
JPCERT/CC 脆弱性情報ハンドリングチームより、Zen Cartにおけるクロスサイトスクリプティングの脆弱性があるとのことで、1.5.3、1.5.4からソースを持ってきて変更し、対応しました。

Signed-off-by: kimono <maeda@obitastar.co.jp>
kimono committed Feb 13, 2015
1 parent 315a3d8 commit 022949bd09444d7e58703cc537dbbd5744c381b8
@@ -92,6 +92,8 @@
*/
$autoLoadConfig[20][] = array('autoType'=>'init_script',
'loadFile'=> 'init_db_config_read.php');
+ $autoLoadConfig[20][] = array('autoType'=>'init_script',
+ 'loadFile'=> 'init_sanitize.php');
/**
* Breakpoint 30.
*
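Review bot: Registering `init_sanitize.php` under `$autoLoadConfig[20]` after `init_db_config_read.php` means any init script registered at a lower breakpoint (outside this hunk) still runs against the unfiltered `$_GET`, if the numeric key is the load order as the surrounding `Breakpoint 30.` comment suggests. Either move the entry to the earliest breakpoint the sanitizer's own dependencies allow, or add `// sanitize $_GET as early as possible; nothing below this breakpoint may read query input` above the new entry so the assumption is recorded for the next person who reorders this file.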
@@ -1,10 +1,25 @@
<?php
/**
+ * init_sanitize
*
* @package initSystem
- * @copyright Copyright 2003-2011 Zen Cart Development Team
+ * @copyright Copyright 2003-2014 Zen Cart Development Team
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
- * @version $Id: init_sanitize.php 18698 2011-05-04 14:50:06Z wilt $
+ * @version GIT: $Id: Author: Ian Wilson Fri Mar 7 21:54:17 2014 +0000 Modified in v1.5.3 $
*/
+$saniGroup1 = array('action', 'add_products_id', 'attribute_id', 'attribute_page', 'attributes_id', 'banner', 'bID', 'box_name', 'build_cat', 'came_from', 'categories_update_id', 'cID', 'cid', 'configuration_key_lookup', 'copy_attributes',
+'cpage', 'cPath', 'current_category_id', 'current', 'customer', 'debug', 'debug2', 'debug3', 'define_it', 'download_reset_off', 'download_reset_on', 'end_date', 'ezID', 'fID', 'filename', 'flag',
+'flagbanners_on_ssl', 'flagbanners_open_new_windows', 'gID', 'gid', 'global', 'go_back', 'id', 'info', 'ipnID', 'keepslashes', 'layout_box_name', 'lID', 'list_order', 'language', 'lng_id', 'lngdir', 'mail_sent_to', 'manual',
+'master_category', 'mID', 'mode', 'module', 'month', 'na', 'nID', 'nogrants', 'ns', 'number_of_uploads', 'oID', 'oldaction', 'option_id', 'option_order_by', 'option_page', 'options_id_from', 'options_id', 'order_by',
+'order', 'origin', 'p', 'padID', 'page', 'pages_id', 'payment_status', 'paypal_ipn_sort_order', 'pID', 'ppage', 'product_type', 'products_filter_name_model', 'products_filter', 'products_id',
+'products_options_id_all', 'products_update_id', 'profile', 'ptID', 'q', 'read', 'recip_count', 'referral_code', 'reports_page', 'reset_categories_products_sort_order', 'reset_editor', 'reset_ez_sort_order',
+'reset_option_names_values_copier', 'rID', 's', 'saction', 'selected_box', 'set', 'set_display_categories_dropdown', 'sID', 'spage', 'start_date', 'status', 't', 'tID', 'type', 'uid', 'update_action', 'update_to', 'user',
+'value_id', 'value_page', 'vcheck', 'year', 'za_lookup', 'zID', 'zone', 'zpage');
-// ** NOTE: THIS FILE CAN BE DELETED. It is no longer needed.
+foreach ($saniGroup1 as $key)
+{
+ if (isset($_GET[$key]))
+ {
+ $_GET[$key] = preg_replace('/[^\/ 0-9a-zA-Z_:@.-]/', '', $_GET[$key]);
+ }
+}
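Review bot: The character class on the `preg_replace` line, `[^\/ 0-9a-zA-Z_:@.-]`, admits a space, while the catalog-side copy of this loop in the same commit uses `[^\/0-9a-zA-Z_:@.-]` without one, so shared keys such as `action`, `id`, `page`, `type`, `pID` and `language` are cleaned differently depending on which side receives them; if the space is intentional for admin, a comment on that line should say so, otherwise align the two. The allowlist also keeps `.`, `/` and `:`, so for keys like `filename`, `lngdir` and `origin` this pass does not constrain paths or URLs, and the header docblock should state the contract plainly: strips `$_GET` values for the listed keys to a fixed character allowlist, performs no semantic validation, and leaves `$_POST`/`$_COOKIE` untouched. Since the old file carried `THIS FILE CAN BE DELETED`, the docblock should also note why it is reinstated (it is now registered from the autoloader configuration). `$saniGroup1` and `$key` remain defined in the init script's scope after the loop; add `unset($saniGroup1, $key);` after the closing brace.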
@@ -4,10 +4,10 @@
* see {@link http://www.zen-cart.com/wiki/index.php/Developers_API_Tutorials#InitSystem wikitutorials} for more details.
*
* @package initSystem
- * @copyright Copyright 2003-2012 Zen Cart Development Team
+ * @copyright Copyright 2003-2013 Zen Cart Development Team
* @copyright Portions Copyright 2003 osCommerce
* @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
- * @version GIT: $Id: Author: DrByte Thu Aug 2 11:55:32 2012 -0400 Modified in v1.5.1 $
+ * @version GIT: $Id: Author: Ian Wilson Thu Nov 7 15:58:09 2013 +0000 Modified in v1.5.2 $
* @todo move the array process to security class
*/
@@ -38,6 +38,15 @@
if (isset($_GET['cPath'])) $_GET['cPath'] = preg_replace('/[^0-9_]/', '', $_GET['cPath']);
if (isset($_GET['main_page'])) $_GET['main_page'] = preg_replace('/[^0-9a-zA-Z_]/', '', $_GET['main_page']);
if (isset($_GET['sort'])) $_GET['sort'] = preg_replace('/[^0-9a-zA-Z]/', '', $_GET['sort']);
+ $saniGroup1 = array('action', 'addr', 'alpha_filter_id', 'alpha_filter', 'authcapt', 'chapter', 'cID', 'currency', 'debug', 'delete', 'dfrom', 'disp_order', 'dto', 'edit', 'faq_item', 'filter_id', 'goback', 'goto', 'gv_no', 'id', 'inc_subcat', 'language', 'markflow', 'music_genre_id', 'nocache', 'notify', 'number_of_uploads', 'order_id', 'order', 'override', 'page', 'pfrom', 'pid', 'pID', 'pos', 'product_id', 'products_image_large_additional', 'products_tax_class_id', 'pto', 'record_company_id', 'referer', 'reviews_id', 'search_in_description', 'set_session_login', 'token', 'tx', 'type', 'zenid');
+ foreach ($saniGroup1 as $key)
+ {
+ if (isset($_GET[$key]))
+ {
+ $_GET[$key] = preg_replace('/[^\/0-9a-zA-Z_:@.-]/', '', $_GET[$key]);
+ }
+ }
+
/**
* process all $_GET terms
*/
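Review bot: The loop's character class on the `preg_replace` line, `[^\/0-9a-zA-Z_:@.-]`, differs from the admin-side `init_sanitize.php` introduced in the same commit, which additionally allows a space; both lists name overlapping keys (`action`, `id`, `page`, `type`, `pID`, `language`, `number_of_uploads`), so either align the classes or comment the deliberate difference here. The class keeps `@`, `:`, `/` and `.`, so for `referer`, `goto` and `token` it does not constrain the value's shape; given the header's `@todo move the array process to security class`, per-key validation (and a `FILTER_VALIDATE_URL`-style check for the URL-ish keys) belongs there rather than in a flat allowlist. `$saniGroup1` and `$key` stay defined in the init script's scope after the loop; add `unset($saniGroup1, $key);` before the `process all $_GET terms` block. The surrounding init script continues outside this hunk.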
@@ -110,7 +119,7 @@
/**
* sanitize $_SERVER vars
*/
- $_SERVER['REMOTE_ADDR'] = preg_replace('/[^0-9.%]/', '', $_SERVER['REMOTE_ADDR']);
+ $_SERVER['REMOTE_ADDR'] = preg_replace('~[^a-fA-F0-9.:%/]~', '', $_SERVER['REMOTE_ADDR']);
/**
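Review bot: The new `REMOTE_ADDR` class `[^a-fA-F0-9.:%/]` admits `%` and `/`, which no bare IPv4 or IPv6 address contains, and stripping rather than rejecting means a malformed value still reaches downstream code as a plausible-looking address string; prefer validating, e.g. `$ip = isset($_SERVER['REMOTE_ADDR']) ? filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) : false;` followed by `$_SERVER['REMOTE_ADDR'] = ($ip === false) ? '' : $ip;`. If the `%` is meant to preserve IPv6 zone identifiers (for example `fe80::1%eth0`), `FILTER_VALIDATE_IP` will reject those, so that case needs a comment on the line and a deliberate decision rather than an implicit allow. The line also reads `$_SERVER['REMOTE_ADDR']` without an `isset()` guard, which raises a notice in CLI or test runs where the key is absent; that pre-dates this change but is worth fixing while the line is being touched.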
