From df7e3739f99ef0c192f7f1de3e1b8a56df4f9195 Mon Sep 17 00:00:00 2001 From: RussH Date: Tue, 6 Dec 2022 20:30:04 +0000 Subject: [PATCH] Hansmach1ne security fixes (#583) * Update CareersUI.php * SQL injection vulnerability fix in $entriesPerPage * Sanitize parameters against XSS attacks This commit fixes three XSS vulnerabilities. 1) 'indexFile' parameter /ajax.php?f=getPipelineJobOrder&joborderID=1&page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=15)">&isPopup=0 2) 'entriesPerPage' parameter /ajax.php?f=getPipelineJobOrder&joborderID=2&page=0&entriesPerPage=15)"> &sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 3)'joborderID' parameter /ajax.php?f=getPipelineJobOrder&joborderID=1)"> &page=0&entriesPerPage=1&sortBy=dateCreatedInt&sortDirection=desc&indexFile=index.php&isPopup=0 * Fix for two XSS vulnerabilities in toolbar This commit will fix two XSS vulnerabilities in toolbar module functionality. 1) GET parameter 'callback'. /index.php?m=toolbar&callback=&a=authenticate 2) GET parameter 'email' /index.php?m=toolbar&callback=&a=checkEmailIsInSystem&email= * RCE vulnerability fix via insecure deserialization * Fix SQL injection vulnerability in Tag deletion * FIX SQL injection vulnerability in Imports module Co-authored-by: Mateo <57464251+hansmach1ne@users.noreply.github.com> --- lib/Tags.php | 3 ++- modules/import/Import.php | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/Tags.php b/lib/Tags.php index ebc2a13fd..de3f5d159 100644 --- a/lib/Tags.php +++ b/lib/Tags.php @@ -94,7 +94,8 @@ public function delete($tagID) (tag_id = %s OR tag_parent_id = %s) AND site_id = %s", - $tagID, $tagID, + $this->_db->makeQueryString($tagID), + $this->_db->makeQueryString($tagID), $this->_siteID ); diff --git a/modules/import/Import.php b/modules/import/Import.php index 880b97775..be86656e1 100755 --- a/modules/import/Import.php +++ b/modules/import/Import.php 
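Review bot: Both `makeQueryString($tagID)` arguments in `Tags::delete()` treat a numeric key as a quoted string, so a non-numeric value (constructed example: `1abc`) is still sent to MySQL and matched by implicit string-to-number comparison, whose outcome depends on the server's SQL mode. Assuming `makeQueryString()` quotes and escapes its argument, the injection itself is closed, but `delete()` should reject anything that is not an integer before building the query, for example `if (!ctype_digit((string) $tagID)) { return false; }` with the failure value adjusted to what callers expect, or use an integer-specific helper such as `makeQueryInteger()` if the database class provides one. The same applies to `delete($importID)` in `modules/import/Import.php`. `$this->_siteID` is still formatted into the statement unquoted, which is safe only if it is always server-derived, and that is not visible here. The body of `delete()` starts and ends outside the hunk.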
@@ -122,7 +122,7 @@ public function delete($importID) import_id = %s AND site_id = %s", - $importID, + $this->_db->makeQueryString($importID), $this->_siteID ); $queryResult = $this->_db->query($sql); @@ -484,4 +484,4 @@ public function add($dataNamed, $userID, $importID) } -?> \ No newline at end of file +?>