Digitalstack/myaac
2
0
Fork 0
mirror of https://github.com/slawkens/myaac.git synced 2025-09-14 12:33:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Digitalstack:v0.8.13
Branches Tags
Digitalstack:main Digitalstack:feature/2fa Digitalstack:feature/plugins-versions-check Digitalstack:0.8 Digitalstack:feature/pot-hook-filter Digitalstack:feature/highscores-customize Digitalstack:develop Digitalstack:feature/twig-hooks-filters Digitalstack:feature/app-rewrite Digitalstack:feature/account-actions-ip-rework Digitalstack:feature/docker Digitalstack:feature/refactor-account-lost Digitalstack:feature-tables-headline Digitalstack:feature/phpstan Digitalstack:feature/eloquent-db-dump Digitalstack:feature/debug-bar Digitalstack:feature/csrf Digitalstack:0.9 Digitalstack:feature/cronjob Digitalstack:feature/settings Digitalstack:feature/new-router Digitalstack:feature/recaptcha-v3-plus-login Digitalstack:0.7
Digitalstack:v1.8.1 Digitalstack:v1.8 Digitalstack:v1.7.1 Digitalstack:v1.7 Digitalstack:v1.6.1 Digitalstack:v0.8.24 Digitalstack:v1.6 Digitalstack:v1.5 Digitalstack:v0.8.23 Digitalstack:v1.4 Digitalstack:v1.3.3 Digitalstack:v1.3.2 Digitalstack:v1.3.1 Digitalstack:v1.3 Digitalstack:v1.2 Digitalstack:v1.1 Digitalstack:v0.8.22 Digitalstack:v1.0.1 Digitalstack:v1.0 Digitalstack:v0.8.21 Digitalstack:v0.8.20 Digitalstack:v0.8.19 Digitalstack:v1.0-RC Digitalstack:v0.8.18 Digitalstack:v1.0-beta Digitalstack:v0.8.17 Digitalstack:v0.8.16 Digitalstack:v0.8.15 Digitalstack:v0.8.14 Digitalstack:v0.8.13 Digitalstack:v0.8.12 Digitalstack:v0.8.11 Digitalstack:v0.9.0-alpha Digitalstack:v0.8.10 Digitalstack:v0.8.9 Digitalstack:v0.8.8 Digitalstack:v0.8.7 Digitalstack:v0.8.6 Digitalstack:v0.7.12a Digitalstack:v0.7.11 Digitalstack:v0.7.10 Digitalstack:v0.7.9 Digitalstack:v0.7.8 Digitalstack:v0.7.7 Digitalstack:v0.7.6 Digitalstack:v0.7.5 Digitalstack:v0.7.4 Digitalstack:v0.7.3 Digitalstack:v0.7.1 Digitalstack:v0.7.0 Digitalstack:v0.6.6 Digitalstack:v0.6.5 Digitalstack:v0.6.4 Digitalstack:v0.6.3 Digitalstack:v0.6.2 Digitalstack:v0.6.1 Digitalstack:v0.6.0 Digitalstack:v0.5.1 Digitalstack:v0.5.0 Digitalstack:v0.4.3 Digitalstack:v0.4.2 Digitalstack:v0.4.1 Digitalstack:v0.4.0 Digitalstack:v0.3.1 Digitalstack:v0.3.0 Digitalstack:v0.2.4 Digitalstack:v0.2.3 Digitalstack:v0.2.2 Digitalstack:v0.2.1 Digitalstack:v0.2.0 Digitalstack:v0.1.5 Digitalstack:v0.1.4 Digitalstack:v0.1.3 Digitalstack:v0.1.1 Digitalstack:v0.1.2 Digitalstack:v0.1.0 Digitalstack:v0.0.6 Digitalstack:v0.0.5 Digitalstack:v0.0.4 Digitalstack:v0.0.3 Digitalstack:v0.0.2 Digitalstack:v0.0.1
...
compare: Digitalstack:v0.8.15
Branches Tags
Digitalstack:feature/2fa Digitalstack:main Digitalstack:feature/plugins-versions-check Digitalstack:0.8 Digitalstack:feature/pot-hook-filter Digitalstack:feature/highscores-customize Digitalstack:develop Digitalstack:feature/twig-hooks-filters Digitalstack:feature/app-rewrite Digitalstack:feature/account-actions-ip-rework Digitalstack:feature/docker Digitalstack:feature/refactor-account-lost Digitalstack:feature-tables-headline Digitalstack:feature/phpstan Digitalstack:feature/eloquent-db-dump Digitalstack:feature/debug-bar Digitalstack:feature/csrf Digitalstack:0.9 Digitalstack:feature/cronjob Digitalstack:feature/settings Digitalstack:feature/new-router Digitalstack:feature/recaptcha-v3-plus-login Digitalstack:0.7
Digitalstack:v1.8.1 Digitalstack:v1.8 Digitalstack:v1.7.1 Digitalstack:v1.7 Digitalstack:v1.6.1 Digitalstack:v0.8.24 Digitalstack:v1.6 Digitalstack:v1.5 Digitalstack:v0.8.23 Digitalstack:v1.4 Digitalstack:v1.3.3 Digitalstack:v1.3.2 Digitalstack:v1.3.1 Digitalstack:v1.3 Digitalstack:v1.2 Digitalstack:v1.1 Digitalstack:v0.8.22 Digitalstack:v1.0.1 Digitalstack:v1.0 Digitalstack:v0.8.21 Digitalstack:v0.8.20 Digitalstack:v0.8.19 Digitalstack:v1.0-RC Digitalstack:v0.8.18 Digitalstack:v1.0-beta Digitalstack:v0.8.17 Digitalstack:v0.8.16 Digitalstack:v0.8.15 Digitalstack:v0.8.14 Digitalstack:v0.8.13 Digitalstack:v0.8.12 Digitalstack:v0.8.11 Digitalstack:v0.9.0-alpha Digitalstack:v0.8.10 Digitalstack:v0.8.9 Digitalstack:v0.8.8 Digitalstack:v0.8.7 Digitalstack:v0.8.6 Digitalstack:v0.7.12a Digitalstack:v0.7.11 Digitalstack:v0.7.10 Digitalstack:v0.7.9 Digitalstack:v0.7.8 Digitalstack:v0.7.7 Digitalstack:v0.7.6 Digitalstack:v0.7.5 Digitalstack:v0.7.4 Digitalstack:v0.7.3 Digitalstack:v0.7.1 Digitalstack:v0.7.0 Digitalstack:v0.6.6 Digitalstack:v0.6.5 Digitalstack:v0.6.4 Digitalstack:v0.6.3 Digitalstack:v0.6.2 Digitalstack:v0.6.1 Digitalstack:v0.6.0 Digitalstack:v0.5.1 Digitalstack:v0.5.0 Digitalstack:v0.4.3 Digitalstack:v0.4.2 Digitalstack:v0.4.1 Digitalstack:v0.4.0 Digitalstack:v0.3.1 Digitalstack:v0.3.0 Digitalstack:v0.2.4 Digitalstack:v0.2.3 Digitalstack:v0.2.2 Digitalstack:v0.2.1 Digitalstack:v0.2.0 Digitalstack:v0.1.5 Digitalstack:v0.1.4 Digitalstack:v0.1.3 Digitalstack:v0.1.1 Digitalstack:v0.1.2 Digitalstack:v0.1.0 Digitalstack:v0.0.6 Digitalstack:v0.0.5 Digitalstack:v0.0.4 Digitalstack:v0.0.3 Digitalstack:v0.0.2 Digitalstack:v0.0.1

