From 3c70b55ae36de4c33de9c78fda7417d7c53245ee Mon Sep 17 00:00:00 2001 From: Mark Samman Date: Wed, 29 Oct 2014 19:32:48 +0100 Subject: [PATCH 1/7] Fix SQL injection in admin_reports.php --- admin_reports.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin_reports.php b/admin_reports.php index 1f735e7..2185b95 100644 --- a/admin_reports.php +++ b/admin_reports.php @@ -41,9 +41,9 @@ if (!empty($_POST)) { $customPoints = getValue($_POST['customPoints']); $reportId = getValue($_POST['id']); - $changelogReportId = &$_POST['changelogReportId']; + $changelogReportId = (int)$_POST['changelogReportId']; $changelogValue = &$_POST['changelogValue']; - $changelogText = &$_POST['changelogText']; + $changelogText = getValue($_POST['changelogText']); $changelogStatus = ($changelogReportId !== false && $changelogValue === '2' && $changelogText !== false) ? true : false; if ($customPoints !== false) $price = (int)($price + $customPoints); From 7a265593b8002780e7941703a412d9c2e2ff29d2 Mon Sep 17 00:00:00 2001 From: Mark Samman Date: Wed, 29 Oct 2014 19:35:19 +0100 Subject: [PATCH 2/7] Fix SQL injection in ipn.php --- ipn.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipn.php b/ipn.php index 2ffb09f..208b521 100644 --- a/ipn.php +++ b/ipn.php @@ -65,9 +65,9 @@ $payment_status = $_POST['payment_status']; $payment_amount = $_POST['mc_gross']; $payment_currency = $_POST['mc_currency']; - $txn_id = $_POST['txn_id']; - $receiver_email = $_POST['receiver_email']; - $payer_email = $_POST['payer_email']; + $txn_id = getValue($_POST['txn_id']); + $receiver_email = getValue($_POST['receiver_email']); + $payer_email = getValue($_POST['payer_email']); $custom = (int)$_POST['custom']; $connectedIp = $_SERVER['REMOTE_ADDR']; From 48363b655ae8ba83232b16dcffd7672be70ea3c8 Mon Sep 17 00:00:00 2001 
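Review bot: The `(int)` cast on the new `$changelogReportId` line makes the `$changelogReportId !== false` test inside `$changelogStatus` two lines below unconditionally true, because `(int)` returns 0 rather than false for a missing or non-numeric value, so the "report id was supplied" part of that condition is lost and an absent key also raises a PHP notice. I would keep the presence check explicit: `$changelogReportId = isset($_POST['changelogReportId']) ? (int)$_POST['changelogReportId'] : false;`. The untouched `$changelogValue = &$_POST['changelogValue'];` between the two edits is still a raw reference into `$_POST`; it is only compared with `=== '2'` in the visible lines, but if it reaches the database anywhere past the hunk it should go through `getValue()` like its neighbours. The enclosing `if (!empty($_POST))` block starts and ends outside the hunk.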
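Review bot: `$payment_status`, `$payment_amount` and `$payment_currency` on the first three context lines are still taken straight from `$_POST` while the three lines under them now go through `getValue()`; if any of them is stored or echoed later in the file, the injection class this commit fixes is still present there, so they should be treated the same way. The amount in particular should be validated as a number rather than merely escaped, e.g. `if (!is_numeric($_POST['mc_gross'])) { exit; }` before the assignment, since a string escape does nothing for the price comparison that presumably follows. The `(int)$_POST['custom']` context line has the same missing-key notice problem as the other handlers. None of this replaces verifying the IPN message back with PayPal; whether that happens is not visible in this hunk.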
From: Mark Samman Date: Wed, 29 Oct 2014 19:36:39 +0100 Subject: [PATCH 3/7] Increase security of ipn.php --- ipn.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipn.php b/ipn.php index 208b521..b53f473 100644 --- a/ipn.php +++ b/ipn.php @@ -1,4 +1,7 @@ Date: Wed, 29 Oct 2014 19:42:16 +0100 Subject: [PATCH 4/7] Fix SQL injections in paygol_ipn.php --- paygol_ipn.php | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/paygol_ipn.php b/paygol_ipn.php index 3fd715c..56af350 100644 --- a/paygol_ipn.php +++ b/paygol_ipn.php @@ -10,18 +10,18 @@ if(!in_array($_SERVER['REMOTE_ADDR'], } // get the variables from PayGol system -$message_id = $_GET['message_id']; -$service_id = $_GET['service_id']; -$shortcode = $_GET['shortcode']; -$keyword = $_GET['keyword']; -$message = $_GET['message']; -$sender = $_GET['sender']; -$operator = $_GET['operator']; -$country = $_GET['country']; -$custom = $_GET['custom']; -$points = $_GET['points']; -$price = $_GET['price']; -$currency = $_GET['currency']; +$message_id = getValue($_GET['message_id']); +$service_id = getValue($_GET['service_id']); +$shortcode = getValue($_GET['shortcode']); +$keyword = getValue($_GET['keyword']); +$message = getValue($_GET['message']); +$sender = getValue($_GET['sender']); +$operator = getValue($_GET['operator']); +$country = getValue($_GET['country']); +$custom = getValue($_GET['custom']); +$points = getValue($_GET['points']); +$price = getValue($_GET['price']); +$currency = getValue($_GET['currency']); $paygol = $config['paygol']; $new_points = $paygol['points']; From c5c94974a1f6546d3594340daaf2d824ba9b0b6e Mon Sep 17 00:00:00 2001 From: Mark Samman Date: Wed, 29 Oct 2014 19:43:13 +0100 Subject: [PATCH 5/7] Fix SQL injection in adminreport.lua --- LUA/TFS_10/talkaction report system/adminreport.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
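Review bot: `$custom`, `$points` and `$price` are numeric by intent but the new lines only string-escape them through `getValue()`, so a non-numeric value still reaches whatever arithmetic or query follows; ipn.php in the same series casts `custom` with `(int)`, and this handler should match it: `$custom = (int)$_GET['custom']; $points = (int)$_GET['points'];` with `$price` checked by `is_numeric()` before use, since its expected format is not visible here. Whether `getValue()` returns false for an absent key is also not visible; if it does, the values need a check before they are compared with `$paygol['points']` further down. The `in_array($_SERVER['REMOTE_ADDR'], …)` allowlist shown in the hunk header is the only authentication of this callback, which holds only if no reverse proxy rewrites REMOTE_ADDR in this deployment.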
diff --git a/LUA/TFS_10/talkaction report system/adminreport.lua b/LUA/TFS_10/talkaction report system/adminreport.lua
index 43c9b16..b4777ac 100644
--- a/LUA/TFS_10/talkaction report system/adminreport.lua
+++ b/LUA/TFS_10/talkaction report system/adminreport.lua
@@ -10,7 +10,7 @@ function onSay(cid, words, param, channel)
 end
 if player:getStorageValue(storage) <= os.time() then
 player:sendTextMessage(MESSAGE_INFO_DESCR, "Your report has been received successfully!")
- db.query("INSERT INTO `znote_player_reports` (`id` ,`name` ,`posx` ,`posy` ,`posz` ,`report_description` ,`date`)VALUES (NULL , '" .. player:getName() .. "', '" .. player:getPosition().x .. "', '" .. player:getPosition().y .. "', '" .. player:getPosition().z .. "', " .. db.escapeString(param) .. ", '" .. os.time() .. "')")
+ db.query("INSERT INTO `znote_player_reports` (`id` ,`name` ,`posx` ,`posy` ,`posz` ,`report_description` ,`date`)VALUES (NULL , " .. db.escapeString(player:getName()) .. ", '" .. player:getPosition().x .. "', '" .. player:getPosition().y .. "', '" .. player:getPosition().z .. "', " .. db.escapeString(param) .. ", '" .. os.time() .. "')")
 player:setStorageValue(storage, os.time() + delaytime)
 else
 player:sendTextMessage(MESSAGE_STATUS_WARNING, "You have to wait " .. player:getStorageValue(storage) - os.time() .. " seconds to report again.")
From 496f71a4be0bccd1ea884dc0e308162af5c9bdf4 Mon Sep 17 00:00:00 2001
From: Mark Samman
Date: Wed, 29 Oct 2014 19:48:09 +0100
Subject: [PATCH 6/7] Fix SQL injection in user_character_data
---
 engine/function/users.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/engine/function/users.php b/engine/function/users.php
index ac1571c..cb84607 100644
--- a/engine/function/users.php
+++ b/engine/function/users.php
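Review bot: The success message on the context line above the changed `db.query(...)` is sent before the INSERT runs and the query's result is discarded, so a failed insert still tells the player the report was received and still starts the cooldown on the line below. If `db.query` returns a boolean in this TFS build, as it does in TFS 1.x, the query should run first and the two follow-up actions should branch on it, as sketched below. The escaping itself is right: the name and the free-text `param` are the only string values, and the positions and timestamp are numbers. `onSay` begins before the hunk and ends after it.
```lua
if player:getStorageValue(storage) <= os.time() then
	local inserted = db.query("INSERT INTO `znote_player_reports` (`id` ,`name` ,`posx` ,`posy` ,`posz` ,`report_description` ,`date`)VALUES (NULL , " .. db.escapeString(player:getName()) .. ", '" .. player:getPosition().x .. "', '" .. player:getPosition().y .. "', '" .. player:getPosition().z .. "', " .. db.escapeString(param) .. ", '" .. os.time() .. "')")
	if inserted then
		player:sendTextMessage(MESSAGE_INFO_DESCR, "Your report has been received successfully!")
		player:setStorageValue(storage, os.time() + delaytime)
	else
		player:sendTextMessage(MESSAGE_STATUS_WARNING, "Your report could not be saved, please try again.")
	end
-- … unchanged: cooldown warning branch …
```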
@@ -1233,7 +1233,7 @@ function user_count_accounts() {
 */
 function user_character_data($user_id) {
 $data = array();
- $user_id = sanitize($user_id);
+ $user_id = (int)$user_id;
 $func_num_args = func_num_args();
 $func_get_args = func_get_args();
 if ($func_num_args > 1) {
From 601c2fcc71f13caef78563d676c78e3118d509a7 Mon Sep 17 00:00:00 2001
From: Mark Samman
Date: Wed, 29 Oct 2014 19:50:36 +0100
Subject: [PATCH 7/7] Increase max password length from 32 to 100
---
 changepassword.php | 4 ++--
 register.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/changepassword.php b/changepassword.php
index 0027d5c..8c698ec 100644
--- a/changepassword.php
+++ b/changepassword.php
@@ -29,8 +29,8 @@ if (empty($_POST) === false) {
 $errors[] = 'Your new passwords do not match.';
 } else if (strlen($_POST['new_password']) < 6) {
 $errors[] = 'Your new passwords must be at least 6 characters.';
- } else if (strlen($_POST['new_password']) > 32) {
- $errors[] = 'Your new passwords must be less than 33 characters.';
+ } else if (strlen($_POST['new_password']) > 100) {
+ $errors[] = 'Your new passwords must be less than 100 characters.';
 }
 } else {
 $errors[] = 'Your current password is incorrect.';
diff --git a/register.php b/register.php
index 6286972..93b2bc3 100644
--- a/register.php
+++ b/register.php
@@ -57,8 +57,8 @@ if (empty($_POST) === false) {
 if (strlen($_POST['password']) < 6) {
 $errors[] = 'Your password must be at least 6 characters.';
 }
- if (strlen($_POST['password']) > 33) {
- $errors[] = 'Your password must be less than 33 characters.';
+ if (strlen($_POST['password']) > 100) {
+ $errors[] = 'Your password must be less than 100 characters.';
 }
 if ($_POST['password'] !== $_POST['password_again']) {
 $errors[] = 'Your passwords do not match.';
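Review bot: The `(int)` cast on the changed line silently maps any non-numeric `$user_id` to 0, which is acceptable for a primary-key lookup but worth one comment so nobody reinstates `sanitize()` thinking escaping was lost: `// cast rather than escape: $user_id is only used as a numeric key`. The extra arguments collected by `func_get_args()` two lines below are not sanitized anywhere in the visible hunk; if they are column names or values interpolated into the query further down, as the variadic signature suggests, the injection class this commit fixes is still present there, though the query itself is outside the hunk. `user_character_data` continues past the hunk.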
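Review bot: The new error text on the second added line contradicts the new condition on the line above it: `> 100` rejects 101 characters and up, so a 100-character password is accepted while the message says it must be "less than 100". I would change the message rather than the check: `$errors[] = 'Your new password must be no more than 100 characters.';`. `strlen()` counts bytes, so a multibyte password hits the limit sooner than the message implies; `mb_strlen()` would match user expectations if the mbstring extension is available, which the hunk does not show. Whether the hash used later truncates long input (bcrypt stops at 72 bytes) is also not visible and would be worth confirming before advertising a 100-character limit. The enclosing `if (empty($_POST) === false)` block starts and ends outside the hunk.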
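Review bot: Same off-by-one as in changepassword.php: the added `> 100` check admits exactly 100 characters while the added message says "less than 100", so the message should read `$errors[] = 'Your password must be no more than 100 characters.';`. The removed lines show the two forms had already drifted (32 in changepassword.php versus 33 here), so rather than hard-coding 100 twice I would read the bound from one place, e.g. a `$config['password_max_length']` entry the way paygol_ipn.php reads `$config['paygol']`, so they cannot disagree again. The enclosing `if (empty($_POST) === false)` block starts and ends outside the hunk.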