From: <mxb...@li...> - 2005-03-17 12:37:36
Update of /cvsroot/mxbb/mx_kb/includes In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv8415/modules/mx_kb/includes Modified Files: kb_add.php kb_cat.php kb_edit.php kb_moderator.php kb_rate.php Log Message: Bug #47 - SQL Injection vulnerability in Knowledge Base MOD Index: kb_rate.php =================================================================== RCS file: /cvsroot/mxbb/mx_kb/includes/kb_rate.php,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** kb_rate.php 1 Feb 2005 20:45:44 -0000 1.7 --- kb_rate.php 17 Mar 2005 12:37:24 -0000 1.8 *************** *** 33,37 **** if ( isset( $HTTP_GET_VARS['k'] ) || isset( $HTTP_POST_VARS['k'] ) ) { ! $article_id = ( isset( $HTTP_GET_VARS['k'] ) ) ? $HTTP_GET_VARS['k'] : $HTTP_POST_VARS['k']; } else --- 33,37 ---- if ( isset( $HTTP_GET_VARS['k'] ) || isset( $HTTP_POST_VARS['k'] ) ) { ! $article_id = ( isset( $HTTP_GET_VARS['k'] ) ) ? intval( $HTTP_GET_VARS['k'] ): intval( $HTTP_POST_VARS['k'] ); } else Index: kb_cat.php =================================================================== RCS file: /cvsroot/mxbb/mx_kb/includes/kb_cat.php,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** kb_cat.php 1 Feb 2005 20:45:37 -0000 1.9 --- kb_cat.php 17 Mar 2005 12:37:24 -0000 1.10 *************** *** 29,33 **** $start = ( isset( $HTTP_GET_VARS['start'] ) ) ? intval( $HTTP_GET_VARS['start'] ) : 0; ! $category_id = $HTTP_GET_VARS['cat']; $category = get_kb_cat( $category_id ); $category_name = $category['category_name']; --- 29,34 ---- $start = ( isset( $HTTP_GET_VARS['start'] ) ) ? intval( $HTTP_GET_VARS['start'] ) : 0; ! $category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval ( $HTTP_GET_VARS['cat']) : intval ( $HTTP_POST_VARS['cat'] ); ! 
$category = get_kb_cat( $category_id ); $category_name = $category['category_name']; Index: kb_edit.php =================================================================== RCS file: /cvsroot/mxbb/mx_kb/includes/kb_edit.php,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** kb_edit.php 1 Feb 2005 20:45:38 -0000 1.12 --- kb_edit.php 17 Mar 2005 12:37:24 -0000 1.13 *************** *** 25,29 **** } ! $article_id = ( isset( $HTTP_GET_VARS['k'] ) ) ? $HTTP_GET_VARS['k'] : $HTTP_POST_VARS['k']; // main / preview ------------------------------------------------------------------------- // show article form --- 25,30 ---- } ! $article_id = ( isset( $HTTP_GET_VARS['k'] ) ) ? intval ( $HTTP_GET_VARS['k'] ) : intval ( $HTTP_POST_VARS['k'] ); ! // main / preview ------------------------------------------------------------------------- // show article form *************** *** 280,289 **** $article_text = ( !empty( $HTTP_POST_VARS['message'] ) ) ? addslashes( $HTTP_POST_VARS['message'] ) : ''; ! $category = $HTTP_POST_VARS['category_id']; $title = ( !empty( $HTTP_POST_VARS['article_name'] ) ) ? htmlspecialchars( $HTTP_POST_VARS['article_name'] ) : ''; $description = ( !empty( $HTTP_POST_VARS['article_desc'] ) ) ? htmlspecialchars( $HTTP_POST_VARS['article_desc'] ) : ''; $date = time(); ! $author_id = $HTTP_POST_VARS['author_id']; ! $type_id = $HTTP_POST_VARS['type_id']; $bbcode_uid = $HTTP_POST_VARS['bbcode_uid']; --- 281,290 ---- $article_text = ( !empty( $HTTP_POST_VARS['message'] ) ) ? addslashes( $HTTP_POST_VARS['message'] ) : ''; ! $category = intval ( $HTTP_POST_VARS['category_id'] ); $title = ( !empty( $HTTP_POST_VARS['article_name'] ) ) ? htmlspecialchars( $HTTP_POST_VARS['article_name'] ) : ''; $description = ( !empty( $HTTP_POST_VARS['article_desc'] ) ) ? htmlspecialchars( $HTTP_POST_VARS['article_desc'] ) : ''; $date = time(); ! $author_id = intval ( $HTTP_POST_VARS['author_id'] ); ! 
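Review bot: The new `$category_id` line in kb_cat.php falls back to `$HTTP_POST_VARS['cat']` without an `isset()` guard, so a request carrying neither parameter raises an undefined-index notice and `intval()` silently yields category 0; the old line read only `$HTTP_GET_VARS['cat']`, so the POST fallback is also a behaviour change the log message does not mention. The same unguarded fallback is introduced for `cat` and `page` in the first kb_moderator.php hunk. Guard the second branch as well, e.g. `$category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval( $HTTP_GET_VARS['cat'] ) : ( ( isset( $HTTP_POST_VARS['cat'] ) ) ? intval( $HTTP_POST_VARS['cat'] ) : 0 );`, and confirm that `get_kb_cat( 0 )`, which lives outside the hunk, handles the absent case rather than returning an empty row.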
$type_id = intval ( $HTTP_POST_VARS['type_id'] ); $bbcode_uid = $HTTP_POST_VARS['bbcode_uid']; Index: kb_moderator.php =================================================================== RCS file: /cvsroot/mxbb/mx_kb/includes/kb_moderator.php,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** kb_moderator.php 1 Feb 2005 20:45:44 -0000 1.3 --- kb_moderator.php 17 Mar 2005 12:37:24 -0000 1.4 *************** *** 27,32 **** include( $phpbb_root_path . 'includes/functions_admin.' . $phpEx ); ! $category_id = $HTTP_GET_VARS['cat']; ! $page_id = $HTTP_GET_VARS['page']; $ref_stats = ( isset( $HTTP_GET_VARS['ref'] ) ) ? true : 0; --- 27,34 ---- include( $phpbb_root_path . 'includes/functions_admin.' . $phpEx ); ! $category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval ( $HTTP_GET_VARS['cat']) : intval ( $HTTP_POST_VARS['cat'] ); ! ! $page_id = ( isset( $HTTP_GET_VARS['page'] ) ) ? intval ( $HTTP_GET_VARS['page']) : intval ( $HTTP_POST_VARS['page'] ); ! $ref_stats = ( isset( $HTTP_GET_VARS['ref'] ) ) ? true : 0; *************** *** 73,77 **** case 'approve': ! $article_id = $HTTP_GET_VARS['a']; $topic_sql = ''; --- 75,79 ---- case 'approve': ! $article_id = intval ( $HTTP_GET_VARS['a'] ); $topic_sql = ''; *************** *** 175,179 **** case 'unapprove': ! $article_id = $HTTP_GET_VARS['a']; $sql = "UPDATE " . KB_ARTICLES_TABLE . " SET approved = 0 --- 177,181 ---- case 'unapprove': ! $article_id = intval ( $HTTP_GET_VARS['a'] ); $sql = "UPDATE " . KB_ARTICLES_TABLE . " SET approved = 0 *************** *** 208,215 **** case 'delete': if ( $HTTP_GET_VARS['c'] == "yes" ) { - $article_id = $HTTP_GET_VARS['a']; - $sql = "SELECT article_category_id, approved, topic_id FROM " . KB_ARTICLES_TABLE . " --- 210,217 ---- case 'delete': + $article_id = intval ( $HTTP_GET_VARS['a'] ); + if ( $HTTP_GET_VARS['c'] == "yes" ) { $sql = "SELECT article_category_id, approved, topic_id FROM " . KB_ARTICLES_TABLE . 
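Review bot: In the kb_edit.php hunk at lines 281-290, `$bbcode_uid = $HTTP_POST_VARS['bbcode_uid'];` is still raw POST input while the neighbouring integer fields gain `intval()`; if it is interpolated into the statement that follows outside the hunk, the injection fix is incomplete for that column. `$title` and `$description` go through `htmlspecialchars()` with default flags, which on the PHP of this era leaves single quotes untouched, so they are output-escaped but not SQL-escaped unless a later `addslashes()` or driver escaping applies. Treating `bbcode_uid` like `$article_text`, `$bbcode_uid = ( !empty( $HTTP_POST_VARS['bbcode_uid'] ) ) ? addslashes( $HTTP_POST_VARS['bbcode_uid'] ) : '';`, and passing `ENT_QUOTES` to the two `htmlspecialchars()` calls would close that gap. The enclosing branch starts and ends outside the hunk.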
" *************** *** 369,373 **** $category_id = ( $ref_stats ? 1 : $category_id ); ! $message = $lang['Confirm_art_delete'] . '<br /><br />' . sprintf( $lang['Confirm_art_delete_yes'], '<a href="' . append_sid( this_kb_mxurl( "mode=moderate&action=delete&page=$page_id&cat=$category_id&c=yes&a=" . $HTTP_GET_VARS['a'] ) ) . '">', '</a>' ) . '<br /><br />' . sprintf( $lang['Confirm_art_delete_no'], '<a href="' . append_sid( $mx_root_path . "index.$phpEx?page=$page_id&mode=cat&cat=$category_id" ) . '">', '</a>' ); mx_message_die( GENERAL_MESSAGE, $message ); } --- 371,375 ---- $category_id = ( $ref_stats ? 1 : $category_id ); ! $message = $lang['Confirm_art_delete'] . '<br /><br />' . sprintf( $lang['Confirm_art_delete_yes'], '<a href="' . append_sid( this_kb_mxurl( "mode=moderate&action=delete&page=$page_id&cat=$category_id&c=yes&a=" . $article_id ) ) . '">', '</a>' ) . '<br /><br />' . sprintf( $lang['Confirm_art_delete_no'], '<a href="' . append_sid( $mx_root_path . "index.$phpEx?page=$page_id&mode=cat&cat=$category_id" ) . '">', '</a>' ); mx_message_die( GENERAL_MESSAGE, $message ); } Index: kb_add.php =================================================================== RCS file: /cvsroot/mxbb/mx_kb/includes/kb_add.php,v retrieving revision 1.12 retrieving revision 1.13 diff -C2 -d -r1.12 -r1.13 *** kb_add.php 1 Feb 2005 20:45:36 -0000 1.12 --- kb_add.php 17 Mar 2005 12:37:24 -0000 1.13 *************** *** 25,29 **** } ! $category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? $HTTP_GET_VARS['cat'] : $HTTP_POST_VARS['cat']; // Start auth check --- 25,29 ---- } ! $category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval ( $HTTP_GET_VARS['cat'] ) : intval ( $HTTP_POST_VARS['cat'] ); // Start auth check |
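Review bot: In the kb_moderator.php delete hunks (new lines 210-217 and 371-375), hoisting `$article_id = intval( $HTTP_GET_VARS['a'] )` above the `c == "yes"` check also removes the unescaped `$HTTP_GET_VARS['a']` from the confirmation link, but an absent or non-numeric `a` now becomes article 0 and flows into the SELECT and the confirmation message instead of being rejected. The deletion is still authorised by nothing more than the GET parameter `c=yes` in a link, which is a cross-site request forgery exposure for a moderator's session unless a token or POST check exists outside the hunk. Reject a non-positive id before the query, e.g. `if ( $article_id <= 0 ) { mx_message_die( GENERAL_MESSAGE, $lang['<placeholder: missing-article key>'] ); }`, and consider requiring the confirmation to be a POST with a per-session token. The `switch` block these cases belong to begins and ends outside the hunks.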
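Review bot: Style: the new calls in kb_add.php, kb_cat.php, kb_edit.php and kb_moderator.php are written `intval ( … )` with a space before the parenthesis, while kb_rate.php in the same commit writes `intval( … )` and every surrounding `isset( … )` uses the no-space form. The fallback `$HTTP_POST_VARS['cat']` in kb_add.php is also read without `isset()`, as it was before the change. Normalising to `$category_id = ( isset( $HTTP_GET_VARS['cat'] ) ) ? intval( $HTTP_GET_VARS['cat'] ) : intval( $HTTP_POST_VARS['cat'] );` keeps the five files consistent.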