Additional Security Fixes

Trevor Spink · Trevor Spink · commit 92b4f231afca · 2020-09-10T12:23:56.000+01:00
diff --git a/.vs/ProteanCMS/v16/.suo b/.vs/ProteanCMS/v16/.suo
diff --git a/Assemblies/ProteanCMS/AssemblyInfo.vb b/Assemblies/ProteanCMS/AssemblyInfo.vb
@@ -33,11 +33,11 @@ Imports System.Runtime.InteropServices
 ' You can specify all the values or you can default the Build and Revision Numbers 
 ' by using the '*' as shown below:
 
-<Assembly: AssemblyVersion("6.0.38.66")>
+<Assembly: AssemblyVersion("6.0.38.69")>
 <Assembly: AssemblyDelaySign(False)>
 <Assembly: AssemblyKeyFile("../../../eonic.snk")>
 <Assembly: AssemblyKeyName("")>
 
-<Assembly: AssemblyFileVersion("6.0.38.66")>
+<Assembly: AssemblyFileVersion("6.0.38.69")>
 <Assembly: NeutralResourcesLanguageAttribute("en")> 
 
diff --git a/Assemblies/ProteanCMS/CMS/Cart/Cart.vb b/Assemblies/ProteanCMS/CMS/Cart/Cart.vb
@@ -2584,11 +2584,10 @@ processFlow:
                                 CheckQuantities(oCartElmt, oRow("productDetail") & "", CLng("0" & oRow("quantity")))
                             End If
 
-                            weight = weight + (oRow("weight") * oRow("quantity"))
-                            quant = quant + oRow("quantity")
+                            weight += (oRow("weight") * oRow("quantity"))
+                            quant += oRow("quantity")
 
-                            'total = total + (oRow("quantity") * Round(oRow("price") + nOpPrices, , , mbRoundup))
-                            total += Round((oRow("price") * oRow("quantity")) + nOpPrices, , , mbRoundup)
+                            total += (oRow("quantity") * Round(oRow("price") + nOpPrices, , , mbRoundup))
                             'we do this later after we have applied discounts
 
                             'Round( Price * Vat ) * Quantity
diff --git a/Assemblies/ProteanCMS/CMS/Membership/Membership.vb b/Assemblies/ProteanCMS/CMS/Membership/Membership.vb
@@ -766,6 +766,15 @@ Partial Public Class Cms
                             Case "md5salt", "md5", "sha1", "sha256"
                                 If myWeb.moRequest("ewCmd") = "AR-MOD" Then
                                     Dim cAccountHash As String = myWeb.moRequest("AI")
+                                    'Validate to prevent SQL injection
+                                    'strip out any spaces to prevent SQL injection
+                                    If cAccountHash.Contains(" ") Then
+                                        cAccountHash = Left(cAccountHash, InStr(cAccountHash, " "))
+                                    End If
+                                    If cAccountHash.Contains("%20") Then
+                                        cAccountHash = Left(cAccountHash, InStr(cAccountHash, "%20"))
+                                    End If
+
                                     If Not cAccountHash = "" Then
                                         oXfmElmt = adXfm.xFrmConfirmPassword(cAccountHash)
                                     Else
diff --git a/Assemblies/ProteanCMS/ProteanCMS.vbproj b/Assemblies/ProteanCMS/ProteanCMS.vbproj
@@ -74,7 +74,7 @@
     </NuGetPackageImportStamp>
     <ShouldCreateLogs>False</ShouldCreateLogs>
     <AdvancedSettingsExpanded>True</AdvancedSettingsExpanded>
-    <AssemblyVersion>6.0.38.66</AssemblyVersion>
+    <AssemblyVersion>6.0.38.69</AssemblyVersion>
     <UpdatePackageVersion>False</UpdatePackageVersion>
     <AssemblyInfoVersionType>SettingsVersion</AssemblyInfoVersionType>
     <InheritWinAppVersionFrom>None</InheritWinAppVersionFrom>
diff --git a/Assemblies/ProteanCMS/Providers/Membership.BaseProvider.vb b/Assemblies/ProteanCMS/Providers/Membership.BaseProvider.vb
@@ -632,7 +632,9 @@ Check:
                 Public Function xFrmConfirmPassword(ByVal AccountHash As String) As XmlElement
                     Try
                         Dim oMembership As New Protean.Cms.Membership(myWeb)
-                        Dim nUserId As Integer = oMembership.DecryptResetLink(goRequest("id"), AccountHash)
+                        Dim SubmittedUserId As Integer = CInt("0" + goRequest("id"))
+
+                        Dim nUserId As Integer = oMembership.DecryptResetLink(SubmittedUserId, AccountHash)
 
                         Return xFrmConfirmPassword(nUserId)
 
diff --git a/Assemblies/ProteanCMS/Services.vb b/Assemblies/ProteanCMS/Services.vb
@@ -60,7 +60,12 @@ Public Class Services
     Function CheckUserIP() As Boolean
         Try
             Dim moConfig As System.Collections.Specialized.NameValueCollection = WebConfigurationManager.GetWebApplicationSection("protean/web")
-            Dim SoapIps As String = moConfig("SoapIps") & ",127.0.0.1,::1,"
+            Dim SoapIps As String = moConfig("SoapIps")
+
+            If LCase(moConfig("Debug")) = "on" Then
+                SoapIps = +",127.0.0.1,::1,"
+            End If
+
             Dim cIP As String = GetIpAddress(moRequest)
             If SoapIps.Contains(cIP & ",") Then
                 Return True
diff --git a/wwwroot/ewcommon/xForms/Directory/ResetAccount.xml b/wwwroot/ewcommon/xForms/Directory/ResetAccount.xml
@@ -0,0 +1,9 @@
+﻿<?xml version="1.0" encoding="utf-8"?>
+<Content type="xform" name="ResetAccount"><model><instance><user><email></email></user></instance>
+<submission id="ResetAccount" action="" method="post" event="form_check(this)" />
+<bind id="cEmail" nodeset="user/email" required="true()" type="format:^[a-zA-Z0-9._%+-@ ]*$" />
+</model><group ref="ResetAccount"><label>
+  <span class="msg-028">Please enter your email address and we will email you with your password.</span></label>
+<input bind="cEmail"><label>Email address / Username</label><value></value></input>
+<submit submission="" ref="ewAccountReset" class="principle"><label>Send Password</label></submit></group>
+</Content>
