More security fixes:
css.php
  Unfiltered $_POSTs everywhere!
  Prevent XSS in Create CSS form entry [http://forums.rivetcode.com/viewtopic.php?f=9&t=342&p=1144#p1144]
  Typo in create css file error message.
  Needed to connect to database for cleaning function.

edit_database.php
  One line changed: a simple htmlentities() will take care of this for now.

sanity.php, sanity_no_output.php
  Changed obsolete code, no escape on queries.

statistics.php
  Filtered yet another global array
Clarissa Walker committed Mar 13, 2012
1 parent 54e8160 commit 45a0f33
Showing 5 changed files with 40 additions and 32 deletions.
44 changes: 26 additions & 18 deletions css.php
Expand Up @@ -11,6 +11,14 @@
header("Location: authenticate.php?status=session");
exit();
}

// Prep database, needed for cleaning function
if ($GLOBALS["persist"])
$db = @mysql_pconnect($dbhost, $dbuser, $dbpass) or showError("Can't connect to database. Contact the webmaster.");
else
$db = @mysql_connect($dbhost, $dbuser, $dbpass) or showError("Can't connect to database. Contact the webmaster.");
@mysql_select_db($database) or showError("Can't open database. Contact the webmaster");

?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
Expand Down Expand Up @@ -44,8 +52,8 @@ function changeColor(color)
if (isset($_POST["set_css"]))
{
//delete style.css file
if (copy("./css/" . $_POST["set_css"], "./css/style.css"))
echo "<p class=\"success\">style.css file has been replaced with " . $_POST["set_css"] . "</p>";
if (copy("./css/" . filterData($_POST["set_css"]), "./css/style.css"))
echo "<p class=\"success\">style.css file has been replaced with " . filterData($_POST["set_css"]) . "</p>";
else
{
echo errorMessage() . "Error: Unable to copy over style.css, are the permissions correct?</p>";
Expand All @@ -55,11 +63,11 @@ function changeColor(color)
elseif (isset($_POST["delete_css"]))
{
//delete css file
if (unlink("./css/" . $_POST["delete_css"]))
echo "<p class=\"success\">" . $_POST["delete_css"] . " has been deleted</p>";
if (unlink("./css/" . filterData($_POST["delete_css"])))
echo "<p class=\"success\">" . filterData($_POST["delete_css"]) . " has been deleted</p>";
else
{
echo errorMessage() . "Error: Unable to delete " . $_POST["delete_css"] . ", are you sure the permissions are correct?</p>";
echo errorMessage() . "Error: Unable to delete " . filterData($_POST["delete_css"]) . ", are you sure the permissions are correct?</p>";
exit();
}
}
Expand All @@ -68,19 +76,19 @@ function changeColor(color)
//create new css file by copying over style.css into new file
if (substr($_POST["create_css"], -4) == ".css")
{
if (!file_exists("./css/" . $_POST["create_css"]))
if (!file_exists("./css/" . filterData($_POST["create_css"])))
{
if (copy("./css/style.css", "./css/" . $_POST["create_css"]))
echo "<p class=\"success\">" . $_POST["create_css"] . ", was created successfuly</p>";
if (copy("./css/style.css", "./css/" . filterData($_POST["create_css"])))
echo "<p class=\"success\">" . filterData($_POST["create_css"]) . ", was created successfuly</p>";
else
{
echo errorMessage() . "Error: Unabled to create " . $_POST["create_css"] . ", are you sure the permissions are correct?</p>";
echo errorMessage() . "Error: Unable to create " . filterData($_POST["create_css"]) . ", are you sure the permissions are correct?</p>";
exit();
}
}
else
{
echo errorMessage() . "Error: " . $_POST["create_css"] . " already exists, please choose a different name</p>";
echo errorMessage() . "Error: " . filterData($_POST["create_css"]) . " already exists, please choose a different name</p>";
exit();
}
}
Expand Down Expand Up @@ -130,9 +138,9 @@ function rgbhex($red, $green, $blue)
<?php

if (isset($_POST["create_css"]))
$filename = $_POST["create_css"];
$filename = filterData($_POST["create_css"]);
if (isset($_POST["edit_css"]))
$filename = $_POST["edit_css"];
$filename = filterData($_POST["edit_css"]);
//display text box with css in it
?>
<h2>Editing File: <?php echo $filename;?></h2>
Expand All @@ -153,13 +161,13 @@ function rgbhex($red, $green, $blue)
if (isset($_POST["file_contents"]))
{
//save previously edited text into file
if (is_writable("./css/" . $_POST["hidden_filename"]))
if (is_writable("./css/" . filterData($_POST["hidden_filename"])))
{
//open file
$stream = fopen("./css/" . $_POST["hidden_filename"], "w");
fwrite($stream, $_POST["file_contents"]);
$stream = fopen("./css/" . filterData($_POST["hidden_filename"]), "w");
fwrite($stream, filterData($_POST["file_contents"]));
fclose($stream);
echo "<p class=\"success\">" . $_POST["hidden_filename"] . ", was saved successfuly</p>";
echo "<p class=\"success\">" . filterData($_POST["hidden_filename"]) . ", was saved successfuly</p>";
}
else
{
Expand All @@ -169,8 +177,8 @@ function rgbhex($red, $green, $blue)
//if editing the current css file, replace that too
if ($_POST["current_css_file"] == $_POST["hidden_filename"])
{
if (copy("./css/" . $_POST["hidden_filename"], "./css/style.css"))
echo "<p class=\"success\">style.css file has been replaced with " . $_POST["hidden_filename"] . "</p>";
if (copy("./css/" . filterData($_POST["hidden_filename"]), "./css/style.css"))
echo "<p class=\"success\">style.css file has been replaced with " . filterData($_POST["hidden_filename"]) . "</p>";
else
{
echo errorMessage() . "Error: Unable to copy over style.css, are the permissions correct?</p>";
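Review bot: The filterData() calls added at L47, L58, L72, L76, L109 and L114 do not stop directory traversal — each value is still concatenated straight into a filesystem path, and filterData()'s definition is not in this commit; the description says the "cleaning function" needs a database connection, which suggests a SQL/HTML escape, and neither touches `../`. Since the page is reachable by any logged-in session (L27), `hidden_filename=../x.php` with arbitrary `file_contents` would write a file outside ./css at L114, and `set_css=../config.php` at L47 would copy that file's contents into the publicly served style.css. Running filterData() over `file_contents` at L115 also changes the CSS being saved (quotes and backslashes get escaped), so the raw contents should be written as before. Validate the name once with a helper and use it in every `./css/` path; the form handlers continue outside these hunks.
```php
// Accept only a plain file name inside ./css: no path separators, must end in .css.
function cssFileName($name)
{
    $name = basename((string) $name);
    if (!preg_match('/\A[A-Za-z0-9_-]+\.css\z/', $name))
    {
        showError("Invalid css file name.");
        exit();
    }
    return $name;
}

// … unchanged: set_css / delete_css / create_css handlers, each using cssFileName($_POST[...]) in the ./css/ path …

if (is_writable("./css/" . cssFileName($_POST["hidden_filename"])))
{
    //open file
    $stream = fopen("./css/" . cssFileName($_POST["hidden_filename"]), "w");
    fwrite($stream, $_POST["file_contents"]); // raw contents; escaping here would corrupt the CSS
    fclose($stream);
```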
2 changes: 1 addition & 1 deletion edit_database.php
Expand Up @@ -36,7 +36,7 @@

//get filename from URL string
if (isset($_GET['filename'])) {
$filename = $_GET['filename'];
$filename = htmlentities($_GET['filename']);
}

//if not edit database or filename set, display all torrents as links
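Review bot: htmlentities() at L140 is applied at input rather than at output, so `$filename` now carries HTML-encoded text into whatever it is used for next — the comment at L137 says it selects a torrent by file name, and that logic is outside this hunk. If the value is compared against a database column or a file name, names containing `&`, `<` or quotes will no longer match, and if it reaches a query it is still not SQL-escaped. Keep the raw value here (`$filename = $_GET['filename'];`) and escape per sink — `mysql_real_escape_string($filename)` in SQL, `htmlentities($filename, ENT_QUOTES)` where it is echoed — then the "for now" in the description can be retired.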
8 changes: 4 additions & 4 deletions sanity.php
Expand Up @@ -139,10 +139,10 @@

while ($row = mysql_fetch_assoc($query))
{
$compact = mysql_escape_string(pack('Nn', ip2long($row["ip"]), $row["port"]));
$peerid = mysql_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . '7:peer id20:' . hex2bin($row["peer_id"]) . "4:porti{$row["port"]}e");
$no_peerid = mysql_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . "4:porti{$row["port"]}e");
mysql_query("INSERT INTO ".$prefix."y$hash SET sequence=\"{$row["sequence"]}\", compact=\"$compact\", with_peerid=\"$peerid\", without_peerid=\"$no_peerid\"");
$compact = mysql_real_escape_string(pack('Nn', ip2long($row["ip"]), $row["port"]));
$peerid = mysql_real_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . '7:peer id20:' . hex2bin($row["peer_id"]) . "4:porti{$row["port"]}e");
$no_peerid = mysql_real_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . "4:porti{$row["port"]}e");
mysql_query("INSERT INTO ".$prefix."y$hash SET sequence='{$row["sequence"]}', compact='$compact', with_peerid='$peerid', without_peerid='$no_peerid'");
}
}
else
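Review bot: `$hash` at L157 is interpolated into the table name (`".$prefix."y$hash`) and `{$row["sequence"]}` into a quoted value, and neither goes through the escaping added on the three lines above; mysql_real_escape_string() cannot protect an identifier at all. Where `$hash` comes from is outside this hunk, so if it can originate from a request it should be validated as a bare hex string before the loop, e.g. `if (!preg_match('/\A[0-9a-f]{40}\z/', $hash)) exit();`, and `sequence` can be cast in place: `sequence='" . (int) $row["sequence"] . "'`. The enclosing block and the query that produced `$query` begin before this hunk.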
16 changes: 8 additions & 8 deletions sanity_no_output.php
Expand Up @@ -49,12 +49,12 @@
if ($counts["leecher"] == 0)
{
//If there are no leechers, set the speed to zero
quickQuery("UPDATE ".$prefix."summary set speed=0 WHERE info_hash=\"$hash\"");
quickQuery("UPDATE ".$prefix."summary set speed=0 WHERE info_hash='$hash'");
}


if ($bytes < 0)
quickQuery("UPDATE ".$prefix."summary SET dlbytes=0 WHERE info_hash=\"$hash\"");
quickQuery("UPDATE ".$prefix."summary SET dlbytes=0 WHERE info_hash='$hash'");

myTrashCollector($hash, $report_interval, time(), $writeout);

Expand All @@ -70,10 +70,10 @@

while ($row = mysql_fetch_assoc($query))
{
$compact = mysql_escape_string(pack('Nn', ip2long($row["ip"]), $row["port"]));
$peerid = mysql_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . '7:peer id20:' . hex2bin($row["peer_id"]) . "4:porti{$row["port"]}e");
$no_peerid = mysql_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . "4:porti{$row["port"]}e");
mysql_query("INSERT INTO ".$prefix."y$hash SET sequence=\"{$row["sequence"]}\", compact=\"$compact\", with_peerid=\"$peerid\", without_peerid=\"$no_peerid\"");
$compact = mysql_real_escape_string(pack('Nn', ip2long($row["ip"]), $row["port"]));
$peerid = mysql_real_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . '7:peer id20:' . hex2bin($row["peer_id"]) . "4:porti{$row["port"]}e");
$no_peerid = mysql_real_escape_string('2:ip' . strlen($row["ip"]) . ':' . $row["ip"] . "4:porti{$row["port"]}e");
mysql_query("INSERT INTO ".$prefix."y$hash SET sequence='{$row["sequence"]}', compact='$compact', with_peerid='$peerid', without_peerid='$no_peerid'");
}
}

Expand Down Expand Up @@ -116,11 +116,11 @@
function myTrashCollector($hash, $timeout, $now, $writeout)
{
require("config.php");
$peers = loadLostPeers($hash, $timeout);
$peers = loadLostPeers($hash, $timeout);
for ($i=0; $i < $peers["size"]; $i++) {
killPeer($peers[$i]["peer_id"], $hash, $peers[$i]["bytes"], $peers[$i]);
}
quickQuery("UPDATE ".$prefix."summary SET lastcycle='$now' WHERE info_hash='$hash'");
}

?>
?>
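Review bot: The quoting change on L168 and L174 still interpolates `$hash` directly into `WHERE info_hash='$hash'`, and L189 builds the table name from it, so the new single quotes only help if `$hash` is guaranteed to be a bare hex string; its origin is not in this hunk. Validating it once at the top of the cycle (`if (!preg_match('/\A[0-9a-f]{40}\z/', $hash)) exit();`) would cover every query in the file, including the one in myTrashCollector() at L202. The peer-compaction loop at L186-L189 is now byte-identical to the one in sanity.php, so moving it into a shared include would keep the two escaping paths from drifting apart again.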
2 changes: 1 addition & 1 deletion statistics.php
Expand Up @@ -24,7 +24,7 @@
<h1>Tracker User Statistics</h1>

<form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="POST">
Filename Search:<input type="text" name="filename_search" size="40"<?php if (isset($_POST["filename_search"]))echo " value=\"" . $_POST["filename_search"] . "\"";?>>
Filename Search:<input type="text" name="filename_search" size="40"<?php if (isset($_POST["filename_search"]))echo " value=\"" . filterData($_POST["filename_search"]) . "\"";?>>
<input type="submit" value="Search">
</form>
<br>
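Review bot: filterData() at L213 is used as the escape for an HTML attribute, but its definition is not in this commit and the description says it needs a database connection, which suggests a SQL (backslash) escape rather than HTML encoding; a backslash before `"` does not stop the quote from ending the attribute, so `" onfocus=alert(1) x="` would still break out of `value="..."`. This file's own L211 and edit_database.php in the same commit use htmlentities(), so be consistent at this sink: `echo " value=\"" . htmlspecialchars($_POST["filename_search"], ENT_QUOTES) . "\"";`. If filterData() already HTML-encodes, a short comment on its definition stating which output contexts it is safe for would settle this for future callers.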
