XSS fixes

includes/general_stuff.php

@@ -56,7 +56,7 @@ function hideall() {
 google_ad_client = "pub-0959373285729680";
 google_alternate_ad_url = "http://text.happysnapper.net/?userid=06f45be90b9c7456f98f304d0cae3405&border=FFFFFF&bg=FFFFFF&nourl=www.cacert.org";
 google_ad_width = 728;
-google_ad_height = 60;
+google_ad_height = 90;
 google_ad_format = "728x90_as";
 google_color_link = "000000";
 google_color_url = "000000";
@@ -78,7 +78,7 @@ google_color_border = "FFFFFF";
       <a href="https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=4"><?=_("Password Login")?></a> 
       <a href="https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=5"><?=_("Lost Password")?></a>
       <a href="https://<?=$_SESSION['_config']['normalhostname']?>/index.php?id=4&amp;noauto=1"><?=_("Net Cafe Login")?></a> 
-      <a href="https://<?=$_SESSION['_config']['securehostname']?>/index.php?id=4"><?=_("Certificate Login")?></a>
+      <!-- a href="https://<?=$_SESSION['_config']['securehostname']?>/index.php?id=4"><?=_("Certificate Login")?></a -->
     </div>
     <div class="relatedLinks">
       <h3 onclick="explode('misc')"><?=_("Miscellaneous")?></h3>
@@ -89,7 +89,7 @@ google_color_border = "FFFFFF";
       <ul class="menu" id="trans"><? foreach($_SESSION['_config']['translations'] as $key => $val) { ?><li><a href="<?=$_SERVER['SCRIPT_NAME']?>?id=<?=$id?>&lang=<?=$key?>"><?=$val?></a></li><? } ?></ul>
     </div>
     <div class="relatedLinks">
-      <h3 onclick="explode('recom')"><?=_("Web Links")?></h3>
+      <h3 onclick="explode('recom')"><?=_("Advertising")?></h3>
       <ul class="menu" id="recom"><?
 	$query = "select * from `advertising` where `expires`>NOW() and `active`=1";
 	$res = mysql_query($query);

pages/gpg/0.php

@@ -16,7 +16,7 @@
 ?>
 <p><?=_("Paste your GPG key below...")?></p>
 <form method="post" action="gpg.php">
-<textarea name="CSR" cols="80" rows="15"><?=$_POST['CSR']?></textarea><br>
+<textarea name="CSR" cols="80" rows="15"><?=strip_tags($_POST['CSR'])?></textarea><br>
 <input type="submit" name="process" value="<?=_("Submit")?>">
 <input type="hidden" name="oldid" value="<?=$id?>">
 </form>

