Fix low severity stored xss in batch transfer wizard.

Revert `isEmail()` function to use regex rather than PHP `filter_var` which is vulnerable to xss :/
bigprof-software · Jul 10, 2021 · 6260f20 · 6260f20
1 parent 9d30d08
commit 6260f20
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 9 deletions.
diff --git a/app/admin/incFunctions.php b/app/admin/incFunctions.php
@@ -883,7 +883,7 @@ function bootstrapSQLSelect($name, $sql, $selectedValue, $class = '', $selectedC
 	}
 	########################################################################
 	function isEmail($email){
-		if(preg_match('/^([*+!.&#$¦\'\\%\/0-9a-z^_`{}=?~:-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,30})$/i', $email))
+		if(preg_match('/^([*+!.&#$¦\'\\%\/0-9a-z^_`{}=?~:-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,30})$/i', $email))
 			return $email;
 
 		return false;

diff --git a/app/admin/pageServerStatus.php b/app/admin/pageServerStatus.php
@@ -1,6 +1,6 @@
 <?php
 	$appgini_version = '6.0.1145';
-	$generated_ts = '10/7/2021 9:21:28 PM';
+	$generated_ts = '11/7/2021 1:52:42 AM';
 
 	$currDir = dirname(__FILE__);
 	require("{$currDir}/incCommon.php");

diff --git a/app/admin/pageTransferOwnership.php b/app/admin/pageTransferOwnership.php
@@ -46,8 +46,8 @@
 		}
 
 		// get group names
-		$sourceGroup=sqlValue("select name from membership_groups where groupID='$sourceGroupID'");
-		$destinationGroup=sqlValue("select name from membership_groups where groupID='$destinationGroupID'");
+		$sourceGroup = htmlspecialchars(sqlValue("SELECT `name` FROM `membership_groups` WHERE `groupID`='$sourceGroupID'"));
+		$destinationGroup = htmlspecialchars(sqlValue("SELECT `name` FROM `membership_groups` WHERE `groupID`='$destinationGroupID'"));
 
 		// begin transfer
 		if($moveMembers && $sourceMemberID != -1) {
@@ -170,7 +170,7 @@
 					<span class="pull-right text-success">
 						<i class="glyphicon glyphicon-ok"></i> 
 						<?php echo $Translation['source group']; ?>:
-						<b><?php echo sqlValue("select name from membership_groups where groupID='{$sourceGroupID}'"); ?></b>
+						<b><?php echo htmlspecialchars(sqlValue("SELECT `name` FROM `membership_groups` WHERE `groupID`='{$sourceGroupID}'")); ?></b>
 					</span>
 				<?php } ?>
 			</h3>
@@ -266,7 +266,7 @@
 						<span class="pull-right text-success">
 							<i class="glyphicon glyphicon-ok"></i> 
 							<?php echo $Translation['destination group']; ?>:
-							<b><?php echo sqlValue("select name from membership_groups where groupID='{$destinationGroupID}'"); ?></b>
+							<b><?php echo htmlspecialchars(sqlValue("SELECT `name` FROM `membership_groups` WHERE `groupID`='{$destinationGroupID}'")); ?></b>
 						</span>
 					<?php } ?>
 				</h3>

diff --git a/app/setup.php b/app/setup.php
@@ -28,8 +28,11 @@
 	(isset($_GET['finish'])    ? $finish = true :
 		false))));
 
-	function isEmail($email) {
-		return filter_var(trim($email), FILTER_VALIDATE_EMAIL);
+	function isEmail($email){
+		if(preg_match('/^([*+!.&#$¦\'\\%\/0-9a-z^_`{}=?~:-]+)@(([0-9a-z-]+\.)+[0-9a-z]{2,30})$/i', $email))
+			return $email;
+
+		return false;
 	}
 
 	function setup_allowed_username($username) {

diff --git a/orpm.axp b/orpm.axp