FIX security vulnerability reported by ADLab of Venustech
eldy committed Dec 21, 2017
1 parent 3f6b3b5 commit 4a5988a
Showing 10 changed files with 68 additions and 17 deletions.
6 changes: 3 additions & 3 deletions htdocs/adherents/subscription/info.php
Expand Up @@ -36,18 +36,18 @@
if (!$user->rights->adherent->lire)
accessforbidden();

$rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"];
$rowid=GETPOST("rowid",'int');



/*
* View
*/

llxHeader();

$form = new Form($db);

llxHeader();

$object = new Subscription($db);
$result = $object->fetch($rowid);

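Review bot: `$object->fetch($rowid)` on the last line of the hunk is reached even when `rowid` is missing or not positive, because `GETPOST("rowid",'int')` presumably only casts the value (yielding 0 when absent) and the page never checks it; a guard such as `if ($rowid <= 0) accessforbidden();` before the fetch would stop the page from operating on an empty id. The hunk also moves `llxHeader()` below `$form = new Form($db);`, which looks unrelated to the reported vulnerability and could be mentioned in the commit message. How `$result` is handled after the fetch lies outside the hunk.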
8 changes: 8 additions & 0 deletions htdocs/cashdesk/tpl/facturation1.tpl.php
Expand Up @@ -19,6 +19,14 @@
*
*/

// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}


$langs->load("main");
$langs->load("bills");
$langs->load("cashdesk");
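Review bot: The new direct-call guard prints the error text and exits but leaves the HTTP status at the default 200, so a direct request to the template is reported as a success to clients and to anything reading access logs; adding `http_response_code(403);` (PHP 5.4+, otherwise `header('HTTP/1.1 403 Forbidden');`) before the `print` would make the rejection explicit and easy to alert on. The same guard is added in liste_articles.tpl.php, menu.tpl.php, ticket.tpl.php, validation1.tpl.php and validation2.tpl.php and would take the same one-line change. The `empty($langs) || ! is_object($langs)` test itself is fine: the second clause still rejects a non-empty scalar `$langs`.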
8 changes: 8 additions & 0 deletions htdocs/cashdesk/tpl/liste_articles.tpl.php
Expand Up @@ -17,6 +17,14 @@
*
*/

// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}


require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';

8 changes: 8 additions & 0 deletions htdocs/cashdesk/tpl/menu.tpl.php
Expand Up @@ -19,6 +19,14 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}


include_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
include_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
include_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
9 changes: 9 additions & 0 deletions htdocs/cashdesk/tpl/ticket.tpl.php
Expand Up @@ -16,6 +16,15 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}


include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';

$langs->load("main");
8 changes: 8 additions & 0 deletions htdocs/cashdesk/tpl/validation1.tpl.php
Expand Up @@ -16,6 +16,14 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}


$langs->load("main");
$langs->load("bills");
$langs->load("banks");
8 changes: 8 additions & 0 deletions htdocs/cashdesk/tpl/validation2.tpl.php
Expand Up @@ -17,6 +17,14 @@
*
*/

// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}


$langs->load("main");
$langs->load("bills");

13 changes: 7 additions & 6 deletions htdocs/comm/multiprix.php
Expand Up @@ -30,7 +30,8 @@
$langs->load("orders");
$langs->load("companies");

$_socid = $_GET["id"];
$id = GETPOST('id','int');
$_socid = GETPOST("id",'int');
// Security check
if ($user->societe_id > 0)
{
Expand All @@ -45,10 +46,10 @@
if ($_POST["action"] == 'setpricelevel')
{
$soc = New Societe($db);
$soc->fetch($_GET["id"]);
$soc->fetch($id);
$soc->set_price_level($_POST["price_level"],$user);

header("Location: multiprix.php?id=".$_GET["id"]);
header("Location: multiprix.php?id=".$id);
exit;
}

Expand Down Expand Up @@ -87,7 +88,7 @@
print '<form method="POST" action="multiprix.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setpricelevel">';

dol_fiche_head($head, $tabchoice, $langs->trans("ThirdParty"), 0, 'company');

print '<table width="100%" border="0">';
Expand Down Expand Up @@ -122,12 +123,12 @@
print "</table>";

dol_fiche_end();

print '<div align="center"><input type="submit" class="button" value="'.$langs->trans("Save").'"></div>';

print "</form>";


print '<br><br>';


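Review bot: `$soc->set_price_level($_POST["price_level"],$user)` in the second hunk still takes `price_level` straight from `$_POST` while the lines around it were just switched to `GETPOST(...,'int')`; reading it as `GETPOST('price_level','int')` would apply the same filtering to the one value that is presumably persisted, and `$_POST["action"]` could become `GETPOST('action','alpha')` for the same reason. The first hunk reads the same parameter twice, into `$id` and `$_socid`; one of the two could go, or `$_socid = $id;`. Whether the `token` emitted in the form is verified before the `setpricelevel` branch runs is not visible in these hunks.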
14 changes: 7 additions & 7 deletions htdocs/fourn/index.php
Expand Up @@ -33,7 +33,7 @@
$langs->load("companies");

// Security check
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
$socid = GETPOST("socid", 'int');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'societe',$socid,'');

Expand Down Expand Up @@ -81,7 +81,7 @@
while ($i < $num)
{
$row = $db->fetch_row($resql);


print '<tr class="oddeven">';
print '<td>'.$langs->trans($commande->statuts[$row[1]]).'</td>';
Expand Down Expand Up @@ -132,7 +132,7 @@
$var = true;
while ($i < $num)
{

$obj = $db->fetch_object($resql);
print '<tr class="oddeven"><td class="nowrap">';
$commandestatic->id=$obj->rowid;
Expand All @@ -151,7 +151,7 @@
}
if ($total>0)
{

print '<tr class="liste_total"><td>'.$langs->trans("Total").'</td><td colspan="2" align="right">'.price($total)."</td></tr>";
}
print "</table>";
Expand Down Expand Up @@ -190,7 +190,7 @@
while ($i < $num && $i < 20)
{
$obj = $db->fetch_object($resql);

print '<tr class="oddeven"><td class="nowrap">';
$facturestatic->ref=$obj->ref;
$facturestatic->id=$obj->rowid;
Expand Down Expand Up @@ -263,7 +263,7 @@

while ($obj = $db->fetch_object($resql) )
{


print '<tr class="oddeven">';
print '<td><a href="card.php?socid='.$obj->socid.'">'.img_object($langs->trans("ShowSupplier"),"company").'</a>';
Expand Down Expand Up @@ -300,7 +300,7 @@

foreach ($companystatic->SupplierCategories as $rowid => $label)
{

print "<tr ".$bc[$var].">\n";
print '<td>';
$categstatic->id=$rowid;
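Review bot: `$socid = GETPOST("socid", 'int');` changes what reaches `restrictedArea()` when the parameter is absent: the old code passed `''`, and an int-typed `GETPOST` presumably yields `0` instead, so it is worth confirming that `restrictedArea($user, 'societe', 0, '')` behaves like the empty-string case rather than restricting or, conversely, widening access. The remaining hunks in this file are whitespace-only.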
3 changes: 2 additions & 1 deletion htdocs/main.inc.php
Expand Up @@ -81,7 +81,8 @@ function test_sql_and_script_inject($val, $type)
// For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
if ($type != 2)
{
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/updatexml^(/i', $val);
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/insert\s+into/i', $val);
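Review bot: The pattern `'/updatexml^(/i'` added in this hunk is not a valid PCRE: the `(` opens a group that is never closed, so `preg_match()` raises a warning and returns `false` on every call, and `$inj += false` adds nothing — the new check never fires. The intent looks like detecting a call to `updatexml`, e.g. `$inj += preg_match('/updatexml\s*\(/i', $val);`. Either way the change deserves a test that passes a string containing `updatexml(` through `test_sql_and_script_inject` and expects a non-zero result, since the current pattern would silently pass such a test's negative case. The function starts and ends outside the hunk.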
