
Security: Fix suspected XSS/SQL injections vulnerabilities in tickets

ywarnier committed Dec 21, 2018
1 parent 5853a14 commit 54d05c11b97b20e5286b9cb5ce9e9670a96d3c64
@@ -113,7 +113,7 @@ public static function getCategories($from, $numberItems, $column, $direction)
public static function getCategory($id)
{
$table = Database::get_main_table(TABLE_TICKET_CATEGORY);
$id = intval($id);
$id = (int) $id;
$sql = "SELECT id, name, description, total_tickets
FROM $table WHERE id = $id";
@@ -146,7 +146,7 @@ public static function getCategoriesCount()
public static function updateCategory($id, $params)
{
$table = Database::get_main_table(TABLE_TICKET_CATEGORY);
$id = intval($id);
$id = (int) $id;
Database::update($table, $params, ['id = ?' => $id]);
}
@@ -314,10 +314,10 @@ public static function add(
$currentUserId = api_get_user_id();
$currentUserInfo = api_get_user_info();
$now = api_get_utc_datetime();
$course_id = intval($course_id);
$category_id = intval($category_id);
$project_id = intval($project_id);
$priority = empty($priority) ? self::PRIORITY_NORMAL : $priority;
$course_id = (int) $course_id;
$category_id = (int) $category_id;
$project_id = (int) $project_id;
$priority = empty($priority) ? self::PRIORITY_NORMAL : (int) $priority;
if ($status === '') {
$status = self::STATUS_NEW;
@@ -360,8 +360,8 @@ public static function add(
'sys_lastedit_datetime' => $now,
'source' => $source,
'assigned_last_user' => $assignedUserId,
'subject' => $subject,
'message' => $content,
'subject' => Database::escape_string($subject),
'message' => Database::escape_string($content),
];
if (!empty($course_id)) {
@@ -653,26 +653,26 @@ public static function insertMessage(
$params = [
'ticket_id' => $ticketId,
'subject' => $subject,
'message' => $content,
'ip_address' => $_SERVER['REMOTE_ADDR'],
'subject' => Database::escape_string($subject),
'message' => Database::escape_string($content),
'ip_address' => Database::escape_string(api_get_real_ip()),
'sys_insert_user_id' => $userId,
'sys_insert_datetime' => $now,
'sys_lastedit_user_id' => $userId,
'sys_lastedit_datetime' => $now,
'status' => $status,
'status' => Database::escape_string($status),
];
$messageId = Database::insert($table_support_messages, $params);
if ($messageId) {
// update_total_message
$sql = "UPDATE $table_support_tickets
SET
sys_lastedit_user_id ='$userId',
sys_lastedit_datetime ='$now',
sys_lastedit_user_id = $userId,
sys_lastedit_datetime = '$now',
total_messages = (
SELECT COUNT(*) as total_messages
FROM $table_support_messages
WHERE ticket_id ='$ticketId'
WHERE ticket_id = $ticketId
)
WHERE id = $ticketId ";
Database::query($sql);
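Review bot: The quotes around `$userId` and `$ticketId` were dropped in the UPDATE (`sys_lastedit_user_id = $userId`, `WHERE ticket_id = $ticketId`, `WHERE id = $ticketId`), but no `(int)` cast of either variable is visible in this hunk; insertMessage() starts before the hunk, so unless it casts them at its top, the unquoted form is no safer than the quoted one and the fix should add `$ticketId = (int) $ticketId; $userId = (int) $userId;` ahead of the `$params` array. Separately, `Database::escape_string()` is now applied to `subject`, `message` and `ip_address` before they go into `Database::insert()`; given that this same class hands `['id = ?' => $id]` placeholders to `Database::update()`, the insert path presumably binds its values rather than interpolating them, in which case the extra escaping stores doubled backslashes (e.g. `O\'Brien`) instead of preventing anything — confirm against Database::insert and, if so, drop these calls and the matching `'subject'`/`'message'` escapes in the add() hunk above. In any case escape_string is SQL-context quoting only and does not protect the later HTML rendering of these fields, which needs output encoding at the echo site.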
@@ -1409,9 +1409,9 @@ public static function updateTicket(
$now = api_get_utc_datetime();
$table = Database::get_main_table(TABLE_TICKET_TICKET);
$newParams = [
'priority_id' => isset($params['priority_id']) ? $params['priority_id'] : '',
'status_id' => isset($params['status_id']) ? $params['status_id'] : '',
'sys_lastedit_user_id' => $userId,
'priority_id' => isset($params['priority_id']) ? (int) $params['priority_id'] : '',
'status_id' => isset($params['status_id']) ? (int) $params['status_id'] : '',
'sys_lastedit_user_id' => (int) $userId,
'sys_lastedit_datetime' => $now,
];
Database::update($table, $newParams, ['id = ? ' => $ticketId]);
@@ -1503,14 +1503,14 @@ public static function send_alert($ticketId, $userId)
$table_support_tickets = Database::get_main_table(TABLE_TICKET_TICKET);
$now = api_get_utc_datetime();
$ticketId = intval($ticketId);
$userId = intval($userId);
$ticketId = (int) $ticketId;
$userId = (int) $userId;
$sql = "UPDATE $table_support_tickets SET
priority_id = '".self::PRIORITY_HIGH."',
sys_lastedit_user_id ='$userId',
sys_lastedit_datetime ='$now'
WHERE id = '$ticketId'";
sys_lastedit_user_id = $userId,
sys_lastedit_datetime = '$now'
WHERE id = $ticketId";
Database::query($sql);
}
@@ -16,9 +16,9 @@
echo '<form action="tutor.php" name="assign" id ="assign">';
echo '<div id="confirmation"></div>';
$id = intval($_GET['id']);
$id = (int) $_GET['id'];
$tblWeeklyReport = Database::get_main_table('rp_reporte_semanas');
$sql = "SELECT * FROM $tblWeeklyReport WHERE id = '$id'";
$sql = "SELECT * FROM $tblWeeklyReport WHERE id = $id";
$sql_tasks = "SELECT id AS colid, title as coltitle
FROM ".Database::get_course_table(TABLE_STUDENT_PUBLICATION)."
WHERE parent_id = 0
@@ -27,7 +27,7 @@
FROM $tblWeeklyReport
WHERE
course_code = '$course_code' AND
id != '$id'
id != $id
)";
$sql_forum = "SELECT thread_id AS colid, thread_title AS coltitle
FROM ".Database::get_course_table(TABLE_FORUM_THREAD)."
@@ -36,7 +36,7 @@
FROM $tblWeeklyReport
WHERE
course_code = '$course_code' AND
id != '$id'
id != $id
)";
$rs = Database::fetch_object(Database::query($sql));
$result_tareas = Database::query($sql_tasks);
@@ -65,7 +65,7 @@
echo '</select></div><div>';
echo '<div class="row">
<div class="formw">
<button class="save" name="edit" type="button" value="'.get_lang('Edit').'" onClick="save('."$id".');">'.
<button class="save" name="edit" type="button" value="'.get_lang('Edit').'" onClick="save('.$id.');">'.
get_lang('Edit').'</button>
</div>
</div>';
@@ -37,7 +37,7 @@
}
$formToString = '';
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$projectId = isset($_GET['project_id']) ? (int) $_GET['project_id'] : 0;
$project = TicketManager::getProject($projectId);
@@ -129,8 +129,8 @@
$values = $form->getSubmitValues();
$params = [
'name' => $values['name'],
'description' => $values['description'],
'name' => Database::escape_string($values['name']),
'description' => Database::escape_string($values['description']),
'sys_lastedit_datetime' => api_get_utc_datetime(),
'sys_lastedit_user_id' => api_get_user_id(),
];
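Review bot: `Database::escape_string()` is applied to `name` and `description` here, but the equivalent `$params` array built for `TicketManager::updateStatus()` later in this commit passes `$values['name']` and `$values['description']` unescaped, so the two paths disagree on where escaping happens. Both arrays end up in `Database::update()`, which this commit calls with `?` placeholders elsewhere (`['id = ?' => $id]`), so the values are presumably bound rather than interpolated and the escaping here would persist literal backslashes; confirm against Database::update and settle on one convention. Either way `escape_string` is MySQL quoting, not an XSS defence — these fields need `Security::remove_XSS()` or `htmlspecialchars()` where they are echoed.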
@@ -8,7 +8,7 @@
api_protect_admin_script(true);
$categoryId = isset($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;
$categoryId = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;
$projectId = isset($_GET['project_id']) ? (int) $_GET['project_id'] : '';
$categoryInfo = TicketManager::getCategory($categoryId);
@@ -6,7 +6,7 @@
*/
require_once __DIR__.'/../inc/global.inc.php';
$userId = intval($_GET['user_id']);
$userId = (int) $_GET['user_id'];
$userInfo = api_get_user_info($userId);
$coursesList = CourseManager::get_courses_list_by_user_id($userId, false, true);
@@ -13,7 +13,7 @@
api_not_allowed(true);
}
$ticket_id = intval($_GET['ticket_id']);
$ticket_id = (int) $_GET['ticket_id'];
$ticketInfo = TicketManager::get_ticket_detail_by_id($ticket_id);
if (empty($ticketInfo)) {
api_not_allowed(true);
@@ -149,18 +149,18 @@ function save_ticket()
if ($_POST['phone'] != '') {
$content .= '<p style="color:red">&nbsp;'.get_lang('Phone').': '.$_POST['phone'].'</p>';
}
$course_id = isset($_POST['course_id']) ? $_POST['course_id'] : '';
$sessionId = isset($_POST['session_id']) ? $_POST['session_id'] : '';
$category_id = isset($_POST['category_id']) ? $_POST['category_id'] : '';
$course_id = isset($_POST['course_id']) ? (int) $_POST['course_id'] : '';
$sessionId = isset($_POST['session_id']) ? (int) $_POST['session_id'] : '';
$category_id = isset($_POST['category_id']) ? (int) $_POST['category_id'] : '';
$project_id = $_POST['project_id'];
$project_id = (int) $_POST['project_id'];
$subject = $_POST['subject'];
$other_area = (int) $_POST['other_area'];
$personal_email = $_POST['personal_email'];
$source = $_POST['source_id'];
$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : 0;
$priority = isset($_POST['priority_id']) ? $_POST['priority_id'] : '';
$status = isset($_POST['status_id']) ? $_POST['status_id'] : '';
$source = (int) $_POST['source_id'];
$user_id = isset($_POST['user_id']) ? (int) $_POST['user_id'] : 0;
$priority = isset($_POST['priority_id']) ? (int) $_POST['priority_id'] : '';
$status = isset($_POST['status_id']) ? (int) $_POST['status_id'] : '';
$file_attachments = $_FILES;
if (TicketManager::add(
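Review bot: `$_POST['phone']` is concatenated straight into HTML at `$content .= '<p style="color:red">&nbsp;'.get_lang('Phone').': '.$_POST['phone'].'</p>';` and that markup becomes the stored ticket body, so the XSS vector this commit targets still exists for the phone field; wrap it as `Security::remove_XSS($_POST['phone'])` (or `htmlspecialchars`). `$subject` and `$personal_email` are also still taken raw; `$personal_email` at least should be validated with `filter_var($personal_email, FILTER_VALIDATE_EMAIL)` before it reaches the mail path. The `: ''` fallbacks on `$course_id`, `$sessionId`, `$category_id`, `$priority` and `$status` now yield `int|string`, which is fine for the `empty()`/`=== ''` checks in add() but worth a short comment so nobody "fixes" them to `0`. save_ticket() starts before this hunk and continues after it.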
@@ -30,7 +30,7 @@
}
$formToString = '';
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$action = isset($_GET['action']) ? $_GET['action'] : '';
$interbreadcrumb[] = [
@@ -82,7 +82,7 @@
}
break;
case 'edit':
$item = TicketManager::getProject($_GET['id']);
$item = TicketManager::getProject($id);
if (empty($item)) {
api_not_allowed(true);
}
@@ -105,7 +105,7 @@
'sys_lastedit_datetime' => api_get_utc_datetime(),
'sys_lastedit_user_id' => api_get_user_id(),
];
TicketManager::updateProject($_GET['id'], $params);
TicketManager::updateProject($id, $params);
Display::addFlash(Display::return_message(get_lang('Updated')));
header("Location: ".api_get_self());
exit;
@@ -32,7 +32,7 @@
}
$formToString = '';
$id = isset($_GET['id']) ? intval($_GET['id']) : 0;
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$action = isset($_GET['action']) ? $_GET['action'] : '';
$interbreadcrumb[] = [
@@ -89,7 +89,7 @@
$url = api_get_self().'?action=edit&id='.$id;
$form = TicketManager::getStatusForm($url);
$item = TicketManager::getStatus($_GET['id']);
$item = TicketManager::getStatus($id);
$form->setDefaults([
'name' => $item->getName(),
'description' => $item->getDescription(),
@@ -102,7 +102,7 @@
'name' => $values['name'],
'description' => $values['description'],
];
$cat = TicketManager::updateStatus($_GET['id'], $params);
$cat = TicketManager::updateStatus($id, $params);
Display::addFlash(Display::return_message(get_lang('Updated')));
header("Location: ".api_get_self());
exit;
@@ -12,7 +12,7 @@
exit;
}
$ticket_id = intval($_POST['ticket_id']);
$ticket_id = (int) $_POST['ticket_id'];
$history = TicketManager::get_assign_log($ticket_id);
?>
<table width="200px" border="0" cellspacing="2" cellpadding="2">
@@ -119,12 +119,12 @@ class: "controls"
}
</style>';
$ticket_id = $_GET['ticket_id'];
$ticket_id = (int) $_REQUEST['ticket_id'];
$ticket = TicketManager::get_ticket_detail_by_id($ticket_id);
if (!isset($ticket['ticket'])) {
api_not_allowed(true);
}
if (!isset($_GET['ticket_id'])) {
if (!isset($_REQUEST['ticket_id'])) {
header('Location: '.api_get_path(WEB_CODE_PATH).'ticket/tickets.php');
exit;
}
@@ -150,7 +150,7 @@ class: "controls"
$title = 'Ticket #'.$ticket['ticket']['code'];
if (isset($_REQUEST['close'])) {
TicketManager::close_ticket($_REQUEST['ticket_id'], $user_id);
TicketManager::close_ticket($ticket_id, $user_id);
$ticket['ticket']['status_id'] = TicketManager::STATUS_CLOSE;
$ticket['ticket']['status'] = get_lang('Closed');
}
@@ -169,11 +169,11 @@ class: "controls"
$receivedMessage = '';
if (!empty($message['subject'])) {
$receivedMessage = '<b>'.get_lang('Subject').': </b> '.$message['subject'].'<br/>';
$receivedMessage = '<b>'.get_lang('Subject').': </b> '.Security::remove_XSS($message['subject']).'<br />';
}
if (!empty($message['message'])) {
$receivedMessage = '<b>'.get_lang('Message').':</b><br/>'.$message['message'].'<br/>';
$receivedMessage = '<b>'.get_lang('Message').':</b><br />'.Security::remove_XSS($message['message']).'<br />';
}
$attachmentLinks = '';
@@ -206,7 +206,7 @@ class: "controls"
$counter++;
}
$subject = get_lang('ReplyShort').': '.$ticket['ticket']['subject'];
$subject = get_lang('ReplyShort').': '.Security::remove_XSS($ticket['ticket']['subject']);
if ($ticket['ticket']['status_id'] != TicketManager::STATUS_FORWARDED &&
$ticket['ticket']['status_id'] != TicketManager::STATUS_CLOSE
@@ -219,10 +219,8 @@ class: "controls"
$formToShow = $form->returnForm();
if ($form->validate()) {
$ticket_id = $_POST['ticket_id'];
$content = $_POST['content'];
$ticket_id = (int) $_POST['ticket_id'];
$messageToSend = '';
$subject = $_POST['subject'];
$message = isset($_POST['confirmation']) ? true : false;
$file_attachments = $_FILES;
@@ -258,8 +256,8 @@ class: "controls"
TicketManager::updateTicket(
[
'priority_id' => $_POST['priority_id'],
'status_id' => $_POST['status_id'],
'priority_id' => (int) $_POST['priority_id'],
'status_id' => (int) $_POST['status_id'],
],
$ticket_id,
api_get_user_id()
@@ -311,16 +309,16 @@ class: "controls"
}
}
$messageToSend .= $content;
$messageToSend .= $_POST['content'];
TicketManager::insertMessage(
$ticket_id,
$subject,
$_POST['subject'],
$messageToSend,
$file_attachments,
$user_id,
'NOL',
$message
Database::escape_string($message)
);
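Review bot: `Database::escape_string($message)` is applied to a boolean — `$message` is set as `isset($_POST['confirmation']) ? true : false` in an earlier hunk of this file — so the escape turns `true`/`false` into the strings `'1'`/`''` before insertMessage() receives its flag; it escapes nothing useful and changes the argument's type, so pass `$message` unchanged. In the first hunk of this file, `$ticket_id = (int) $_REQUEST['ticket_id'];` and the `get_ticket_detail_by_id()` call now run before the `if (!isset($_REQUEST['ticket_id']))` guard, so a request without the parameter hits the undefined-index notice and `api_not_allowed()` rather than the intended redirect; move the `isset` block above the cast. The enclosing `if ($form->validate())` block starts before this hunk.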
TicketManager::sendNotification(
@@ -28,7 +28,7 @@ function initializeReport($course_code)
$resWeeks = Database::query($sqlWeeks);
$weeks = Database::fetch_object($resWeeks);
$obj = Database::fetch_object($res);
$weeksCount = (!isset($_POST['weeksNumber'])) ? (($weeks->semanas == 0) ? 7 : $weeks->semanas) : $_POST['weeksNumber'];
$weeksCount = (!isset($_POST['weeksNumber'])) ? (($weeks->semanas == 0) ? 7 : $weeks->semanas) : (int) $_POST['weeksNumber'];
$weeksCount = Database::escape_string($weeksCount);
Database::query("REPLACE INTO $table_semanas_curso (course_code , semanas) VALUES ('$course_code','$weeksCount')");
if (intval($obj->cant) != $weeksCount) {
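Review bot: `$course_code` is interpolated into the `REPLACE INTO` at `VALUES ('$course_code','$weeksCount')` with no escaping visible in this hunk, while `$weeksCount` is now both cast to `int` and then run through `Database::escape_string()` — the escape is redundant after the cast (and presumably returns a string, which is why the following `intval($obj->cant) != $weeksCount` only works through loose comparison). `$course_code` is a parameter of initializeReport(), whose signature is outside this hunk; verify it is escaped or validated at the call site, or build the REPLACE with bound parameters. Note also that `(int) $_POST['weeksNumber']` maps non-numeric input to 0, which then reaches the REPLACE as `'0'`; if zero weeks is not meaningful, fall back to the default the way the `$weeks->semanas == 0` branch already does.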
@@ -57,7 +57,7 @@ function initializeReport($course_code)
if (!Database::query($sql)) {
return false;
} else {
$page = (!isset($_GET['page'])) ? 1 : $_GET['page'];
$page = (!isset($_GET['page'])) ? 1 : (int) $_GET['page'];
Database::query("UPDATE $table_students_report sr SET sr.work_ok = 1
WHERE CONCAT (sr.user_id,',',sr.week_report_id)
