Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix stored XSS as reported by Chirag Savla
It's a pretty old problem – a beginner's mistake in programming. Damn. As far I can see no huge problem because of CSRF and you need to be logged in to the backend. But it wasn't well done from my side.

If you have older installations check the html() function which were added. Older releases do not know html() – use html_specialchars() instead.
  • Loading branch information
slackero committed Oct 23, 2017
1 parent 4a83b45 commit 90ee94a
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 36 deletions.
2 changes: 1 addition & 1 deletion include/inc_lib/revision/revision.php
Expand Up @@ -10,5 +10,5 @@
**/

define('PHPWCMS_VERSION', '1.9.0-beta.8');
define('PHPWCMS_RELEASE_DATE', '2017/10/08');
define('PHPWCMS_RELEASE_DATE', '2017/10/23');
define('PHPWCMS_REVISION', '549');
32 changes: 15 additions & 17 deletions include/inc_tmpl/admin.edituser.tmpl.php
Expand Up @@ -136,43 +136,43 @@
if(!empty($user_err)) {
?>
<tr valign="top">
<td align="right"><strong style="color:#FF3300"><?php echo $BL['be_admin_usr_err'] ?>:</strong>&nbsp;</td>
<td><strong style="color:#FF3300"><?php echo nl2br(chop($user_err)) ?></strong></td>
<td align="right" class="error"><strong><?php echo $BL['be_admin_usr_err'] ?>:</strong>&nbsp;</td>
<td class="error"><strong><?php echo nl2br(chop($user_err)) ?></strong></td>
</tr>
<tr valign="top"><td colspan="2" align="right" class="chatlist"><img src="img/leer.gif" alt="" width="1" height="7"></td></tr>
<?php
} //Ende Fehler New User
?>
<tr>
<td align="right" class="chatlist"><?php echo $BL["login_username"] ?>:&nbsp;</td>
<td><input name="form_newloginname" type="text" id="form_newloginname" class="width250 f11b" value="<?php echo $new_login ?>" size="30" maxlength="30" autocomplete="off"></td>
<td><input name="form_newloginname" type="text" id="form_newloginname" class="width250" value="<?php echo html($new_login); ?>" size="30" maxlength="200" autocomplete="off" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="1"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL["login_userpass"] ?>:&nbsp;</td>
<td><input name="form_newpassword" type="text" id="form_newpassword" class="width250 f11b" value="<?php echo $new_password ?>" size="30" maxlength="50" autocomplete="off"></td>
<td><input name="form_newpassword" type="text" id="form_newpassword" class="width250" value="<?php echo html($new_password); ?>" size="30" maxlength="200" autocomplete="off" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="1"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_profile_label_email'] ?>:&nbsp;</td>
<td><input name="form_newemail" type="text" id="form_newemail" class="width250 f11b" value="<?php echo $new_email ?>" size="30" maxlength="150"></td>
<td><input name="form_newemail" type="text" id="form_newemail" class="width250" value="<?php echo html($new_email); ?>" size="30" maxlength="250" autocomplete="off" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="1"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_admin_usr_realname'] ?>:&nbsp;</td>
<td><input name="form_newrealname" type="text" id="form_newrealname" class="width250 f11b" value="<?php echo $new_name ?>" size="30" maxlength="80"></td>
<td><input name="form_newrealname" type="text" id="form_newrealname" class="width250" value="<?php echo html($new_name); ?>" size="30" maxlength="200" autocomplete="off" /></td>
</tr>

