diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 5c151ec2e5..45df29ced8 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -65,6 +65,7 @@ p,ul,td {font-size:10pt;}
  • Fixed vulnerability allowing server side variable access in search - tendor
  • Fixed potential vulnerability in 2.0.5 login username entry - throw away/eomer
  • Fixed sql injection with reset date format field in profile - tendor
  • +
  • Fixed several vulnerabilities in modcp - Robert Lavierck
  • 1.ii. Changes since 2.0.4

diff --git a/phpBB/includes/emailer.php b/phpBB/includes/emailer.php
index 9a99fa1886..5220562a41 100755
--- a/phpBB/includes/emailer.php
+++ b/phpBB/includes/emailer.php
@@ -36,13 +36,14 @@ class emailer
 {
 $this->reset();
 $this->use_smtp = $use_smtp;
+ $this->reply_to = $this->from = '';
 }
 // Resets all the data (address, template file, etc etc to default
 function reset()
 {
 $this->addresses = array();
- $this->vars = $this->msg = $this->extra_headers = $this->replyto = $this->from = '';
+ $this->vars = $this->msg = $this->extra_headers = '';
 }
 // Sets an email address to send to
@@ -63,7 +64,7 @@ class emailer
 function replyto($address)
 {
- $this->replyto = trim($address);
+ $this->reply_to = trim($address);
 }
 function from($address)
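Review bot: The comment above `reset()` still says it resets all the data, but with this change `reply_to` and `from` are initialised only in the constructor and survive a `reset()` call, so the comment no longer matches what the method does. Replace it with `// Resets the per-message data (addresses, template vars, message body, extra headers); reply_to and from are kept until set again`. If `reset()` is how call sites prepare the object for the next message, they should know that a previously set Reply-to now carries over; the call sites are not visible from this hunk.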
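Review bot: `replyto()` only trims `$address` and accepts embedded CR/LF; `send()` (hunk @@ -191) then writes `Reply-to: $this->reply_to\n` straight into the header block, so a line break inside the address would terminate that header and begin another. Strip line terminators in the setter, `$this->reply_to = str_replace(array("\r", "\n"), '', trim($address));`, and do the same in `from()`, whose body lies outside the hunk. Whether any caller passes an address that originates from user input is not visible here, so this is a check at the boundary rather than a confirmed injection path.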
@@ -191,7 +192,7 @@ class emailer
 $bcc = (count($this->addresses['bcc'])) ? implode(', ', $this->addresses['bcc']) : '';
 // Build header
- $this->extra_headers = (($this->replyto != '') ? "Reply-to: $this->replyto\n" : '') . (($this->from != '') ? "From: $this->from\n" : "From: " . $board_config['board_email'] . "\n") . "Return-Path: " . $board_config['board_email'] . "\nMessage-ID: <" . md5(uniqid(time())) . "@" . $board_config['server_name'] . ">\nMIME-Version: 1.0\nContent-type: text/plain; charset=" . $this->encoding . "\nContent-transfer-encoding: 8bit\nDate: " . date('r', time()) . "\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: PHP\nX-MimeOLE: Produced By phpBB2\n" . $this->extra_headers . (($cc != '') ? "Cc: $cc\n" : '') . (($bcc != '') ? "Bcc: $bcc\n" : '');
+ $this->extra_headers = (($this->reply_to != '') ? "Reply-to: $this->reply_to\n" : '') . (($this->from != '') ? "From: $this->from\n" : "From: " . $board_config['board_email'] . "\n") . "Return-Path: " . $board_config['board_email'] . "\nMessage-ID: <" . md5(uniqid(time())) . "@" . $board_config['server_name'] . ">\nMIME-Version: 1.0\nContent-type: text/plain; charset=" . $this->encoding . "\nContent-transfer-encoding: 8bit\nDate: " . date('r', time()) . "\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: PHP\nX-MimeOLE: Produced By phpBB2\n" . $this->extra_headers . (($cc != '') ? "Cc: $cc\n" : '') . (($bcc != '') ? "Bcc: $bcc\n" : '');
 // Send message ... removed $this->encode() from subject for time being
 if ( $this->use_smtp )
@@ -260,7 +261,7 @@ class emailer
 $str = chunk_split(base64_encode($str), $length, $spacer);
 // remove trailing spacer and add start and end delimiters
- $str = preg_replace('#' . phpbb_preg_quote($spacer) . '$#', '', $str);
+ $str = preg_replace('#' . phpbb_preg_quote($spacer, '#') . '$#', '', $str);
 return $start . $str . $end;
 }
diff --git a/phpBB/modcp.php b/phpBB/modcp.php
index 7343f09fca..27c264d084 100644
--- a/phpBB/modcp.php
+++ b/phpBB/modcp.php
@@ -221,14 +221,30 @@ switch( $mode )
 {
 include($phpbb_root_path . 'includes/functions_search.'.$phpEx);
- $topics = ( isset($HTTP_POST_VARS['topic_id_list']) ) ? $HTTP_POST_VARS['topic_id_list'] : array($topic_id);
+ $topics = ( isset($HTTP_POST_VARS['topic_id_list']) ) ? $HTTP_POST_VARS['topic_id_list'] : array($topic_id);
 $topic_id_sql = '';
 for($i = 0; $i < count($topics); $i++)
 {
- $topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . $topics[$i];
+ $topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . intval($topics[$i]);
 }
+ $sql = "SELECT topic_id
+ FROM " . TOPICS_TABLE . "
+ WHERE topic_id IN ($topic_id_sql)
+ AND forum_id = $forum_id";
+ if ( !($result = $db->sql_query($sql)) )
+ {
+ message_die(GENERAL_ERROR, 'Could not get topic id information', '', __LINE__, __FILE__, $sql);
+ }
+
+ $topic_id_sql = '';
+ while ($row = $db->sql_fetchrow($result))
+ {
+ $topic_id_sql .= (($topic_id_sql != '') ? ', ' : '') . intval($row['topic_id']);
+ }
+ $db->sql_freeresult($result);
+
 $sql = "SELECT poster_id, COUNT(post_id) AS posts
 FROM " . POSTS_TABLE . "
 WHERE topic_id IN ($topic_id_sql)
@@ -269,7 +285,7 @@ switch( $mode )
 $post_id_sql = '';
 while ( $row = $db->sql_fetchrow($result) )
 {
- $post_id_sql .= ( ( $post_id_sql != '' ) ? ', ' : '' ) . $row['post_id'];
+ $post_id_sql .= ( ( $post_id_sql != '' ) ? ', ' : '' ) . intval($row['post_id']);
 }
 $db->sql_freeresult($result);
@@ -433,7 +449,7 @@ switch( $mode )
 message_die(GENERAL_MESSAGE, $lang['None_selected']);
 }
- $new_forum_id = $HTTP_POST_VARS['new_forum'];
+ $new_forum_id = intval($HTTP_POST_VARS['new_forum']);
 $old_forum_id = $forum_id;
 if ( $new_forum_id != $old_forum_id )
@@ -448,7 +464,8 @@ switch( $mode )
 $sql = "SELECT *
 FROM " . TOPICS_TABLE . "
- WHERE topic_id IN ($topic_list)
+ WHERE topic_id IN ($topic_list)
+ AND forum_id = $old_forum_id
 AND topic_status <> " . TOPIC_MOVED;
 if ( !($result = $db->sql_query($sql, BEGIN_TRANSACTION)) )
 {
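Review bot: After the new ownership query, `$topic_id_sql` is rebuilt from the result rows and is an empty string when none of the submitted ids belong to `$forum_id`; the following `SELECT poster_id ... WHERE topic_id IN ($topic_id_sql)` then becomes `IN ()`, a syntax error that ends in `message_die(GENERAL_ERROR, ..., $sql)` instead of a clean rejection. Add `if ( $topic_id_sql == '' ) { message_die(GENERAL_MESSAGE, $lang['None_selected']); }` directly after `$db->sql_freeresult($result);`. The same gap is in @@ -677, where `if ($post_id_sql != '')` is evaluated before the filter and `$post_id_sql` can be empty again once it has been rebuilt. Both hunks also interpolate `$forum_id` unquoted; I assume it is cast to int where it is read earlier in the file, which is outside the hunk.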
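Review bot: `intval()` maps a missing or non-numeric `new_forum` to 0, and because `0 != $old_forum_id` holds for every real forum, the move branch is entered with a destination of 0 unless a later check outside this hunk verifies that the forum exists. Reject it up front, `if ( $new_forum_id <= 0 ) { message_die(GENERAL_MESSAGE, $lang['<forum-not-found message key>']); }`, or better, look the destination up in the forums table before the comparison. If moderators are not meant to move topics into forums they do not moderate, the destination should also pass the same auth() lookup the source forum went through; that part of the flow is not visible here.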
@@ -582,12 +599,13 @@ switch( $mode )
 $topic_id_sql = '';
 for($i = 0; $i < count($topics); $i++)
 {
- $topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . $topics[$i];
+ $topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . intval($topics[$i]);
 }
 $sql = "UPDATE " . TOPICS_TABLE . "
 SET topic_status = " . TOPIC_LOCKED . "
 WHERE topic_id IN ($topic_id_sql)
+ AND forum_id = $forum_id
 AND topic_moved_id = 0";
 if ( !($result = $db->sql_query($sql)) )
 {
@@ -626,12 +644,13 @@ switch( $mode )
 $topic_id_sql = '';
 for($i = 0; $i < count($topics); $i++)
 {
- $topic_id_sql .= ( ( $topic_id_sql != "") ? ', ' : '' ) . $topics[$i];
+ $topic_id_sql .= ( ( $topic_id_sql != "") ? ', ' : '' ) . intval($topics[$i]);
 }
 $sql = "UPDATE " . TOPICS_TABLE . "
 SET topic_status = " . TOPIC_UNLOCKED . "
 WHERE topic_id IN ($topic_id_sql)
+ AND forum_id = $forum_id
 AND topic_moved_id = 0";
 if ( !($result = $db->sql_query($sql)) )
 {
@@ -677,6 +696,21 @@ switch( $mode )
 if ($post_id_sql != '')
 {
+ $sql = "SELECT post_id
+ FROM " . POSTS_TABLE . "
+ WHERE post_id IN ($post_id_sql)
+ AND forum_id = $forum_id";
+ if ( !($result = $db->sql_query($sql)) )
+ {
+ message_die(GENERAL_ERROR, 'Could not get post id information', '', __LINE__, __FILE__, $sql);
+ }
+
+ $post_id_sql = '';
+ while ($row = $db->sql_fetchrow($result))
+ {
+ $post_id_sql .= (($post_id_sql != '') ? ', ' : '') . intval($row['post_id']);
+ }
+ $db->sql_freeresult($result);
 $sql = "SELECT post_id, poster_id, topic_id, post_time
 FROM " . POSTS_TABLE . "
@@ -710,7 +744,7 @@ switch( $mode )
 $new_forum_id = intval($HTTP_POST_VARS['new_forum_id']);
 $topic_time = time();
-
+
 $sql = "INSERT INTO " . TOPICS_TABLE . " (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type)
 VALUES ('" . str_replace("\'", "''", $post_subject) . "', $first_poster, " . $topic_time . ", $new_forum_id, " . TOPIC_UNLOCKED . ", " . POST_NORMAL . ")";
 if (!($db->sql_query($sql, BEGIN_TRANSACTION)))
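Review bot: The lock and unlock hunks rebuild the id list with a hand-rolled loop that differs only in quoting (`!= ''` here, `!= ""` in @@ -626), and the same loop appears a third time in @@ -221; one expression does the job and removes the drift: `$topic_id_sql = implode(', ', array_map('intval', $topics));`. `$topics` is assembled before this hunk begins, so whether it is always a non-empty array is not visible here.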
@@ -901,7 +935,8 @@ switch( $mode )
 // Look up relevent data for this post
 $sql = "SELECT poster_ip, poster_id
 FROM " . POSTS_TABLE . "
- WHERE post_id = $post_id";
+ WHERE post_id = $post_id
+ AND forum_id = $forum_id";
 if ( !($result = $db->sql_query($sql)) )
 {
 message_die(GENERAL_ERROR, 'Could not get poster IP information', '', __LINE__, __FILE__, $sql);
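Review bot: With the added `forum_id` condition, a post that belongs to another forum now yields an empty result set rather than a row, but the hunk only checks that the query ran; the `sql_fetchrow()` that consumes `$result` lies after the hunk, and if it reads `$row['poster_ip']` without testing for false it will continue on a null row. Guard the fetch, `if ( !($row = $db->sql_fetchrow($result)) ) { message_die(GENERAL_MESSAGE, $lang['<post-not-found message key>']); }`. The enclosing case body starts and ends outside the hunk.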