security fixes

pull/1/head
root 18 years ago
parent 589b2191f7
commit 3af71ece2a

@ -29,7 +29,7 @@
showfooter();
exit;
}
if(trim(mysql_escape_string(stripslashes($_REQUEST['newemail']))) == "")
if(trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail']))) == "")
{
showheader(_("My CAcert.org Account!"));
printf(_("Not a valid email address. Can't continue."), $_REQUEST['email']);
@ -37,7 +37,7 @@
exit;
}
unset($oldid);
$_REQUEST['email'] = trim(mysql_escape_string(stripslashes($_REQUEST['newemail'])));
$_REQUEST['email'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['newemail'])));
$query = "select * from `email` where `email`='".$_REQUEST['email']."' and `deleted`=0";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
@ -295,14 +295,14 @@
$query = "insert into `emailcerts` set `CN`='$defaultemail', `keytype`='MS',
`memid`='".$_SESSION['profile']['id']."',
`created`=FROM_UNIXTIME(UNIX_TIMESTAMP()),
`subject`='$csrsubject',
`subject`='".mysql_real_escape_string($csrsubject)."',
`codesign`='".$_SESSION['_config']['codesign']."',
`rootcert`='".$_SESSION['_config']['rootcert']."'";
mysql_query($query);
$emailid = mysql_insert_id();
if(is_array($addys))
foreach($addys as $addy)
mysql_query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='$addy'");
mysql_query("insert into `emaillink` set `emailcertsid`='$emailid', `emailid`='".mysql_real_escape_string($addy)."'");
$CSRname = $_SESSION['_config']['filepath']."/csr/client-$emailid.csr";
$fp = fopen($CSRname, "w");
fputs($fp, $csr);
@ -336,7 +336,7 @@
}
$newdom = trim(escapeshellarg($newdomain));
$newdomain = mysql_escape_string(trim($newdomain));
$newdomain = mysql_real_escape_string(trim($newdomain));
$res1 = mysql_query("select * from `orgdomains` where `domain`='$newdomain'");
$query = "select * from `domains` where `domain`='$newdomain' and `deleted`=0";
@ -367,7 +367,7 @@
$bits = explode(":", $line, 2);
$line = trim($bits[1]);
if(!in_array($line, $addy) && $line != "")
$addy[] = trim(mysql_escape_string(stripslashes($line)));
$addy[] = trim(mysql_real_escape_string(stripslashes($line)));
}
} else {
if(is_array($adds))
@ -384,7 +384,7 @@
$line = $bit;
}
if(!in_array($line, $addy) && $line != "")
$addy[] = trim(mysql_escape_string(stripslashes($line)));
$addy[] = trim(mysql_real_escape_string(stripslashes($line)));
}
}
@ -393,7 +393,7 @@
if(!in_array($sub, $addy))
$addy[] = $sub;
$_SESSION['_config']['addy'] = $addy;
$_SESSION['_config']['domain'] = mysql_escape_string($newdomain);
$_SESSION['_config']['domain'] = mysql_real_escape_string($newdomain);
}
if($_REQUEST['process'] != "" && $oldid == 8)
@ -401,7 +401,7 @@
unset($oldid);
$id = 8;
$authaddy = trim(mysql_escape_string(stripslashes($_POST['authaddy'])));
$authaddy = trim(mysql_real_escape_string(stripslashes($_POST['authaddy'])));
if($authaddy == "" || !is_array($_SESSION['_config']['addy']))
{
@ -419,7 +419,7 @@
exit;
}
$query = "select * from `domains` where `domain`='".$_SESSION['_config']['domain']."' and `deleted`=0";
$query = "select * from `domains` where `domain`='".mysql_real_escape_string($_SESSION['_config']['domain'])."' and `deleted`=0";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
@ -442,7 +442,7 @@
$hash = md5(fgets($rnd, 64));
fclose($rnd);
$query = "insert into `domains` set `domain`='".$_SESSION['_config']['domain']."',
$query = "insert into `domains` set `domain`='".mysql_real_escape_string($_SESSION['_config']['domain'])."',
`memid`='".$_SESSION['profile']['id']."',`created`=NOW(),`hash`='$hash'";
mysql_query($query);
$domainid = mysql_insert_id();
@ -563,15 +563,15 @@
if($_SESSION['_config']['rowid']['0'] > 0)
{
$query = "insert into `domaincerts` set `CN`='".$_SESSION['_config']['rows']['0']."',
`domid`='".$_SESSION['_config']['rowid']['0']."',
`created`=NOW(),`subject`='$subject',
`rootcert`='".$_SESSION['_config']['rootcert']."'";
$query = "insert into `domaincerts` set `CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
} else {
$query = "insert into `domaincerts` set `CN`='".$_SESSION['_config']['altrows']['0']."',
`domid`='".$_SESSION['_config']['altid']['0']."',
`created`=NOW(),`subject`='$subject',
`rootcert`='".$_SESSION['_config']['rootcert']."'";
$query = "insert into `domaincerts` set `CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
}
mysql_query($query);
$CSRid = mysql_insert_id();
@ -630,7 +630,7 @@
}
mysql_query("update `domaincerts` set `renewed`='1' where `id`='$id'");
$row = mysql_fetch_assoc($res);
$query = "insert into `domaincerts` set `domid`='".$row['domid']."', `CN`='".$row['CN']."',
$query = "insert into `domaincerts` set `domid`='".$row['domid']."', `CN`='".mysql_real_escape_string($row['CN'])."',
`csr_name`='".$row['csr_name']."', `created`='".$row['created']."',
`modified`=NOW(), `rootcert`='".$row['rootcert']."'";
mysql_query($query);
@ -679,7 +679,7 @@
if(!strstr($subject, "=$row/") &&
substr($subject, -strlen("=$row")) != "=$row")
$subject .= "/subjectAltName=$row";
$subject = mysql_real_escape_string($subject);
mysql_query("update `domaincerts` set `subject`='$subject',`csr_name`='$newfile' where `id`='$newid'");
echo _("Renewing").": ".$_SESSION['_config']['0.CN']."<br>\n";
@ -783,7 +783,7 @@
}
mysql_query("update `emailcerts` set `renewed`='1' where `id`='$id'");
$row = mysql_fetch_assoc($res);
$query = "insert into `emailcerts` set `memid`='".$row['memid']."', `CN`='".$row['CN']."',
$query = "insert into `emailcerts` set `memid`='".$row['memid']."', `CN`='".mysql_real_escape_string($row['CN'])."',
`keytype`='".$row['keytype']."', `csr_name`='".$row['csr_name']."',
`created`='".$row['created']."', `modified`=NOW(),
`rootcert`='".$row['rootcert']."'";
@ -883,23 +883,23 @@
if($oldid == 13 && $_REQUEST['process'] != "")
{
$_SESSION['_config']['user']['fname'] = trim(mysql_escape_string(stripslashes($fname)));
$_SESSION['_config']['user']['mname'] = trim(mysql_escape_string(stripslashes($mname)));
$_SESSION['_config']['user']['lname'] = trim(mysql_escape_string(stripslashes($lname)));
$_SESSION['_config']['user']['suffix'] = trim(mysql_escape_string(stripslashes($suffix)));
$_SESSION['_config']['user']['fname'] = trim(mysql_real_escape_string(stripslashes($fname)));
$_SESSION['_config']['user']['mname'] = trim(mysql_real_escape_string(stripslashes($mname)));
$_SESSION['_config']['user']['lname'] = trim(mysql_real_escape_string(stripslashes($lname)));
$_SESSION['_config']['user']['suffix'] = trim(mysql_real_escape_string(stripslashes($suffix)));
$_SESSION['_config']['user']['day'] = intval($day);
$_SESSION['_config']['user']['month'] = intval($month);
$_SESSION['_config']['user']['year'] = intval($year);
$_SESSION['_config']['user']['Q1'] = trim(mysql_escape_string(stripslashes($Q1)));
$_SESSION['_config']['user']['Q2'] = trim(mysql_escape_string(stripslashes($Q2)));
$_SESSION['_config']['user']['Q3'] = trim(mysql_escape_string(stripslashes($Q3)));
$_SESSION['_config']['user']['Q4'] = trim(mysql_escape_string(stripslashes($Q4)));
$_SESSION['_config']['user']['Q5'] = trim(mysql_escape_string(stripslashes($Q5)));
$_SESSION['_config']['user']['A1'] = trim(mysql_escape_string(stripslashes($A1)));
$_SESSION['_config']['user']['A2'] = trim(mysql_escape_string(stripslashes($A2)));
$_SESSION['_config']['user']['A3'] = trim(mysql_escape_string(stripslashes($A3)));
$_SESSION['_config']['user']['A4'] = trim(mysql_escape_string(stripslashes($A4)));
$_SESSION['_config']['user']['A5'] = trim(mysql_escape_string(stripslashes($A5)));
$_SESSION['_config']['user']['Q1'] = trim(mysql_real_escape_string(stripslashes($Q1)));
$_SESSION['_config']['user']['Q2'] = trim(mysql_real_escape_string(stripslashes($Q2)));
$_SESSION['_config']['user']['Q3'] = trim(mysql_real_escape_string(stripslashes($Q3)));
$_SESSION['_config']['user']['Q4'] = trim(mysql_real_escape_string(stripslashes($Q4)));
$_SESSION['_config']['user']['Q5'] = trim(mysql_real_escape_string(stripslashes($Q5)));
$_SESSION['_config']['user']['A1'] = trim(mysql_real_escape_string(stripslashes($A1)));
$_SESSION['_config']['user']['A2'] = trim(mysql_real_escape_string(stripslashes($A2)));
$_SESSION['_config']['user']['A3'] = trim(mysql_real_escape_string(stripslashes($A3)));
$_SESSION['_config']['user']['A4'] = trim(mysql_real_escape_string(stripslashes($A4)));
$_SESSION['_config']['user']['A5'] = trim(mysql_real_escape_string(stripslashes($A5)));
if($_SESSION['_config']['user']['Q1'] == "" || $_SESSION['_config']['user']['Q2'] == "" ||
$_SESSION['_config']['user']['Q3'] == "" || $_SESSION['_config']['user']['Q4'] == "" ||
@ -973,9 +973,9 @@
if($oldid == 14 && $_REQUEST['process'] != "")
{
$_SESSION['_config']['user']['oldpass'] = trim(mysql_escape_string(stripslashes($oldpassword)));
$_SESSION['_config']['user']['pword1'] = trim(mysql_escape_string(stripslashes($pword1)));
$_SESSION['_config']['user']['pword2'] = trim(mysql_escape_string(stripslashes($pword2)));
$_SESSION['_config']['user']['oldpass'] = trim(mysql_real_escape_string(stripslashes($oldpassword)));
$_SESSION['_config']['user']['pword1'] = trim(mysql_real_escape_string(stripslashes($pword1)));
$_SESSION['_config']['user']['pword2'] = trim(mysql_real_escape_string(stripslashes($pword2)));
$id = 14;
showheader(_("My CAcert.org Account!"));
@ -1013,7 +1013,7 @@
foreach($_POST['emails'] as $val)
{
$val = mysql_escape_string(stripslashes(trim($val)));
$val = mysql_real_escape_string(stripslashes(trim($val)));
$bits = explode("@", $val);
$count = count($bits);
if($count != 2)
@ -1030,7 +1030,7 @@
if($val != "")
$_SESSION['_config']['emails'][] = $val;
}
$_SESSION['_config']['name'] = mysql_escape_string(stripslashes(trim($name)));
$_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($name)));
}
if($oldid == 16 && (intval(count($_SESSION['_config']['emails'])) + 0) <= 0)
@ -1575,12 +1575,12 @@
if($oldid == 24 && $_REQUEST['process'] != "")
{
$id = intval($oldid);
$_SESSION['_config']['O'] = trim(mysql_escape_string(stripslashes($O)));
$_SESSION['_config']['contact'] = trim(mysql_escape_string(stripslashes($contact)));
$_SESSION['_config']['L'] = trim(mysql_escape_string(stripslashes($L)));
$_SESSION['_config']['ST'] = trim(mysql_escape_string(stripslashes($ST)));
$_SESSION['_config']['C'] = trim(mysql_escape_string(stripslashes($C)));
$_SESSION['_config']['comments'] = trim(mysql_escape_string(stripslashes($comments)));
$_SESSION['_config']['O'] = trim(mysql_real_escape_string(stripslashes($O)));
$_SESSION['_config']['contact'] = trim(mysql_real_escape_string(stripslashes($contact)));
$_SESSION['_config']['L'] = trim(mysql_real_escape_string(stripslashes($L)));
$_SESSION['_config']['ST'] = trim(mysql_real_escape_string(stripslashes($ST)));
$_SESSION['_config']['C'] = trim(mysql_real_escape_string(stripslashes($C)));
$_SESSION['_config']['comments'] = trim(mysql_real_escape_string(stripslashes($comments)));
if($_SESSION['_config']['O'] == "" || $_SESSION['_config']['contact'] == "")
{
@ -1602,12 +1602,12 @@
if($oldid == 27 && $_REQUEST['process'] != "")
{
$id = intval($oldid);
$_SESSION['_config']['O'] = trim(mysql_escape_string(stripslashes($O)));
$_SESSION['_config']['contact'] = trim(mysql_escape_string(stripslashes($contact)));
$_SESSION['_config']['L'] = trim(mysql_escape_string(stripslashes($L)));
$_SESSION['_config']['ST'] = trim(mysql_escape_string(stripslashes($ST)));
$_SESSION['_config']['C'] = trim(mysql_escape_string(stripslashes($C)));
$_SESSION['_config']['comments'] = trim(mysql_escape_string(stripslashes($comments)));
$_SESSION['_config']['O'] = trim(mysql_real_escape_string(stripslashes($O)));
$_SESSION['_config']['contact'] = trim(mysql_real_escape_string(stripslashes($contact)));
$_SESSION['_config']['L'] = trim(mysql_real_escape_string(stripslashes($L)));
$_SESSION['_config']['ST'] = trim(mysql_real_escape_string(stripslashes($ST)));
$_SESSION['_config']['C'] = trim(mysql_real_escape_string(stripslashes($C)));
$_SESSION['_config']['comments'] = trim(mysql_real_escape_string(stripslashes($comments)));
if($_SESSION['_config']['O'] == "" || $_SESSION['_config']['contact'] == "")
{
@ -1629,7 +1629,7 @@
if($oldid == 28 && $_REQUEST['process'] != "")
{
$domain = $_SESSION['_config']['domain'] = trim(mysql_escape_string(stripslashes($domainname)));
$domain = $_SESSION['_config']['domain'] = trim(mysql_real_escape_string(stripslashes($domainname)));
$res1 = mysql_query("select * from `orgdomains` where `domain`='$domain'");
if(mysql_num_rows($res1) > 0)
{
@ -1657,7 +1657,7 @@
if($oldid == 29 && $_REQUEST['process'] != "")
{
$domain = mysql_escape_string(stripslashes(trim($domainname)));
$domain = mysql_real_escape_string(stripslashes(trim($domainname)));
$res1 = mysql_query("select * from `orgdomains` where `domain` like '$domain' and `id`!='".$_SESSION['_config']['domid']."'");
$res2 = mysql_query("select * from `domains` where `domain` like '$domain' and `deleted`=0");
@ -1806,9 +1806,9 @@
$masteracc = $_SESSION['_config'][masteracc] = intval($masteracc);
else
$masteracc = $_SESSION['_config'][masteracc] = 0;
$_REQUEST['email'] = $_SESSION['_config']['email'] = mysql_escape_string(stripslashes(trim($_REQUEST['email'])));
$OU = $_SESSION['_config']['OU'] = mysql_escape_string(stripslashes(trim($OU)));
$comments = $_SESSION['_config']['comments'] = mysql_escape_string(stripslashes(trim($comments)));
$_REQUEST['email'] = $_SESSION['_config']['email'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['email'])));
$OU = $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($OU)));
$comments = $_SESSION['_config']['comments'] = mysql_real_escape_string(stripslashes(trim($comments)));
$res = mysql_query("select * from `users` where `email`='".$_REQUEST['email']."'");
if(mysql_num_rows($res) <= 0)
{
@ -1867,7 +1867,7 @@
if($oldid == 41)
{
$lang = mysql_escape_string($_POST['lang']);
$lang = mysql_real_escape_string($_POST['lang']);
foreach($_SESSION['_config']['translations'] as $key => $val)
{
if($key == $lang)
@ -1914,9 +1914,9 @@
$regid = intval($_REQUEST['regid']);
$newreg = intval($_REQUEST['newreg']);
$locid = intval($_REQUEST['locid']);
$name = mysql_escape_string($_REQUEST['name']);
$long = mysql_escape_string($_REQUEST['longitude']);
$lat = mysql_escape_string($_REQUEST['latitude']);
$name = mysql_real_escape_string($_REQUEST['name']);
$long = mysql_real_escape_string($_REQUEST['longitude']);
$lat = mysql_real_escape_string($_REQUEST['latitude']);
if($locid > 0 && $_REQUEST['action'] == "edit" && $name == htmlentities($name))
{
@ -2032,7 +2032,7 @@
{
echo _("No such user found.");
} else {
mysql_query("update `users` set `password`=sha1('".mysql_escape_string(stripslashes($_POST['newpass']))."') where `id`='".intval($_POST['userid'])."'");
mysql_query("update `users` set `password`=sha1('".mysql_real_escape_string(stripslashes($_POST['newpass']))."') where `id`='".intval($_POST['userid'])."'");
$row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".$_POST['userid']."'"));
printf(_("The password for %s has been updated successfully in the system."), $row['email']);
}
@ -2252,7 +2252,7 @@
`tverify`='$uid',
`memid`='".$_SESSION['profile']['id']."',
`when`=NOW(), `vote`='$vote',
`comment`='".mysql_escape_string($_POST['comment'])."'";
`comment`='".mysql_real_escape_string($_POST['comment'])."'";
mysql_query($query);
$rc = mysql_num_rows(mysql_query("select * from `tverify-vote` where `tverify`='$uid' and `vote`='1'"));
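Review bot: In the `@ -2032,7` hunk the lookup right after the fixed update still interpolates the raw `$_POST['userid']`, even though the line above it already uses `intval($_POST['userid'])` for the same value; it should read `$row = mysql_fetch_assoc(mysql_query("select * from `users` where `id`='".intval($_POST['userid'])."'"));`. The same one-column-only pattern appears in the renewal inserts of the `@ -630,7` and `@ -783,7` hunks, where `CN` is now escaped but `csr_name`, `created`, `keytype` and `rootcert` are copied from `$row` unescaped; a value is not safe to interpolate merely because it was read back from the database, so either escape those too or, since the row is just being copied, use an `insert ... select` and avoid re-interpolating it at all. Separately, `$newdomain` is escaped in the `@ -336,7` hunk, escaped again when stored into `$_SESSION['_config']['domain']` in the `@ -393,7` hunk, and a third time when that session value is read back in the `@ -419,7` and `@ -442,7` hunks, so any domain containing an escapable character is stored with extra backslashes; escape exactly once, at the point the SQL string is built, and keep the session copy raw. The `like '$domain'` comparisons in the `@ -1657,7` hunk also pass `%` and `_` through untouched, since mysql_real_escape_string does not treat them, so a domain containing either matches more rows than intended — use `=` there unless a pattern match is actually wanted.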

@ -4,17 +4,17 @@
if($_REQUEST['i'] != "")
echo "<html><body><script language=\"JavaScript\"><!--\n";
$s = mysql_escape_string($_REQUEST['s']);
$s = mysql_real_escape_string($_REQUEST['s']);
$id = $_REQUEST['id'];
$id = intval($_REQUEST['id']);
echo "parent._ac_rpc('$id',";
$bits = explode(",", $s);
$loc = trim(mysql_escape_string($bits['0']));
$reg = trim(mysql_escape_string($bits['1']));
$ccname = trim(mysql_escape_string($bits['2']));
$loc = trim(mysql_real_escape_string($bits['0']));
$reg = trim(mysql_real_escape_string($bits['1']));
$ccname = trim(mysql_real_escape_string($bits['2']));
$query = "select `locations`.`id` as `locid`, `locations`.`name` as `locname`, `regions`.`name` as `regname`,
`countries`.`name` as `ccname` from `locations`, `regions`, `countries` where
`locations`.`name` like '$loc%' and `regions`.`name` like '$reg%' and `countries`.`name` like '$ccname%' and
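Review bot: `$s = mysql_real_escape_string($_REQUEST['s']);` escapes the whole input and then each comma-separated piece is escaped again at `$loc = trim(mysql_real_escape_string($bits['0']));` and the two lines after it, so a quote or backslash in the input reaches the query doubly escaped and the LIKE comparison no longer matches what the user typed; drop the first escape and keep only the per-field ones, which are the values that actually enter the SQL string. The three `like '$loc%'` clauses also leave `%` and `_` alone, because mysql_real_escape_string does not touch them, so a prefix containing either acts as a wildcard rather than a literal; if literal matching is intended, apply `addcslashes($loc, '%_')` after the escape (after, so the added backslash is not itself doubled). `$bits['1']` and `$bits['2']` are read without checking that `explode` produced three parts, which raises a notice on short input and silently queries with empty prefixes. The `intval($_REQUEST['id'])` cast is the right treatment for the `parent._ac_rpc('$id',` echo as well as for the query, since that value lands inside a JavaScript string literal.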

@ -42,7 +42,7 @@
if($oldid == "0" && $_POST['CSR'] != "")
{
$gpgkey = $_POST['CSR'];
$gpg = `echo "$gpgkey"|gpg --with-colons --homedir /tmp 2>&1`;
$gpg = mysql_real_escape_string(trim(`echo "$gpgkey"|gpg --with-colons --homedir /tmp 2>&1`));
$lines = "";
foreach(explode("\n", $gpg) as $line)
{
@ -124,7 +124,7 @@
foreach($emailaddies as $email)
{
if(mysql_num_rows(mysql_query("select * from `email` where `memid`='".$_SESSION['profile']['id']."' and
`email`='$email' and `deleted`=0 and `hash`=''")) > 0)
`email`='".mysql_real_escape_string($email)."' and `deleted`=0 and `hash`=''")) > 0)
continue;
$_SESSION['_config']['errmsg'] = _("No suitable emails could be matched from your PGP/GPG keys to what we have in the database. ('$email')");
unset($_POST['process']);
@ -142,10 +142,10 @@
if($oldid == "0" && $_POST['CSR'] != "")
{
$query = "insert into `gpg` set `memid`='".$_SESSION['profile']['id']."',
`email`='".$emailaddies['0']."',
`email`='".mysql_real_escape_string($emailaddies['0'])."',
`level`='1',
`expires`='$expires',
`multiple`='$multiple'";
`expires`='".mysql_real_escape_string($expires)."',
`multiple`='".mysql_real_escape_string($multiple)."'";
mysql_query($query);
$id = mysql_insert_id();
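Review bot: In the `@ -42,7` hunk the new line wraps the entire gpg output in `mysql_real_escape_string(trim(...))` before it is parsed, and mysql_real_escape_string rewrites newline characters as the two-character sequence `\n`, so the `explode("\n", $gpg)` on the next line sees a single element and the per-line parsing in the rest of this block (which continues outside the hunk) stops working. The escape is also redundant at that point: the values derived from the parse are already escaped at the SQL boundary in the `@ -142,10` hunk (`$emailaddies['0']`, `$expires`, `$multiple`), so the wrapper should be removed and the line left as `trim(...)` of the command output; if the raw output is itself stored somewhere outside view, escape it at that insert instead. The larger issue the commit leaves untouched is that `$gpgkey` comes straight from `$_POST['CSR']` and is interpolated into a double-quoted shell command, which is a command-injection risk independent of the SQL fixes; at minimum quote it with `$gpg = trim(shell_exec('echo ' . escapeshellarg($gpgkey) . ' | gpg --with-colons --homedir /tmp 2>&1'));`, and preferably feed the key to gpg on stdin via `proc_open` so it never passes through the shell at all. `--homedir /tmp` additionally places the keyring in a shared, world-writable directory; a per-request temporary directory under a private path would be safer.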

@ -1,7 +1,7 @@
<?
if($process == "Confirm, I agree to these terms and conditions" && $iagree == "yes")
{
$output_file = $fname = "cacert-20060417.tar.bz2";
$output_file = $fname = "cacert-20060421.tar.bz2";
header('Pragma: public');
