
2.0.3 security fixes
! XSS in moderation log page (thanks kingW3 for the report)
! Fixed missing check on referer URL when adminLogin comes into play

Signed-off-by: emanuele <[email protected]>

emanuele 11 years ago
commit
d958e8868a
2 changed files with 15 additions and 2 deletions
  1. 1 1
      Sources/Modlog.php
  2. 14 1
      Sources/Security.php

+ 1 - 1
Sources/Modlog.php

@@ -284,7 +284,7 @@ function ViewModlog()
 				'position' => 'below_table_data',
 				'value' => '
 					' . $txt['modlog_search'] . ' (' . $txt['modlog_by'] . ': ' . $context['search']['label'] . '):
-					<input type="text" name="search" size="18" value="' . $context['search']['string'] . '" class="input_text" />
+					<input type="text" name="search" size="18" value="' . $smcFunc['htmlspecialchars']($context['search']['string']) . '" class="input_text" />
 					<input type="submit" name="is_search" value="' . $txt['modlog_go'] . '" class="button_submit" style="float:none" />
 					' . ($context['can_delete'] ? '&nbsp;|
 					<input type="submit" name="remove" value="' . $txt['modlog_remove'] . '" onclick="return confirm(\'' . $txt['modlog_remove_selected_confirm'] . '\');" class="button_submit" />
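Review bot: The escaping added to the `value` attribute of the search box depends on the helper's default quote handling. If `$smcFunc['htmlspecialchars']` defaults to `ENT_COMPAT`, as PHP's own `htmlspecialchars()` did at the time, single quotes pass through, which is safe only while the attribute stays double-quoted. Assuming the helper accepts the flags argument, writing `$smcFunc['htmlspecialchars']($context['search']['string'], ENT_QUOTES)` would survive a later markup change. `$context['search']['label']` two lines above is still concatenated raw, which is fine only if it always comes from `$txt` strings; its assignment is outside this hunk and should be confirmed. ViewModlog() begins and ends outside the hunk, so it cannot be checked from here whether the same search string reaches other outputs such as page links.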

+ 14 - 1
Sources/Security.php

@@ -60,6 +60,7 @@ function validateSession($type = 'admin')
 		if ($good_password || $_POST[$type . '_hash_pass'] == sha1($user_info['passwd'] . $sc))
 		{
 			$_SESSION[$type . '_time'] = time();
+			unset($_SESSION['request_referer']);
 			return;
 		}
 	}
@@ -74,6 +75,7 @@ function validateSession($type = 'admin')
 		if ($good_password || sha1(strtolower($user_info['username']) . $_POST[$type . '_pass']) == $user_info['passwd'])
 		{
 			$_SESSION[$type . '_time'] = time();
+			unset($_SESSION['request_referer']);
 			return;
 		}
 	}
@@ -84,9 +86,17 @@ function validateSession($type = 'admin')
 		smf_openID_revalidate();
 
 		$_SESSION[$type . '_time'] = time();
+		unset($_SESSION['request_referer']);
 		return;
 	}
 
+
+	// Better be sure to remember the real referer
+	if (empty($_SESSION['request_referer']))
+		$_SESSION['request_referer'] = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
+	elseif (empty($_POST))
+		unset($_SESSION['request_referer']);
+
 	// Need to type in a password for that, man.
 	if (!isset($_GET['xml']))
 		adminLogin($type);
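Review bot: The new block before `adminLogin($type)` stores whatever `parse_url()` returned, so `$_SESSION['request_referer']` can hold `array()` when no Referer header was sent, or `false` when the header could not be parsed. Assigning only a usable result avoids keeping a hostless value in the session: `$parsed = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();` followed by `if (is_array($parsed) && !empty($parsed['host'])) $_SESSION['request_referer'] = $parsed;`. The comment `// Better be sure to remember the real referer` does not say why. It could state that the referer of the request that triggered the password prompt is kept so checkSession() can still compare it once the login form is posted back, a flow that is inferred here because it is outside the hunk. The `unset($_SESSION['request_referer'])` added before each `return` in this hunk and the two above it would benefit from the same one-line explanation, and the extra blank line before the comment is stray. validateSession() begins and ends outside the hunk.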
@@ -647,7 +657,10 @@ function checkSession($type = 'post', $from_action = '', $is_fatal = true)
 	}
 
 	// Check the referring site - it should be the same server at least!
-	$referrer = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
+	if (isset($_SESSION['request_referer']))
+		$referrer = $_SESSION['request_referer'];
+	else
+		$referrer = isset($_SERVER['HTTP_REFERER']) ? @parse_url($_SERVER['HTTP_REFERER']) : array();
 	if (!empty($referrer['host']))
 	{
 		if (strpos($_SERVER['HTTP_HOST'], ':') !== false)
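Review bot: `isset($_SESSION['request_referer'])` is also true for an empty array or `false`, so a stored value without a host replaces the live header and the host comparison below is skipped for that request. Using `if (!empty($_SESSION['request_referer']['host']))` as the condition would fall back to `$_SERVER['HTTP_REFERER']` in those cases. checkSession() appears to be the general form check rather than something specific to the admin prompt, so a value left behind by an abandoned password prompt would be applied to unrelated requests until validateSession() clears it; a comment stating that lifetime would help. A request with no Referer at all still passes this block, as it did before the change, so the session token check (presumably earlier in this function) remains the control that matters. The function continues outside the hunk.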