document.captcha_example.src = pics[document.store_settings.captcha_type.value].src;
-		toggle_text_qa();
-	}
-	
-	function toggle_text_qa() {
-		if(document.store_settings.captcha_type.value == 'text' ) {
-			document.getElementById('text_qa').style.display = '';
-		} else {
-			document.getElementById('text_qa').style.display = 'none';
-		}
-	}
-
-</script>
-<?php
-
-	// connect to database and read out captcha settings
-	if($query = $database->query("SELECT * FROM $table")) {
-		$data = $query->fetchRow();
-		$enabled_captcha = $data['enabled_captcha'];
-		$enabled_asp = $data['enabled_asp'];
-		$captcha_type = $data['captcha_type'];
-	} else {
-		// something went wrong, use dummy value
-		$enabled_captcha = '1';
-		$enabled_asp = '1';
-		$captcha_type = 'calc_text';
-	}
-		
-	// write out heading
-	echo '<h2>' .$MOD_CAPTCHA_CONTROL['HEADING'] .'</h2>';
-
-	// output the form with values from the database
-	echo '<p>' .$MOD_CAPTCHA_CONTROL['HOWTO'] .'</p>';
-?>
-<form name="store_settings" action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
-	<table width="98%" cellspacing="0" border="0" cellpadding="5px" class="row_a">
-	<tr><td colspan="2"><strong><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_CONF'];?>:</strong></td></tr>
-	<tr>
-		<td width="30%"><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_TYPE'];?>:</td>
-		<td>
-		<select name="captcha_type" id="captcha_type" onchange="load_captcha_image()" style="width: 98%;">
-			<?php foreach($useable_captchas AS $key=>$text) {
-			echo "<option value=\"$key\" ".($captcha_type==$key ? ' selected="selected"' : '').">$text</option>";
-			} ?>
-		</select>
-		</td>
-	</tr>
-	<tr>
-		<td>&nbsp;</td>
-		<td align="left" width="150px">
-            <img alt="captcha_example" id="captcha_example" src="<?php echo WB_URL.'/include/captcha/captchas/'.$captcha_type.'.png'?>" />
-        </td>
-	</tr>
-	<tr id="text_qa" style="display:<?php if($captcha_type=='text') echo ''; else echo 'none'; ;?>;">
-		<td valign="top" class="setting_name"><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_ENTER_TEXT'];?>:</td>
-		<td class="setting_value" colspan="2">
-			<textarea name="text_qa" cols="60" rows="10"><?php echo $text_qa; ?></textarea>
-		</td>
-	</tr>
-	<tr>
-		<td><?php echo $MOD_CAPTCHA_CONTROL['USE_SIGNUP_CAPTCHA'];?>:</td>
-		<td>
-			<input type="radio" <?php echo ($enabled_captcha=='1') ?'checked="checked"' :'';?>
-				name="enabled_captcha" value="1" /><?php echo $MOD_CAPTCHA_CONTROL['ENABLED'];?>
-			<input type="radio" <?php echo ($enabled_captcha=='0') ?'checked="checked"' :'';?>
-				name="enabled_captcha" value="0" /><?php echo $MOD_CAPTCHA_CONTROL['DISABLED'];?>
-		</td>
-	</tr>
-	<tr><td>&nbsp;</td><td style="font-size:smaller;"><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_EXP'];?></td></tr>
-	<tr><td colspan="2"><br /><strong><?php echo $MOD_CAPTCHA_CONTROL['ASP_CONF'];?>:</strong></td></tr>
-	<tr>
-		<td><?php echo $MOD_CAPTCHA_CONTROL['ASP_TEXT'];?>:</td>
-		<td>
-			<input type="radio" <?php echo ($enabled_asp=='1') ?'checked="checked"' :'';?>
-				name="enabled_asp" value="1" /><?php echo $MOD_CAPTCHA_CONTROL['ENABLED'];?>
-			<input type="radio" <?php echo ($enabled_asp=='0') ?'checked="checked"' :'';?>
-				name="enabled_asp" value="0" /><?php echo $MOD_CAPTCHA_CONTROL['DISABLED'];?>
-		</td>
-	</tr>
-	<tr>
-        <td>&nbsp;</td>
-        <td style="font-size:smaller;"><?php echo $MOD_CAPTCHA_CONTROL['ASP_EXP'];?></td>
-    </tr>
-	</table>
-	<input type="submit" name="save_settings" style="margin-top:10px; width:140px;" value="<?php echo $TEXT['SAVE']; ?>" />
-</form>
-<?php
-}
-
+<?php
+
+// $Id$
+
+/*
+
+ Website Baker Project <http://www.websitebaker.org/>
+ Copyright (C) 2004-2009, Ryan Djurovich
+
+ Website Baker is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ Website Baker is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with Website Baker; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+*/
+
+// direct access prevention
+defined('WB_PATH') OR die(header('Location: ../index.php'));
+
+// check if module language file exists for the language set by the user (e.g. DE, EN)
+if(!file_exists(WB_PATH .'/modules/captcha_control/languages/'.LANGUAGE .'.php')) {
+	// no module language file exists for the language set by the user, include default module language file EN.php
+	require_once(WB_PATH .'/modules/captcha_control/languages/EN.php');
+} else {
+	// a module language file exists for the language defined by the user, load it
+	require_once(WB_PATH .'/modules/captcha_control/languages/'.LANGUAGE .'.php');
+}
+
+$table = TABLE_PREFIX.'mod_captcha_control';
+$js_back = "javascript: history.go(-1);";
+
+// check if data was submitted
+if(isset($_POST['save_settings'])) {
+	if (!$admin->checkFTAN())
+	{
+		$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+		exit();
+	}
+	
+	// get configuration settings
+	$enabled_captcha = ($_POST['enabled_captcha'] == '1') ? '1' : '0';
+	$enabled_asp = ($_POST['enabled_asp'] == '1') ? '1' : '0';
+	$captcha_type = $admin->add_slashes($_POST['captcha_type']);
+	
+	// update database settings
+	$database->query("UPDATE $table SET
+		enabled_captcha = '$enabled_captcha',
+		enabled_asp = '$enabled_asp',
+		captcha_type = '$captcha_type'
+	");
+
+	// save text-captchas
+	if($captcha_type == 'text') { // ct_text
+		$text_qa=$admin->add_slashes($_POST['text_qa']);
+		if(!preg_match('/### .*? ###/', $text_qa)) {
+			$database->query("UPDATE $table SET ct_text = '$text_qa'");
+		}
+	}
+	
+	// check if there is a database error, otherwise say successful
+	if($database->is_error()) {
+		$admin->print_error($database->get_error(), $js_back);
+	} else {
+		$admin->print_success($MESSAGE['PAGES']['SAVED'], ADMIN_URL.'/admintools/tool.php?tool=captcha_control');
+	}
+
+} else {
+	
+	// include captcha-file
+	require_once(WB_PATH .'/include/captcha/captcha.php');
+
+	// load text-captchas
+	$text_qa='';
+	if($query = $database->query("SELECT ct_text FROM $table")) {
+		$data = $query->fetchRow();
+		$text_qa = $data['ct_text'];
+	}
+	if($text_qa == '')
+		$text_qa = $MOD_CAPTCHA_CONTROL['CAPTCHA_TEXT_DESC'];
+
+// script to load image
+?>
+<script type="text/javascript">
+	var pics = new Array();
+
+	pics["ttf_image"] = new Image();
+	pics["ttf_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/ttf_image.png'?>";
+
+	pics["calc_image"] = new Image();
+	pics["calc_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/calc_image.png'?>";
+
+	pics["calc_ttf_image"] = new Image();
+	pics["calc_ttf_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/calc_ttf_image.png'?>";
+
+	pics["old_image"] = new Image();
+	pics["old_image"].src = "<?php echo WB_URL.'/include/captcha/captchas/old_image.png'?>";
+	
+	pics["calc_text"] = new Image();
+	pics["calc_text"].src = "<?php echo WB_URL.'/include/captcha/captchas/calc_text.png'?>";
+	
+	pics["text"] = new Image();
+	pics["text"].src = "<?php echo WB_URL.'/include/captcha/captchas/text.png'?>";
+
+	function load_captcha_image() {
+		document.captcha_example.src = pics[document.store_settings.captcha_type.value].src;
+		toggle_text_qa();
+	}
+	
+	function toggle_text_qa() {
+		if(document.store_settings.captcha_type.value == 'text' ) {
+			document.getElementById('text_qa').style.display = '';
+		} else {
+			document.getElementById('text_qa').style.display = 'none';
+		}
+	}
+
+</script>
+<?php
+
+	// connect to database and read out captcha settings
+	if($query = $database->query("SELECT * FROM $table")) {
+		$data = $query->fetchRow();
+		$enabled_captcha = $data['enabled_captcha'];
+		$enabled_asp = $data['enabled_asp'];
+		$captcha_type = $data['captcha_type'];
+	} else {
+		// something went wrong, use dummy value
+		$enabled_captcha = '1';
+		$enabled_asp = '1';
+		$captcha_type = 'calc_text';
+	}
+		
+	// write out heading
+	echo '<h2>' .$MOD_CAPTCHA_CONTROL['HEADING'] .'</h2>';
+
+	// output the form with values from the database
+	echo '<p>' .$MOD_CAPTCHA_CONTROL['HOWTO'] .'</p>';
+?>
+<form name="store_settings" action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
+	<?php echo $admin->getFTAN(); ?>
+	<table width="98%" cellspacing="0" border="0" cellpadding="5px" class="row_a">
+	<tr><td colspan="2"><strong><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_CONF'];?>:</strong></td></tr>
+	<tr>
+		<td width="30%"><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_TYPE'];?>:</td>
+		<td>
+		<select name="captcha_type" id="captcha_type" onchange="load_captcha_image()" style="width: 98%;">
+			<?php foreach($useable_captchas AS $key=>$text) {
+			echo "<option value=\"$key\" ".($captcha_type==$key ? ' selected="selected"' : '').">$text</option>";
+			} ?>
+		</select>
+		</td>
+	</tr>
+	<tr>
+		<td>&nbsp;</td>
+		<td align="left" width="150px">
+            <img alt="captcha_example" id="captcha_example" src="<?php echo WB_URL.'/include/captcha/captchas/'.$captcha_type.'.png'?>" />
+        </td>
+	</tr>
+	<tr id="text_qa" style="display:<?php if($captcha_type=='text') echo ''; else echo 'none'; ;?>;">
+		<td valign="top" class="setting_name"><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_ENTER_TEXT'];?>:</td>
+		<td class="setting_value" colspan="2">
+			<textarea name="text_qa" cols="60" rows="10"><?php echo $text_qa; ?></textarea>
+		</td>
+	</tr>
+	<tr>
+		<td><?php echo $MOD_CAPTCHA_CONTROL['USE_SIGNUP_CAPTCHA'];?>:</td>
+		<td>
+			<input type="radio" <?php echo ($enabled_captcha=='1') ?'checked="checked"' :'';?>
+				name="enabled_captcha" value="1" /><?php echo $MOD_CAPTCHA_CONTROL['ENABLED'];?>
+			<input type="radio" <?php echo ($enabled_captcha=='0') ?'checked="checked"' :'';?>
+				name="enabled_captcha" value="0" /><?php echo $MOD_CAPTCHA_CONTROL['DISABLED'];?>
+		</td>
+	</tr>
+	<tr><td>&nbsp;</td><td style="font-size:smaller;"><?php echo $MOD_CAPTCHA_CONTROL['CAPTCHA_EXP'];?></td></tr>
+	<tr><td colspan="2"><br /><strong><?php echo $MOD_CAPTCHA_CONTROL['ASP_CONF'];?>:</strong></td></tr>
+	<tr>
+		<td><?php echo $MOD_CAPTCHA_CONTROL['ASP_TEXT'];?>:</td>
+		<td>
+			<input type="radio" <?php echo ($enabled_asp=='1') ?'checked="checked"' :'';?>
+				name="enabled_asp" value="1" /><?php echo $MOD_CAPTCHA_CONTROL['ENABLED'];?>
+			<input type="radio" <?php echo ($enabled_asp=='0') ?'checked="checked"' :'';?>
+				name="enabled_asp" value="0" /><?php echo $MOD_CAPTCHA_CONTROL['DISABLED'];?>
+		</td>
+	</tr>
+	<tr>
+        <td>&nbsp;</td>
+        <td style="font-size:smaller;"><?php echo $MOD_CAPTCHA_CONTROL['ASP_EXP'];?></td>
+    </tr>
+	</table>
+	<input type="submit" name="save_settings" style="margin-top:10px; width:140px;" value="<?php echo $TEXT['SAVE']; ?>" />
+</form>
+<?php
+}
+
 ?>
\ No newline at end of file
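Review bot: The form action on the new side still echoes `$_SERVER['REQUEST_URI']` unescaped into an HTML attribute (`<form name="store_settings" action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">`), which the FTAN addition does not cover; escape it with `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES)` or point the action at the fixed tool URL already used for the success redirect. The submitted `captcha_type` is likewise stored after `add_slashes` only and later concatenated into the example image `src`; checking it against the keys of `$useable_captchas` (presumably provided by include/captcha/captcha.php, which the POST branch would then also need to include) would keep the stored value to a known set. The hunk shows the whole file removed and re-added, which looks like a line-ending or whitespace normalisation rather than a content rewrite; a whitespace-insensitive diff would make the two real changes (the `checkFTAN` guard and the `getFTAN` field) easier to review.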
Index: branches/2.8.x/wb/modules/code/htt/modify.htt
===================================================================
--- branches/2.8.x/wb/modules/code/htt/modify.htt	(revision 1388)
+++ branches/2.8.x/wb/modules/code/htt/modify.htt	(revision 1389)
@@ -5,7 +5,7 @@
 
 <input type="hidden" name="page_id" value="{PAGE_ID}" />
 <input type="hidden" name="section_id" value="{SECTION_ID}" />
-
+{FTAN}
 <textarea cols="2" rows="20"  id="content{SECTION}" name="content" style="width: 100%; height: 380px">{CONTENT}</textarea>
 
 <table cellpadding="0" cellspacing="0" border="0" width="100%" >
Index: branches/2.8.x/wb/modules/code/info.php
===================================================================
--- branches/2.8.x/wb/modules/code/info.php	(revision 1388)
+++ branches/2.8.x/wb/modules/code/info.php	(revision 1389)
@@ -19,7 +19,7 @@
 $module_directory	= 'code';
 $module_name		= 'Code';
 $module_function	= 'page';
-$module_version		= '2.8.1';
+$module_version		= '2.8.2';
 $module_platform	= '2.7 | 2.8.x';
 $module_author		= 'Ryan Djurovich';
 $module_license		= 'GNU General Public License';
Index: branches/2.8.x/wb/modules/code/save.php
===================================================================
--- branches/2.8.x/wb/modules/code/save.php	(revision 1388)
+++ branches/2.8.x/wb/modules/code/save.php	(revision 1389)
@@ -22,6 +22,12 @@
 $update_when_modified = true; // Tells script to update when this page was last updated
 require(WB_PATH.'/modules/admin.php');
 
+if (!$admin->checkFTAN())
+{
+	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+	exit();
+}
+
 // Update the mod_wysiwygs table with the contents
 if(isset($_POST['content'])) {
 	$tags = array('<?php', '?>' , '<?');
Index: branches/2.8.x/wb/modules/code/modify.php
===================================================================
--- branches/2.8.x/wb/modules/code/modify.php	(revision 1388)
+++ branches/2.8.x/wb/modules/code/modify.php	(revision 1389)
@@ -37,7 +37,8 @@
 		'CONTENT'				=> $content,
 		'TEXT_SAVE'				=> $TEXT['SAVE'],
 		'TEXT_CANCEL'			=> $TEXT['CANCEL'],
-		'SECTION'				=> $section_id
+		'SECTION'				=> $section_id,
+		'FTAN'					=> $admin->getFTAN()
 	)
 );
 
Index: branches/2.8.x/wb/modules/droplets/delete_droplet.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/delete_droplet.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/delete_droplet.php	(revision 1389)
@@ -19,17 +19,17 @@
 
 require('../../config.php');
 
-// Get id
-if(!isset($_GET['droplet_id']) OR !is_numeric($_GET['droplet_id'])) {
-	header("Location: ".ADMIN_URL."/pages/index.php");
-} else {
-	$droplet_id = $_GET['droplet_id'];
-}
-
 // Include WB admin wrapper script
 require_once(WB_PATH.'/framework/class.admin.php');
 require_once(WB_PATH.'/framework/functions.php');
 
+// Get id
+$droplet_id = $admin->checkIDKEY('droplet_id', false, 'GET');
+if (!$droplet_id) {
+ $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+ exit();
+}
+
 // check website baker platform (with WB 2.7, Admin-Tools were moved out of settings dialogue)
 if(file_exists(ADMIN_PATH .'/admintools/tool.php')) {
 	$admintool_link = ADMIN_URL .'/admintools/index.php';
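Review bot: `$admin->checkIDKEY('droplet_id', false, 'GET')` is now called right after the class.admin.php include, but the `$admin` object's construction is not visible in this hunk; in the parallel hunk in modify_droplet.php the same call runs before `$admin = new admin('admintools', 'admintools');`, so unless config.php already provides an `$admin` instance the check fails on an undefined object, and even if it does, the permission check performed by that constructor runs only after the ID key has been consumed. Move `$admin = new admin('admintools', 'admintools');` above the `checkIDKEY` call in both files; the first save_droplet.php hunk appears to have the same ordering with `checkFTAN`. The single-space indentation of the new `print_error`/`exit()` lines also differs from the tab indentation used in the rest of the file.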
Index: branches/2.8.x/wb/modules/droplets/info.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/info.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/info.php	(revision 1389)
@@ -20,7 +20,7 @@
 $module_directory = 'droplets';
 $module_name = 'Droplets';
 $module_function = 'tool';
-$module_version = '1.0.3';
+$module_version = '1.0.4';
 $module_platform = '2.8.x';
 $module_author = 'Ruud and pcwacht';
 $module_license = 'GNU General Public License';
Index: branches/2.8.x/wb/modules/droplets/tool.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/tool.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/tool.php	(revision 1389)
@@ -58,7 +58,7 @@
 	<td valign="top" width="50%" align="right">
 		<a href="#" onclick="javascript: window.open('<?php echo WB_URL; ?>/modules/droplets/readme/<?php echo $DR_TEXT['README']; ?>','helpwindow','width=700,height=550,directories=no,location=no,menubar=no,scrollbars=yes,status=no,toolbar=no,resizable=yes');"><?php echo $DR_TEXT['HELP']; ?></a>
 		<br /><br />
-		<a href="#" onclick="javascript: window.location = '<?php echo WB_URL; ?>/modules/droplets/backup_droplets.php';"><?php echo $DR_TEXT['BACKUP']; ?></a>
+		<a href="#" onclick="javascript: window.location = '<?php echo WB_URL; ?>/modules/droplets/backup_droplets.php?id=<?php echo $admin->getIDKEY(999) . '\';">' .$DR_TEXT['BACKUP']; ?></a>
 	</td>
 </tr>
 </table>
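Review bot: The rewritten backup link puts the closing quote, the `onclick` terminator and the link text inside the PHP echo (`'\';">' .$DR_TEXT['BACKUP']`), so the HTML structure is no longer readable from the markup and the escaped single quote is easy to get wrong; the two following hunks keep the markup outside PHP, and the same shape works here: `...backup_droplets.php?id=<?php echo $admin->getIDKEY(999); ?>';"><?php echo $DR_TEXT['BACKUP']; ?></a>`. The literal `999` is also the value backup_droplets.php compares against, so a short comment naming it as the backup-link token id (or one shared constant) would tie the two files together.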
@@ -108,12 +108,12 @@
 		
 		<tr class="row_<?php echo $row; ?>" >
 			<td >
-				<a href="<?php echo WB_URL; ?>/modules/droplets/modify_droplet.php?droplet_id=<?php echo $droplet['id']?>" title="<?php echo $TEXT['MODIFY']; ?>">
+				<a href="<?php echo WB_URL; ?>/modules/droplets/modify_droplet.php?droplet_id=<?php echo $admin->getIDKEY($droplet['id']); ?>" title="<?php echo $TEXT['MODIFY']; ?>">
 					<img src="<?php echo THEME_URL; ?>/images/modify_16.png" border="0" alt="Modify" /> 
 				</a>
 			</td>
 			<td >
-				<a href="<?php echo WB_URL; ?>/modules/droplets/modify_droplet.php?droplet_id=<?php echo $droplet['id']?>" class="tooltip">
+				<a href="<?php echo WB_URL; ?>/modules/droplets/modify_droplet.php?droplet_id=<?php echo $admin->getIDKEY($droplet['id']); ?>" class="tooltip">
 							<?php if ($valid_code && $unique_droplet) { ?><img src="<?php echo WB_URL; ?>/modules/droplets/img/droplet.png" border="0" alt=""/>
 							<?php } else {  ?><img src="<?php echo WB_URL; ?>/modules/droplets/img/invalid.gif" border="0" title="" alt=""/><?php }  ?>
 					<?php echo $droplet['name']; ?><?php echo $comments; ?>
@@ -126,7 +126,7 @@
 				<b><?php if($droplet['active'] == 1){ echo '<span style="color: green;">'. $TEXT['YES']. '</span>'; } else { echo '<span style="color: red;">'.$TEXT['NO'].'</span>';  } ?></b>
 			</td>
 			<td >
-				<a href="javascript: confirm_link('<?php echo $TEXT['ARE_YOU_SURE']; ?>', '<?php echo WB_URL; ?>/modules/droplets/delete_droplet.php?droplet_id=<?php echo $droplet['id']?>');" title="<?php echo $TEXT['DELETE']; ?>">
+				<a href="javascript: confirm_link('<?php echo $TEXT['ARE_YOU_SURE']; ?>', '<?php echo WB_URL; ?>/modules/droplets/delete_droplet.php?droplet_id=<?php echo $admin->getIDKEY($droplet['id']); ?>');" title="<?php echo $TEXT['DELETE']; ?>">
 					<img src="<?php echo THEME_URL; ?>/images/delete_16.png" border="0" alt="X" />
 				</a>
 			</td>
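Review bot: The delete action remains a plain GET link to `delete_droplet.php?droplet_id=...`; the IDKEY token stops forged cross-origin requests, but a link that deletes on GET is still reachable by link prefetchers and browser history, and the token ends up in referrer headers and server logs. Consider submitting the delete through a small POST form carrying the FTAN that the other pages now emit, keeping the `confirm_link` prompt; this can be a follow-up since the token already closes the immediate gap.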
Index: branches/2.8.x/wb/modules/droplets/modify_droplet.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/modify_droplet.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/modify_droplet.php	(revision 1389)
@@ -19,16 +19,16 @@
 
 require('../../config.php');
 
+require_once(WB_PATH.'/framework/class.admin.php');
+require_once(WB_PATH.'/framework/functions.php');
+
 // Get id
-if(!isset($_GET['droplet_id']) OR !is_numeric($_GET['droplet_id'])) {
-	header("Location: ".ADMIN_URL."/pages/index.php");
-} else {
-	$droplet_id = $_GET['droplet_id'];
+$droplet_id = $admin->checkIDKEY('droplet_id', false, 'GET');
+if (!$droplet_id) {
+ $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+ exit();
 }
 
-require_once(WB_PATH.'/framework/class.admin.php');
-require_once(WB_PATH.'/framework/functions.php');
-
 $admintool_link = ADMIN_URL .'/admintools/index.php';
 $module_edit_link = ADMIN_URL .'/admintools/tool.php?tool=droplets';
 $admin = new admin('admintools', 'admintools');
@@ -70,6 +70,7 @@
 <input type="hidden" name="data_codepress" value="" />
 <input type="hidden" name="droplet_id" value="<?php echo $droplet_id; ?>" />
 <input type="hidden" name="show_wysiwyg" value="<?php echo $fetch_content['show_wysiwyg']; ?>" />
+<?php echo $admin->getFTAN(); ?>
 
 <table class="row_a" cellpadding="4" cellspacing="0" border="0" width="100%">
 		<tr>
Index: branches/2.8.x/wb/modules/droplets/add_droplet.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/add_droplet.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/add_droplet.php	(revision 1389)
@@ -41,7 +41,7 @@
 	if($database->is_error()) {
 		$admin->print_error($database->get_error(), $module_edit_link);
 	} else {
-		$admin->print_success($TEXT['SUCCESS'], WB_URL.'/modules/droplets/modify_droplet.php?droplet_id='.$droplet_id);
+		$admin->print_success($TEXT['SUCCESS'], WB_URL.'/modules/droplets/modify_droplet.php?droplet_id='. $admin->getIDKEY($droplet_id));
 	}
 
 	// Print admin footer
Index: branches/2.8.x/wb/modules/droplets/backup_droplets.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/backup_droplets.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/backup_droplets.php	(revision 1389)
@@ -20,6 +20,7 @@
 // tool_edit.php
 require_once('../../config.php');
 require_once(WB_PATH.'/framework/class.admin.php');
+
 require_once(WB_PATH.'/framework/functions.php');
 // create admin object depending on platform (admin tools were moved out of settings with WB 2.7)
 $admin = new admin('admintools', 'admintools');
@@ -27,6 +28,12 @@
 $module_edit_link = ADMIN_URL .'/admintools/tool.php?tool=droplets';
 $template_edit_link = ADMIN_URL .'/admintools/tool.php?tool=templateedit';
 
+// protect from CSRF
+$id = $admin->checkIDKEY('id', false, 'GET');
+if (!$id or $id != 999) {
+ $admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+ exit();
+}
 
 ?>
 <h4 style="margin: 0; border-bottom: 1px solid #DDD; padding-bottom: 5px;">
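Review bot: In `if (!$id or $id != 999)` the first test is redundant — a false or 0 result from `checkIDKEY` already fails `$id != 999` — and `999` is a magic value that only makes sense together with `getIDKEY(999)` in tool.php; write it as `if ($id != 999) {` and add a comment such as `// 999 is the fixed id tool.php uses for the backup-link token`, or define one shared constant. The comment `// protect from CSRF` would also be more useful if it said that the key is resolved from the session, so a reader understands why a constant id still gives protection (assuming that is how checkIDKEY works — not visible here). Unlike the droplets edit/delete scripts, the check here correctly runs after `$admin = new admin(...)`.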
Index: branches/2.8.x/wb/modules/droplets/save_droplet.php
===================================================================
--- branches/2.8.x/wb/modules/droplets/save_droplet.php	(revision 1388)
+++ branches/2.8.x/wb/modules/droplets/save_droplet.php	(revision 1389)
@@ -23,12 +23,18 @@
 if(!isset($_POST['droplet_id']) OR !is_numeric($_POST['droplet_id'])) {
 	header("Location: ".ADMIN_URL."/pages/index.php");
 } else {
-	$droplet_id = $_POST['droplet_id'];
+	$droplet_id = (int) $_POST['droplet_id'];
 }
 // Include WB admin wrapper script
 require_once(WB_PATH.'/framework/class.admin.php');
 require_once(WB_PATH.'/framework/functions.php');
 
+if (!$admin->checkFTAN())
+{
+	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+	exit();
+}
+
 // check website baker platform (with WB 2.7, Admin-Tools were moved out of settings dialogue)
 if(file_exists(ADMIN_PATH .'/admintools/tool.php')) {
 	$admintool_link = ADMIN_URL .'/admintools/index.php';
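Review bot: The redirect `header("Location: ".ADMIN_URL."/pages/index.php");` a few lines above the new FTAN check has no `exit()`, so a request without a numeric `droplet_id` keeps running into the rest of the script with `$droplet_id` undefined; the commit adds `exit();` after its own `print_error`, and the same `exit();` belongs after that `header()` call. The `(int)` cast on `$droplet_id` is a good addition, but it only executes on the else branch, so the fall-through case still reaches the update with no id at all.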
@@ -45,10 +51,10 @@
 	$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/droplets/modify_droplet.php?droplet_id='.$droplet_id);
 } else {
 	$title = $admin->add_slashes($admin->get_post('title'));
-	$active = $admin->get_post('active');
-	$admin_view = $admin->get_post('admin_view');
-	$admin_edit = $admin->get_post('admin_edit');
-	$show_wysiwyg = $admin->get_post('show_wysiwyg');
+	$active = (int) $admin->get_post('active');
+	$admin_view = (int) $admin->get_post('admin_view');
+	$admin_edit = (int) $admin->get_post('admin_edit');
+	$show_wysiwyg = (int) $admin->get_post('show_wysiwyg');
 	$description = $admin->add_slashes($admin->get_post('description'));
 	$tags = array('<?php', '?>' , '<?');
 	$content = $admin->add_slashes(str_replace($tags, '', $_POST['savecontent']));
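Review bot: The `FILL_IN_ALL` error redirect at the top of this hunk still passes the raw id (`modify_droplet.php?droplet_id='.$droplet_id`), while modify_droplet.php now rejects anything that is not an ID key and the db-error redirect later in this same commit was switched to `$admin->getIDKEY($droplet_id)`; the validation-error path therefore lands on the security-access error page instead of the edit form. Change it to `WB_URL.'/modules/droplets/modify_droplet.php?droplet_id='. $admin->getIDKEY($droplet_id)` to match.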
@@ -55,7 +61,7 @@
 	
 	$comments = $admin->add_slashes($admin->get_post('comments'));
 	$modified_when = time();
-	$modified_by = $admin->get_user_id(); 
+	$modified_by = (int) $admin->get_user_id(); 
 }
 
 // Update row
@@ -63,7 +69,7 @@
 
 // Check if there is a db error, otherwise say successful
 if($database->is_error()) {
-	$admin->print_error($database->get_error(), WB_URL.'/modules/droplets/modify_droplet.php?droplet_id='.$droplet_id);
+	$admin->print_error($database->get_error(), WB_URL.'/modules/droplets/modify_droplet.php?droplet_id='. $admin->getIDKEY($droplet_id));
 } else {
     $admin->print_success($TEXT['SUCCESS'], $module_edit_link);
 }
