Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1394)
+++ branches/2.8.x/CHANGELOG	(revision 1395)
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+17 Jan-2011 Build 1395 Frank Heyne (FrankH)
+# Security fix in admin/addons
 16 Jan-2011 Build 1394 Dietmar Woellbrink (Luisehahne)
 ! set construct to FRONTEND class.wb
 ! set 2.8.2 to RC5
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1394)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1395)
@@ -52,6 +52,6 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
-if(!defined('REVISION')) define('REVISION', '1394');
+if(!defined('REVISION')) define('REVISION', '1395');
 
 ?>
Index: branches/2.8.x/wb/admin/addons/reload.php
===================================================================
--- branches/2.8.x/wb/admin/addons/reload.php	(revision 1394)
+++ branches/2.8.x/wb/admin/addons/reload.php	(revision 1395)
@@ -36,6 +36,12 @@
 $admin = new admin('Admintools', 'admintools', false, false);
 if ($admin->get_permission('admintools') == false) die(header('Location: ../../index.php'));
 
+if (!$admin->checkFTAN())
+{
+	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL);
+	exit();
+}
+
 // check if the referer URL if available
 $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 
 	(isset($HTTP_SERVER_VARS['HTTP_REFERER']) ? $HTTP_SERVER_VARS['HTTP_REFERER'] : '');
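Review bot: The token check added on lines 34-38 runs unconditionally, so any request reaching reload.php without a valid FTAN now ends in the security error, including a plain GET from a link or bookmark; that is the right outcome for a state-changing action, but nothing in the hunk records it, and the referer handling that follows still reads as if direct navigation were expected. A comment above the block would make the intent explicit, e.g. `// reject requests that do not carry the form token (FTAN) issued with the addons page; the reload is only reachable from that POST form`. Whether print_error() already terminates the script (making the explicit exit() redundant) cannot be seen from this hunk.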
Index: branches/2.8.x/wb/admin/addons/index.php
===================================================================
--- branches/2.8.x/wb/admin/addons/index.php	(revision 1394)
+++ branches/2.8.x/wb/admin/addons/index.php	(revision 1395)
@@ -73,7 +73,7 @@
                 ? '<a href="' . ADMIN_URL . '/addons/index.php?advanced">' . $TEXT['ADVANCED'] . '</a>' : '',
 	'ADVANCED_URL' => $admin->get_permission('admintools') ? ADMIN_URL . '/addons/index.php' : '',
     'TEXT_ADVANCED' => $TEXT['ADVANCED'],
-
+	'FTAN'			=> $admin->getFTAN()
 	)
 );
 
Index: branches/2.8.x/wb/templates/wb_theme/templates/addons.htt
===================================================================
--- branches/2.8.x/wb/templates/wb_theme/templates/addons.htt	(revision 1394)
+++ branches/2.8.x/wb/templates/wb_theme/templates/addons.htt	(revision 1395)
@@ -48,6 +48,7 @@
 		<tr>
 			<td class="description">
 				<form action="{RELOAD_URL}" method="post">
+				{FTAN}
 				{MESSAGE_RELOAD_ADDONS}<br style="margin-bottom: 0.5em" />
 				<input {DISPLAY_MODULES} type="checkbox" name="reload_modules" id="reload_modules" value="true" />
 				<label {DISPLAY_MODULES} for="reload_modules">{MODULES}</label>
Index: branches/2.8.x/wb/templates/argos_theme/templates/addons.htt
===================================================================
--- branches/2.8.x/wb/templates/argos_theme/templates/addons.htt	(revision 1394)
+++ branches/2.8.x/wb/templates/argos_theme/templates/addons.htt	(revision 1395)
@@ -39,6 +39,7 @@
 					<td class="graphic" align="center" valign="middle" rowspan="2"><img src="{THEME_URL}/icons/admintools.png" alt="{TXT_ADMIN_SETTINGS}" /> </td>
 					<td class="description" valign="top"><span class="title">{TXT_ADMIN_SETTINGS}</span>
 						<form action="{RELOAD_URL}" method="post">
+						{FTAN}
 							{MESSAGE_RELOAD_ADDONS}
 							<br style="margin-bottom: 0.5em" />
 							<input {DISPLAY_MODULES} type="checkbox" name="reload_modules" id="reload_modules" value="true" />
Index: branches/2.8.x/wb/modules/edit_module_files.php
===================================================================
--- branches/2.8.x/wb/modules/edit_module_files.php	(revision 1394)
+++ branches/2.8.x/wb/modules/edit_module_files.php	(revision 1395)
@@ -115,7 +115,7 @@
 
 		// output content of module file to textareas
 	?>
-		<form name="edit_module_file" action="<?php echo $_SERVER['PHP_SELF'];?>" method="post" style="margin: 0;">
+		<form name="edit_module_file" action="<?php echo $_SERVER['SCRIPT_NAME'];?>" method="post" style="margin: 0;">
 	  	<input type="hidden" name="page_id" value="<?php echo $page_id; ?>" />
 	  	<input type="hidden" name="section_id" value="<?php echo $section_id; ?>" />
 	  	<input type="hidden" name="mod_dir" value="<?php echo $mod_dir; ?>" />
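Review bot: Line 89 still echoes `$_SERVER['SCRIPT_NAME']` into an HTML attribute unescaped; switching from PHP_SELF removes the request path-info that made it attacker-influenced, but the value remains an environment-supplied string and should be encoded for the attribute context, `action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>"`. The hidden fields on lines 90-92 echo `$page_id`, `$section_id` and `$mod_dir` the same way; if they are not validated earlier in the file (not visible here), they deserve the same treatment. The enclosing block starts before the hunk.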
Index: branches/2.8.x/wb/modules/news/submit_comment.php
===================================================================
--- branches/2.8.x/wb/modules/news/submit_comment.php	(revision 1394)
+++ branches/2.8.x/wb/modules/news/submit_comment.php	(revision 1395)
@@ -52,6 +52,9 @@
 
 	$comment = $wb->add_slashes(strip_tags($comment));
 	$title = $wb->add_slashes(strip_tags($_POST['title']));
+	// do not allow droplets in user input!
+	$title = str_replace(array("[[", "]]"), array("&#91;&#91;", "&#93;&#93;"), $title);
+	$comment = str_replace(array("[[", "]]"), array("&#91;&#91;", "&#93;&#93;"), $comment);
 	$page_id = $_GET['page_id'];
 	$section_id = $_GET['section_id'];
 	$post_id = $_GET['post_id'];
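Review bot: The substitution on lines 102-103 assumes the comment is only ever rendered as HTML — `&#91;`/`&#93;` read as brackets in that context but would appear literally in any plain-text output, if one exists, so the assumption should be stated next to the code, e.g. `// encode droplet delimiters as HTML entities so user input can never be parsed as a droplet; assumes comments are rendered as HTML only`. The two-line replacement is also duplicated for $title and $comment; keeping the delimiter list in one local helper would avoid the two copies drifting apart. Note the replacement runs after add_slashes(), which is fine here since neither bracket is affected by the escaping.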