18 Commits
v0.8.13 ... v0.8.15

Author SHA1 Message Date
slawkens
e3aa3d4031 Release v 0.8.15 2023-12-09 00:14:16 +01:00
slawkens
156a68f8bd Update phplint.yml 2023-12-09 00:11:01 +01:00
slawkens
6a28da5d33 Update phplint.yml 2023-12-09 00:04:20 +01:00
slawkens
ee32384dca Seems there was more XSS in bugtracker 2023-12-08 23:45:13 +01:00
slawkens
19afd73e8a This is better 2023-11-29 15:48:03 +01:00
slawkens
eead6a2975 Fix exception showing 2023-11-28 17:11:04 +01:00
slawkens
11b11dd3ee Release v0.8.14 2023-11-27 23:31:45 +01:00
slawkens
483155cf4c Prevent session fixation 2023-11-27 23:16:51 +01:00
slawkens
55dbade8d5 Fix XSS in forum 2023-11-27 22:58:24 +01:00
slawkens
d1bc63d07a Fix forum XSS 2023-11-27 22:58:00 +01:00
slawkens
83a91ec540 Fix XSS in bugtracker.php 2023-11-27 20:28:43 +01:00
slawkens
7b43c972dd Fix missing query_string in nginx sample config 
Causes missing parameters in $_GET query
 2023-11-25 16:34:57 +01:00
slawkens
3fdf1d3f44 require_once is better 2023-11-05 20:13:31 +01:00
slawkens
764db0c203 Fix display ban info on account page 
https://otland.net/threads/myacc-bans-display-problem.286825/
 2023-11-02 22:06:07 +01:00
slawkens
538076bc45 My fault 2023-09-26 22:00:45 +02:00
slawkens
4327b66f91 Clear some additional cache keys 2023-09-26 20:45:50 +02:00
slawkens
3f27724569 Update common.php 2023-09-16 10:46:17 +02:00
slawkens
9c0c2bbece Update CHANGELOG.md 2023-09-16 10:45:54 +02:00
12 changed files with 81 additions and 24 deletions
Expand all files Collapse all files

