From: Lo?c C. <lo...@us...> - 2001-05-11 18:42:28
Update of /cvsroot/phpmychat/phpMyChat - 0.14/chat/lib In directory usw-pr-cvs1:/tmp/cvs-serv8129/chat/lib Modified Files: index.lib.php3 Log Message: Close a security hole ***** Bogus filespec: - ***** Bogus filespec: 0.14/chat/lib
Index: index.lib.php3
===================================================================
RCS file: /cvsroot/phpmychat/phpMyChat - 0.14/chat/lib/index.lib.php3,v
retrieving revision 1.10
retrieving revision 1.11
diff -C2 -r1.10 -r1.11
*** index.lib.php3 2001/05/06 16:45:43 1.10
--- index.lib.php3 2001/05/11 18:42:25 1.11
***************
*** 132,135 ****
--- 132,174 ----
 $DbLink = new DB;
 
+ // Fix some security issues
+ if (isset($Reload))
+ {
+ $isHacking = false;
+ if (($Reload == 'JoinCmd')
+ && (empty($E) || empty($Ver) || empty($L) || empty($U) || (empty($R0) && empty($R1) && empty($R2)) || empty($D)))
+ {
+ $isHacking = true;
+ }
+ else if (($Reload == 'NNResize')
+ && (empty($Ver) || empty($L) || empty($U) || empty($R) || empty($T) || empty($D) || empty($N)))
+ {
+ $isHacking = true;
+ }
+ else
+ {
+ $DbLink->query("SELECT password FROM ".C_REG_TBL." WHERE username='$U' LIMIT 1");
+ list($user_password) = $DbLink->next_record();
+ $DbLink->clean_results();
+ if (!empty($user_password) && (empty($PWD_Hash) || $PWD_Hash != $user_password))
+ $isHacking = true;
+ unset($user_password);
+ }
+
+ if ($isHacking)
+ {
+ unset($Reload);
+ if (isset($U)) unset($U);
+ if (isset($PWD_Hash)) unset($PWD_Hash);
+ if (isset($T)) unset($T);
+ if (isset($R)) unset($R);
+ if (isset($R0)) unset($R0);
+ if (isset($R1)) unset($R1);
+ if (isset($R2)) unset($R2);
+ if (isset($E)) unset($E);
+ $Error = L_ERR_USR_10;
+ }
+ }
+
 // Removes user from users table and if necessary add a notication message for him
 if(isset($E) && $E != "")
***************
*** 139,143 ****
 {
 // HACKERS Atack !!!
! unset($E);
 $Error = L_ERR_USR_10;
 }
--- 178,183 ----
 {
 // HACKERS Atack !!!
! unset($E);
!
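Review bot: `$U` is interpolated straight into the SELECT at `$DbLink->query("SELECT password FROM ".C_REG_TBL." WHERE username='$U' LIMIT 1");`, so the value this block otherwise treats as hostile reaches the database unescaped; the `stripslashes($U)` used further down in the same file suggests the code assumes magic_quotes_gpc is on, which is a server setting rather than a guarantee. Escaping explicitly before the query keeps the new check safe either way, e.g. `$safeU = get_magic_quotes_gpc() ? $U : addslashes($U);` followed by `... WHERE username='$safeU' LIMIT 1`. Separately, `$PWD_Hash != $user_password` is a loose comparison — PHP compares two numeric-looking strings as numbers — so `!==` is the safer operator when comparing a stored hash. The added block is self-contained, but the scope it sits in, and the place where `$Reload`, `$U` and `$PWD_Hash` are populated, start before the hunk.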
if (isset($U)) unset($U);
 $Error = L_ERR_USR_10;
 }
***************
*** 173,177 ****
 }
 // Check for invalid characters or empty nick
! elseif (trim($U) == "" || ereg("[\,]", stripslashes($U)))
 {
 $Error = L_ERR_USR_16;
--- 213,217 ----
 }
 // Check for invalid characters or empty nick
! elseif (trim($U) == "" || ereg("[\, ]", stripslashes($U)))
 {
 $Error = L_ERR_USR_16;
|
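Review bot: The widened class in `ereg("[\, ]", stripslashes($U))` rejects only a literal space, so a nick containing a tab or other whitespace still passes even though the `trim($U) == ""` test on the same line treats all of it as blank; `ereg("[[:space:],]", stripslashes($U))` would make the two checks agree. Note also that inside a POSIX bracket expression the backslash is a literal character, so the class already rejects `\` as well — probably harmless, but unintended if the escape was meant for the comma. The `elseif` belongs to a chain that starts before the hunk.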