Prevent XSS Vulnerability
Issue: Bug Report: XSS Vulnerability in acp.php on FlatCore v1.4.6 #34
patkon committed Jun 7, 2017
1 parent 3e7680b commit f1b42b3
Showing 7 changed files with 61 additions and 64 deletions.
59 changes: 33 additions & 26 deletions acp/core/dashboard.system.php
Expand Up @@ -3,85 +3,92 @@
//prohibit unauthorized access
require 'core/access.php';

echo '<h3>System</h3>';

echo '<hr class="shadow" style="margin-top:0;">';

echo '<div class="row">';

echo '<div class="col-md-4">';
echo '<h5>Config</h5>';
echo '<dl class="dl-horizontal">';
echo '<dt>Server:</dt><dd>' . $_SERVER['SERVER_NAME'] . ' (PHP '.phpversion().')</dd>';

echo '<div class="panel panel-default">';

echo '<div class="panel-heading">Config</div>';
echo '<table class="table table-condensed">';
echo '<tr><td>Server:</td><td>' . $_SERVER['SERVER_NAME'] . ' (PHP '.phpversion().')</td></tr>';
if($prefs_mailer_adr != '') {
echo '<dt>System E-Mails:</dt><dd>' . $prefs_mailer_adr . '</dd>';
echo '<tr><td>System E-Mails:</td><td>' . $prefs_mailer_adr . '</td></tr>';
} else {
echo '<dt>System E-Mails:</dt><dd><span class="text-danger">'.$lang['missing_value'].'</span></dd>';
echo '<tr><td>System E-Mails:</td><td><span class="text-danger">'.$lang['missing_value'].'</span></td></tr>';
}
if($prefs_mailer_name != '') {
echo '<dt>E-Mail Name:</dt><dd>' . $prefs_mailer_name . '</dd>';
echo '<tr><td>E-Mail Name:</td><td>' . $prefs_mailer_name . '</td></tr>';
} else {
echo '<dt>E-Mail Name:</dt><dd><span class="text-danger">'.$lang['missing_value'].'</span></dd>';
echo '<tr><td>E-Mail Name:</td><td><span class="text-danger">'.$lang['missing_value'].'</span></td></tr>';
}
echo '</dl>';

echo '</table>';

echo '<hr>';
echo '</div>';

echo '<h4>' . $lang['f_user_drm'] . '</h4>';

echo '<div class="panel panel-default">';
echo '<div class="panel-heading">' . $lang['f_user_drm'] . '</div>';
echo '<div class="panel-body">';

echo"<p><span class='glyphicon glyphicon-user'></span> $_SESSION[user_firstname] $_SESSION[user_lastname] ($_SESSION[user_nick])</p>";

$list_str = '<ul class="list-unstyled" style="padding-left:16px;">';

if($_SESSION['acp_pages'] == "allowed") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_pages]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_pages'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_pages]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_pages'].'</li>';
}

if($_SESSION['acp_editpages'] == "allowed") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_editpages]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_editpages'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_editpages]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_editpages'].'</li>';
}

if($_SESSION['acp_editownpages'] == "allowed") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_editownpages]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_editownpages'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_editownpages]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_editownpages'].'</li>';
}

if($_SESSION['acp_files'] == "allowed") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_files]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_files'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_files]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_files'].'</li>';
}

if($_SESSION['acp_user'] == "allowed") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_user]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_user'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_files]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_user'].'</li>';
}

if($_SESSION['acp_system'] == "allowed") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_system]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_system'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_files]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_files'].'</li>';
}

if($_SESSION['drm_can_publish'] == "true") {
$list_str .= "<li><span class='glyphicon glyphicon-ok-circle'></span> $lang[drm_user_can_publish]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-ok-circle text-success"></span> '. $lang['drm_user_can_publish'].'</li>';
} else {
$list_str .= "<li><span class='glyphicon glyphicon-remove-circle'></span> $lang[drm_user_can_publish]</li>";
$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_user_can_publish'].'</li>';
}


$list_str .= "</ul>";

echo $list_str;

echo '</div>';

echo '</div>';
echo '</div>';


echo '<div class="col-md-8">';
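Review bot: The `acp_system` else-branch still labels its row with the wrong string: the new line `$list_str .= '<li><span class="glyphicon glyphicon-remove-circle text-danger"></span> '. $lang['drm_files'].'</li>';` under `if($_SESSION['acp_system'] == "allowed")` should use `$lang['drm_system']`, as the commit already corrected for the parallel `acp_user` branch. Separately, the restyled config table still echoes `$_SERVER['SERVER_NAME']`, `$prefs_mailer_adr` and `$prefs_mailer_name` into HTML unescaped; `SERVER_NAME` can follow the client-supplied Host header on some server configurations and the two prefs are presumably stored settings, so each should be wrapped in `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` to keep this dashboard out of the same class as the reported issue. The `$_SESSION[user_firstname] $_SESSION[user_lastname] ($_SESSION[user_nick])` echo is unchanged context with the same exposure if those values originate from user-editable profile fields.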
2 changes: 1 addition & 1 deletion acp/core/list.themes.php
Expand Up @@ -47,7 +47,7 @@
print_sysmsg("$sys_message");
}

echo '<form action="'.$_SERVER['PHP_SELF'].'?tn=moduls&sub=t" method="POST" class="form-horizontal">';
echo '<form action="acp.php?tn=moduls&sub=t" method="POST" class="form-horizontal">';
echo '<fieldset>';
echo '<legend>'.$lang['f_prefs_layout'].'</legend>';

54 changes: 22 additions & 32 deletions acp/core/pages.edit_form.php
Expand Up @@ -3,7 +3,7 @@
require 'core/access.php';


echo"\n <form id='editpage' action='$_SERVER[PHP_SELF]?tn=pages&sub=edit&editpage=$editpage' class='form-horizontal' method='POST'>\n";
echo '<form id="editpage" action="acp.php?tn=pages&sub=edit&editpage='.$editpage.'" class="form-horizontal" method="POST">';

$custom_fields = get_custom_fields();
sort($custom_fields);
Expand Down Expand Up @@ -135,11 +135,11 @@

echo tpl_form_control_group('',$lang['f_page_redirect'],'<div class="row"><div class="col-md-3">'.$select_page_redirect_code.'</div><div class="col-md-9"><input class="form-control" type="text" name="page_redirect" value="'.$page_redirect.'"></div></div>');

echo'</div>'; /* EOL tab_info */
echo '</div>'; /* EOL tab_info */


/* tab_content */
echo'<div class="tab-pane fade" id="content">';
echo '<div class="tab-pane fade" id="content">';

echo '<textarea name="page_content" class="form-control mceEditor textEditor switchEditor" id="textEditor">'.$page_content.'</textarea>';

Expand All @@ -149,16 +149,16 @@

/* tab_extracontent */

echo'<div class="tab-pane fade" id="extracontent">';
echo '<div class="tab-pane fade" id="extracontent">';

echo '<textarea name="page_extracontent" class="form-control mceEditor textEditor switchEditor" id="textEditor2">'.$page_extracontent.'</textarea>';

echo"</div>"; /* EOL tab_extracontent */
echo '</div>'; /* EOL tab_extracontent */



/* tab_meta */
echo'<div class="tab-pane fade" id="meta">';
echo '<div class="tab-pane fade" id="meta">';

echo tpl_form_control_group('',$lang['f_page_title'],'<input class="form-control" type="text" name="page_title" value="'.$page_title.'">');

Expand All @@ -171,13 +171,13 @@
echo tpl_form_control_group('',$lang['f_meta_description'],"<textarea name='page_meta_description' class='form-control cntValues' rows='5'>$page_meta_description</textarea>");


echo"<div class='form-group'>
<label class='control-label control-label-normal col-sm-2'>$lang[page_thumbnail]</label>
<div class='col-sm-10'>";
echo '<div class="form-group">';
echo '<label class="control-label control-label-normal col-sm-2">'.$lang['page_thumbnail'].'</label>';
echo '<div class="col-sm-10">';

echo '<div class="scroll-container">';
echo '<select name="page_thumbnail" class="form-control image-picker">';
echo "<option value=''>$lang[page_thumbnail]</option>";
echo '<option value="">'.$lang['page_thumbnail'].'</option>';
$arr_Images = get_all_images();
foreach($arr_Images as $page_thumbnails) {
$selected = "";
Expand All @@ -186,24 +186,14 @@
}
echo '<option '.$selected.' data-img-src="/content/images/'.$page_thumbnails.'" class="masonry-item" value="'.$page_thumbnails.'">'.$page_thumbnails.'</option>';
}
echo"</select>";
echo '</select>';
echo '</div>';
echo '</div>';
echo '</div>';
echo"</div>
</div>";

echo"</fieldset>";


foreach($arr_Images as $page_thumbnails) {
$selected = "";
if($page_thumbnail == "$page_thumbnails") {
$selected = "selected";
}
echo "<option $selected data-img-src='/content/iamages/$page_thumbnails' value='$page_thumbnails'>$page_thumbnails</option>";
}
echo '</fieldset>';



$select_page_meta_robots = '<select name="page_meta_robots" class="form-control">';
$select_page_meta_robots .= '<option value="all" '.($page_meta_robots == "all" ? 'selected="selected"' :'').'>all</option>';
$select_page_meta_robots .= '<option value="noindex" '.($page_meta_robots == "noindex" ? 'selected="selected"' :'').'>noindex</option>';
Expand All @@ -215,33 +205,33 @@



echo'</div>'; /* EOL tab_meta */
echo '</div>'; /* EOL tab_meta */



/* tab_head */
echo'<div class="tab-pane fade" id="head">';
echo '<div class="tab-pane fade" id="head">';

echo $lang['f_head_styles'];
echo '<span class="silent"> &lt;style type=&quot;text/css&quot;&gt;</span> ... <span class="silent">&lt;/styles&gt;</span>';
echo "<textarea name='page_head_styles' class='form-control aceEditor_css' rows='12'>$page_head_styles</textarea>";
echo '<textarea name="page_head_styles" class="form-control aceEditor_css" rows="12">'.$page_head_styles.'</textarea>';
echo '<div id="CSSeditor"></div>';

echo '<hr>';

echo $lang['f_head_enhanced'];
echo '<span class="silent"> &lt;head&gt;</span> ... <span class="silent">&lt;/head&gt;</span>';
echo "<textarea name='page_head_enhanced' class='form-control aceEditor_html' rows='12'>$page_head_enhanced</textarea>";
echo '<textarea name="page_head_enhanced" class="form-control aceEditor_html" rows="12">'.$page_head_enhanced.'</textarea>';
echo '<div id="HTMLeditor"></div>';

echo'</div>'; /* EOL tab_head */
echo '</div>'; /* EOL tab_head */



if($cnt_custom_fields > 0) {

/* tab custom fields */
echo'<div class="tab-pane fade" id="custom">';
echo '<div class="tab-pane fade" id="custom">';

for($i=0;$i<$cnt_custom_fields;$i++) {

Expand All @@ -259,11 +249,11 @@
}
}

echo'</div>'; /* EOL tab custom fields */
echo '</div>'; /* EOL tab custom fields */

}

echo"</div>"; // EOL fancytabs
echo '</div>'; // EOL fancytabs

echo '</div>';
echo '<div class="col-lg-3 col-md-4 col-sm-12">';
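Review bot: The rewritten form tag `echo '<form id="editpage" action="acp.php?tn=pages&sub=edit&editpage='.$editpage.'" class="form-horizontal" method="POST">';` in the first hunk drops `PHP_SELF` but still splices `$editpage` into the attribute unescaped; its origin is outside the hunk, and if it comes from the request a value containing `"` breaks out of the attribute, so it should be emitted as `htmlspecialchars(rawurlencode($editpage), ENT_QUOTES, 'UTF-8')` (URL component inside an attribute). The same applies to the page values the later hunks write into `value="..."` attributes and `<textarea>` bodies — `$page_redirect`, `$page_title`, `$page_content`, `$page_extracontent`, `$page_meta_description`, `$page_head_styles`, `$page_head_enhanced` and `$page_thumbnails` — none of which are escaped, so a stored `</textarea>` or `"` in page data would break out of its element in every editor's browser; several of these lines are touched by the commit, the rest are unchanged context. The `&` separators in the action URL should also be written `&amp;` inside an HTML attribute.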
2 changes: 1 addition & 1 deletion acp/core/pages.snippets.php
Expand Up @@ -182,7 +182,7 @@
echo '</div>';
echo '<div class="col-md-9">';

echo "<form action='$_SERVER[PHP_SELF]?tn=pages&sub=snippets' method='POST'>";
echo "<form action='acp.php?tn=pages&sub=snippets' method='POST'>";



2 changes: 1 addition & 1 deletion acp/core/system.stats.php
Expand Up @@ -45,7 +45,7 @@

echo"<fieldset>";
echo"<legend>$lang[select_logfile]</legend>";
echo"<form action='$_SERVER[PHP_SELF]?tn=system&sub=stats' method='POST' class='form-inline'>";
echo"<form action='acp.php?tn=system&sub=stats' method='POST' class='form-inline'>";
echo '<div class="form-group">';
echo"<select name='select_logfile' class='form-control'>";

4 changes: 2 additions & 2 deletions acp/core/user.groups.php
Expand Up @@ -161,7 +161,7 @@

echo '<fieldset>';
echo '<legend>'.$lang['legend_choose_group'].'</legend>';
echo '<form action="'.$_SERVER['PHP_SELF'].'?tn=user&sub=groups" method="POST">';
echo '<form action="acp.php?tn=user&sub=groups" method="POST">';

echo '<div class="row">';
echo '<div class="col-md-5">';
Expand Down Expand Up @@ -231,7 +231,7 @@
echo '<fieldset>';
echo '<legend>'.$lang['legend_groups_data'].'</legend>';

echo '<form action="'.$_SERVER[PHP_SELF].'?tn=user&sub=groups" method="POST">';
echo '<form action="acp.php?tn=user&sub=groups" method="POST">';

echo '<div class="row">';
echo '<div class="col-md-8">';
2 changes: 1 addition & 1 deletion acp/core/user.list.php
Expand Up @@ -196,7 +196,7 @@

echo '<div class="row">';
echo '<div class="col-md-5">';
echo "<form action='$_SERVER[PHP_SELF]?tn=user' class='form-inline' method='POST'>";
echo "<form action='acp.php?tn=user' class='form-inline' method='POST'>";

echo '<div class="input-group">';
echo '<span class="input-group-addon"><span class="glyphicon glyphicon-filter"></span></span>';
