Merge pull request #164 from devryan/xss-patch

Fix ajax XSS
devryan · Mar 16, 2017 · 2f78f27 · 2f78f27
2 parents a3b0ea3 + b88c92d
commit 2f78f27
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/ajax/ajax.php b/ajax/ajax.php
@@ -26,7 +26,7 @@
 if(isset($_GET['a'])) $this_request = $_GET['a'];
 elseif(isset($_POST['a'])) $this_request = $_POST['a'];
 
-if(!in_array($this_request, $allowed_reqs)) die('ERROR: Invalid ajax action "' . $this_request . '"!');
+if(!in_array($this_request, $allowed_reqs)) die('ERROR: Invalid ajax action "' . strip_tags($this_request) . '"!');
 
 // Check logged-in
 if($this_request != 'login_actions' && !isset($_SESSION['gpx_userid'])) die('You must be logged-in to do that!');
@@ -75,9 +75,9 @@
 {
     $login_type = $_SESSION['gpx_type'];
     $this_request = str_replace('main_','',$this_request);
-    
-    if($login_type == 'admin') require(DOCROOT.'/admin/'.$this_request.'.php');
-    else require(DOCROOT.'/'.$this_request.'.php');
+
+    if($login_type == 'admin' && file_exists(DOCROOT.'/admin/'.$this_request.'.php')) require(DOCROOT.'/admin/'.$this_request.'.php');
+    elseif(file_exists(DOCROOT.'/'.$this_request.'.php')) require(DOCROOT.'/'.$this_request.'.php');
 }
 // All other pages in /ajax/
 else