2
.github/workflows/phplint.yml vendored
View File

@@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: overtrue/phplint@7.4
- uses: overtrue/phplint@3.4.0
with:
path: .
options: --exclude="system/libs/polyfill-mbstring/bootstrap80.php"

22
CHANGELOG.md
View File

@@ -1,13 +1,29 @@
# Changelog
## [0.8.15 - 09.12.2023]
More security fixes, especially in bugtracker.
## [0-8.14 - 27.11.2023]
Security fixes.
### Fixed
* XSS vulnerability in bugtracker (https://github.com/slawkens/myaac/commit/83a91ec540072d319dd338abff45f8d5ebf48190)
* XSS vulnerability in forum (https://github.com/slawkens/myaac/commit/d1bc63d07ad88a143358cacd2c417891eea74dcc + https://github.com/slawkens/myaac/commit/55dbade8d5280c5baed45e5f7ebc3613b8e9b9e8)
* Session Fixation (https://github.com/slawkens/myaac/commit/483155cf4c1e3068aaee0d44541dfa61f6223379)
* displaying ban info on account page (https://github.com/slawkens/myaac/commit/764db0c203d1826ffce3a5a78f83a97e56bd0685)
### Changed
* Clear some additional cache keys - like database cache (https://github.com/slawkens/myaac/commit/4327b66f915d06dce504211692173606b9ef3b4e)
## [0.8.13 - 16.09.2023]
### Added
* latest client versions to config
* patching from develop - twig context for hooks
* latest client versions to config (https://github.com/slawkens/myaac/commit/765886f0c782807400c429577cde5e45bd7c308f)
* patching from develop - twig context for hooks (https://github.com/slawkens/myaac/commit/f1670f4012cc7595433fe0b1937c1f9b15a60b07)
### Fixed
* fixed XSS vulnerability in some pages
* fixed XSS vulnerability in some pages (https://github.com/slawkens/myaac/commit/5c3b01aca4f3cfe8abc86b8ce48194b2da87b808)
Nothing more or less!

4
admin/pages/items.php
View File

@@ -10,8 +10,8 @@
defined('MYAAC') or die('Direct access not allowed!');
$title = 'Load items.xml';
require LIBS . 'items.php';
require LIBS . 'weapons.php';
require_once LIBS . 'items.php';
require_once LIBS . 'weapons.php';
$twig->display('admin.items.html.twig');

9
common.php
View File

@@ -26,7 +26,7 @@
if (version_compare(phpversion(), '7.2.5', '<')) die('PHP version 7.2.5 or higher is required.');
define('MYAAC', true);
define('MYAAC_VERSION', '0.8.13');
define('MYAAC_VERSION', '0.8.15');
define('DATABASE_VERSION', 33);
define('TABLE_PREFIX', 'myaac_');
define('START_TIME', microtime(true));
@@ -100,6 +100,10 @@ for($i = 1; $i < $size; $i++)
$basedir = str_replace(array('/admin', '/install', '/tools'), '', $basedir);
define('BASE_DIR', $basedir);
if (file_exists(BASE . 'config.local.php')) {
require BASE . 'config.local.php';
}
if(!IS_CLI) {
if (isset($_SERVER['HTTP_HOST'][0])) {
$baseHost = $_SERVER['HTTP_HOST'];
@@ -116,7 +120,8 @@ if(!IS_CLI) {
define('ADMIN_URL', SERVER_URL . BASE_DIR . '/admin/');
//define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
if(@$config['env'] === 'dev') {
require SYSTEM . 'exception.php';
}
}
require SYSTEM . 'autoload.php';

2
nginx-sample.conf
View File

@@ -25,7 +25,7 @@ server {
}
location / {
try_files $uri $uri/ /index.php;
try_files $uri $uri/ /index.php?$query_string;;
}
location ~ \.php$ {

