Fixed yet another issue with critical cross-site scripting. I've forc…
…ed SiteLock to check and check, and I think it's finally fixed.

git-svn-id: https://plugins.svn.wordpress.org/a-forms/trunk@758898 b8457f37-d9ea-0310-8a92-e5e31aec5664
MMDeveloper authored and MMDeveloper committed Aug 20, 2013
1 parent f2c1d66 commit 3e69319
Showing 2 changed files with 59 additions and 55 deletions.
104 changes: 50 additions & 54 deletions a-forms.php
Expand Up @@ -20,7 +20,7 @@
4) Activate the plugin.
Version: 1.4.2
Version: 1.4.3
Author: TheOnlineHero - Tom Skroza
License: GPL2
*/
Expand Down Expand Up @@ -222,17 +222,17 @@ function register_a_forms_page() {
add_action('wp_ajax_aform_css_file_selector', 'aform_css_file_selector');
function aform_css_file_selector() {
if (are_a_forms_dependencies_installed()) {
update_option("aform_current_css_file", esc_html($_POST["css_file_selection"]));
echo(@file_get_contents(get_template_directory()."/aforms_css/".esc_html($_POST["css_file_selection"])));
update_option("aform_current_css_file", ($_POST["css_file_selection"]));
echo(@file_get_contents(get_template_directory()."/aforms_css/".($_POST["css_file_selection"])));
}
die();
}

add_action('wp_ajax_add_field_to_section', 'add_field_to_section');
function add_field_to_section() {
global $wpdb;
$section = tom_get_row_by_id("a_form_sections", "*", "ID", esc_html($_POST["section_id"]));
tom_insert_record("a_form_fields", array("field_order" => esc_html($_POST["field_order"]), "section_id" => esc_html($_POST["section_id"]), "form_id" => $section->form_id));
$section = tom_get_row_by_id("a_form_sections", "*", "ID", ($_POST["section_id"]));
tom_insert_record("a_form_fields", array("field_order" => ($_POST["field_order"]), "section_id" => ($_POST["section_id"]), "form_id" => $section->form_id));
echo $section->ID."::".$wpdb->insert_id;
die();
}
Expand Down Expand Up @@ -280,19 +280,19 @@ function a_form_initial_page() {
update_option("include_securimage", "1");
}

if (esc_html(tom_get_query_string_value("a_form_page")) == "fields") {
if (esc_html($_GET["action"]) == "delete") {
if ((tom_get_query_string_value("a_form_page")) == "fields") {
if (($_GET["action"]) == "delete") {
AFormFields::delete();
}
}

if (tom_get_query_string_value("a_form_page") == "section") {
a_form_section_page();
} else if (tom_get_query_string_value("a_form_page") == "section_section_sort") {
tom_update_record_by_id("a_form_sections", array("section_order" => esc_html($_POST["section_order"])), "ID", esc_html($_POST["ID"]));
tom_update_record_by_id("a_form_sections", array("section_order" => ($_POST["section_order"])), "ID", ($_POST["ID"]));
exit;
} else if (tom_get_query_string_value("a_form_page") == "section_field_sort") {
tom_update_record_by_id("a_form_fields", array("field_order" => esc_html($_POST["field_order"]), "section_id" => esc_html($_POST["section_id"])), "FID", esc_html($_POST["FID"]));
tom_update_record_by_id("a_form_fields", array("field_order" => ($_POST["field_order"]), "section_id" => ($_POST["section_id"])), "FID", ($_POST["FID"]));
exit;
} else if (tom_get_query_string_value("a_form_page") == "create_field") {

Expand All @@ -309,7 +309,7 @@ function a_form_initial_page() {
function a_form_page() {
if (tom_get_query_string_value("a_form_page") != "section") {
if (isset($_POST["action"])) {
$action = esc_html($_POST["action"]);
$action = ($_POST["action"]);
if ($action == "Update") {
AForm::update();
}
Expand All @@ -328,13 +328,13 @@ function a_form_page() {
<?php

if (isset($_GET["message"]) && $_GET["message"] != "") {
echo("<div class='updated below-h2'><p>".esc_html($_GET["message"])."</p></div>");
echo("<div class='updated below-h2'><p>".($_GET["message"])."</p></div>");
}

if (isset($_GET["action"]) && $_GET["action"] != "delete") {
if ($_GET["action"] == "edit") {
// Display Edit Page
$a_form = tom_get_row_by_id("a_form_forms", "*", "ID", esc_html($_GET["id"])); ?>
$a_form = tom_get_row_by_id("a_form_forms", "*", "ID", ($_GET["id"])); ?>

<div class="postbox " style="display: block; ">
<div class="inside">
Expand All @@ -347,7 +347,7 @@ function a_form_page() {

<?php }

if (esc_html($_GET["action"]) == "new") {
if (($_GET["action"]) == "new") {
// Display New Page
?>

Expand Down Expand Up @@ -417,13 +417,13 @@ function a_form_section_page() {
<?php

if (isset($_GET["message"]) && $_GET["message"] != "") {
echo("<div class='updated below-h2'><p>".esc_html($_GET["message"])."</p></div>");
echo("<div class='updated below-h2'><p>".($_GET["message"])."</p></div>");
}

if (isset($_GET["action"]) && $_GET["action"] != "delete") {
if ($_GET["action"] == "edit") {
// Display Edit Page
$a_form = tom_get_row_by_id("a_form_sections", "*", "ID", esc_html($_GET["id"])); ?>
$a_form = tom_get_row_by_id("a_form_sections", "*", "ID", ($_GET["id"])); ?>
<div class="postbox " style="display: block; ">
<div class="inside">
<form action="" method="post">
Expand All @@ -434,7 +434,7 @@ function a_form_section_page() {
</div>
<?php }

if (esc_html($_GET["action"]) == "new") {
if (($_GET["action"]) == "new") {
// Display New Page
?>
<div class="postbox " style="display: block; ">
Expand Down Expand Up @@ -584,8 +584,8 @@ function a_form_tracking_page() {

<div class="wrap">
<h2>Tracking</h2>
<?php if (esc_html(tom_get_query_string_value("id")) != "") {
if (esc_html(tom_get_query_string_value("action")) != "view") { ?>
<?php if ((tom_get_query_string_value("id")) != "") {
if ((tom_get_query_string_value("action")) != "view") { ?>
<form action="" method="post">
<?php tom_add_form_field(null, "text", "Search Text", "search_text", "search_text", array(), "p", array()); ?>
<?php tom_add_form_field(null, "text", "Date From", "search_date_from", "search_date_from", array("class" => "datepicker"), "p", array()); ?>
Expand All @@ -602,29 +602,29 @@ function a_form_tracking_page() {

$page_no = 0;
if (isset($_GET["a_form_tracks_page"])) {
$page_no = esc_html($_GET["a_form_tracks_page"]);
$page_no = ($_GET["a_form_tracks_page"]);
}
$offset = $page_no * $limit_clause;
$where_sql = "form_id=".esc_html($_GET["id"]);
if (esc_html(tom_get_query_string_value("search_text")) != "") {
$where_sql .= " AND content LIKE '%".esc_html($_POST["search_text"])."%'";
$where_sql = "form_id=".($_GET["id"]);
if ((tom_get_query_string_value("search_text")) != "") {
$where_sql .= " AND content LIKE '%".($_POST["search_text"])."%'";
}

if ((esc_html(tom_get_query_string_value("search_date_from")) != null) && (esc_html(tom_get_query_string_value("search_date_to")) != null)) {
$where_sql .= " AND (created_at BETWEEN '".esc_html(tom_get_query_string_value("search_date_from"))." 00:00:00' AND '".esc_html(tom_get_query_string_value("search_date_to"))." 23:59:59')";
} else if (esc_html(tom_get_query_string_value("search_date_from")) != null) {
$where_sql .= " AND created_at > '".esc_html(tom_get_query_string_value("search_date_from"))." 00:00:00'";
} else if (esc_html(tom_get_query_string_value("search_date_to")) != null) {
$where_sql .= " AND created_at < '".esc_html(tom_get_query_string_value("search_date_to"))." 23:59:59'";
if (((tom_get_query_string_value("search_date_from")) != null) && ((tom_get_query_string_value("search_date_to")) != null)) {
$where_sql .= " AND (created_at BETWEEN '".(tom_get_query_string_value("search_date_from"))." 00:00:00' AND '".(tom_get_query_string_value("search_date_to"))." 23:59:59')";
} else if ((tom_get_query_string_value("search_date_from")) != null) {
$where_sql .= " AND created_at > '".(tom_get_query_string_value("search_date_from"))." 00:00:00'";
} else if ((tom_get_query_string_value("search_date_to")) != null) {
$where_sql .= " AND created_at < '".(tom_get_query_string_value("search_date_to"))." 23:59:59'";
}

$tracks = tom_get_results("a_form_tracks", "*", $where_sql, array("created_at DESC"), "$limit_clause OFFSET $offset");
$fields = tom_get_results("a_form_fields", "*", "form_id=".esc_html($_GET["id"]), array());
$fields = tom_get_results("a_form_fields", "*", "form_id=".($_GET["id"]), array());

$total_tracks = count(tom_get_results("a_form_tracks", "*", $where_sql, array("created_at DESC")));

if ($total_tracks > 0) {
tom_generate_datatable_pagination("a_form_tracks", $total_tracks, $limit_clause, esc_html($_GET["a_form_tracks_page"]), "?page=a-forms/a-forms-tracking.php&action=show&id=".esc_html($_GET["id"])."&search_text=".esc_html(tom_get_query_string_value("search_text"))."&search_date_from=".esc_html(tom_get_query_string_value("search_date_from"))."&search_date_to=".esc_html(tom_get_query_string_value("search_date_to")), "ASC", "top");
tom_generate_datatable_pagination("a_form_tracks", $total_tracks, $limit_clause, ($_GET["a_form_tracks_page"]), "?page=a-forms/a-forms-tracking.php&action=show&id=".($_GET["id"])."&search_text=".(tom_get_query_string_value("search_text"))."&search_date_from=".(tom_get_query_string_value("search_date_from"))."&search_date_to=".(tom_get_query_string_value("search_date_to")), "ASC", "top");
?>
<table id="tracking">
<thead>
Expand All @@ -650,7 +650,7 @@ function a_form_tracking_page() {
if ($content != "" && $field->field_type == "file") {
echo("<a href='".get_option("siteurl")."/wp-content/plugins/tom-m8te/tom-download-file.php?file=".$content."'>download</a>");
} else {
echo(preg_replace("/, $/", "", $content));
echo(preg_replace("/, $/", "", esc_html($content)));
}
echo("</td>");
}
Expand All @@ -670,7 +670,7 @@ function a_form_tracking_page() {
}
} else if ($_GET["action"] == "view") {
$view = tom_get_row_by_id("a_form_tracks", "*", "ID", $_GET["id"]);
echo "<p><textarea rows='40' cols='160'>".$view->content."</textarea></p>";
echo "<p><textarea rows='40' cols='160'>".esc_html(stripcslashes($view->content))."</textarea></p>";
echo("<p><a href='".get_option("siteurl")."/wp-admin/admin.php?page=a-forms/a-forms-tracking.php&action=show&id=".$view->form_id."'>Back</a></p>");
}

Expand Down Expand Up @@ -701,7 +701,7 @@ function a_form_shortcode($atts) {
$section_index = 0;

if (isset($_POST["send_a_form_section"])) {
$section_index = esc_html($_POST["send_a_form_section"]);
$section_index = ($_POST["send_a_form_section"]);
} else {
$section_index = 0;
}
Expand All @@ -719,10 +719,6 @@ function a_form_shortcode($atts) {
// Check to see if User submits a form action.
if (isset($_POST["send_a_form"]) && ($atts["id"] == $_POST["send_a_form"])) {

foreach ($_POST as $key => $value) {
$_POST[$key] = esc_attr(esc_html($value));
}

// User has submitted an aform.
$captcha_valid = true;
$form_valid = tom_validate_form($validation_array);
Expand All @@ -731,7 +727,7 @@ function a_form_shortcode($atts) {
$attachment_urls = array();

if (isset($_POST["a_form_attachment_urls"]) && $_POST["a_form_attachment_urls"] != "") {
$attachment_urls = explode("::", esc_html($_POST["a_form_attachment_urls"]));
$attachment_urls = explode("::", ($_POST["a_form_attachment_urls"]));
}

// Construct email content.
Expand All @@ -744,8 +740,8 @@ function a_form_shortcode($atts) {
$email_content .= $field->field_label.": ";
$answers = "";
foreach (explode(",", $field->value_options) as $key) {
if (esc_html($_POST[$form_name.$field_name."_".$i]) != "") {
$content = str_replace('\"', "\"", esc_html($_POST[$form_name.$field_name."_".$i]));
if (($_POST[$form_name.$field_name."_".$i]) != "") {
$content = str_replace('\"', "\"", ($_POST[$form_name.$field_name."_".$i]));
$content = str_replace("\'", '\'', $content);
$answers .= $content.", ";
}
Expand All @@ -768,8 +764,8 @@ function a_form_shortcode($atts) {
if ($filedst != "") {
$field_values[$field_name] = $filedst;
} else {
if (esc_html($_POST["a_form_attachment_urls"]) != "") {
$records = explode("::", esc_html($_POST["a_form_attachment_urls"]));
if (($_POST["a_form_attachment_urls"]) != "") {
$records = explode("::", ($_POST["a_form_attachment_urls"]));
foreach ($records as $record) {
$key_value = explode("=>", $record);
if ($key_value[0] == $form_name.$field_name && $key_value[1] != "") {
Expand All @@ -780,7 +776,7 @@ function a_form_shortcode($atts) {
}

} else {
$content = str_replace('\"', "\"", esc_html($_POST[$form_name.$field_name]));
$content = str_replace('\"', "\"", ($_POST[$form_name.$field_name]));
$content = str_replace("\'", '\'', $content);
$email_content .= $field->field_label.": ".$content."\n\n";
$field_values[$field_name] = $content;
Expand All @@ -803,11 +799,11 @@ function a_form_shortcode($atts) {
$captcha_valid =
(
(
esc_html($_POST[aform_field_name($form, "captcha_first_number")])
($_POST[aform_field_name($form, "captcha_first_number")])
+
esc_html($_POST[aform_field_name($form, "captcha_second_number")])
($_POST[aform_field_name($form, "captcha_second_number")])
)
== esc_html($_POST[aform_field_name($form, "captcha")])
== ($_POST[aform_field_name($form, "captcha")])
);

// Check to see if captcha is valid.
Expand All @@ -822,24 +818,24 @@ function a_form_shortcode($atts) {
$nonce_passed = wp_verify_nonce($_REQUEST["_wpnonce"], "a-forms-contact-a-form");
if ($nonce_passed && $form_valid && $captcha_valid) {
// Form is valid.
if (esc_html($_POST["action"]) == "Send") {
if (($_POST["action"]) == "Send") {
// User clicked Send, so since form is valid and they click Send, send the email.

$subject = $form->subject;
$from_name = "";
$user_email = "";
if ($form->field_name_id != "") {
$row = tom_get_row_by_id("a_form_fields", "*", "FID", $form->field_name_id);
$from_name = esc_html($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))]);
$from_name = ($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))]);
}
if ($form->field_email_id != "") {
$row = tom_get_row_by_id("a_form_fields", "*", "FID", $form->field_email_id);
$user_email = esc_html($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))]);
$user_email = ($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))]);
}
if ($form->field_subject_id != "") {
$row = tom_get_row_by_id("a_form_fields", "*", "FID", $form->field_subject_id);
if (isset($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))])) {
$subject .= " - ".esc_html($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))]);
$subject .= " - ".($_POST[$form_name.str_replace(" ", "_", strtolower($row->field_label))]);
}
}

Expand Down Expand Up @@ -886,7 +882,7 @@ function a_form_shortcode($atts) {
}

if ($form->tracking_enabled) {
tom_insert_record("a_form_tracks", array("created_at" => $current_datetime, "form_id" => esc_html($_POST["send_a_form"]), "content" => $email_content, "track_type" => "Successful Email", "referrer_url" => $_SERVER["HTTP_REFERER"], "fields_array" => serialize($field_values)));
tom_insert_record("a_form_tracks", array("created_at" => $current_datetime, "form_id" => ($_POST["send_a_form"]), "content" => $email_content, "track_type" => "Successful Email", "referrer_url" => $_SERVER["HTTP_REFERER"], "fields_array" => serialize($field_values)));
}

if ($form->success_redirect_url != "") {
Expand All @@ -895,7 +891,7 @@ function a_form_shortcode($atts) {

} else {
if ($form->tracking_enabled) {
tom_insert_record("a_form_tracks", array("created_at" => $current_datetime, "form_id" => esc_html($_POST["send_a_form"]), "content" => "Error Message: ".$mail_message.".\n\nContent: ".$email_content, "track_type" => "Failed Email", "referrer_url" => $_SERVER["HTTP_REFERER"], "fields_array" => serialize($field_values)));
tom_insert_record("a_form_tracks", array("created_at" => $current_datetime, "form_id" => ($_POST["send_a_form"]), "content" => "Error Message: ".$mail_message.".\n\nContent: ".$email_content, "track_type" => "Failed Email", "referrer_url" => $_SERVER["HTTP_REFERER"], "fields_array" => serialize($field_values)));
}
}

Expand All @@ -920,14 +916,14 @@ function a_form_shortcode($atts) {
$return_content .= "<input type='hidden' name='_wpnonce' value='".$aform_form_nonce."'/>";
$return_content .= "<fieldset>";
// Get next section
if (esc_html($_POST["action"]) == "Next") {
if (($_POST["action"]) == "Next") {
if ($form_valid) {
$section_index++;
}
}

// Get previous section.
if (esc_html($_POST["action"]) == "Back") {
if (($_POST["action"]) == "Back") {
$section_index--;
}

Expand Down
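Review bot: The echo on the new side of the @@ -328 hunk, `echo("<div class='updated below-h2'><p>".($_GET["message"])."</p></div>");`, now writes the `message` query parameter into admin-page HTML with no escaping at all, whereas the old line wrapped it in esc_html(); the same removal appears in the @@ -417 hunk. Moving escaping to output points, as the @@ -650 and @@ -670 hunks do for `$content`, is the right direction, but these two echoes are output points and should keep it: `echo("<div class='updated below-h2'><p>".esc_html($_GET["message"])."</p></div>");`. Separately, the @@ -602 hunk now concatenates `$_GET["id"]` and `$_POST["search_text"]` straight into `$where_sql`; esc_html() never provided SQL escaping in the first place, so these lines need `$wpdb->prepare()` placeholders (or at least an `intval()` on `id` and `$wpdb->esc_like()` on the search text) rather than a dropped HTML escape. The AJAX handler in the @@ -222 hunk likewise builds a filesystem path from `$_POST["css_file_selection"]` with no `basename()` or `sanitize_file_name()` before file_get_contents(), so a value containing path separators is not confined to the aforms_css directory. The enclosing functions start and end outside these hunks, so any nonce or capability check they may perform is not visible here.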
10 changes: 9 additions & 1 deletion readme.txt
Expand Up @@ -4,7 +4,7 @@ Donate link:
Tags: form, contact, plugin
Requires at least: 3.3
Tested up to: 3.6
Stable tag: 1.4.2
Stable tag: 1.4.3
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

Expand Down Expand Up @@ -33,6 +33,10 @@ http://wordpress.org/extend/plugins/a-forms

== Changelog ==

= 1.4.3 =

* Fixed yet another issue with critical cross-site scripting. I've forced SiteLock to check and check, and I think its finally fixed.

= 1.4.2 =

* Fixed another issue with critical cross-site scripting.
Expand Down Expand Up @@ -91,6 +95,10 @@ http://wordpress.org/extend/plugins/a-forms

== Upgrade notice ==

= 1.4.3 =

* Fixed yet another issue with critical cross-site scripting. I've forced SiteLock to check and check, and I think its finally fixed.

= 1.4.2 =

* Fixed another issue with critical cross-site scripting.
Expand Down
