Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1406)
+++ branches/2.8.x/CHANGELOG	(revision 1407)
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+22 Jan-2011 Build 1407 Frank Heyne (FrankH)
+# various Security fixes, thanks to secunia and others 
 22 Jan-2011 Build 1406 Frank Heyne (FrankH)
 # Security fix to stop users from changing module contents without permission, thanks to Michael Schwarz 
 22 Jan-2011 Build 1405 Frank Heyne (FrankH)
Index: branches/2.8.x/wb/admin/media/browse.php
===================================================================
--- branches/2.8.x/wb/admin/media/browse.php	(revision 1406)
+++ branches/2.8.x/wb/admin/media/browse.php	(revision 1407)
@@ -49,7 +49,7 @@
 // Get file extension
 function get_filetype($fname) {
 	$pathinfo = pathinfo($fname);
-	$extension = strtolower($pathinfo['extension']);
+	$extension = (isset($pathinfo['extension'])) ? strtolower($pathinfo['extension']) : '';
 	return $extension;
 }
 
@@ -56,7 +56,7 @@
 // Get file extension for icons
 function get_filetype_icon($fname) {
 	$pathinfo = pathinfo($fname);
-	$extension = strtolower($pathinfo['extension']);
+	$extension = (isset($pathinfo['extension'])) ? strtolower($pathinfo['extension']) : '';
 	if (file_exists(THEME_PATH.'/images/files/'.$extension.'.png')) {
 		return $extension;
 	} else {
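Review bot: The new `isset()` guard on `$pathinfo['extension']` is now duplicated verbatim in `get_filetype` (previous hunk) and `get_filetype_icon` (this hunk); the second function should simply call the first, `$extension = get_filetype($fname);`, so the two cannot drift apart again. Both also return the lower-cased extension only, which is all `file_exists(THEME_PATH.'/images/files/'.$extension.'.png')` needs, but a short docblock on each stating that an extension-less name yields `''` would make the new fallback explicit. `get_filetype_icon` continues beyond the end of the hunk.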
Index: branches/2.8.x/wb/admin/media/upload.php
===================================================================
--- branches/2.8.x/wb/admin/media/upload.php	(revision 1406)
+++ branches/2.8.x/wb/admin/media/upload.php	(revision 1407)
@@ -123,6 +123,18 @@
 		// error while trying to extract the archive (most likely wrong format)
 		$admin->print_error('UNABLE TO UNZIP FILE' . $archive -> errorInfo(true));
 	}
+	
+	// rename executable files!
+	foreach ($list as $val) {
+		$fn = $val['filename'];
+		$fnp = pathinfo($fn);
+		if (isset($fnp['extension'])) {
+			$fext = $fnp['extension'];
+			if (in_array($fext, $file_extensions)) {
+				rename($fn, $fn.".txt");
+			}
+		}
+	}
 }
 
 if($good_uploads == 1) {
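Review bot: The new rename loop compares the extracted file's extension case-sensitively and loosely, `in_array($fext, $file_extensions)`, so an archive entry whose extension differs only in case from an entry in `$file_extensions` is not renamed; normalise first, `if (in_array(strtolower($fext), $file_extensions, true)) {`, assuming `$file_extensions` (defined outside this hunk) holds lower-case entries. The `rename($fn, $fn.".txt")` result is also discarded, so a failed rename silently leaves the original file in place; check it and report through `$admin->print_error` like the unzip error above. Appending `.txt` keeps the original extension in the name, and servers that map handlers by any extension in a filename may still treat `name.php.txt` as script, so replacing the extension rather than appending to it is the safer convention. The enclosing `if` block that this loop sits in begins before the hunk.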
Index: branches/2.8.x/wb/admin/pages/settings2.php
===================================================================
--- branches/2.8.x/wb/admin/pages/settings2.php	(revision 1406)
+++ branches/2.8.x/wb/admin/pages/settings2.php	(revision 1407)
@@ -49,11 +49,11 @@
 require_once(WB_PATH.'/framework/functions.php');
 
 // Get values
-$page_title = htmlspecialchars($admin->get_post_escaped('page_title') );
-$menu_title = htmlspecialchars($admin->get_post_escaped('menu_title') );
+$page_title = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->get_post_escaped('page_title')));
+$menu_title = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->get_post_escaped('menu_title')));
 $page_code = (int) $admin->get_post_escaped('page_code');
-$description = htmlspecialchars($admin->add_slashes($admin->get_post('description')) );
-$keywords = htmlspecialchars($admin->add_slashes($admin->get_post('keywords')) );
+$description = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->add_slashes($admin->get_post('description'))));
+$keywords = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->add_slashes($admin->get_post('keywords'))));
 $parent = (int) $admin->get_post_escaped('parent'); // fix secunia 2010-91-3
 $visibility = $admin->get_post_escaped('visibility');
 if (!in_array($visibility, array('public', 'private', 'registered', 'hidden', 'none'))) {$visibility = 'public';} // fix secunia 2010-93-3
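Review bot: A single `str_replace(array("[[", "]]"), '', …)` pass does not guarantee the stored value is free of the marker sequences it targets, because the replacements run sequentially and removing one token can join the surrounding characters into the other (after the first pass `"[]]["` becomes `"[["`); the stripping has to repeat until the string stops changing. The same one-pass expression is copied on lines `$page_title`, `$menu_title`, `$description`, `$keywords` here and six more times in modules/form/save_field.php (`$title`, both `$value` branches, `$extra` for heading, checkbox and radio), so it belongs in one helper, for instance in framework/functions.php which this file already requires, rather than being repeated at every call site. The sketch below shows the helper and one call site; the remaining assignments change the same way.
```php
// Remove "[[" / "]]" marker sequences from user input. Repeats until the
// string is stable, because one removal can reassemble the other marker.
function strip_bracket_markers($s) {
	do {
		$prev = $s;
		$s = str_replace(array("[[", "]]"), '', $s);
	} while ($s !== $prev);
	return $s;
}
$page_title = strip_bracket_markers(htmlspecialchars($admin->get_post_escaped('page_title')));
// … unchanged: $menu_title, $page_code, $description, $keywords use the same helper …
```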
@@ -61,7 +61,7 @@
 $target = preg_replace("/\W/", "", $admin->get_post_escaped('target'));
 $admin_groups = $admin->get_post_escaped('admin_groups');
 $viewing_groups = $admin->get_post_escaped('viewing_groups');
-$searching = $admin->get_post_escaped('searching');
+$searching = (int) $admin->get_post_escaped('searching');
 $language = strtoupper($admin->get_post('language'));
 $language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
 $menu = (int) $admin->get_post_escaped('menu'); // fix secunia 2010-91-3
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1406)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1407)
@@ -52,6 +52,6 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
-if(!defined('REVISION')) define('REVISION', '1406');
+if(!defined('REVISION')) define('REVISION', '1407');
 
 ?>
Index: branches/2.8.x/wb/account/details.php
===================================================================
--- branches/2.8.x/wb/account/details.php	(revision 1406)
+++ branches/2.8.x/wb/account/details.php	(revision 1407)
@@ -21,13 +21,30 @@
 	exit(0);
 }
 
-// Get entered values
+// Get and sanitize entered values
 $display_name = $wb->add_slashes(strip_tags($wb->get_post('display_name')));
-$language = $wb->get_post_escaped('language');
-$timezone = $wb->get_post_escaped('timezone')*60*60;
-$date_format = $wb->get_post_escaped('date_format');
-$time_format = $wb->get_post_escaped('time_format');
+$language = strtoupper($wb->get_post('language'));
+$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
+$timezone = (int) $wb->get_post_escaped('timezone')*60*60;
 
+// date_format must be a key from /interface/date_formats
+$date_format = $wb->get_post('date_format');
+$date_format_key  = str_replace(' ', '|', $date_format);
+$user_time = true;
+include( ADMIN_PATH.'/interface/date_formats.php' );
+$date_format = (array_key_exists($date_format_key, $DATE_FORMATS) ? $date_format : 'system_default');
+$date_format = ($date_format == 'system_default' ? '' : $date_format);
+unset($DATE_FORMATS);
+
+// time_format must be a key from /interface/time_formats	
+$time_format = $wb->get_post('time_format');
+$time_format_key  = str_replace(' ', '|', $time_format);
+$user_time = true;
+include( ADMIN_PATH.'/interface/time_formats.php' );
+$time_format = (array_key_exists($time_format_key, $TIME_FORMATS) ? $time_format : 'system_default');
+$time_format = ($time_format == 'system_default' ? '' : $time_format);
+unset($TIME_FORMATS);
+
 if (!$wb->checkFTAN())
 {
 	$wb->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], WB_URL);
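Review bot: The whitelist check validates `$date_format_key` (spaces turned into `|`) but then stores the raw `$date_format`, so a posted value that already contains `|` where the allowed format has a space passes the `array_key_exists` test yet is stored in a form that is not itself a whitelisted key; the same applies to `$time_format` below. Either store the validated key converted back, or reject input that contains the separator, e.g. `$date_format = (strpos($date_format, '|') === false && array_key_exists($date_format_key, $DATE_FORMATS)) ? $date_format : 'system_default';`. The second `$user_time = true;` before the time_formats include is redundant since the variable is already set, and both `include` calls should be `require` so a missing file fails loudly instead of leaving `$DATE_FORMATS`/`$TIME_FORMATS` undefined at the `array_key_exists` call. Whether the included files read `$user_time` cannot be confirmed from this hunk.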
Index: branches/2.8.x/wb/modules/form/save_field.php
===================================================================
--- branches/2.8.x/wb/modules/form/save_field.php	(revision 1406)
+++ branches/2.8.x/wb/modules/form/save_field.php	(revision 1407)
@@ -40,7 +40,7 @@
 if($admin->get_post('title') == '' OR $admin->get_post('type') == '') {
 	$admin->print_error($MESSAGE['GENERIC']['FILL_IN_ALL'], WB_URL.'/modules/form/modify_field.php?page_id='.$page_id.'&section_id='.$section_id.'&field_id='.$admin->getIDKEY($field_id));
 } else {
-	$title = htmlspecialchars($admin->get_post_escaped('title'), ENT_QUOTES);
+	$title = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->get_post_escaped('title'), ENT_QUOTES));
 	$type = $admin->add_slashes($admin->get_post('type'));
 	$required = (int) $admin->add_slashes($admin->get_post('required'));
 }
@@ -64,13 +64,13 @@
 // Get extra fields for field-type-specific settings
 if($admin->get_post('type') == 'textfield') {
 	$length = $admin->get_post_escaped('length');
-	$value = $admin->get_post_escaped('value');
+	$value = str_replace(array("[[", "]]"), '', $admin->get_post_escaped('value'));
 	$database->query("UPDATE ".TABLE_PREFIX."mod_form_fields SET value = '$value', extra = '$length' WHERE field_id = '$field_id'");
 } elseif($admin->get_post('type') == 'textarea') {
-	$value = $admin->get_post_escaped('value');
+	$value = str_replace(array("[[", "]]"), '', $admin->get_post_escaped('value'));
 	$database->query("UPDATE ".TABLE_PREFIX."mod_form_fields SET value = '$value', extra = '' WHERE field_id = '$field_id'");
 } elseif($admin->get_post('type') == 'heading') {
-	$extra = $admin->get_post('template');
+	$extra = str_replace(array("[[", "]]"), '', $admin->get_post('template'));
 	if(trim($extra) == '') $extra = '<tr><td class="field_heading" colspan="2">{TITLE}{FIELD}</td></tr>';
 	$extra = $admin->add_slashes($extra);
 	$database->query("UPDATE ".TABLE_PREFIX."mod_form_fields SET value = '', extra = '$extra' WHERE field_id = '$field_id'");
@@ -78,10 +78,10 @@
 	$extra = $admin->get_post_escaped('size').','.$admin->get_post_escaped('multiselect');
 	$database->query("UPDATE ".TABLE_PREFIX."mod_form_fields SET value = '$value', extra = '$extra' WHERE field_id = '$field_id'");
 } elseif($admin->get_post('type') == 'checkbox') {
-	$extra = $admin->get_post_escaped('seperator');
+	$extra = str_replace(array("[[", "]]"), '', $admin->get_post_escaped('seperator'));
 	$database->query("UPDATE ".TABLE_PREFIX."mod_form_fields SET value = '$value', extra = '$extra' WHERE field_id = '$field_id'");
 } elseif($admin->get_post('type') == 'radio') {
-	$extra = $admin->get_post_escaped('seperator');
+	$extra = str_replace(array("[[", "]]"), '', $admin->get_post_escaped('seperator'));
 	$database->query("UPDATE ".TABLE_PREFIX."mod_form_fields SET value = '$value', extra = '$extra' WHERE field_id = '$field_id'");
 }
 