<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="6"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_admin_usr_issection'] ?>:&nbsp;</td>
<td><table border="0" cellpadding="0" cellspacing="0" bgcolor="#E7E8EB" summary="">
<tr>
<td><input name="form_feuser" type="radio" id="form_feuser0" value="0"<?php is_checked($set_user_fe, 0); ?>></td>
<td><input name="form_feuser" type="radio" id="form_feuser0" value="0"<?php is_checked($set_user_fe, 0); ?> /></td>
<td><label for="form_feuser0"><?php echo $BL['be_admin_usr_ifsection0'] ?></label>&nbsp;&nbsp;</td>
<td><input name="form_feuser" type="radio" id="form_feuser1" value="1"<?php is_checked($set_user_fe, 1); ?>></td>
<td><input name="form_feuser" type="radio" id="form_feuser1" value="1"<?php is_checked($set_user_fe, 1); ?> /></td>
<td><label for="form_feuser1"><?php echo $BL['be_admin_usr_ifsection1'] ?></label>&nbsp;&nbsp;</td>
<td><input name="form_feuser" type="radio" id="form_feuser2" value="2"<?php is_checked($set_user_fe, 2); ?>></td>
<td><input name="form_feuser" type="radio" id="form_feuser2" value="2"<?php is_checked($set_user_fe, 2); ?> /></td>
<td><label for="form_feuser2"><?php echo $BL['be_admin_usr_ifsection2'] ?></label></td>
<td><img src="img/leer.gif" alt="" width="4" height="21"></td>
</tr>
Expand All @@ -184,7 +184,7 @@
<td align="right" class="chatlist"><?php echo $BL['be_admin_usr_setactive'] ?>:&nbsp;</td>
<td><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td><input name="form_active" type="checkbox" id="form_active" value="1"<?php is_checked($set_user_aktiv, 1); ?>></td>
<td><input name="form_active" type="checkbox" id="form_active" value="1"<?php is_checked($set_user_aktiv, 1); ?> /></td>
<td><label for="form_active"><?php echo $BL['be_admin_usr_iflogin'] ?></label></td>
</tr>
</table></td>
Expand All @@ -195,8 +195,8 @@
<td align="right" class="chatlist" style="color:#FF0000"><?php echo $BL['be_admin_usr_isadmin'] ?>:&nbsp;</td>
<td><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td><input name="form_admin" type="checkbox" id="form_admin" value="1"<?php is_checked(1, $set_user_admin); ?>></td>
<td><label for="form_admin"><?php echo $BL['be_admin_usr_ifadmin'] ?> <strong style="color:#FF0000">!!!</strong></label></td>
<td><input name="form_admin" type="checkbox" id="form_admin" value="1"<?php is_checked(1, $set_user_admin); ?> /></td>
<td><label for="form_admin"><?php echo $BL['be_admin_usr_ifadmin'] ?> <strong class="error">!!!</strong></label></td>
</tr>
</table></td>
</tr>
Expand All @@ -205,7 +205,7 @@
<td><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr><td colspan="3"><img src="img/leer.gif" alt="" width="1" height="6"></td></tr>
<tr bgcolor="#E7E8EB">
<td><input name="verification_email" type="checkbox" id="verification_email" value="1"<?php is_checked(1, $send_verification); ?>></td>
<td><input name="verification_email" type="checkbox" id="verification_email" value="1"<?php is_checked(1, $send_verification); ?> /></td>
<td><label for="verification_email"><?php echo $BL['be_admin_usr_sendemail'] ?></label></td>
<td><img src="img/leer.gif" alt="" width="4" height="21"></td>
</tr>
Expand Down Expand Up @@ -239,9 +239,9 @@
<tr>
<td>&nbsp;</td>
<td class="tdbottom10 tdtop6">
<input name="Submit" type="submit" class="button" value="<?php echo $BL['be_admin_usr_ebutton'] ?>">
<input name="Submit" type="submit" class="button" value="<?php echo $BL['be_admin_usr_ebutton'] ?>" />
<input name="form_aktion" type="hidden" value="edit_account" />
<input name="form_uid" type="hidden" value="<?php echo $new_user_id ?>" />
<input name="form_uid" type="hidden" value="<?php echo html($new_user_id) ?>" />
</td>
</tr>
</table>
Expand All @@ -261,5 +261,3 @@

