IMPORTANT: Some HotFix and some bugs fixed. 重要:一些紧急修复及错误修复。
1. IMPORTANT: Add MySQL safe execution filtering for Commercial Package API.
1. 重要:添加付费软件包API数据库安全执行过滤。
2. IMPORTANT: Add XSS filtering function for Commercial Package API.
2. 重要:添加付费软件包API添加XSS过滤。
3. Suppress errors for Installer.
3. 安装器错误抑制。
4. Fix the login-failure wait time sometimes not being reset automatically.
4. 修复有些时候无法自动重置登录失败等待时间。(如:只输错了验证码)
Hintay committed Apr 1, 2015
1 parent 1b3a8d5 commit 43bad79
Showing 7 changed files with 58 additions and 10 deletions.
20 changes: 12 additions & 8 deletions main/commercial.php
Expand Up @@ -18,18 +18,22 @@
* You should have received a copy of the GNU Affero General Public License
* along with WEIPDCRM. If not, see <http://www.gnu.org/licenses/>.
*/
//This file is vulnerable, PLEASE CHECK IT AT ONCE.
exit();


if(isset($_GET['action'])){
switch($_GET['action']){
// 支付宝跳转
case 'alipay_go':
// XSS过滤
foreach($_GET as $key => $value){
$clan_data[$key] = xss_clean($value);
}
?>
<form id="alipay" accept-charset="GBK" method="POST" action="https://shenghuo.alipay.com/send/payment/fill.htm">
<?php if(isset($_GET['optEmail'])): ?><input type="hidden" value="<?php echo($_GET['optEmail']); ?>" name="optEmail"><?php endif; ?>
<?php if(isset($_GET['payAmount'])): ?><input type="hidden" value="<?php echo($_GET['payAmount']); ?>" name="payAmount"><?php endif; ?>
<?php if(isset($_GET['title'])): ?><input id="title" type="hidden" value="<?php echo($_GET['title']); ?>" name="title"><?php endif; ?>
<?php if(isset($_GET['memo'])): ?><input name="memo" type="hidden" value="<?php echo($_GET['memo']); ?>" /><?php endif; ?>
<?php if(isset($_GET['optEmail'])): ?><input type="hidden" value="<?php echo($clan_data['optEmail']); ?>" name="optEmail"><?php endif; ?>
<?php if(isset($_GET['payAmount'])): ?><input type="hidden" value="<?php echo($clan_data['payAmount']); ?>" name="payAmount"><?php endif; ?>
<?php if(isset($_GET['title'])): ?><input id="title" type="hidden" value="<?php echo($clan_data['title']); ?>" name="title"><?php endif; ?>
<?php if(isset($_GET['memo'])): ?><input name="memo" type="hidden" value="<?php echo($clan_data['memo']); ?>" /><?php endif; ?>
</form>
<script type="text/javascript">
var postForm = document.getElementById('alipay');
Expand All @@ -52,7 +56,7 @@
class_loader('Mobile_Detect');
$detect = new Mobile_Detect;
}
$package_info = DB::fetch_first("SELECT `Package`, `Name`, `Tag`, `Level`, `Price`, `Purchase_Link` FROM `".DCRM_CON_PREFIX."Packages` WHERE `Package` = '".$_GET['Package']."' AND `Stat` = '1'");
$package_info = DB::fetch_first(DB::prepare("SELECT `Package`, `Name`, `Tag`, `Level`, `Price`, `Purchase_Link` FROM `".DCRM_CON_PREFIX."Packages` WHERE `Package` = '%s' AND `Stat` = '1'", $_GET['Package']));
if(!$package_info)
exit();
?>
Expand All @@ -75,7 +79,7 @@ class_loader('Mobile_Detect');
$nowip = _ip2long(getIp());

if(isset($_GET['udid']))
$udid_status = DB::fetch_first("SELECT `Packages`, `Level`, `IP` FROM `".DCRM_CON_PREFIX."UDID` WHERE `UDID` = '".$_GET['udid']."' LIMIT 1");
$udid_status = DB::fetch_first(DB::prepare("SELECT `Packages`, `Level`, `IP` FROM `".DCRM_CON_PREFIX."UDID` WHERE `UDID` = '%s' LIMIT 1", $_GET['udid']));
else
$udid_status = DB::fetch_first("SELECT `Packages`, `Level`, `IP` FROM `".DCRM_CON_PREFIX."UDID` WHERE `IP` = '".$nowip."' LIMIT 1");
$purchased = false;
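Review bot: The four hidden inputs on L43–L46 still place `$clan_data[...]` unescaped inside a double-quoted `value` attribute; xss_clean (as added to core.php in this commit) decodes entities and strips a denylist but never encodes `"`, so a quote in any of these query parameters still terminates the attribute. Escape for the attribute context at the echo, e.g. `value="<?php echo htmlspecialchars($clan_data['optEmail'], ENT_QUOTES, 'UTF-8'); ?>"`, and do the same for payAmount, title and memo. `$clan_data` is also never initialised before the foreach on L34, so add `$clan_data = array();` above it. L66 still interpolates `$nowip` into the UDID query; it comes from _ip2long so it is presumably numeric, but routing it through `DB::prepare` with `%d` would match what L64 now does. The `switch` opened on L30 continues outside the hunk.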
2 changes: 1 addition & 1 deletion main/index.php
Expand Up @@ -592,7 +592,7 @@ class_loader('Mobile_Detect');
<?php
}
$package_info = $pkg_assoc;
//require_once('commercial.php');
require_once('commercial.php');
?>
<fieldset>
<?php
5 changes: 5 additions & 0 deletions main/install/function.php
Expand Up @@ -24,6 +24,11 @@
define('CONF_PATH', ABSPATH.'system/config/');
define('VERSION', '1.6.15.3.18');

// 错误抑制
define('DEBUG_ENABLED', isset($_GET['debug']));
error_reporting(DEBUG_ENABLED ? E_ALL & !E_NOTICE & !E_STRICT : E_ERROR | E_PARSE);
@ini_set('display_errors', DEBUG_ENABLED);
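Review bot: L87 uses logical negation where bitwise negation is intended: `!E_NOTICE` evaluates to `false`, so `E_ALL & !E_NOTICE & !E_STRICT` is 0 and the debug branch reports nothing at all. Change it to `error_reporting(DEBUG_ENABLED ? E_ALL & ~E_NOTICE & ~E_STRICT : E_ERROR | E_PARSE);`. Because DEBUG_ENABLED on L86 is derived from an unauthenticated `debug` query parameter, any visitor can switch display_errors on for as long as the installer is reachable, which puts file paths and query text into responses; tying the flag to a config constant instead of the request, and disabling the installer after setup, limits that exposure. The `@` on L88 hides a failed ini_set and can be dropped.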

/* 载入语言 */
$localetype = 'install';
include_once ABSPATH . 'system/languages/l10n.php';
1 change: 1 addition & 0 deletions main/manage/header.php
Expand Up @@ -27,6 +27,7 @@
define('MANAGE_ROOT', dirname(__FILE__).'/');
define('ABSPATH', dirname(MANAGE_ROOT).'/');
require_once ABSPATH.'system/common.inc.php';
header('Content-type: text/html; charset=utf-8');

$sidebars = array(
array(
4 changes: 3 additions & 1 deletion main/manage/login.php
Expand Up @@ -72,21 +72,23 @@ class_loader('ValidateCode');
if (strtolower($_POST['authcode']) != strtolower($_SESSION['VCODE'])) {
unset($_SESSION['VCODE']);
$_SESSION['try'] = $_SESSION['try'] + 1;
$_SESSION['lasttry'] = time();
$error = "authcode";
goto endlabel;
} else {
unset($_SESSION['VCODE']);
}
if (!preg_match("#^[0-9a-zA-Z\_]*$#i", $_POST['username'])) {
$_SESSION['try'] = $_SESSION['try'] + 1;
$_SESSION['lasttry'] = time();
$error = "badlogin";
goto endlabel;
}
$login_query = DB::query("SELECT * FROM `".DCRM_CON_PREFIX."Users` WHERE `Username` = '".DB::real_escape_string($_POST['username'])."' LIMIT 1");
if (DB::affected_rows() > 0) {
$login = mysql_fetch_assoc($login_query);
if ($login['Username'] === $_POST['username'] AND strtoupper($login['SHA1']) === strtoupper(sha1($_POST['password']))) {
$login_query = DB::query("UPDATE `".DCRM_CON_PREFIX."Users` SET `LastLoginTime` = '".date('Y-m-d H:i:s')."' WHERE `ID` = '".$login['ID']."'");
$login_query = DB::update(DCRM_CON_PREFIX.'Users', array('LastLoginTime' => date('Y-m-d H:i:s')), array('ID' => $login['ID']));
$_SESSION['power'] = $login['Power'];
$_SESSION['userid'] = $login['ID'];
$_SESSION['username'] = $login['Username'];
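Review bot: The failure bookkeeping added on L109 and L117 now repeats the same pair of statements as L108 and L116 in each branch, and the wrong-password branch presumably lies below the hunk with a third copy; a small helper keeps the lockout state consistent, e.g. `function record_login_failure() { $_SESSION['try'] = (isset($_SESSION['try']) ? $_SESSION['try'] : 0) + 1; $_SESSION['lasttry'] = time(); }` called in place of each pair. The isset also avoids the notice when `try` has not been initialised yet, unless that is done above the hunk. Unrelated to this change but visible on L124: passwords are compared as unsalted SHA1 hex, and password_hash/password_verify would be the defensive replacement. The enclosing block starts before L105 and continues past L129.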
5 changes: 5 additions & 0 deletions main/system/class/db.php
Expand Up @@ -210,6 +210,10 @@ function &object() {
if (empty($db)) $db = new db_mysql();
return $db;
}
public function escape_by_ref( &$string ) {
if ( ! is_float( $string ) )
$string = DB::real_escape_string( $string );
}
/**
* Prepares a SQL query for safe execution. Uses sprintf()-like syntax.
*
Expand Down Expand Up @@ -262,6 +266,7 @@ public function prepare( $query, $args ) {
$query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
$query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
$query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
array_walk( $args, "DB::escape_by_ref" );
return @vsprintf( $query, $args );
}
}
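Review bot: escape_by_ref on L136 is declared as an instance method but L147 invokes it through the static string callable `"DB::escape_by_ref"`; the body only calls `DB::real_escape_string`, so declare it `public static function escape_by_ref( &$string ) {` — a static call of a non-static method is E_STRICT in PHP 5 and a fatal error in PHP 8. A docblock saying that floats are skipped because prepare() forces them through `%F` on L145 would explain the is_float guard. If the hidden part of prepare() above L144 does not already turn a scalar `$args` into an array (commercial.php passes a single string to DB::prepare), array_walk on L147 would warn and nothing would be escaped — confirm. The `@` on vsprintf on L148 also hides argument-count mismatches, which is exactly the failure an injection-hardening change wants to surface rather than silently emit a malformed query.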
31 changes: 31 additions & 0 deletions main/system/function/core.php
Expand Up @@ -314,6 +314,37 @@ function add_option( $option, $value = '', $deprecated = '') {

return true;
}
function xss_clean($data) {
// Fix &entity\n;
$data = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $data);
$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
$data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

// Remove any attribute starting with "on" or xmlns
$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

// Remove javascript: and vbscript: protocols
$data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
$data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
$data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

// Remove namespaced elements (we do not need them)
$data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);
do{
// Remove really unwanted tags
$old_data = $data;
$data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
}
while ($old_data !== $data);
// we are done...
return $data;
}
// Function link
function randstr($len = 40) {
require_once SYSTEM_ROOT.'./function/manage.php';
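Review bot: xss_clean returns text that is still unsafe for direct output: L162 decodes entities (including `&quot;`), and the remaining patterns only strip a denylist of tags, event-handler attributes and script protocols, leaving raw `"`, `<` and `>` in place when they match nothing. Add a docblock above L157 stating that this is a best-effort stripper rather than an encoder and that callers must still escape the result for their output context with htmlspecialchars(ENT_QUOTES, 'UTF-8'). Separately, the `u`-modifier patterns on L160–L170 make preg_replace return null on input that is not valid UTF-8, after which every later call receives null and the function returns null instead of a string; guard at the top with `if (!mb_check_encoding($data, 'UTF-8')) { return ''; }` where mbstring is available, or check preg_last_error() after the replacements. L173–L178 and L182 omit the `u` modifier the sibling patterns carry, so the two halves of the function interpret the same bytes differently.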
