Fixed issue #11875: XSS & SQL injection vulnerabilities in administra…

…tion

application/controllers/admin/export.php

@@ -17,8 +17,8 @@
 *
 * This controller performs export actions
 *
-* @package		LimeSurvey
-* @subpackage	Backend
+* @package        LimeSurvey
+* @subpackage    Backend
 */
 class export extends Survey_Common_Action {
 
@@ -349,7 +349,7 @@ public function exportspss()
         $iSurveyID = sanitize_int(Yii::app()->request->getParam('sid'));
         //for scale 1=nominal, 2=ordinal, 3=scale
 
-        //		$typeMap = $this->_getTypeMap();
+        //        $typeMap = $this->_getTypeMap();
 
         $filterstate = incompleteAnsFilterState();
         $spssver = returnGlobal('spssver');
@@ -358,7 +358,7 @@ public function exportspss()
         {
             if ( ! Yii::app()->session['spssversion'] )
             {
-                Yii::app()->session['spssversion'] = 2;	//Set default to 2, version 16 or up
+                Yii::app()->session['spssversion'] = 2;    //Set default to 2, version 16 or up
             }
 
             $spssver = Yii::app()->session['spssversion'];
@@ -373,14 +373,14 @@ public function exportspss()
 
         switch ( $spssver )
         {
-            case 1:	//<16
-                $iLength	 = '255'; // Set the max text length of the Value
+            case 1:    //<16
+                $iLength     = '255'; // Set the max text length of the Value
                 break;
-            case 2:	//>=16
-                $iLength	 = '16384'; // Set the max text length of the Value
+            case 2:    //>=16
+                $iLength     = '16384'; // Set the max text length of the Value
                 break;
             default:
-                $iLength	 = '16384'; // Set the max text length of the Value
+                $iLength     = '16384'; // Set the max text length of the Value
         }
 
         $headerComment = '*$Rev: 121017 $' . " $filterstate $spssver.\n";
@@ -938,6 +938,10 @@ public function exportMultipleSurveys($sSurveys, $sExportType)
 
         foreach($aSurveys as $iSurveyID)
         {
+            $iSurveyID=filter_var($iSurveyID,FILTER_VALIDATE_INT);
+            if ($iSurveyID===false) {
+                continue;
+            }
             if(Permission::model()->hasSurveyPermission($iSurveyID, 'responses', 'export'))
             {
                 $archiveName                    = "";

application/controllers/admin/update.php

@@ -234,7 +234,7 @@ public function backup()
 
                 if (Yii::app()->request->getPost('datasupdateinfo'))
                 {
-                    $updateinfos= unserialize ( base64_decode( ( Yii::app()->request->getPost('datasupdateinfo') )));
+                    $updateinfos= json_decode( base64_decode( Yii::app()->request->getPost('datasupdateinfo') ),true);
 
                     $updateModel = new UpdateForm();
                     $backupInfos = $updateModel->backupFiles($updateinfos);
@@ -286,7 +286,7 @@ function step4()
 
                 if ( Yii::app()->request->getPost('datasupdateinfo') )
                 {
-                    $updateinfos = unserialize ( base64_decode( ( Yii::app()->request->getPost('datasupdateinfo') )));
+                    $updateinfos = json_decode ( base64_decode ( Yii::app()->request->getPost('datasupdateinfo') ), true);
 
                     // this is the last step - Download the zip file, unpack it and replace files accordingly
                     $updateModel = new UpdateForm();
@@ -582,7 +582,7 @@ private function _renderErrorString($error)
      */
     private function _parseToView($updateinfos)
     {
-        $data=serialize($updateinfos);
+        $data=json_encode($updateinfos);
         return base64_encode($data);
     }
 

application/models/UpdateForm.php

@@ -317,8 +317,8 @@ public function removeDeletedFiles($updateinfos)
     {
         foreach ( $updateinfos as $file )
         {
-            $sFileToDelete = str_replace("..", "", $file->file);
-            if ($file->type =='D' && file_exists($this->rootdir.$sFileToDelete) )
+            $sFileToDelete = str_replace("..", "", $file['file']);
+            if ($file['type'] =='D' && file_exists($this->rootdir.$sFileToDelete) )
             {
                 if ( is_file($this->rootdir.$sFileToDelete ) )
                 {
@@ -489,7 +489,7 @@ public function backupFiles($updateinfos)
         {
 
             // To block the access to subdirectories
-            $sFileToZip = str_replace("..", "", $file->file);
+            $sFileToZip = str_replace("..", "", $file['file']);
 
             if (is_file($this->publicdir.$sFileToZip)===true && basename($sFileToZip)!='config.php')
             {

application/views/admin/homepagesettings/update.php

@@ -12,7 +12,7 @@
         )
     )); ?>
 
-    <h3><?php eT('Update box');?> <em><?php echo $model->title; ?></em></h3>
+    <h3><?php printf('Update box %s',"<em>".htmlspecialchars($model->title)."</em>");?> </h3>
 
