Merge pull request #1 from WhatCD/master

Fix my own exploits now that they're publicly disclosed
MrPMan 2016-01-03 23:48:37 -08:00
commit b9443ae50f
8 changed files with 19 additions and 8 deletions


@ -6,6 +6,10 @@ class CalendarView {
private static $Events; private static $Events;
public static function render_title($Month, $Year) { public static function render_title($Month, $Year) {
if (!is_numeric($Month) || !is_numeric($Year)) {
error(404);
}
$NextMonth = $Month % 12 == 0 ? 1 : $Month + 1; $NextMonth = $Month % 12 == 0 ? 1 : $Month + 1;
$PreviousMonth = $Month == 1 ? 12 : $Month - 1; $PreviousMonth = $Month == 1 ? 12 : $Month - 1;
$NextYear = $Year; $NextYear = $Year;
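Review bot: The new `is_numeric()` guard in render_title still lets through values that are not valid month/year integers — floats, exponent notation and leading whitespace such as `"1.5"` or `" 12"` pass it — so `$Month % 12` and the arithmetic below run on unexpected input, and nothing bounds `$Month` to 1–12. A stricter check is `if (filter_var($Month, FILTER_VALIDATE_INT) === false || filter_var($Year, FILTER_VALIDATE_INT) === false || $Month < 1 || $Month > 12) { error(404); }`. The same `is_numeric` guard is added to `delete_event` in the second file; if `$ID` is interpolated into SQL further down (outside the hunk), casting with `(int)$ID` before use is the safer complement. render_title continues past the end of the hunk.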


@ -244,7 +244,7 @@ public static function update_event($ID, $Date, $Title, $Link, $Category, $SubCa
} }
public static function delete_event($ID) { public static function delete_event($ID) {
if (empty($ID)) { if (!is_numeric($ID)) {
error(404); error(404);
} }
$QueryID = G::$DB->get_query_id(); $QueryID = G::$DB->get_query_id();


@ -1,5 +1,8 @@
CHANGE LOG CHANGE LOG
2015-12-24 by newman
Fix several XSS, SQLi, and misc vulnerabilities
2015-12-20 by newman 2015-12-20 by newman
Add password age to user profiles Add password age to user profiles


@ -30,7 +30,7 @@
<h2>Tracker info</h2> <h2>Tracker info</h2>
</div> </div>
<div class="linkbox"> <div class="linkbox">
<a href="?action=<?=$_GET['action']?>" class="brackets" />Main stats</a> <a href="?action=<?=$_REQUEST['action']?>" class="brackets" />Main stats</a>
</div> </div>
<div class="sidebar"> <div class="sidebar">
<div class="box box2"> <div class="box box2">
@ -76,7 +76,7 @@
<? <?
} elseif (isset($_GET['userid'])) { } elseif (isset($_GET['userid'])) {
?> ?>
User <?=$_GET['userid']?> doesn't exist User <?=display_str($_GET['userid'])?> doesn't exist
<? <?
} else { } else {
?> ?>
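Review bot: `$_REQUEST['action']` in the Main stats link is still echoed raw inside an href attribute, so swapping `$_GET` for `$_REQUEST` changes where the value comes from but not the reflected-output problem that the second hunk fixes for `userid` with `display_str()`; the same unescaped `$_REQUEST['action']` appears in the donor-list link in the sixth file. Unless the router has already restricted `action` to a known set before this template runs (not visible here), the attribute should be escaped the same way: `<a href="?action=<?=display_str($_REQUEST['action'])?>" class="brackets">Main stats</a>`. The stray `/>` on that opening `<a>` tag is malformed markup worth dropping while the line is being touched.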


@ -1,5 +1,5 @@
<? <?
if (!check_perms('site_debug')) { if (!check_perms('site_debug') || !check_perms('admin_clear_cache')) {
error(403); error(403);
} }
if (isset($_POST['global_flush'])) { if (isset($_POST['global_flush'])) {
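Review bot: The guard now requires both `site_debug` and `admin_clear_cache`, but the `$_POST['global_flush']` branch that follows is a state-changing request and no auth-key or CSRF check is visible within the hunk. If the rest of the file (outside the hunk) does not verify the session auth key before flushing, a forged form submission from an admin's browser would pass this permission check alone; worth confirming and, if absent, adding the codebase's auth-key check (an `authorize()`-style guard) immediately after the `error(403)` block.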


@ -17,7 +17,7 @@
<? <?
if (empty($_GET['list'])) { if (empty($_GET['list'])) {
?> ?>
<a href="?action=<?=$_GET['action']?>&amp;list=1" class="brackets">Show donor list</a> <a href="?action=<?=$_REQUEST['action']?>&amp;list=1" class="brackets">Show donor list</a>
<? <?
} else { } else {
$BitcoinAddresses = DonationsBitcoin::get_received(); $BitcoinAddresses = DonationsBitcoin::get_received();


@ -9,10 +9,10 @@
foreach ($_POST['item'] as $Position => $Item) { foreach ($_POST['item'] as $Position => $Item) {
$Position = db_string($Position); $Position = db_string($Position);
$Item = db_string($Item); $Item = db_string($Item);
$DB->query(' $DB->query("
UPDATE `do_not_upload` UPDATE `do_not_upload`
SET `Sequence` = ' . $Position . ' SET `Sequence` = '" . $Position . "'
WHERE `id` = '. $Item); WHERE `id` = '" . $Item . "'");
} }
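Review bot: `$Position` and `$Item` feed `Sequence` and `id`, which are presumably integer columns, yet they are escaped as strings with `db_string()` and quoted into the query; that closes the injection the old unquoted form allowed, but an integer cast is simpler and self-documenting here: `$Position = (int)$Position;` and `$Item = (int)$Item;`, with the added quotes around them in the query dropped again. `$Position` is also the array key from `$_POST['item']`, which PHP has already normalised for numeric strings, so the cast costs nothing. The enclosing `if` on `$_POST['submit']` starts above the hunk.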
} elseif ($_POST['submit'] == 'Delete') { //Delete } elseif ($_POST['submit'] == 'Delete') { //Delete


@ -6,6 +6,10 @@
$UserID = $LoggedUser['ID']; $UserID = $LoggedUser['ID'];
$AuthKey = $LoggedUser['AuthKey']; $AuthKey = $LoggedUser['AuthKey'];
} else { } else {
if (strpos($_REQUEST['torrent_pass'], '_') !== false) {
error(404);
}
$UserInfo = $Cache->get_value('user_'.$_REQUEST['torrent_pass']); $UserInfo = $Cache->get_value('user_'.$_REQUEST['torrent_pass']);
if (!is_array($UserInfo)) { if (!is_array($UserInfo)) {
$DB->query(" $DB->query("
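Review bot: The new guard rejects only an underscore in `torrent_pass`, which narrows the cache-key collision on `'user_'.$_REQUEST['torrent_pass']` but is a one-character denylist; since the pass is presumably a fixed-format alphanumeric token, an allowlist is more robust and also covers the case where the parameter is absent (`strpos` on a missing key raises an undefined-index notice, and a null argument is deprecated on PHP 8.1+): `if (!isset($_REQUEST['torrent_pass']) || !ctype_alnum($_REQUEST['torrent_pass'])) { error(404); }`. The value is then used in the `$DB->query(` that begins on the last line of the hunk; whichever check is chosen, it should still be escaped or bound there. The surrounding if/else starts above the hunk.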