Release v0.8.14

Causes missing parameters in $_GET query

CHANGELOG.md

@@ -1,13 +1,25 @@
 # Changelog
 
+## [0-8.14 - 27.11.2023]
+Security fixes.
+
+### Fixed
+* XSS vulnerability in bugtracker (https://github.com/slawkens/myaac/commit/83a91ec540072d319dd338abff45f8d5ebf48190)
+* XSS vulnerability in forum (https://github.com/slawkens/myaac/commit/d1bc63d07ad88a143358cacd2c417891eea74dcc + https://github.com/slawkens/myaac/commit/55dbade8d5280c5baed45e5f7ebc3613b8e9b9e8)
+* Session Fixation (https://github.com/slawkens/myaac/commit/483155cf4c1e3068aaee0d44541dfa61f6223379)
+* displaying ban info on account page (https://github.com/slawkens/myaac/commit/764db0c203d1826ffce3a5a78f83a97e56bd0685)
+
+### Changed
+* Clear some additional cache keys - like database cache (https://github.com/slawkens/myaac/commit/4327b66f915d06dce504211692173606b9ef3b4e)
+
 ## [0.8.13 - 16.09.2023]
 
 ### Added
-* latest client versions to config
+* latest client versions to config (https://github.com/slawkens/myaac/commit/765886f0c782807400c429577cde5e45bd7c308f)
-* patching from develop - twig context for hooks
+* patching from develop - twig context for hooks (https://github.com/slawkens/myaac/commit/f1670f4012cc7595433fe0b1937c1f9b15a60b07)
 
 ### Fixed
-* fixed XSS vulnerability in some pages
+* fixed XSS vulnerability in some pages (https://github.com/slawkens/myaac/commit/5c3b01aca4f3cfe8abc86b8ce48194b2da87b808)
 
 Nothing more or less!
 

admin/pages/items.php

@@ -10,8 +10,8 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Load items.xml';
 
-require LIBS . 'items.php';
+require_once LIBS . 'items.php';
-require LIBS . 'weapons.php';
+require_once LIBS . 'weapons.php';
 
 $twig->display('admin.items.html.twig');
 

common.php

@@ -26,7 +26,7 @@
 if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');
 
 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.13');
+define('MYAAC_VERSION', '0.8.14');
 define('DATABASE_VERSION', 33);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));

nginx-sample.conf

@@ -25,7 +25,7 @@ server {
 	}
 
 	location / {
-		try_files $uri $uri/ /index.php;
+		try_files $uri $uri/ /index.php?$query_string;;
 	}
 
 	location ~ \.php$ {

system/functions.php

@@ -1146,9 +1146,30 @@ function clearCache()
 		if ($cache->fetch('failed_logins', $tmp))
 			$cache->delete('failed_logins');
 
-		global $template_name;
+		foreach (get_templates() as $template) {
-		if ($cache->fetch('template_ini' . $template_name, $tmp))
+			if ($cache->fetch('template_ini_' . $template, $tmp)) {
-			$cache->delete('template_ini' . $template_name);
+				$cache->delete('template_ini_' . $template);
+			}
+		}
+
+		if ($cache->fetch('template_menus', $tmp)) {
+			$cache->delete('template_menus');
+		}
+		if ($cache->fetch('database_tables', $tmp)) {
+			$cache->delete('database_tables');
+		}
+		if ($cache->fetch('database_columns', $tmp)) {
+			$cache->delete('database_columns');
+		}
+		if ($cache->fetch('database_checksum', $tmp)) {
+			$cache->delete('database_checksum');
+		}
+		if ($cache->fetch('hooks', $tmp)) {
+			$cache->delete('hooks');
+		}
+		if ($cache->fetch('last_kills', $tmp)) {
+			$cache->delete('last_kills');
+		}
 	}
 
 	deleteDirectory(CACHE . 'signatures', ['index.html'], true);

system/login.php

@@ -94,6 +94,7 @@ else
 				&& (!isset($t) || $t['attempts'] < 5)
 				)
 			{
+				session_regenerate_id();
 				setSession('account', $account_logged->getId());
 				setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
 				if($remember_me) {

system/pages/bugtracker.php

@@ -181,9 +181,9 @@ $showed = $post = $reply = false;
                     $value = '<span style="color: red">[CLOSED]</span>';
 
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
 
                 $answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -274,7 +274,7 @@ $showed = $post = $reply = false;
                         $bgcolor = $light;
                     }
 
-                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
 
                     $showed=true;
                 }

system/pages/forum/edit_post.php

@@ -37,6 +37,10 @@ if(Forum::canPost($account_logged))
 				$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
 				$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
 
+				if (!superAdmin()) {
+					$html = 0;
+				}
+
 				$length = strlen($post_topic);
 				if(($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
 					$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";

system/pages/forum/new_post.php

@@ -33,6 +33,11 @@ if(Forum::canPost($account_logged))
 		$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 		$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
 		$saved = false;
+
+		if (!superAdmin()) {
+			$html = 0;
+		}
+		
 		if(isset($_REQUEST['quote']))
 		{
 			$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();

system/pages/forum/new_thread.php

@@ -26,6 +26,11 @@ if(Forum::canPost($account_logged))
 			$post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
 			$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
 			$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
+
+			if (!superAdmin()) {
+				$html = 0;
+			}
+
 			$saved = false;
 			if (isset($_REQUEST['save'])) {
 				$length = strlen($post_topic);

templates/tibiacom/account.management.html.twig

@@ -35,7 +35,7 @@
 			<td>
 				<img src="{{ template_path }}/images/content/headline-bracer-left.gif" />
 			</td>
-			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message }}<br/></td>
+			<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message|raw }}<br/></td>
 			<td><img src="{{ template_path }}/images/content/headline-bracer-right.gif" /></td>
 		</tr>
 	</table>