     <div class="row">
         <div class="col-lg-12 content-right">

application/views/admin/templates/templatesummary_view.php

@@ -108,13 +108,6 @@
                     <input type='hidden' name='screenname' value='<?php echo HTMLEscape($screenname); ?>' />
                     <input type='hidden' name='templatename' value='<?php echo $templatename; ?>' />
                     <input type='hidden' name='action' value='templateuploadfile' />
-                    <?php if(isset($_GET['editfile'])):?>
-                        <input type='hidden' name='editfileindex' value='<?php echo $_GET['editfile']; ?>' />
-                        <?php endif;?>
-                    <?php if(isset($_GET['useindex'])):?>
-                        <input type='hidden' name='useindex' value='<?php echo $_GET['useindex']; ?>' />
-                        <?php endif;?>
-
                     </form>
                     <?php
                 }

application/views/admin/update/_ajaxVariables.php

@@ -13,6 +13,7 @@
   * Test UPDATE
   */
 $p = new CHtmlPurifier();
+/* The Purifier makes not mucg sense as it does not really prevent SQL injection */
 ?>
 
 <script>
@@ -21,18 +22,17 @@
 </script>
 
 <?php if(isset($_REQUEST['update'])):?>
-    <input type="hidden" id="update_step" value="<?php echo $p->purify($_REQUEST['update']); ?>"/>
-
+    <?php echo CHtml::hiddenField('update_step',$p->purify($_REQUEST['update']),array('id'=>'update_step'));?>
 <?php else:?>
-    <input type="hidden" id="update_step" value=""/>
+    <?php echo CHtml::hiddenField('update_step','',array('id'=>'update_step'));?>
 <?php endif;?>
 
 <?php if(isset($_REQUEST['destinationBuild'])):?>
-    <input type="hidden" id="destinationBuildForAjax" value="<?php echo $p->purify($_REQUEST['destinationBuild']); ?>"/>
+    <?php echo CHtml::hiddenField('destinationBuildForAjax',(int)$_REQUEST['destinationBuild'],array('id'=>'destinationBuildForAjax'));?>
 <?php endif;?>
 
 <?php if(isset($_REQUEST['access_token'])):?>
-    <input type="hidden" id="access_tokenForAjax" value="<?php echo $p->purify($_REQUEST['access_token']); ?>"/>
+    <?php echo CHtml::hiddenField('access_tokenForAjax',$p->purify($_REQUEST['access_token']),array('id'=>'access_tokenForAjax'));?>
 <?php endif;?>
 
  <input id="updatebothbranchdatas" type="hidden" data-url="<?php echo Yii::app()->createUrl("admin/update/sa/getbothbuttons"); ?>"/>

application/views/admin/update/updater/steps/_backup.php

@@ -1,7 +1,7 @@
 <?php
 /**
  * This view display the result of backup process, and warn about database
- * 
+ *
  * @var int $destinationBuild the destination build
  * @var string $basefilename the base file name of the backup file
  * @var string $tempdir the temp dir where the backup file is saved

application/views/admin/update/updater/welcome/_subscribe.php

@@ -23,22 +23,29 @@
     <?php
         $aopen  = '<a href="https://www.limesurvey.org/en/cb-registration/registers">';
         $aclose = '</a>';
-    ?><br>
+        ?><br>
     <?php echo sprintf(gT("If you don't have an account on limesurvey.org, please %sregister first%s."),$aopen, $aclose);?></p>
 
     <?php
-        $url = Yii::app()->createUrl('/admin/update/sa/submitkey');
-        echo CHtml::beginForm($url, 'post', array("id"=>"submitKeyForm"));
-        echo CHtml::hiddenField('destinationBuild', $_REQUEST['destinationBuild']);
-		echo CHtml::label(gT('Enter your update key:'),'inputKey');
-        echo CHtml::textField('keyid', '', array("id"=>"inputKey"));
-        echo CHtml::submitButton('submit', array("class"=>"btn btn-default", "id"=>"submitKeyButton"));
+    $url = Yii::app()->createUrl('/admin/update/sa/submitkey');
+    echo CHtml::beginForm($url, 'post', array("id"=>"submitKeyForm"));
+    echo CHtml::hiddenField('destinationBuild', $_REQUEST['destinationBuild']);?>
+    <div class="form-group">
+        <?php
+        echo CHtml::label(gT('Enter your update key:'),'inputKey', array('class'=>'col-sm-2'));
+        ?>
+        <div class='col-sm-1'>
+        <?php
+        echo CHtml::textField('keyid', '', array("id"=>"inputKey",'class'=>'form-control'));
+        ?>
+        </div>
+    </div>
+    <?php
+    echo CHtml::submitButton('submit', array("class"=>"btn btn-default", "id"=>"submitKeyButton"));
     ?>
-
     <a class="btn btn-default" href="<?php echo Yii::app()->createUrl("admin/update"); ?>" role="button" aria-disabled="false">
         <?php eT("Cancel"); ?>
     </a>
-
     <?php echo CHtml::endForm();?>
 
 </div>

docs/license.txt

@@ -1,6 +1,6 @@
   LimeSurvey - The free & open-source survey software tool
 
-  Copyright 2003-2011 LimeSurvey Project Team / Carsten Schmitz
+  Copyright 2003-2016 LimeSurvey Project Team / Carsten Schmitz
 
   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by