Empty commit

2024-12-12 18:36:29 +00:00 · 2015-11-20 08:00:28 +00:00 · 2015-11-20 08:00:28 +00:00 · ba0b51ef98
commit ba0b51ef98
parent 5194e7be67
7 changed files with 11 additions and 27 deletions
--- a/docs/CHANGES.txt
+++ b/docs/CHANGES.txt
@ -1,5 +1,8 @@
 CHANGE LOG

+2015-11-19 by lawnmower
+Fix several XSS and SQLi vulerabilities
+
 2015-11-14 by techietrash
 Fix ctrl+click group collapsing/expanding on OSX

--- a/sections/reports/ajax_resolve_report.php
+++ b/sections/reports/ajax_resolve_report.php
@ -1,11 +1,11 @@
 <?
 authorize();

-if ((!check_perms('admin_reports') && !check_perms('project_team') && !check_perms('site_moderate_forums')) || (empty($_POST['reportid']) && !is_number($_POST['reportid']))) {
+if (!check_perms('admin_reports') && !check_perms('project_team') && !check_perms('site_moderate_forums')) {
 	ajax_error();
 }

-$ReportID = $_POST['reportid'];
+$ReportID = (int) $_POST['reportid'];

 $DB->query("
 	SELECT Type
--- a/sections/reports/takeresolve.php
+++ b/sections/reports/takeresolve.php
@ -5,11 +5,7 @@
 	error(403);
 }

-if (empty($_POST['reportid']) && !is_number($_POST['reportid'])) {
-	error(403);
-}
-
-$ReportID = $_POST['reportid'];
+$ReportID = (int) $_POST['reportid'];

 $DB->query("
 	SELECT Type
--- a/sections/reportsv2/ajax_create_report.php
+++ b/sections/reportsv2/ajax_create_report.php
@ -50,7 +50,7 @@
 }


-$ExtraID = $_POST['otherid'];
+$ExtraID = db_string($_POST['otherid']);

 if (!empty($_POST['extra'])) {
 	$Extra = db_string($_POST['extra']);
--- a/sections/reportsv2/ajax_update_comment.php
+++ b/sections/reportsv2/ajax_update_comment.php
@ -7,12 +7,7 @@
 	error(403);
 }

-if (empty($_POST['reportid']) || !is_number($_POST['reportid'])) {
-	echo 'HAX ATTEMPT!'.$_GET['reportid'];
-	die();
-}
-
-$ReportID = $_POST['reportid'];
+$ReportID = (int) $_POST['reportid'];

 $Message = db_string($_POST['comment']);
 //Message can be blank!
--- a/sections/reportsv2/ajax_update_resolve.php
+++ b/sections/reportsv2/ajax_update_resolve.php
@ -5,23 +5,13 @@
 	error(403);
 }

-if (empty($_GET['reportid']) || !is_number($_GET['reportid'])) {
-	echo 'HAX ATTEMPT!'.$_GET['reportid'];
-	die();
-}
-
-if (empty($_GET['categoryid']) || !is_number($_GET['categoryid'])) {
-	echo 'HAX ATTEMPT!!'.$_GET['categoryid'];
-	die();
-}
-
 if (empty($_GET['newresolve'])) {
 	echo "No new resolve";
 	die();
 }

-$ReportID = $_GET['reportid'];
-$CategoryID = $_GET['categoryid'];
+$ReportID = (int) $_GET['reportid'];
+$CategoryID = (int) $_GET['categoryid'];
 $NewType = $_GET['newresolve'];

 if (!empty($Types[$CategoryID])) {
--- a/sections/user/manage_linked.php
+++ b/sections/user/manage_linked.php
@ -6,7 +6,7 @@
 	error(403);
 }

-$UserID = $_REQUEST['userid'];
+$UserID = (int) $_REQUEST['userid'];

 switch ($_REQUEST['dupeaction']) {
 	case 'remove':