bugfix for XSS and backdoor file upload found by s7acktrac3 issue #58
BSteelooper committed May 21, 2018
1 parent 5d7967e commit 8f6541e
Showing 10 changed files with 75 additions and 14 deletions.
4 changes: 2 additions & 2 deletions data/inc/editpage.php
Expand Up @@ -39,10 +39,10 @@
$title = $_POST['title'];
//If we are editing an existing page, pass current seo-name.
if (isset($_GET['page'])) {
$seoname = save_page($title, $_POST['content'], $_POST['hidden'], $_POST['sub_page'], $_POST['description'], $_POST['keywords'], $module_additional_data, $_GET['page']);
$seoname = latinOnlyInput(save_page($title, $_POST['content'], $_POST['hidden'], $_POST['sub_page'], $_POST['description'], $_POST['keywords'], $module_additional_data, $_GET['page']));
} else {
//If we are creating a new page, don't pass seo-name.
$seoname = save_page($title, $_POST['content'], $_POST['hidden'], $_POST['sub_page'], $_POST['description'], $_POST['keywords'], $module_additional_data);
$seoname = latinOnlyInput(save_page($title, $_POST['content'], $_POST['hidden'], $_POST['sub_page'], $_POST['description'], $_POST['keywords'], $module_additional_data));
}
//If seoname is false, a file already exists with the same name
if (empty($seoname)) {
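Review bot: latinOnlyInput() is applied on L17 and L21 to the value save_page() returns, not to the values it receives, so $title, the $_POST fields and the raw $_GET['page'] reach save_page() unchanged and whatever it writes to disk is written before anything is filtered. If the intent is to keep a hostile page name off the filesystem, the filter belongs on the input: `$page = isset($_GET['page']) ? latinOnlyInput($_GET['page']) : null;` and then pass `$page` in place of `$_GET['page']`. Filtering the return value is still harmless for the `empty($seoname)` check on L24, since a `false` return becomes an empty string. The block this sits in starts and ends outside the hunk and save_page() is not shown, so what it does with the name on disk is inferred rather than seen.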
21 changes: 13 additions & 8 deletions data/inc/files.php
Expand Up @@ -32,24 +32,27 @@
</div>
<?php
if (isset($_POST['submit'])) {
if (!copy($_FILES['filefile']['tmp_name'], 'files/'.$_FILES['filefile']['name']))
if (!copy($_FILES['filefile']['tmp_name'], 'files/'.latinOnlyInput(latinOnlyInput($_FILES['filefile']['name']))))
show_error($lang['general']['upload_failed'], 1);
else {
if (strcasecmp(substr($_FILES['filefile']['name'], -3),'php') == 0){
if (!rename('files/'.$_FILES['filefile']['name'], 'files/'.$_FILES['filefile']['name'].'.txt')){
$lastfour = strtolower(substr(latinOnlyInput($_FILES['filefile']['name']), -4));
$lastfive = strtolower(substr(latinOnlyInput($_FILES['filefile']['name']), -5));
$blockedExtentions = array('.php','php3','php4','php5','php6','php7','phtml');
if (in_array($lastfour, $blockedExtentions) or in_array($lastfive, $blockedExtentions) ){
if (!rename('files/'.latinOnlyInput($_FILES['filefile']['name']), 'files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt')){
show_error($lang['general']['upload_failed'], 1);
}
chmod('files/'.$_FILES['filefile']['name'].'.txt', 0775);
chmod('files/'.latinOnlyInput($_FILES['filefile']['name']).'.txt', 0775);
}else{
chmod('files/'.$_FILES['filefile']['name'], 0775);
chmod('files/'.latinOnlyInput($_FILES['filefile']['name']), 0775);
}
?>
<div class="menudiv">
<strong><?php echo $lang['files']['name']; ?></strong> <?php echo $_FILES['filefile']['name']; ?>
<strong><?php echo $lang['files']['name']; ?></strong> <?php echo latinOnlyInput($_FILES['filefile']['name']); ?>
<br />
<strong><?php echo $lang['files']['size']; ?></strong> <?php echo $_FILES['filefile']['size'].' '.$lang['images']['bytes']; ?>
<strong><?php echo $lang['files']['size']; ?></strong> <?php echo latinOnlyInput($_FILES['filefile']['size']).' '.$lang['images']['bytes']; ?>
<br />
<strong><?php echo $lang['files']['type']; ?></strong> <?php echo $_FILES['filefile']['type']; ?>
<strong><?php echo $lang['files']['type']; ?></strong> <?php echo latinOnlyInput($_FILES['filefile']['type']); ?>
<br />
<strong><?php echo $lang['files']['success']; //TODO: Need to show this message another place, and with show_error(). ?></strong>
</div>
Expand All @@ -66,6 +69,7 @@
if ($files) {
natcasesort($files);
foreach ($files as $file) {
if (!($file == '.htaccess')){
?>
<div class="menudiv">
<span>
Expand All @@ -84,6 +88,7 @@
</span>
</div>
<?php
}
}
unset($files);
}
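Review bot: The blocked-extension check on L37–L40 never rejects a file named `.htaccess`, and the listing on L67 only hides such a file, so the same upload form can replace the protective files/.htaccess this commit adds; a replacement carrying an `AddHandler`/`AddType` line would then make the renamed `*.php.txt` files execute on a mod_php host (server-configuration dependent, but the same AllowOverride that makes the protection work is what makes the override work). The `.php` file also exists under its original name between the copy() on L32 and the rename() on L41, the name is run through latinOnlyInput() twice on L32, and it is recomputed on every line after that. Computing the final name once before writing, refusing dot-files, and writing straight to the final path closes all three, and move_uploaded_file() is preferable to copy() here because it refuses a tmp_name that is not an upload. Whether show_error() halts is not visible (the chmod after a failed rename on L42–L45 hints it may not), so the shape below assumes it does; the success markup that follows should echo `$name` through preventXSS() rather than latinOnlyInput().
```php
$name = latinOnlyInput($_FILES['filefile']['name']);
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$blockedExtentions = array('php', 'php3', 'php4', 'php5', 'php6', 'php7', 'phtml', 'phar', 'phps');
if ($name === '' || $name[0] === '.') {
    // dot-files such as .htaccess would replace this directory's protection
    show_error($lang['general']['upload_failed'], 1);
}
if (in_array($ext, $blockedExtentions, true)) {
    $name .= '.txt';
}
if (!move_uploaded_file($_FILES['filefile']['tmp_name'], 'files/'.$name))
    show_error($lang['general']['upload_failed'], 1);
else {
    chmod('files/'.$name, 0775);
    // … unchanged: success markup, echoing preventXSS($name) instead of the raw name …
```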
18 changes: 18 additions & 0 deletions data/inc/functions.all.php
Expand Up @@ -215,10 +215,28 @@ function sanitize($var, $html = true) {
*/
function preventXSS($var) {
$var = str_replace('\'', '', $var);
$var = htmlspecialchars($var, ENT_COMPAT, 'UTF-8', false);

return $var;
}

/**
* latinOnlyInput from a URL, to make it ready for saving in a file.
*
* @since 4.7.5
* @package all
* @param string $var Variable
* @return string The sanitized variable.
*
* Added as bugfix for XSS and backdoor file upload found by s7acktrac3
*/
function latinOnlyInput($var) {
$var = str_replace(chr(0), '', $var);
$var = preg_replace("/[^a-zA-Z0-9.\ -_]+/", "", $var);;
return $var;
}


/**
* Displays or returns an error, notice or success message.
*
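Review bot: The character class on L102 does not do what the function name promises: inside `[...]`, `\ -_` is a range from space (0x20) to underscore (0x5F), so `<`, `>`, `"`, `'`, `/`, `\`, `;`, `(` and `)` all survive and a name such as `<script>alert(1)</script>` passes through untouched; only backtick, `{|}~`, control bytes and non-ASCII are removed. Put the hyphen last so it is literal: `$var = preg_replace('/[^a-zA-Z0-9._ -]+/', '', $var);` — this also makes the chr(0) replacement on L101 redundant and removes the stray `;;`. Even once fixed this is a filename whitelist, not HTML escaping, so the echo sites in files.php and images.php should go through preventXSS() defined just above instead of relying on this function. The docblock says "from a URL", but every caller in this commit passes a filename or page name; it should say so, and add that `..` still passes, so the result must not be trusted as a path component on its own.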
10 changes: 6 additions & 4 deletions data/inc/images.php
Expand Up @@ -39,17 +39,17 @@
if (!in_array(strtolower(substr($_FILES['imagefile']['name'], -4)), $imagewhitelist))
show_error($lang['general']['upload_failed'], 1);
/* end of fix issue 44. Thanks to Klaus. */
if (!copy($_FILES['imagefile']['tmp_name'], 'images/'.$_FILES['imagefile']['name']))
if (!copy($_FILES['imagefile']['tmp_name'], 'images/'.latinOnlyInput($_FILES['imagefile']['name'])))
show_error($lang['general']['upload_failed'], 1);
else {
chmod('images/'.$_FILES['imagefile']['name'], 0666);
?>
<div class="menudiv">
<strong><?php echo $lang['images']['name']; ?></strong> <?php echo $_FILES['imagefile']['name']; ?>
<strong><?php echo $lang['images']['name']; ?></strong> <?php echo latinOnlyInput($_FILES['imagefile']['name']); ?>
<br />
<strong><?php echo $lang['images']['size']; ?></strong> <?php echo $_FILES['imagefile']['size'].' '.$lang['images']['bytes']; ?>
<strong><?php echo $lang['images']['size']; ?></strong> <?php echo latinOnlyInput($_FILES['imagefile']['size']).' '.$lang['images']['bytes']; ?>
<br />
<strong><?php echo $lang['images']['type']; ?></strong> <?php echo $_FILES['imagefile']['type']; ?>
<strong><?php echo $lang['images']['type']; ?></strong> <?php echo latinOnlyInput($_FILES['imagefile']['type']); ?>
<br />
<strong><?php echo $lang['images']['success']; //TODO: Need to show this message another place, and with show_error(). ?></strong>
</div>
Expand All @@ -67,6 +67,7 @@
if ($images) {
natcasesort($images);
foreach ($images as $image) {
if (!($image == '.htaccess')){
?>
<div class="menudiv">
<span>
Expand All @@ -85,6 +86,7 @@
</span>
</div>
<?php
}
}
unset($images);
}
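Review bot: L120 still calls chmod() on the unfiltered `$_FILES['imagefile']['name']` while the copy on L117 writes to the latinOnlyInput()-filtered name, so whenever the filter alters the name the chmod targets a path that does not exist (a warning) and the uploaded file keeps its default mode; files.php received the matching chmod fix on L45/L48 but this file did not. The whitelist check on L113 also tests the unfiltered name, a second place where the two can drift apart. Compute it once — `$name = latinOnlyInput($_FILES['imagefile']['name']);` — and use `'images/'.$name` on L113, L117 and L120, echoing `preventXSS($name)` on L124 rather than filtering it again. If show_error() returns instead of exiting, the whitelist failure on L114 does not stop the copy on L117 either; that is not visible here and worth confirming.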
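--- a/data/modules/.htaccess
+++ b/data/modules/.htaccess
@@ -0,0 +1,9 @@
+<FilesMatch \.php$>
+SetHandler None
+</FilesMatch>
+
+<FilesMatch \.phtml>
+SetHandler None
+</FilesMatch>
+
+Options -ExecCGI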
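Review bot: `Options -ExecCGI` is only accepted from a .htaccess when the directory's AllowOverride includes Options; where it does not, Apache answers every request under data/modules/ with a 500, so this line can take the site's modules down rather than protect them — the required AllowOverride should be documented in the install notes. The two FilesMatch patterns also leave gaps: `\.phtml` is unanchored and `.php3`–`.php7`, `.phar` and `.phps` are not covered, while a single `<FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">` would cover them all. On a non-Apache server (nginx, IIS) the file is ignored entirely, so the application-side checks remain the primary control.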
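--- a/data/themes/.htaccess
+++ b/data/themes/.htaccess
@@ -0,0 +1,9 @@
+<FilesMatch \.php$>
+SetHandler None
+</FilesMatch>
+
+<FilesMatch \.phtml>
+SetHandler None
+</FilesMatch>
+
+Options -ExecCGI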
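Review bot: `SetHandler None` only unmaps a handler; as defence in depth on mod_php hosts the engine itself can be switched off for the directory, guarded so it does not produce a 500 under php-fpm where `php_flag` is not a recognised directive: `<IfModule mod_php7.c>` / `php_flag engine off` / `</IfModule>` (with the matching module name for the PHP version in use — this depends on the deployment and is worth confirming). Whether `SetHandler None` alone is sufficient for an `AddType`-based mod_php setup is not something the diff establishes, which is why the second layer is useful.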
Empty file removed files/.files
Empty file.
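--- a/files/.htaccess
+++ b/files/.htaccess
@@ -0,0 +1,9 @@
+<FilesMatch \.php$>
+SetHandler None
+</FilesMatch>
+
+<FilesMatch \.phtml>
+SetHandler None
+</FilesMatch>
+
+Options -ExecCGI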
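Review bot: This file lives in the same directory the upload handler in files.php writes to, and that handler does not refuse a file named `.htaccess`, so the protection can be replaced through the form it is meant to guard; the upload code needs to reject dot-files for this file to mean anything. The pattern `\.php$` also does not cover the `shell.php.txt` names the rename in files.php produces, and on a host that maps PHP with `AddHandler` Apache's multiple-extension handling can still execute such a file; `<FilesMatch "\.(php[0-9]?|phtml|phar|phps)(\.|$)">` covers both the plain and the double-extension case. Both points depend on the Apache configuration, which the diff does not show.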
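--- a/images/.htaccess
+++ b/images/.htaccess
@@ -0,0 +1,9 @@
+<FilesMatch \.php$>
+SetHandler None
+</FilesMatch>
+
+<FilesMatch \.phtml>
+SetHandler None
+</FilesMatch>
+
+Options -ExecCGI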
Empty file removed images/.images
Empty file.
