
Fixed the CSRF-protection, now every form needs to have a valid token…
… or you are logged out

git-svn-id: file:///var/svn/trunk/syscp@1353 45fdb5c4-e40b-0410-b369-9aab4fe9a275
Florian Aders authored and Florian Aders committed Dec 30, 2007
1 parent 8966fc6 commit a76a7b0
Showing 15 changed files with 93 additions and 21 deletions.
3 changes: 3 additions & 0 deletions admin_admins.php
Expand Up @@ -125,6 +125,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("DELETE FROM `" . TABLE_PANEL_ADMINS . "` WHERE `adminid`='" . (int)$id . "'");
$db->query("DELETE FROM `" . TABLE_PANEL_TRAFFIC_ADMINS . "` WHERE `adminid`='" . (int)$id . "'");
$db->query("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `adminid` = '" . (int)$userinfo['userid'] . "' WHERE `adminid` = '" . (int)$id . "'");
Expand All @@ -150,6 +151,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$name = validate($_POST['name'], 'name');
$email = $idna_convert->encode(validate($_POST['email'], 'email'));
$loginname = validate($_POST['loginname'], 'loginname');
Expand Down Expand Up @@ -276,6 +278,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$name = validate($_POST['name'], 'name');
$email = $idna_convert->encode(validate($_POST['email'], 'email'));

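Review bot: The protection is opt-in per handler: `wasFormCompromised();` is placed inside each `if(isset($_POST['send']) && $_POST['send'] == 'send')` branch, so any POST path in these scripts that does not reach one of these lines stays unchecked, and the same pattern repeats in every other file of this commit (admin_customers.php, admin_domains.php, admin_index.php, admin_ipsandports.php, admin_settings.php, admin_templates.php, customer_domains.php, customer_email.php, customer_extras.php, customer_ftp.php, customer_index.php). A fail-closed alternative is one call in the shared bootstrap that runs for every POST, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST') { wasFormCompromised(); }`, so a handler that forgets the call is still covered. Separately, the name reads as a predicate but its return value is discarded at every call site, which, together with the commit message ("or you are logged out"), suggests it acts by side effect; a name such as `requireValidFormToken()` would make that contract visible to the next reader. The enclosing `if` blocks in all three hunks start outside the hunk.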
2 changes: 2 additions & 0 deletions admin_customers.php
Expand Up @@ -125,6 +125,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$databases = $db->query("SELECT * FROM " . TABLE_PANEL_DATABASES . " WHERE customerid='" . (int)$id . "'");
$db_root = new db($sql['host'], $sql['root_user'], $sql['root_password'], '');
unset($db_root->password);
Expand Down Expand Up @@ -215,6 +216,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$name = validate($_POST['name'], 'name');
$firstname = validate($_POST['firstname'], 'first name');
$company = validate($_POST['company'], 'company');
7 changes: 7 additions & 0 deletions admin_domains.php
Expand Up @@ -108,6 +108,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$query = 'SELECT `id` ' . 'FROM `' . TABLE_PANEL_DOMAINS . '` ' . 'WHERE (`id`="' . (int)$id . '" OR `parentdomainid`="' . (int)$id . '") ' . ' AND `isemaildomain`="1"';
$subResult = $db->query($query);
$idString = array();
Expand Down Expand Up @@ -157,6 +158,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$domain = $idna_convert->encode(preg_replace(Array(
'/\:(\d)+$/',
'/^https?\:\/\//'
Expand Down Expand Up @@ -304,6 +306,7 @@
if(($openbasedir == '0' || $safemode == '0')
&& (!isset($_POST['reallydoit']) || $_POST['reallydoit'] != 'reallydoit'))
{
wasFormCompromised();
ask_yesno('admin_domain_reallydisablesecuritysetting', $filename, array(
'page' => $page,
'action' => $action,
Expand Down Expand Up @@ -355,6 +358,7 @@
$params['reallydoit'] = 'reallydoit';
}

wasFormCompromised();
ask_yesno('admin_domain_reallydocrootoutofcustomerroot', $filename, $params);
exit;
}
Expand Down Expand Up @@ -451,6 +455,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$customer = $db->query_first("SELECT `documentroot` FROM " . TABLE_PANEL_CUSTOMERS . " WHERE `customerid`='" . (int)$result['customerid'] . "'");
$aliasdomain = intval($_POST['alias']);
$isemaildomain = intval($_POST['isemaildomain']);
Expand Down Expand Up @@ -546,6 +551,7 @@
&& (!isset($_POST['reallydoit']) || $_POST['reallydoit'] != 'reallydoit')
&& $userinfo['change_serversettings'] == '1')
{
wasFormCompromised();
ask_yesno('admin_domain_reallydisablesecuritysetting', $filename, array(
'id' => $id,
'page' => $page,
Expand Down Expand Up @@ -593,6 +599,7 @@
$params['reallydoit'] = 'reallydoit';
}

wasFormCompromised();
ask_yesno('admin_domain_reallydocrootoutofcustomerroot', $filename, $params);
exit;
}
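Review bot: In the four `reallydoit` hunks (@@ -304, @@ -355, @@ -546, @@ -593) `wasFormCompromised();` is placed immediately before `ask_yesno(...)`, which renders a confirmation form that is submitted again with `reallydoit`; that second form must itself carry a fresh token, otherwise the follow-up submission either fails the check or, if the `reallydoit` path does not repeat the check, changes the security setting without token validation. Whether `ask_yesno` emits the token is not visible here, so a round-trip test for both outcomes (accepted with token, rejected without) is worth adding. The same two-step shape appears in admin_templates.php, where the `prepare` branch checks the token and then renders `templates_add_2`, whose submission is handled by the new `elseif(isset($_POST['send']) ...)` branch. The enclosing blocks of all these hunks start outside the hunk.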
2 changes: 2 additions & 0 deletions admin_index.php
Expand Up @@ -115,6 +115,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$old_password = validate($_POST['old_password'], 'old password');

if(md5($old_password) != $userinfo['password'])
Expand Down Expand Up @@ -169,6 +170,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$def_language = validate($_POST['def_language'], 'default language');

if(isset($languages[$def_language]))
3 changes: 3 additions & 0 deletions admin_ipsandports.php
Expand Up @@ -94,6 +94,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("DELETE FROM `" . TABLE_PANEL_IPSANDPORTS . "` WHERE `id`='" . (int)$id . "'");
inserttask('1');
inserttask('4');
Expand Down Expand Up @@ -133,6 +134,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$ip = validate($_POST['ip'], 'ip', '/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$/Di', 'ipiswrong');
$port = validate($_POST['port'], 'port', '/^(([1-9])|([1-9][0-9])|([1-9][0-9][0-9])|([1-9][0-9][0-9][0-9])|([1-5][0-9][0-9][0-9][0-9])|(6[0-4][0-9][0-9][0-9])|(65[0-4][0-9][0-9])|(655[0-2][0-9])|(6553[0-5]))$/Di', array(
'stringisempty',
Expand Down Expand Up @@ -179,6 +181,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$ip = validate($_POST['ip'], 'ip', '/^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$/Di', 'ipiswrong');
$port = validate($_POST['port'], 'port', '/^(([1-9])|([1-9][0-9])|([1-9][0-9][0-9])|([1-9][0-9][0-9][0-9])|([1-5][0-9][0-9][0-9][0-9])|(6[0-4][0-9][0-9][0-9])|(65[0-4][0-9][0-9])|(655[0-2][0-9])|(6553[0-5]))$/Di', array(
'stringisempty',
5 changes: 5 additions & 0 deletions admin_settings.php
Expand Up @@ -29,6 +29,8 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();

if($_POST['session_sessiontimeout'] != $settings['session']['sessiontimeout'])
{
$value = validate($_POST['session_sessiontimeout'], 'session timeout', '/^[0-9]+$/', 'sessiontimeoutiswrong');
Expand Down Expand Up @@ -587,6 +589,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
inserttask('1');
inserttask('3');
inserttask('4');
Expand All @@ -608,6 +611,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$updatecounters = updateCounters(true);
$customers = '';
foreach($updatecounters['customers'] as $customerid => $customer)
Expand Down Expand Up @@ -636,6 +640,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET `password`='' ");
$db->query("UPDATE `" . TABLE_PANEL_SETTINGS . "` SET `value`='0' WHERE `settinggroup`='system' AND `varname`='mailpwcleartext'");
redirectTo('admin_settings.php', array(
10 changes: 6 additions & 4 deletions admin_templates.php
Expand Up @@ -103,6 +103,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("DELETE FROM `" . TABLE_PANEL_TEMPLATES . "` WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND (`id`='" . (int)$subjectid . "' OR `id`='" . (int)$mailbodyid . "')");
redirectTo($filename, Array(
'page' => $page,
Expand Down Expand Up @@ -136,6 +137,7 @@
if(isset($_POST['prepare'])
&& $_POST['prepare'] == 'prepare')
{
wasFormCompromised();
$language = validate($_POST['language'], 'language');
$templates = array();
$result = $db->query('SELECT `varname` FROM `' . TABLE_PANEL_TEMPLATES . '` WHERE `adminid`=\'' . (int)$userinfo['adminid'] . '\' AND `language`=\'' . $db->escape($language) . '\' AND `templategroup`=\'mails\' AND `varname` LIKE \'%_subject\'');
Expand All @@ -154,11 +156,10 @@

eval("echo \"" . getTemplate("templates/templates_add_2") . "\";");
}
else

if(isset($_POST['send'])
&& $_POST['send'] == 'send')
elseif(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$language = validate($_POST['language'], 'language', '/^[^\r\n\0"\']+$/', 'nolanguageselect');
$template = validate($_POST['template'], 'template');
$subject = validate($_POST['subject'], 'subject', '/^[^\r\n\0]+$/', 'nosubjectcreate');
Expand Down Expand Up @@ -231,6 +232,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$subject = validate($_POST['subject'], 'subject', '/^[^\r\n\0]+$/', 'nosubjectcreate');
$mailbody = validate($_POST['mailbody'], 'mailbody', '/^[^\0]+$/', 'nomailbodycreate');
$db->query("UPDATE `" . TABLE_PANEL_TEMPLATES . "` SET `value`='" . $db->escape($subject) . "' WHERE `adminid`='" . (int)$userinfo['adminid'] . "' AND `id`='" . (int)$subjectid . "'");
6 changes: 6 additions & 0 deletions customer_domains.php
Expand Up @@ -164,6 +164,8 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();

if($result['isemaildomain'] == '1')
{
$emails = $db->query_first('SELECT COUNT(`id`) AS `count` FROM `' . TABLE_MAIL_VIRTUAL . '` WHERE `customerid`=\'' . (int)$userinfo['customerid'] . '\' AND `domainid`=\'' . (int)$id . '\'');
Expand Down Expand Up @@ -205,6 +207,8 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();

/* Rules for subdomains:
* - At least two characters
* - Valid characters: a-z, 0-9, ".", "-" and "_"
Expand Down Expand Up @@ -338,6 +342,8 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();

if(isset($_POST['url'])
&& $_POST['url'] != ''
&& validateUrl($idna_convert->encode($_POST['url'])))
7 changes: 7 additions & 0 deletions customer_email.php
Expand Up @@ -149,6 +149,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$update_users_query_addon = '';

if($result['destination'] != '')
Expand Down Expand Up @@ -193,6 +194,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$email_part = $_POST['email_part'];
$domain = $idna_convert->encode(validate($_POST['domain'], 'domain'));
$domain_check = $db->query_first("SELECT `id`, `domain`, `customerid` FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain`='" . $db->escape($domain) . "' AND `customerid`='" . (int)$userinfo['customerid'] . "' AND `isemaildomain`='1' ");
Expand Down Expand Up @@ -366,6 +368,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$email_full = $result['email_full'];
$username = $idna_convert->decode($email_full);
$password = validate($_POST['email_password'], 'password');
Expand Down Expand Up @@ -452,6 +455,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$password = validate($_POST['email_password'], 'password');

if($password == '')
Expand Down Expand Up @@ -492,6 +496,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("DELETE FROM `" . TABLE_MAIL_USERS . "` WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'");
$result['destination'] = str_replace($result['email_full'], '', $result['destination']);
$db->query("UPDATE `" . TABLE_MAIL_VIRTUAL . "` SET `destination` = '" . $db->escape(makeCorrectDestination($result['destination'])) . "', `popaccountid` = '0' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
Expand Down Expand Up @@ -530,6 +535,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$destination = $idna_convert->encode($_POST['destination']);
$result['destination_array'] = explode(' ', $result['destination']);

Expand Down Expand Up @@ -610,6 +616,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$result['destination'] = str_replace($forwarder, '', $result['destination']);
$db->query("UPDATE `" . TABLE_MAIL_VIRTUAL . "` SET `destination` = '" . $db->escape(makeCorrectDestination($result['destination'])) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
$db->query("UPDATE `" . TABLE_PANEL_CUSTOMERS . "` SET `email_forwarders_used` = `email_forwarders_used` - 1 WHERE `customerid`='" . (int)$userinfo['customerid'] . "'");
12 changes: 9 additions & 3 deletions customer_extras.php
Expand Up @@ -85,6 +85,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("DELETE FROM `" . TABLE_PANEL_HTPASSWDS . "` WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='$id'");
inserttask('3');
redirectTo($filename, Array(
Expand Down Expand Up @@ -112,6 +113,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$path = makeCorrectDir(validate($_POST['path'], 'path'));
$userpath = $path;
$path = $userinfo['documentroot'] . $path;
Expand Down Expand Up @@ -184,6 +186,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
validate($_POST['directory_password'], 'password');

if(CRYPT_STD_DES == 1)
Expand Down Expand Up @@ -281,6 +284,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("DELETE FROM `" . TABLE_PANEL_HTACCESS . "` WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
inserttask('3');
redirectTo($filename, Array(
Expand All @@ -300,9 +304,10 @@
}
elseif($action == 'add')
{
if((isset($_POST['send']))
&& ($_POST['send'] == 'send'))
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$path = makeCorrectDir(validate($_POST['path'], 'path'));
$userpath = $path;
$path = $userinfo['documentroot'] . $path;
Expand Down Expand Up @@ -401,6 +406,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$option_indexes = intval($_POST['options_indexes']);

if($option_indexes != '1')
Expand Down Expand Up @@ -457,7 +463,7 @@

// || ($error401path != $result['error401path'])


|| ($error500path != $result['error500path']))
{
inserttask('3');
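Review bot: The htpasswd delete query right under the new check (hunk @@ -85) interpolates the identifier raw, `` AND `id`='$id' ``, whereas the matching htaccess delete in hunk @@ -281 casts it with `(int)$id`; unless `$id` is cast before this hunk (not visible), this is string-built SQL with an uncast value, and the line should read `` AND `id`='" . (int)$id . "'" `` for consistency with the rest of the file. The line is context rather than part of this change, but the handler it belongs to is what the commit is now protecting, so bringing it in line here is cheap. The enclosing `if` starts outside the hunk.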
4 changes: 4 additions & 0 deletions customer_ftp.php
Expand Up @@ -90,6 +90,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `up_count`=`up_count`+'" . (int)$result['up_count'] . "', `up_bytes`=`up_bytes`+'" . (int)$result['up_bytes'] . "', `down_count`=`down_count`+'" . (int)$result['down_count'] . "', `down_bytes`=`down_bytes`+'" . (int)$result['down_bytes'] . "' WHERE `username`='" . $db->escape($userinfo['loginname']) . "'");
$db->query("DELETE FROM `" . TABLE_FTP_USERS . "` WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
$db->query("UPDATE `" . TABLE_FTP_GROUPS . "` SET `members`=REPLACE(`members`,'," . $db->escape($result['username']) . "','') WHERE `customerid`='" . (int)$userinfo['customerid'] . "'");
Expand Down Expand Up @@ -133,6 +134,8 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();

if($settings['customer']['ftpatdomain'] == '1')
{
$ftpusername = validate($_POST['ftp_username'], 'username', '/^[a-zA-Z0-9][a-zA-Z0-9\-_]+\$?$/');
Expand Down Expand Up @@ -231,6 +234,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$password = validate($_POST['ftp_password'], 'password');

if($password == '')
2 changes: 2 additions & 0 deletions customer_index.php
Expand Up @@ -61,6 +61,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$old_password = validate($_POST['old_password'], 'old password');

if(md5($old_password) != $userinfo['password'])
Expand Down Expand Up @@ -138,6 +139,7 @@
if(isset($_POST['send'])
&& $_POST['send'] == 'send')
{
wasFormCompromised();
$def_language = validate($_POST['def_language'], 'default language');

if(isset($languages[$def_language]))