}
}

?>
2 changes: 1 addition & 1 deletion include/inc_tmpl/admin.groups.tmpl.php
Expand Up @@ -187,7 +187,7 @@
<?php } ?>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_fpriv_name'] ?>:&nbsp;</td>
<td><input name="group_name" type="text" id="group_name" class="width400" value="<?php echo empty($group["name"]) ? '' : html($group["name"]) ?>" size="40" maxlength="250" /></td>
<td><input name="group_name" type="text" id="group_name" class="width400" value="<?php echo empty($group["name"]) ? '' : html($group["name"]) ?>" size="40" maxlength="250" /></td>
</tr>

<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="6" /></td></tr>
Expand Down
32 changes: 15 additions & 17 deletions include/inc_tmpl/admin.newuser.tmpl.php
Expand Up @@ -87,7 +87,7 @@

if(empty($user_ok)) {

?><form action="phpwcms.php?do=admin&amp;s=1" method="post" name="edituser"><table border="0" cellpadding="0" cellspacing="0" summary="">
?><form action="phpwcms.php?do=admin&amp;s=1" method="post" name="edituser" autocomplete="off"><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td colspan="2"><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
Expand All @@ -104,43 +104,43 @@
if(!empty($user_err)) {
?>
<tr valign="top">
<td align="right"><strong style="color:#FF3300"><?php echo $BL['be_admin_usr_err'] ?>:</strong>&nbsp;</td>
<td><strong style="color:#FF3300"><?php echo nl2br(chop($user_err)) ?></strong></td>
<td align="right" class="error"><strong><?php echo $BL['be_admin_usr_err'] ?>:</strong>&nbsp;</td>
<td class="error"><strong><?php echo nl2br(chop($user_err)) ?></strong></td>
</tr>
<tr valign="top"><td colspan="2" align="right" class="chatlist"><img src="img/leer.gif" alt="" width="1" height="7"></td></tr>
<?php
} //Ende Fehler New User
?>
<tr>
<td align="right" class="chatlist"><?php echo $BL["login_username"] ?>:&nbsp;</td>
<td><input name="form_newloginname" type="text" id="form_newloginname" style="font-family: Verdana, Arial, Helvetica, sans-serif; width:250px; font-size: 11px; font-weight: bold;" value="<?php echo $new_login ?>" size="30" maxlength="30" autocomplete="off"></td>
<td><input name="form_newloginname" type="text" id="form_newloginname" value="<?php echo html($new_login); ?>" size="30" maxlength="200" autocomplete="off" class="width250" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="1"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL["login_userpass"] ?>:&nbsp;</td>
<td><input name="form_newpassword" type="text" id="form_newpassword" style="font-family: Verdana, Arial, Helvetica, sans-serif; width:250px; font-size: 11px; font-weight: bold;" value="<?php echo $new_password ?>" size="30" maxlength="50" autocomplete="off"></td>
<td><input name="form_newpassword" type="text" id="form_newpassword" value="<?php echo html($new_password); ?>" size="30" maxlength="200" autocomplete="off" class="width250" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="1"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_profile_label_email'] ?>:&nbsp;</td>
<td><input name="form_newemail" type="text" id="form_newemail" style="font-family: Verdana, Arial, Helvetica, sans-serif; width:250px; font-size: 11px; font-weight: bold;" value="<?php echo $new_email ?>" size="30" maxlength="150"></td>
<td><input name="form_newemail" type="text" id="form_newemail" value="<?php echo html($new_email); ?>" size="30" maxlength="250" autocomplete="off" class="width250" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="1"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_admin_usr_realname'] ?>:&nbsp;</td>
<td><input name="form_newrealname" type="text" id="form_newrealname" style="font-family: Verdana, Arial, Helvetica, sans-serif; width:250px; font-size: 11px; font-weight: bold;" value="<?php echo $new_name ?>" size="30" maxlength="80"></td>
<td><input name="form_newrealname" type="text" id="form_newrealname" value="<?php echo html($new_name); ?>" size="30" maxlength="200" autocomplete="off" class="width250" /></td>
</tr>

