- fixed various security issues reported by Mario Korth:
  * potential XSS
  * Arbitrary file read
  * Path traversal in listing directory contents
  * Path traversal in archive feature
- added new turkish translations
Sören committed May 15, 2019
1 parent 95c4cf7 commit b8fcb88
Showing 11 changed files with 112 additions and 89 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.txt
@@ -2,6 +2,15 @@
Changelog for eXtplorer
Version $Id: CHANGELOG.txt 249 2016-12-11 16:11:03Z soeren $
****************************

--- version 2.1.13 ---
- fixed various security issues reported by Mario Korth:
* potential XSS
* Arbitrary file read
* Path traversal in listing directory contents
* Path traversal in archive feature
- added new turkish translations

--- version 2.1.12 ---
- fixed wrong version display
- fixed empty language selector
4 changes: 4 additions & 0 deletions admin.extplorer.php
@@ -162,6 +162,10 @@
$requestedDir = $dir;
}

if (!down_home(get_abs_dir($requestedDir))) {
ext_Result::sendResult('', false, $requestedDir.": ".$GLOBALS["error_msg"]["abovehome"]);
$requestedDir = '';
}
send_dircontents( $requestedDir, extGetParam($_REQUEST,'sendWhat','files') );
break;
case 'get_dir_selects':
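Review bot: The failure message on the `ext_Result::sendResult` line interpolates the user-supplied `$requestedDir` unescaped, while the same commit escapes `$abs_dir` at the call site in include/init.php (`htmlspecialchars($abs_dir,ENT_QUOTES)`); include/mkitem.php has the same gap with `$symlink_target`. The result.class.php hunks only escape messages read back from the session, and whether the direct `$msg` argument is escaped before output is not visible on this page, so escaping at the call site keeps both paths consistent: `ext_Result::sendResult('', false, htmlspecialchars($requestedDir, ENT_QUOTES).": ".$GLOBALS["error_msg"]["abovehome"]);`. The `$requestedDir = ''` reset after the call implies sendResult can return, in which case the listing silently falls back to the home directory; that deserves a comment such as `// outside home: fall back to listing the home dir`. The enclosing switch case starts before this hunk.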
4 changes: 2 additions & 2 deletions include/archive.php
@@ -99,7 +99,7 @@ function execAction( $dir, $item="" ) {
if( $startfrom == 0 ) {
for($i=0;$i<$cnt;$i++) {

$selitem=stripslashes($GLOBALS['__POST']["selitems"][$i]);
$selitem=basename(stripslashes($GLOBALS['__POST']["selitems"][$i]));
if( $selitem == 'ext_root') {
$selitem = '';
}
@@ -193,7 +193,7 @@ function execAction( $dir, $item="" ) {
"xtype": "textfield",
"fieldLabel": "<?php echo ext_Lang::msg('archive_name', true ) ?>",
"name": "name",
"value": "<?php echo $GLOBALS['item'] . '.'. $default_archive_type ?>",
"value": "<?php echo htmlspecialchars($GLOBALS['item'], ENT_QUOTES) . '.'. $default_archive_type ?>",
"width": "200"
},
{
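Review bot: In the second hunk, `htmlspecialchars($GLOBALS['item'], ENT_QUOTES)` is applied inside a JavaScript string literal (`"value": "..."`), which is not an HTML context: a backslash in the item name is left untouched and still terminates or escapes the closing quote, and a `"` would appear in the field as the literal text `&quot;`. `json_encode` emits a correctly quoted JS string for this position: `"value": <?php echo json_encode($GLOBALS['item'] . '.' . $default_archive_type, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>,`. The same context mismatch applies to the `"title"`, `"dir"` and `"selitems[]"` lines in include/chmod.php. The `basename()` added in the first hunk is the path-traversal fix named in the commit message; execAction starts and ends outside both hunks.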
8 changes: 4 additions & 4 deletions include/chmod.php
@@ -82,7 +82,7 @@ function execAction($dir, $item) { // change permissions
} else {
$mode = bindec($bin);
}
$item = $GLOBALS['__POST']["selitems"][$i];
$item = html_entity_decode($GLOBALS['__POST']["selitems"][$i], ENT_QUOTES);
if( ext_isFTPMode() ) {
$abs_item = get_item_info( $dir,$item);
} else {
@@ -151,7 +151,7 @@ function execAction($dir, $item) { // change permissions
"labelWidth": 125,
"url":"<?php echo basename( $GLOBALS['script_name']) ?>",
"dialogtitle": "<?php echo ext_Lang::msg('actperms') ?>",
"title" : "<?php echo $text ?>",
"title" : "<?php echo htmlspecialchars($text,ENT_QUOTES) ?>",
"frame": true,
"items": [{
"layout": "column",
@@ -212,8 +212,8 @@ function execAction($dir, $item) { // change permissions
params: {
"option": "com_extplorer",
"action": "chmod",
"dir": "<?php echo stripslashes($GLOBALS['__POST']["dir"]) ?>",
"selitems[]": ['<?php echo implode("','", $GLOBALS['__POST']["selitems"]) ?>'],
"dir": "<?php echo stripslashes(htmlentities($GLOBALS['__POST']["dir"],ENT_QUOTES)) ?>",
"selitems[]": ['<?php echo htmlentities(implode("','", $GLOBALS['__POST']["selitems"]),ENT_QUOTES) ?>'],
confirm: 'true',
token: "<?php echo ext_getToken() ?>"
}
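Review bot: The new `"selitems[]"` line in the third hunk runs `htmlentities(..., ENT_QUOTES)` over the result of `implode("','", ...)`, so the separator's own single quotes are encoded as `&#039;` and every selected item collapses into one JS array element; the confirm request then re-posts a single combined name, which the `html_entity_decode` added in the first hunk cannot split apart again. Emit the array with `json_encode`, which also covers the backslash case that entity encoding leaves open inside a JS string: `"selitems[]": <?php echo json_encode($GLOBALS['__POST']["selitems"], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>,` and `"dir": <?php echo json_encode(stripslashes($GLOBALS['__POST']["dir"]), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>,`. With that output the `html_entity_decode` on `$item` becomes unnecessary for this round trip; whether other callers still post entity-encoded names is not visible here. execAction starts and ends outside these hunks.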
9 changes: 6 additions & 3 deletions include/functions.php
@@ -571,10 +571,13 @@ function down_home($abs_dir) { // dir deeper than home?
}
$real_home = @realpath($GLOBALS["home_dir"]);
$real_dir = @realpath($abs_dir);
if( $real_dir == '' ) $real_dir = dirname( $abs_dir );
if( $real_home == '' ) $real_home = $_SERVER['DOCUMENT_ROOT'];
//echo 'NOW: $real_home = '.$real_home;
//echo ', $real_dir = '.$real_dir;

if($real_home===false || $real_dir===false) {
if(@stristr($abs_dir,"\\.\\.")) return false;
} else if(strcmp($real_home,@substr($real_dir,0,strlen($real_home)))) {
if(@stristr($abs_dir,"\\.\\.")) return false;
if(strcmp($real_home,@substr($real_dir,0,strlen($real_home)))) {
return false;
}
return true;
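Review bot: The `..` check that is now applied unconditionally, `if(@stristr($abs_dir,"\\.\\."))`, uses a literal needle: `"\\.\\."` is the four characters `\.\.` and `stristr` does no pattern matching, so a plain `..` in the path is never detected and the line is a no-op (as it already was in the removed branch). The prefix test after it is therefore the only effective guard, and it has two gaps visible in the hunk: when `realpath($abs_dir)` fails, the fallback `dirname($abs_dir)` is compared without canonicalisation, and `strcmp` on a bare string prefix also accepts a sibling directory whose name merely starts with the home path. A canonicalised fallback plus a separator-terminated prefix match closes both; the sketch below replaces the body from the two `realpath` lines down to `return true`. down_home's signature and the lines before the hunk are unchanged and outside it.
```php
$real_home = @realpath($GLOBALS["home_dir"]);
$real_dir = @realpath($abs_dir);
// The item may not exist yet: canonicalise its parent instead of comparing it verbatim.
if ($real_dir === false) $real_dir = @realpath(dirname($abs_dir));
if ($real_home === false) $real_home = @realpath($_SERVER['DOCUMENT_ROOT']);
if ($real_home === false || $real_dir === false) return false;
// stristr() takes a literal needle; reject a ".." path component explicitly.
if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $abs_dir)) return false;
// Home must be a whole path prefix: "/a/b" must not admit "/a/bc".
$real_home = rtrim($real_home, '/\\');
if ($real_dir !== $real_home
    && strncmp($real_dir, $real_home . DIRECTORY_SEPARATOR, strlen($real_home) + 1) !== 0) {
    return false;
}
return true;
```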
3 changes: 2 additions & 1 deletion include/init.php
@@ -236,6 +236,7 @@
$GLOBALS['FTPCONNECTION']->cd( $dir );
}

//echo "Down home: ".down_home( "/etc/passwd" );exit;
$abs_dir=get_abs_dir($GLOBALS["dir"]);

if (!file_exists($GLOBALS["home_dir"])) {
@@ -257,7 +258,7 @@
}

if (!get_is_dir(utf8_decode($abs_dir)) && !get_is_dir($abs_dir.$GLOBALS["separator"])) {
ext_Result::sendResult('', false, '"'.$abs_dir.'" - '.$GLOBALS["error_msg"]["direxist"]);
ext_Result::sendResult('', false, '"'.htmlspecialchars($abs_dir,ENT_QUOTES).'" - '.$GLOBALS["error_msg"]["direxist"]);
$dir = '';
}

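Review bot: The first hunk commits a commented-out debug probe, `//echo "Down home: ".down_home( "/etc/passwd" );exit;`; it should be deleted rather than shipped as dead code, and a check like this belongs in a test, not in init.php. The `htmlspecialchars($abs_dir,ENT_QUOTES)` in the second hunk is the right call-site escaping, but without `ENT_SUBSTITUTE` the call returns an empty string for input that is not valid UTF-8, which matters here because the adjacent `get_is_dir(utf8_decode($abs_dir))` suggests non-UTF-8 paths are expected; `htmlspecialchars($abs_dir, ENT_QUOTES | ENT_SUBSTITUTE)` keeps the message intact. The same omission applies to the htmlspecialchars/htmlentities calls added in archive.php, chmod.php, result.class.php and search.php.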
3 changes: 3 additions & 0 deletions include/mkitem.php
@@ -68,6 +68,9 @@ function execAction($dir, $item="") { // make new directory or file
if( empty( $symlink_target )) {
ext_Result::sendResult( 'mkitem', false, 'Please provide a valid <strong>target</strong> for the symbolic link.');
}
if (!down_home(dirname($symlink_target))) {
ext_Result::sendResult('', false, $symlink_target.": ".$GLOBALS["error_msg"]["abovehome"]);
}
if( !file_exists($symlink_target) || !is_readable($symlink_target)) {
ext_Result::sendResult( 'mkitem', false, 'The file you wanted to make a symbolic link to does not exist or is not accessible by PHP.');
}
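Review bot: The new guard validates `dirname($symlink_target)` rather than the target itself, so a target that is itself a link resolving outside the home directory is accepted as long as its parent path is inside; since the next check already requires the target to exist, down_home's `realpath` can canonicalise the target directly with `if (!down_home($symlink_target)) {`. The action argument `''` also differs from the `'mkitem'` used by the neighbouring sendResult calls, and `$symlink_target` is interpolated unescaped where the init.php hunk in this commit escapes at the call site; `ext_Result::sendResult('mkitem', false, htmlspecialchars($symlink_target, ENT_QUOTES).": ".$GLOBALS["error_msg"]["abovehome"]);` aligns both. execAction starts and ends outside this hunk.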
4 changes: 2 additions & 2 deletions include/result.class.php
@@ -126,7 +126,7 @@ static function sendResult( $action, $success, $msg,$extra=array() ) { // show

foreach ( $_SESSION['ext_message'] as $msgtype ) {
foreach ( $msgtype as $message ) {
$messagetxt .= $message .'<br/>';
$messagetxt .= htmlspecialchars($message, ENT_QUOTES ) .'<br/>';
}
$messagetxt .= '<br /><hr /><br />';
}
@@ -143,7 +143,7 @@ static function sendResult( $action, $success, $msg,$extra=array() ) { // show

foreach ( $_SESSION['ext_error'] as $errortype ) {
foreach ( $errortype as $error ) {
$messagetxt .= $error .'<br/>';
$messagetxt .= htmlspecialchars($error, ENT_QUOTES ) .'<br/>';
}
$messagetxt .= '<br /><hr /><br />';
}
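Review bot: Escaping every stored message with `htmlspecialchars` in both hunks also escapes markup that callers embed deliberately — include/mkitem.php in this same commit passes `'Please provide a valid <strong>target</strong> for the symbolic link.'` to sendResult — so if those messages travel through `$_SESSION['ext_message']` or `$_SESSION['ext_error']` (not visible here) they now render with literal tags. A consistent rule is either to escape the untrusted fragment where it is inserted into the message, as the init.php hunk does for `$abs_dir`, and treat stored messages as trusted HTML, or to declare messages plain text from now on and fix the callers; whichever is chosen, a comment on the loop such as `// stored messages are plain text; callers must not embed HTML` states the contract. sendResult starts before and ends after these hunks.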
2 changes: 1 addition & 1 deletion include/search.php
@@ -248,7 +248,7 @@ function get_result_array($list) { // print table of found items
$array[$i]['file_id'] = md5($s_dir.$s_item);
$array[$i]['dir'] = str_ireplace($GLOBALS['home_dir'], '', $dir );
$array[$i]['s_dir'] = empty($s_dir) ? '' : $s_dir;
$array[$i]['file'] = $s_item;
$array[$i]['file'] = htmlentities($s_item, ENT_QUOTES );
$array[$i]['link'] = $link;
$array[$i]['icon'] = _EXT_URL."/images/$img";
}
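Review bot: `htmlentities($s_item, ENT_QUOTES)` stores an HTML-encoded name in the result array under `'file'`, next to the raw `$s_item` that feeds `'file_id'` and the raw `'s_dir'`, so any consumer that uses `'file'` for something other than HTML output (a parameter in a follow-up request, a path join) now sees entities. Keeping the data layer raw and escaping where the array is rendered is the usual split; if the encoding has to stay here, `htmlspecialchars` is the narrower call and the field should be flagged with `// HTML-encoded for display only; use the raw name for paths`. Whether the array is rendered elsewhere without escaping is not visible on this page. get_result_array starts before and ends after this hunk.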
