
FIX security vulnerability reported by ADLab of Venustech

eldy committed Dec 21, 2017
1 parent 3f6b3b5 commit 4a5988accbb770b74105baacd5a034689272128c
@@ -36,18 +36,18 @@
if (!$user->rights->adherent->lire)
accessforbidden();
$rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"];
$rowid=GETPOST("rowid",'int');
/*
* View
*/
llxHeader();
$form = new Form($db);
llxHeader();
$object = new Subscription($db);
$result = $object->fetch($rowid);
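Review bot: `$result = $object->fetch($rowid);` is the last line of the hunk and nothing visible tests it, so a missing or non-numeric `rowid` (GETPOST with 'int' yields an empty value) goes on to render the page with an unpopulated object; if the lines below do not already do so, add `if ($result <= 0) { dol_print_error($db); exit; }` straight after the fetch. The only access check shown, `$user->rights->adherent->lire`, is module-wide; whether a record-level restriction is applied to this subscription lies outside the hunk. `llxHeader();` appears twice in this rendering, before and after `$form = new Form($db);` — presumably one of them is the removed line, but it is worth confirming the header is emitted once on the new side.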
@@ -19,6 +19,14 @@
*
*/
// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}
$langs->load("main");
$langs->load("bills");
$langs->load("cashdesk");
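Review bot: The new guard refuses a direct call with a bare `print` and the default 200 status, so a request for the template is answered as a successful page; sending a status first, `header('HTTP/1.1 403 Forbidden');` before the `print`, makes the refusal visible to proxies, caches and monitoring. The same guard is added verbatim in the five template hunks that follow (`@@ -17,6 +17,14 @@`, `@@ -19,6 +19,14 @@`, `@@ -16,6 +16,15 @@`, `@@ -16,6 +16,14 @@`, `@@ -17,6 +17,14 @@`) and the point applies to each; if it is ever tightened, a single shared snippet would keep the six copies in step. The check relies on every including page having initialised `$langs` before pulling the template in, which these hunks do not show; confirm that holds for each include path.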
@@ -17,6 +17,14 @@
*
*/
// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}
require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
@@ -19,6 +19,14 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}
include_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
include_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
include_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
@@ -16,6 +16,15 @@
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}
include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
$langs->load("main");
@@ -16,6 +16,14 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}
$langs->load("main");
$langs->load("bills");
$langs->load("banks");
@@ -17,6 +17,14 @@
*
*/
// Protection to avoid direct call of template
if (empty($langs) || ! is_object($langs))
{
print "Error, template page can't be called as URL";
exit;
}
$langs->load("main");
$langs->load("bills");
@@ -30,7 +30,8 @@
$langs->load("orders");
$langs->load("companies");
$_socid = $_GET["id"];
$id = GETPOST('id','int');
$_socid = GETPOST("id",'int');
// Security check
if ($user->societe_id > 0)
{
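Review bot: `$id` and `$_socid` are both filled from the same `id` parameter on consecutive lines, and the leading underscore makes `$_socid` read like a superglobal. Deriving one from the other, `$_socid = $id;`, records that they are a single input and avoids two GETPOST() calls whose check types could later drift apart. The `if ($user->societe_id > 0)` security check that follows continues outside the hunk, so whether `$_socid` is forced to the user's own company there cannot be confirmed from this view.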
@@ -45,10 +46,10 @@
if ($_POST["action"] == 'setpricelevel')
{
$soc = New Societe($db);
$soc->fetch($_GET["id"]);
$soc->fetch($id);
$soc->set_price_level($_POST["price_level"],$user);
header("Location: multiprix.php?id=".$_GET["id"]);
header("Location: multiprix.php?id=".$id);
exit;
}
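Review bot: `$_POST["action"]` and `$_POST["price_level"]` are still read raw while the same hunk moves `id` to GETPOST(), and `price_level` is handed straight to set_price_level(); for consistency use `if (GETPOST('action','alpha') == 'setpricelevel')` and `$soc->set_price_level(GETPOST('price_level','int'), $user);`. `$soc->fetch($id)` is not checked before the update, so, assuming fetch() follows the usual positive-on-success convention, guard it with `if ($soc->fetch($id) > 0)` so a failed fetch does not update an empty object. The form that posts here carries a `token` hidden field (hunk `@@ -87,7 +88,7 @@`), but nothing in this hunk compares it with the session token; if that comparison is not done centrally before this page runs, this state change is not protected against cross-site request forgery.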
@@ -87,7 +88,7 @@
print '<form method="POST" action="multiprix.php?id='.$objsoc->id.'">';
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
print '<input type="hidden" name="action" value="setpricelevel">';
dol_fiche_head($head, $tabchoice, $langs->trans("ThirdParty"), 0, 'company');
print '<table width="100%" border="0">';
@@ -122,12 +123,12 @@
print "</table>";
dol_fiche_end();
print '<div align="center"><input type="submit" class="button" value="'.$langs->trans("Save").'"></div>';
print "</form>";
print '<br><br>';
@@ -33,7 +33,7 @@
$langs->load("companies");
// Security check
$socid = isset($_GET["socid"])?$_GET["socid"]:'';
$socid = GETPOST("socid", 'int');
if ($user->societe_id) $socid=$user->societe_id;
$result = restrictedArea($user, 'societe',$socid,'');
@@ -81,7 +81,7 @@
while ($i < $num)
{
$row = $db->fetch_row($resql);
print '<tr class="oddeven">';
print '<td>'.$langs->trans($commande->statuts[$row[1]]).'</td>';
@@ -132,7 +132,7 @@
$var = true;
while ($i < $num)
{
$obj = $db->fetch_object($resql);
print '<tr class="oddeven"><td class="nowrap">';
$commandestatic->id=$obj->rowid;
@@ -151,7 +151,7 @@
}
if ($total>0)
{
print '<tr class="liste_total"><td>'.$langs->trans("Total").'</td><td colspan="2" align="right">'.price($total)."</td></tr>";
}
print "</table>";
@@ -190,7 +190,7 @@
while ($i < $num && $i < 20)
{
$obj = $db->fetch_object($resql);
print '<tr class="oddeven"><td class="nowrap">';
$facturestatic->ref=$obj->ref;
$facturestatic->id=$obj->rowid;
@@ -263,7 +263,7 @@
while ($obj = $db->fetch_object($resql) )
{
print '<tr class="oddeven">';
print '<td><a href="card.php?socid='.$obj->socid.'">'.img_object($langs->trans("ShowSupplier"),"company").'</a>';
@@ -300,7 +300,7 @@
foreach ($companystatic->SupplierCategories as $rowid => $label)
{
print "<tr ".$bc[$var].">\n";
print '<td>';
$categstatic->id=$rowid;
@@ -81,7 +81,8 @@ function test_sql_and_script_inject($val, $type)
// For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
if ($type != 2)
{
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/updatexml^(/i', $val);
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/insert\s+into/i', $val);
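Review bot: The added pattern `'/updatexml^(/i'`, as rendered here, contains an unclosed group, so PCRE fails to compile it, preg_match() returns false with a warning and `+=` adds nothing — the new check is inert. If the intent is to flag a call, escape the parenthesis: `$inj += preg_match('/updatexml\(/i', $val);`. Because a failed preg_match() is silently folded into `$inj`, consider counting `false` as a hit (or asserting `preg_last_error() === PREG_NO_ERROR`) so a broken pattern fails closed rather than open; a keyword filter like this is only a secondary layer and the queries it guards still need proper escaping or parameters. The `delete\s+from` line also appears twice around the new line in this rendering, which is worth confirming against the new side. test_sql_and_script_inject starts and ends outside the hunk.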