<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="6"></td></tr>
<tr>
<td align="right" class="chatlist"><?php echo $BL['be_admin_usr_issection'] ?>:&nbsp;</td>
<td><table border="0" cellpadding="0" cellspacing="0" bgcolor="#E7E8EB" summary="">
<tr>
<td><input name="form_feuser" type="radio" id="form_feuser0" value="0"<?php is_checked($set_user_fe, 0); ?>></td>
<td><input name="form_feuser" type="radio" id="form_feuser0" value="0"<?php is_checked($set_user_fe, 0); ?> /></td>
<td><label for="form_feuser0"><?php echo $BL['be_admin_usr_ifsection0'] ?></label>&nbsp;&nbsp;</td>
<td><input name="form_feuser" type="radio" id="form_feuser1" value="1"<?php is_checked($set_user_fe, 1); ?>></td>
<td><input name="form_feuser" type="radio" id="form_feuser1" value="1"<?php is_checked($set_user_fe, 1); ?> /></td>
<td><label for="form_feuser1"><?php echo $BL['be_admin_usr_ifsection1'] ?></label>&nbsp;&nbsp;</td>
<td><input name="form_feuser" type="radio" id="form_feuser2" value="2"<?php is_checked($set_user_fe, 2); ?>></td>
<td><input name="form_feuser" type="radio" id="form_feuser2" value="2"<?php is_checked($set_user_fe, 2); ?> /></td>
<td><label for="form_feuser2"><?php echo $BL['be_admin_usr_ifsection2'] ?></label></td>
<td><img src="img/leer.gif" alt="" width="4" height="21"></td>
</tr>
Expand All @@ -152,7 +152,7 @@
<td align="right" class="chatlist"><?php echo $BL['be_admin_usr_setactive'] ?>:&nbsp;</td>
<td><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td><input name="form_active" type="checkbox" id="form_active" value="1"<?php is_checked($set_user_aktiv, 1); ?>></td>
<td><input name="form_active" type="checkbox" id="form_active" value="1"<?php is_checked($set_user_aktiv, 1); ?> /></td>
<td><label for="form_active"><?php echo $BL['be_admin_usr_iflogin'] ?></label></td>
</tr>
</table></td>
Expand All @@ -163,8 +163,8 @@
<td align="right" class="chatlist" style="color:#FF0000"><?php echo $BL['be_admin_usr_isadmin'] ?>:&nbsp;</td>
<td><table border="0" cellpadding="0" cellspacing="0" summary="">
<tr>
<td><input name="form_admin" type="checkbox" id="form_admin" value="1"<?php is_checked($set_user_admin, 1); ?>></td>
<td><label for="form_admin"><?php echo $BL['be_admin_usr_ifadmin'] ?> <strong style="color:#FF0000">!!!</strong></label></td>
<td><input name="form_admin" type="checkbox" id="form_admin" value="1"<?php is_checked($set_user_admin, 1); ?> /></td>
<td><label for="form_admin"><?php echo $BL['be_admin_usr_ifadmin'] ?> <strong class="error">!!!</strong></label></td>
</tr>
</table></td>
</tr>
Expand All @@ -180,10 +180,10 @@
<tr><td colspan="3"><img src="img/leer.gif" alt="" width="1" height="6"></td></tr>
</table></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="6"><input name="form_aktion" type="hidden" value="create_account"></td></tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="6"><input name="form_aktion" type="hidden" value="create_account" /></td></tr>
<tr>
<td>&nbsp;</td>
<td><input name="Submit" type="submit" class="button" value="<?php echo $BL['be_admin_usr_button'] ?>"></td>
<td><input name="Submit" type="submit" class="button" value="<?php echo $BL['be_admin_usr_button'] ?>" /></td>
</tr>
<tr><td colspan="2"><img src="img/leer.gif" alt="" width="1" height="15"></td></tr>
</table></form><img src="img/lines/l538_70.gif" alt="" width="538" height="1"><br /><img src="img/leer.gif" alt="" width="1" height="5"><?php
Expand All @@ -192,5 +192,3 @@
} else {
echo "<script type=\"text/javascript\"> timer=setTimeout(\"self.location.href='phpwcms.php'+'?".CSRF_GET_TOKEN."&do=admin'\", 0); </script>";
}

?>

0 comments on commit 90ee94a

Please sign in to comment.