v2.325
Pre-release. Full Changelog: https://github.com/flusity/flusity-CMS/commits/v2.325
Bug fixed; the code was changed to:
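if (isset($_GET['edit_customblock_id'])) {
    // Validate rather than sanitise: FILTER_VALIDATE_INT returns an int or false (an array
    // value also yields false), so only a genuine integer can reach the inline script.
    // FILTER_SANITIZE_NUMBER_INT merely strips characters and would let "" or "1-2" through.
    $edit_customblock_id = filter_var($_GET['edit_customblock_id'], FILTER_VALIDATE_INT);
    if ($edit_customblock_id !== false) {
        echo "<script>loadCustomBlockEditForm($edit_customblock_id);</script>";
    }
}
if (isset($_GET['customblock_place'])) {
    $raw_customblock_place = $_GET['customblock_place'];
    // Only a scalar string can be a place name; "customblock_place[]=x" arrives as an array.
    if (is_string($raw_customblock_place)) {
        // strip_tags keeps the tag removal FILTER_SANITIZE_STRING used to do (that filter is
        // deprecated since PHP 8.1). The value then lands inside a JavaScript string literal,
        // so it is encoded for that context with json_encode: the HEX flags turn < > ' " &
        // into \uXXXX escapes, which also prevents a literal "</script>" from closing the
        // element. htmlspecialchars() is the wrong tool here: entities are not decoded inside
        // <script>, so it corrupts values containing & or quotes instead of escaping them.
        $customblock_place = strip_tags($raw_customblock_place);
        $safe_customblock_place = json_encode(
            $customblock_place,
            JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        );
        // json_encode returns false for invalid UTF-8; emit nothing rather than a broken call.
        if ($safe_customblock_place !== false) {
            echo "<script>loadCustomBlocCreateForm($safe_customblock_place);</script>";
        }
    }
}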
The vulnerable code is at line 274 of core/tools/posts.php:
// core/tools/posts.php line 274 before the fix: $_GET['menu_id'] is written into the page
// verbatim -- no validation and no output encoding -- so the request decides what the
// inline <script> executes (the fixed version below validates it first).
if (isset($_GET['menu_id'])) {
$menu_id = $_GET['menu_id'];
echo "<script>loadPostAddForm($menu_id);</script>";
}
Bug fixed; the code was changed to:
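if (isset($_GET['menu_id'])) {
    // Validate rather than sanitise: FILTER_VALIDATE_INT returns an int or false (an array
    // value also yields false), so only a genuine integer is ever interpolated into the
    // script. FILTER_SANITIZE_NUMBER_INT only strips characters and would pass "" or "1-2",
    // and htmlspecialchars() adds nothing for an integer. Reading $_GET here keeps the
    // check and the value on the same source (filter_input reads the original request).
    $menu_id = filter_var($_GET['menu_id'], FILTER_VALIDATE_INT);
    if ($menu_id !== false) {
        echo "<script>loadPostAddForm($menu_id);</script>";
    }
}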
The affected code is at line 15 of upload.php:
// upload.php line 15 before the fix: the MIME allow-list and size limit are configured here,
// but the submitted file name is handed to handleFileUpload() without any check on it
// (the fixed version below validates the name first).
$allowed_file_types = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf', 'application/msword', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'];
$max_file_size = 5 * 1024 * 1024;
$file_id = handleFileUpload($db, $prefix['table_prefix'], $target_dir, $allowed_file_types, $max_file_size);
Bug fixed; the code was changed to:
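// MIME types that may be stored and the per-file size limit (5 MiB) passed to handleFileUpload().
$allowed_file_types = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf', 'application/msword', 'application/vnd.ms-excel', 'application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'];
$max_file_size = 5 * 1024 * 1024;
if (isset($_FILES['uploaded_file'])) {
    // Reject the request before anything touches the disk when the submitted name holds
    // characters outside [A-Za-z0-9._]. The name is cast so a missing entry becomes "".
    $filename = (string) ($_FILES['uploaded_file']['name'] ?? '');
    $filename_clean = preg_replace("/[^a-zA-Z0-9\._]+/", "", $filename);
    // preg_replace returns null on a PCRE error; treat that like an invalid name.
    if ($filename_clean === null || $filename !== $filename_clean) {
        $_SESSION['error_message'] = t("Invalid characters in file name.");
        header("Location: files.php");
        exit();
    }
    $file_id = handleFileUpload($db, $prefix['table_prefix'], $target_dir, $allowed_file_types, $max_file_size, $filename_clean);
}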
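/**
 * Validate the file submitted as $_FILES['uploaded_file'], move it into $target_dir under a
 * randomised name and record (name, url) in the "<prefix>_flussi_files" table.
 *
 * Checks, in order: upload status, file-name characters, content type sniffed from the file's
 * bytes, size, and that the extension matches the sniffed type. A MIME type in
 * $allowed_file_types that has no entry in $extensions_for_type is rejected; extend the map
 * when widening the allow-list.
 *
 * @param PDO         $db                 open database connection
 * @param string      $table_prefix       prefix of the files table ("<prefix>_flussi_files")
 * @param string      $target_dir         destination directory, as used by the caller (trailing separator expected)
 * @param string[]    $allowed_file_types MIME types that may be stored
 * @param int         $max_file_size      size limit in bytes
 * @param string|null $filename_clean     optional caller-validated name; defaults to the submitted name
 * @return string|false id of the inserted row (PDO::lastInsertId()), or false after setting $_SESSION['error_message']
 */
function handleFileUpload($db, $table_prefix, $target_dir, $allowed_file_types, $max_file_size, $filename_clean = null) {
    // Extensions accepted for each storable MIME type. The stored file is later reachable under
    // /uploads/<name>, so a content type on the allow-list must not be saved under an extension
    // the web server would hand to an interpreter; the extension is therefore tied to the type.
    static $extensions_for_type = [
        'image/png' => ['png'],
        'image/jpeg' => ['jpg', 'jpeg'],
        'image/gif' => ['gif'],
        'application/pdf' => ['pdf'],
        'application/msword' => ['doc'],
        'application/vnd.ms-excel' => ['xls'],
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => ['docx'],
        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' => ['xlsx'],
    ];

    // The original read $uploaded_file without ever defining it; take it from the request here.
    $uploaded_file = $_FILES['uploaded_file'] ?? null;
    if (!is_array($uploaded_file) || ($uploaded_file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $_SESSION['error_message'] = t("Error loading file.");
        return false;
    }

    // Name validation lives in the helper as well, so every caller gets the same check.
    $filename = (string) ($filename_clean ?? $uploaded_file['name'] ?? '');
    $filename_clean = strtolower((string) preg_replace("/[^a-zA-Z0-9\._]+/", "", $filename));
    if ($filename_clean === '' || $filename_clean !== strtolower($filename)) {
        $_SESSION['error_message'] = t("Invalid characters in file name.");
        return false;
    }

    // Only a file that PHP itself received through the upload mechanism may be processed.
    $tmp_name = (string) ($uploaded_file['tmp_name'] ?? '');
    if ($tmp_name === '' || !is_uploaded_file($tmp_name)) {
        $_SESSION['error_message'] = t("Error loading file.");
        return false;
    }

    // $_FILES[...]['type'] is whatever the client declared and proves nothing about the
    // content; sniff the type from the bytes instead. The declared type is used only where
    // the fileinfo extension is not loaded.
    $detected_type = class_exists('finfo')
        ? (new finfo(FILEINFO_MIME_TYPE))->file($tmp_name)
        : ($uploaded_file['type'] ?? '');
    if (!is_string($detected_type) || !in_array($detected_type, $allowed_file_types, true)) {
        $_SESSION['error_message'] = t("Invalid file type.");
        return false;
    }

    if ((int) ($uploaded_file['size'] ?? 0) > $max_file_size) {
        $_SESSION['error_message'] = t("File size exceeded limit.");
        return false;
    }

    // The extension must agree with the sniffed type; a missing extension is rejected rather
    // than producing a name that ends in "." as the original did.
    $filename_parts = pathinfo($filename_clean);
    $extension = $filename_parts['extension'] ?? '';
    if ($extension === '' || !in_array($extension, $extensions_for_type[$detected_type] ?? [], true)) {
        $_SESSION['error_message'] = t("Invalid file type.");
        return false;
    }

    // Random suffix keeps stored names unique; dots inside the base name become underscores so
    // the stored name has exactly one extension (some servers interpret every dotted segment).
    $unique_code = bin2hex(random_bytes(8));
    $base_name = str_replace('.', '_', (string) ($filename_parts['filename'] ?? ''));
    $new_filename = $base_name . '_' . $unique_code . '.' . $extension;
    $target_file = $target_dir . basename($new_filename);

    if (!move_uploaded_file($tmp_name, $target_file)) {
        $_SESSION['error_message'] = t("Error loading file.");
        return false;
    }

    // NOTE(review): the stored URL is built from the request's Host header, which the client
    // supplies; a configured site base URL would be the safer source -- confirm against the app config.
    $scheme = $_SERVER['REQUEST_SCHEME']
        ?? ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http');
    $file_url = $scheme . "://" . ($_SERVER['HTTP_HOST'] ?? '') . "/uploads/" . $new_filename;
    $_SESSION['success_message'] = "File" ." ". basename($filename_clean) . " " .t("file uploaded successfully.");

    // Table name comes from configuration, values are bound; nothing from the request is interpolated.
    $stmt = $db->prepare("INSERT INTO " . $table_prefix . "_flussi_files (name, url) VALUES (:name, :url)");
    $stmt->bindValue(':name', $new_filename, PDO::PARAM_STR);
    $stmt->bindValue(':url', $file_url, PDO::PARAM_STR);
    $stmt->execute();
    return $db->lastInsertId();
}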