pages/index/4.php

@@ -16,26 +16,28 @@
 <? if($_SESSION['_config']['hostname'] == $_SESSION['_config']['securehostname']) { ?>
 <p><?=_("Warning! You've attempted to log into the system with a client certificate, but the login failed due to the certificate being expired, revoked or simply not valid for this site. You can login using your Email/Pass Phrase to get a new certificate, by clicking on 'Normal Login' to the right of your screen.")?></p>
 <? } else { ?>
-<p><?=_("Warning! This site requires cookies to be enabled to ensure your privacy and security. This site uses session cookies to store temporary values to prevent people from copying and pasting the session ID to someone else exposing their account, personal details and identity theft as a result.")?></p>
-<form method="post" action="index.php"<? if($_REQUEST['noauto'] == 1) echo " autocomplete='off'"; ?>>
+<style>
+.box {visibility:visible;background:#F5F7F7;border:2px solid #cccccc;position:absolute;top:25%;left:35%;height:250px;width:300px;padding:1em;}
+.smalltext {font-size:10px;}
+.story {visibility:hidden;}
+label {width:100px;display:block;float:left;}
+text {width:166px;display:block;float:left;}
+br {clear:left;}
+h1 {font-size:1.9em;text-align:center;}
+</style>
+<div class='box'>
+<form action='index.php' method='post'<? if($_REQUEST['noauto'] == 1) echo " autocomplete='off'"; ?>>
 <? if($_REQUEST['noauto'] == 1) { ?><input type="hidden" name="noauto" value="1"><? } ?>
-<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
-  <tr>
-    <td colspan="2" class="title"><?=_("Login")?></td>
-  </tr>
-  <tr>
-    <td class="DataTD" width="125"><?=_("Email Address")?>: </td>
-    <td class="DataTD" width="125"><input type="text" name="email" value="<?=strip_tags($_REQUEST['email'])?>"></td>
-  </tr>
-  <tr> 
-    <td class="DataTD"><?=_("Pass Phrase")?>: </td>
-    <td class="DataTD"><input type="password" name="pword"></td>
-  </tr> 
-  <tr>
-    <td class="DataTD" colspan="2"><input type="submit" name="process" value="<?=_("Login")?>"></td>
-  </tr>
-</table>     
+<h1><?=_("Login")?></h1>
+<p class='smalltext'><?=_("Warning! This site requires cookies to be enabled to ensure your privacy and security. This site uses session cookies to store temporary values to prevent people from copying and pasting the session ID to someone else exposing their account, personal details and identity theft as a result.")?></p>
+<label for="email"><?=_("Email Address")?>:</label><input type='text' name="email" value="<?=strip_tags($_REQUEST['email'])?>" /><br />
+<label for="pword"><?=_("Pass Phrase")?>:</label><input type='password' name='pword' /><br />
+<input type='submit' name="process" value="<?=_("Login")?>" /><br /><br />
+<a href='https://www.cacert.org/index.php?id=4'>Password Login</a> - 
+<a href='https://www.cacert.org/index.php?id=5'>Lost Password</a> - 
+<a href='https://www.cacert.org/index.php?id=4&amp;noauto=1'>Net Cafe Login</a><br />
+<p class='smalltext'><?=sprintf(_("If you are having trouble with your username or password, please visit our %swiki page%s for more information"), "<a href='http://wiki.cacert.org/wiki/FAQ/LostPasswordOrAccount' target='_new'>", "</a>");?></p>
 <input type="hidden" name="oldid" value="<?=$id?>">
-</form> 
+</form>
+</div>
 <? } ?>
-<p><?=sprintf(_("If you are having trouble with your username or password, please visit our %swiki page%s for more information"), "<a href='http://wiki.cacert.org/wiki/FAQ/LostPasswordOrAccount' target='_new'>", "</a>");?></p>

www/analyse.php

@@ -16,6 +16,8 @@
 	loadem("index");
 
 	showheader(_("Welcome to CAcert.org"));
+
+	
 	
 	if($_POST['csr'] == "")
 	{ ?>
@@ -25,8 +27,9 @@
 <p><input type="submit" name="process" value="<?=_("Analyse")?>"></p>
 </form>
 <?	} else {
-		echo $_POST['csr'];
+		echo "<pre>";
 		print_r(openssl_x509_parse(openssl_x509_read($_POST['csr'])));
+		echo "</pre>";
 	}
 	showfooter();
 ?>

www/api/ccsr.php

@@ -1,6 +1,6 @@
 <?
-	$username = mysql_escape_string($_REQUEST['username']);
-	$password = mysql_escape_string($_REQUEST['password']);
+	$username = mysql_real_escape_string($_REQUEST['username']);
+	$password = mysql_real_escape_string($_REQUEST['password']);
 
 	$query = "select * from `users` where `email`='$username' and (`password`=old_password('$password') or `password`=sha1('$password'))";
 	$res = mysql_query($query);
@@ -11,7 +11,7 @@
 	$emails = "";
 	foreach($_REQUEST['email'] as $email)
 	{
-		$email = mysql_escape_string(trim($email));
+		$email = mysql_real_escape_string(trim($email));
 		$query = "select * from `email` where `memid`='$memid' and `hash`='' and `deleted`=0 and `email`='$email'";
 		$res = mysql_query($query);
 		if(mysql_num_rows($res) > 0)
@@ -28,13 +28,14 @@
 	$points = $row['points'];
 
 	$name = "CAcert WoT User\n";
+	$newname = mysql_real_escape_string(trim($_REQUEST['name']));
 	if($points >= 50)
 	{
-		if($_REQUEST['name'] == $user['fname']." ".$user['lname'] ||
-			$_REQUEST['name'] == $user['fname']." ".$user['mname']." ".$user['lname'] ||
-			$_REQUEST['name'] == $user['fname']." ".$user['lname']." ".$user['suffix'] ||
-			$_REQUEST['name'] == $user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'])
-			$name = $_REQUEST['name'];
+		if($newname == $user['fname']." ".$user['lname'] ||
+			$newname == $user['fname']." ".$user['mname']." ".$user['lname'] ||
+			$newname == $user['fname']." ".$user['lname']." ".$user['suffix'] ||
+			$newname == $user['fname']." ".$user['mname']." ".$user['lname']." ".$user['suffix'])
+			$name = $newname;
 	}
 
 	$codesign = 0;