27
system/functions.php
View File

@@ -1146,9 +1146,30 @@ function clearCache()
if ($cache->fetch('failed_logins', $tmp))
$cache->delete('failed_logins');
global $template_name;
if ($cache->fetch('template_ini' . $template_name, $tmp))
$cache->delete('template_ini' . $template_name);
foreach (get_templates() as $template) {
if ($cache->fetch('template_ini_' . $template, $tmp)) {
$cache->delete('template_ini_' . $template);
}
}
if ($cache->fetch('template_menus', $tmp)) {
$cache->delete('template_menus');
}
if ($cache->fetch('database_tables', $tmp)) {
$cache->delete('database_tables');
}
if ($cache->fetch('database_columns', $tmp)) {
$cache->delete('database_columns');
}
if ($cache->fetch('database_checksum', $tmp)) {
$cache->delete('database_checksum');
}
if ($cache->fetch('hooks', $tmp)) {
$cache->delete('hooks');
}
if ($cache->fetch('last_kills', $tmp)) {
$cache->delete('last_kills');
}
}
deleteDirectory(CACHE . 'signatures', ['index.html'], true);

1
system/login.php
View File

@@ -94,6 +94,7 @@ else
&& (!isset($t) || $t['attempts'] < 5)
)
{
session_regenerate_id();
setSession('account', $account_logged->getId());
setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
if($remember_me) {

20
system/pages/bugtracker.php
View File

@@ -54,7 +54,7 @@ $showed = $post = $reply = false;
$value = '<span style="color: blue">[NEW ANSWER]</span>';
echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
echo '<TR BGCOLOR="'.$light.'"><td><i><b>Posted by</b></i></td><td>';
foreach($players as $player)
@@ -64,7 +64,7 @@ $showed = $post = $reply = false;
echo '</td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2><i><b>Description</b></i></td></tr>';
echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
echo '<TR BGCOLOR="'.$light.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
echo '</TABLE>';
$answers = $db->query('SELECT * FROM '.$db->tableName(TABLE_PREFIX . 'bugtracker').' where `account` = '.$_REQUEST['acc'].' and `id` = '.$_REQUEST['id'].' and `type` = 2 order by `reply`');
@@ -75,10 +75,10 @@ $showed = $post = $reply = false;
else
$who = '<span style="color: green">[PLAYER]</span>';
echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
echo '</TABLE>';
}
if($bug[2]['status'] != 3)
@@ -137,7 +137,7 @@ $showed = $post = $reply = false;
elseif($report['status'] == 1)
$value = '<span style="color: blue">[NEW ANSWER]</span>';
echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
echo '<TR BGCOLOR="' . getStyle($i) . '"><td width=75%><a href="?subtopic=bugtracker&control=true&id='.$report['id'].'&acc='.$report['account'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
$showed=true;
$i++;
@@ -181,9 +181,9 @@ $showed = $post = $reply = false;
$value = '<span style="color: red">[CLOSED]</span>';
echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
echo '</TABLE>';
$answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -194,10 +194,10 @@ $showed = $post = $reply = false;
else
$who = '<span style="color: green">[YOU]</span>';
echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.$answer['reply'].'</B></TD></TR>';
echo '<br><TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Answer #'.escapeHtml($answer['reply']).'</B></TD></TR>';
echo '<TR BGCOLOR="'.$dark.'"><td width=70%><i><b>Posted by</b></i></td><td>'.$who.'</td></tr>';
echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($answer['text']).'</td></tr>';
echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($answer['text'])).'</td></tr>';
echo '</TABLE>';
}
if($bug[2]['status'] != 3)
@@ -274,7 +274,7 @@ $showed = $post = $reply = false;
$bgcolor = $light;
}
echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
$showed=true;
}

4
system/pages/forum/edit_post.php
View File

@@ -37,6 +37,10 @@ if(Forum::canPost($account_logged))
$smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
$html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
if (!superAdmin()) {
$html = 0;
}
$length = strlen($post_topic);
if(($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
$errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";

5
system/pages/forum/new_post.php
View File

@@ -33,6 +33,11 @@ if(Forum::canPost($account_logged))
$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
$saved = false;
if (!superAdmin()) {
$html = 0;
}
if(isset($_REQUEST['quote']))
{
$quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = ".(int) $quote)->fetchAll();

5
system/pages/forum/new_thread.php
View File

@@ -26,6 +26,11 @@ if(Forum::canPost($account_logged))
$post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
$smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
$html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
if (!superAdmin()) {
$html = 0;
}
$saved = false;
if (isset($_REQUEST['save'])) {
$length = strlen($post_topic);

2
templates/tibiacom/account.management.html.twig
View File

@@ -35,7 +35,7 @@
<td>
<img src="{{ template_path }}/images/content/headline-bracer-left.gif" />
</td>
<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message }}<br/></td>
<td style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;" >{{ welcome_message|raw }}<br/></td>
<td><img src="{{ template_path }}/images/content/headline-bracer-right.gif" /></td>
</tr>
</table>