Fix: A local file inclusion vulnerability can be exploited to include…

… arbitrary files.

htdocs/main.inc.php

@@ -75,6 +75,7 @@ function test_sql_and_script_inject($val,$get)
 	$sql_inj += preg_match('/insert[\s]+into/i', $val);
 	$sql_inj += preg_match('/select.+from/i', $val);
 	$sql_inj += preg_match('/union.+select/i', $val);
+	$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
 	// For XSS Injection done by adding javascript with script
 	$sql_inj += preg_match('/<script/i', $val);
 	// For XSS Injection done by adding javascript with onmousemove, etc... (closing a src or href tag with not cleaned param)
@@ -664,9 +665,9 @@ function analyse_sql_and_script(&$var,$get)
 }
 
 // Case forcing style from url
-if (! empty($_GET["theme"]))
+if (GETPOST('theme'))
 {
-	$conf->theme=$_GET["theme"];
+	$conf->theme=GETPOST('theme');
 	$conf->css  = "/theme/".$conf->theme."/style.css.php";
 }
 

htdocs/user/passwordforgotten.php

@@ -42,30 +42,31 @@
 	exit;
 }
 
-$action=isset($_GET["action"])?$_GET["action"]:$_POST["action"];
+$action=GETPOST('action');
 $mode=$dolibarr_main_authentication;
 if (! $mode) $mode='http';
 
-$login = isset($_POST["username"])?$_POST["username"]:'';
-$conf->entity = isset($_POST["entity"])?$_POST["entity"]:1;
+$username 		= GETPOST('username');
+$passwordmd5	= GETPOST('passwordmd5');
+$conf->entity 	= ( GETPOST('entity') ? GETPOST('entity') : 1 );
 
 
 /**
  * Actions
  */
 
 // Action modif mot de passe
-if ($_GET["action"] == 'validatenewpassword' && $_GET["username"] && $_GET["passwordmd5"])
+if ($action == 'validatenewpassword' && $username && $passwordmd5)
 {
     $edituser = new User($db);
     $result=$edituser->fetch('',$_GET["username"]);
 	if ($result < 0)
 	{
-        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$_GET["username"]).'</div>';
+        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$username).'</div>';
 	}
 	else
 	{
-		if (md5($edituser->pass_temp) == $_GET["passwordmd5"])
+		if (md5($edituser->pass_temp) == $passwordmd5)
 		{
 			$newpassword=$edituser->setPassword($user,$edituser->pass_temp,0);
 			dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");
@@ -81,7 +82,7 @@
 	}
 }
 // Action modif mot de passe
-if ($_POST["action"] == 'buildnewpassword' && $_POST["username"])
+if ($action == 'buildnewpassword' && $username)
 {
 	require_once DOL_DOCUMENT_ROOT.'/includes/artichow/Artichow.cfg.php';
 	require_once ARTICHOW."/AntiSpam.class.php";
@@ -97,11 +98,11 @@
 	else
 	{
 	    $edituser = new User($db);
-	    $result=$edituser->fetch('',$_POST["username"],'',1);
+	    $result=$edituser->fetch('',$username,'',1);
 		if ($result <= 0 && $edituser->error == 'USERNOTFOUND')
 		{
-	        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$_POST["username"]).'</div>';
-			$_POST["username"]='';
+	        $message = '<div class="error">'.$langs->trans("ErrorLoginDoesNotExists",$username).'</div>';
+			$username='';
 		}
 		else
 		{
@@ -124,7 +125,7 @@
 			        {
 			        	$message = '<div class="ok">'.$langs->trans("PasswordChangeRequestSent",$edituser->login,$edituser->email).'</div>';
 						//$message.=$newpassword;
-						$_POST["username"]='';
+						$username='';
 					}
 					else
 					{
@@ -182,12 +183,12 @@
 	$login_background = DOL_URL_ROOT.'/theme/login_background.png';
 }
 
-if (! $_REQUEST["username"]) $focus_element = 'username';
+if (! $username) $focus_element = 'username';
 else $focus_element = 'password';
 
 // Send password button enabled ?
 $disabled='disabled';
-if ($mode == 'dolibarr') $disabled='';
+if (preg_match('/dolibarr/i',$mode)) $disabled='';
 if ($conf->global->MAIN_SECURITY_ENABLE_SENDPASSWORD) $disabled='';	 // To force button enabled
 
 // Show logo (search in order: small company logo, large company logo, theme logo, common logo)