
Security fixes
openSISAdmin committed Sep 13, 2021
1 parent 043230e commit a2d6179
Showing 12 changed files with 245 additions and 293 deletions.
Binary file added .vs/slnx.sqlite
Binary file not shown.
8 changes: 5 additions & 3 deletions Ajax.php
Expand Up @@ -27,8 +27,10 @@
#
#***************************************************************************************

include("functions/ParamLibFnc.php");
session_start();
isset($_SESSION['login']) or die('Access denied!');

include "functions/ParamLibFnc.php";
echo '<script type="text/javascript" src="assets/js/pages/components_popups.js"></script>';
echo '<script type="text/javascript" src="assets/js/pages/picker_date.js"></script>';
echo '<script type="text/javascript" src="assets/js/pages/form_checkboxes_radios.js"></script>';
Expand Down Expand Up @@ -164,7 +166,6 @@
// For Eligibility
'eligibility/Student.php'
);
// echo "<pre>";print_r($_REQUEST);echo "</pre>";

if ($count_student_RET[1]['NUM'] > 1) {
$title_set = 'y';
Expand Down Expand Up @@ -258,7 +259,8 @@
if (Preferences('SEARCH') != 'Y' && substr(clean_param($modname, PARAM_NOTAGS), 0, 6) != 'users/')
$_REQUEST['search_modfunc'] = 'list';

include('modules/' . $modname);
if (preg_match('/\.\./', $modname) !== 1)
include 'modules/' . $modname;
}
else {
if (User('USERNAME')) {
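Review bot: The new guard `if (preg_match('/\.\./', $modname) !== 1) include 'modules/' . $modname;` only filters the two-dot sequence and otherwise includes whatever `$modname` names under `modules/`, with no error, log entry or response when the check rejects; the same three lines are repeated in ForExport.php, ForWindow.php and Modules.php. A stricter form that all four files could share from functions/ParamLibFnc.php resolves the path and confirms it stays inside the modules directory, e.g. `$path = realpath(__DIR__ . '/../modules/' . $modname);` followed by including only when `$path !== false && str_starts_with($path, realpath(__DIR__ . '/../modules') . DIRECTORY_SEPARATOR)` — or, better still, compares `$modname` against a fixed list of module files (the array ending in `'eligibility/Student.php'` above looks like such a list, though its purpose is not visible here). `str_starts_with` needs PHP 8; `strncmp` does the same on older versions. The enclosing `if`/`else` around the include starts and ends outside the hunk.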
33 changes: 31 additions & 2 deletions Ajax_url_encode.php
@@ -1,7 +1,36 @@
<?php

#**************************************************************************
# openSIS is a free student information system for public and non-public
# schools from Open Solutions for Education, Inc. web: www.os4ed.com
#
# openSIS is web-based, open source, and comes packed with features that
# include student demographic info, scheduling, grade book, attendance,
# report cards, eligibility, transcripts, parent portal,
# student portal and more.
#
# Visit the openSIS web site at http://www.opensis.com to learn more.
# If you have question regarding this system or the license, please send
# an email to info@os4ed.com.
#
# This program is released under the terms of the GNU General Public License as
# published by the Free Software Foundation, version 2 of the License.
# See license.txt.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#***************************************************************************************

require_once 'functions/UrlFnc.php';

$encoded_url = encode_url($_REQUEST['link_url']);
echo $encoded_url;
?>

echo htmlentities($encoded_url);

?>
13 changes: 9 additions & 4 deletions ForExport.php
Expand Up @@ -25,10 +25,13 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#***************************************************************************************
include("functions/ParamLibFnc.php");

session_start();
isset($_SESSION['login']) or die('Access denied!');
include "functions/ParamLibFnc.php";
//include("functions/UrlFnc.php");
include('RedirectRootInc.php');
// include('functions/SqlSecurityFnc.php');
include 'RedirectRootInc.php';

//$url=validateQueryString(curPageURL());
//if($url===FALSE)
// {
Expand Down Expand Up @@ -123,7 +126,9 @@
{
if(Preferences('SEARCH')!='Y')
$_REQUEST['search_modfunc'] = 'list';
include('modules/'.$modname);

if (preg_match('/\.\./', $modname) !== 1)
include 'modules/' . $modname;
}
else
{
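Review bot: `isset($_SESSION['login']) or die('Access denied!');` stops the script but answers with HTTP 200 and a bare text body, so the client, proxies and any monitoring see a denied request as a successful one; the same line is added in Ajax.php, ForWindow.php, Modules.php and functions/HackingLogFnc.php. Prefer `if (!isset($_SESSION['login'])) { http_response_code(403); exit('Access denied!'); }` in each place. If ForExport.php serves downloads, as its name suggests, a 403 also keeps a caller from saving the denial text as the exported file. The session check runs before `include "functions/ParamLibFnc.php"`, which is correct, since nothing from that library is needed to make the decision.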
15 changes: 12 additions & 3 deletions ForWindow.php
Expand Up @@ -26,16 +26,23 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#***************************************************************************************
session_start();
isset($_SESSION['login']) or die('Access denied!');
include "functions/ParamLibFnc.php";

include("functions/ParamLibFnc.php");
$url = validateQueryString(curPageURL());
if ($url === FALSE) {
header('Location: index.php');
}
include('RedirectRootInc.php');

include 'RedirectRootInc.php';

error_reporting(E_ERROR);

$start_time = time();

include 'Warehouse.php';

array_rwalk($_REQUEST, 'strip_tags');

$css = getCSS();
Expand Down Expand Up @@ -109,7 +116,9 @@
if ($allowed) {
if (Preferences('SEARCH') != 'Y')
$_REQUEST['search_modfunc'] = 'list';
include('modules/' . $modname);

if (preg_match('/\.\./', $modname) !== 1)
include 'modules/' . $modname;
}
else {
if (User('USERNAME')) {
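Review bot: The `if ($url === FALSE) { header('Location: index.php'); }` block directly below the new session check sends a redirect but does not stop the script, so the rest of ForWindow.php (the `Warehouse.php` include, `getCSS()` and the module include further down) still executes for a request that failed `validateQueryString`; the same pattern closes the first hunk of Modules.php. These lines are context rather than part of this commit, but the commit is labelled as security fixes and the two checks now sit side by side. Add `exit;` after the `header()` call in both files. What `validateQueryString` rejects is not visible in this hunk.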
12 changes: 9 additions & 3 deletions Modules.php
Expand Up @@ -26,10 +26,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#***************************************************************************************

error_reporting(0);
session_start();
isset($_SESSION['login']) or die('Access denied!');

include 'RedirectRootInc.php';
include "functions/ParamLibFnc.php";

include('RedirectRootInc.php');
include("functions/ParamLibFnc.php");
$url = validateQueryString(curPageURL());
if ($url === FALSE) {
header('Location: index.php');
Expand Down Expand Up @@ -1046,7 +1050,9 @@

if (Preferences('SEARCH') != 'Y' && substr(clean_param($modname, PARAM_NOTAGS), 0, 6) != 'users/')
$_REQUEST['search_modfunc'] = 'list';
include('modules/' . $modname);

if (preg_match('/\.\./', $modname) !== 1)
include 'modules/' . $modname;
}
else {
if (User('USERNAME')) {
3 changes: 2 additions & 1 deletion functions/HackingLogFnc.php
Expand Up @@ -25,7 +25,8 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#***************************************************************************************

session_start();
isset($_SESSION['login']) or die('Access denied!');
function HackingLog()
{
echo ""._youReNotAllowedToUseThisProgram."! "._thisAttemptedViolationHasBeenLoggedAndYourIpAddressWasCaptured.".";
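Review bot: Placing `session_start();` and `isset($_SESSION['login']) or die('Access denied!');` at file scope of a function library means every script that includes functions/HackingLogFnc.php now runs them on include: a second `session_start()` after the one the entry scripts already make raises a PHP notice (a session had already been started), and any page that loads this library before login — the login flow itself, if it reports failed attempts through `HackingLog()` — would die with 'Access denied!'. The access check belongs in the entry scripts, where this commit already adds it. If the library must ensure a session, guard it with `if (session_status() === PHP_SESSION_NONE) { session_start(); }` and drop the `die`. Whether any pre-login path includes this file is not visible here.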
28 changes: 18 additions & 10 deletions install/Ins4.php
Expand Up @@ -25,27 +25,35 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
#***************************************************************************************

error_reporting(0);
session_start();

$_SESSION['admin_name'] = $_POST['auname'];
$_SESSION['admin_pwd'] = md5($_POST['apassword']);


require_once("../functions/PragRepFnc.php");
require_once "../functions/PragRepFnc.php";
//mysql_select_db($_SESSION['db']);
$dbconn = new mysqli($_SESSION['server'],$_SESSION['username'],$_SESSION['password'],$_SESSION['db'],$_SESSION['port']);
if($dbconn->connect_errno!=0)
{
echo "<h2>" . $dbconn->error . "</h2>\n";
exit;
}
$sql="update staff set first_name='$_POST[fname]',last_name='$_POST[lname]',middle_name='$_POST[mname]', profile_id=0 where staff_id=1 ";
{
echo "<h2>" . $dbconn->error . "</h2>\n";
exit;
}

$_POST['fname'] = strip_tags(urldecode($_POST['fname']));
$_POST['lname'] = strip_tags(urldecode($_POST['lname']));
$_POST['mname'] = strip_tags(urldecode($_POST['mname']));

$sql = "UPDATE staff SET first_name = '" . $_POST['fname'] . "', last_name = '" . $_POST['lname'] . "', middle_name = '" . $_POST['mname'] . "', profile_id = 0 WHERE staff_id = 1";
$result = $dbconn->query($sql);
$sql="update login_authentication set username='".$_SESSION['admin_name']."', password='".$_SESSION['admin_pwd']."' WHERE user_id=1 AND profile_id=0";

$sql = "UPDATE login_authentication SET username='".$_SESSION['admin_name']."', password='".$_SESSION['admin_pwd']."' WHERE user_id=1 AND profile_id=0";
$dbconn->query($sql);

$dbconn->close();
//mysqli_close($dbconn);


header('Location: Step5.php');
?>

?>
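Review bot: The `strip_tags(urldecode(...))` lines still leave `$_POST['fname']`, `$_POST['lname']` and `$_POST['mname']` concatenated unescaped into the `UPDATE staff` statement, and `$_SESSION['admin_name']` (set from `$_POST['auname']` a few lines up) into the `UPDATE login_authentication` one, so a quote in any of them still breaks or alters the query; `strip_tags` removes markup, not SQL metacharacters. Both statements should be prepared with `mysqli::prepare()` and bound with `bind_param()` as below. `urldecode()` on `$_POST` is also a second decode — PHP has already decoded the form body — so a literal `%27` or `+` in a submitted name is turned into `'` or a space here; drop it unless the form deliberately double-encodes. Separately, on a failed connect `$dbconn->error` is likely empty while `$dbconn->connect_error` carries the message; that branch is otherwise unchanged by this commit.
```php
// … unchanged: error_reporting, session setup, connection …
$fname = strip_tags($_POST['fname']);
$lname = strip_tags($_POST['lname']);
$mname = strip_tags($_POST['mname']);

$stmt = $dbconn->prepare('UPDATE staff SET first_name = ?, last_name = ?, middle_name = ?, profile_id = 0 WHERE staff_id = 1');
$stmt->bind_param('sss', $fname, $lname, $mname);
$stmt->execute();
$stmt->close();

$stmt = $dbconn->prepare('UPDATE login_authentication SET username = ?, password = ? WHERE user_id = 1 AND profile_id = 0');
$stmt->bind_param('ss', $_SESSION['admin_name'], $_SESSION['admin_pwd']);
$stmt->execute();
$stmt->close();
// … unchanged: $dbconn->close() and redirect to Step5.php …
```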
112 changes: 8 additions & 104 deletions install/Step5.php
Expand Up @@ -116,11 +116,13 @@

if ($fh == TRUE) {

$THIS_server = sqlSecurityFilterIns($_SESSION['server']);
$THIS_username = sqlSecurityFilterIns($_SESSION['username']);
$THIS_password = sqlSecurityFilterIns($_SESSION['password']);
$THIS_db = sqlSecurityFilterIns($_SESSION['db']);
$THIS_port = sqlSecurityFilterIns($_SESSION['port']);
include '../functions/SqlSecurityFnc.php';

$THIS_server = sqlSecurityFilter($_SESSION['server'], 'no');
$THIS_username = sqlSecurityFilter($_SESSION['username'], 'no');
$THIS_password = sqlSecurityFilter($_SESSION['password'], 'no');
$THIS_db = sqlSecurityFilter($_SESSION['db'], 'no');
$THIS_port = sqlSecurityFilter($_SESSION['port'], 'no');

$string .= "<" . "?php \n";
$string .= "$" . "DatabaseType = 'mysqli'; \n";
Expand Down Expand Up @@ -229,106 +231,8 @@
</body></html>
";
}

session_unset();
session_destroy();

function sqlSecurityFilterIns($variableName = '')
{
$variable = $variableName;
$check_stream = array('union ', 'select ', 'concat', 'concat_ws', 'create ', 'update ', 'insert ', 'delete ', 'extract ', 'drop ', 'truncate ', 'where ', 'trim ', 'format ', 'union%20', 'select%20', 'create%20', 'update%20', 'insert%20', 'delete%20', 'extract%20', 'drop%20', 'truncate%20', 'where%20', 'trim%20', 'format%20', ';', '\'', '--', '../', '..%2f', 'skip-grant-tables');

if ($variable != '') {
$checker = 0;
$checker_k = 0;
$checker_v = 0;
if (is_array($variable)) {

$filter_data = array();
$neat_key = '';
$neat_val = '';

foreach ($variable as $onekey => $oneval) {

$k_check_1 = strip_tags($onekey);
$k_check_2 = addslashes($k_check_1);
// $k_check_3 = mysqli_real_escape_string($connection, $k_check_2);
$k_check_4 = strtolower($k_check_2);

$v_check_1 = strip_tags($oneval);
$v_check_2 = addslashes($v_check_1);
// $v_check_3 = mysqli_real_escape_string($connection, $v_check_2);
$v_check_4 = strtolower($v_check_2);

foreach ($check_stream as $one_check) {
if (strpos($k_check_4, $one_check) !== false)
{
$checker_k++;
}

if(strpos($v_check_4, $one_check) !== false)
{
$checker_v++;
}
}

if(is_array($oneval))
{
$get_child_ret = sqlSecurityFilterIns($oneval); // being recursive

$filter_data[$k_check_3] = $get_child_ret;
}
else
{
if($checker_k != 0 || $checker_v != 0)
{
unset($variable[$onekey]);
}
else
{
unset($variable[$onekey]);

// if(is_array($oneval))
// {
// $get_child_ret = sqlSecurityFilter($oneval); // being recursive

// $filter_data[$k_check_3] = $get_child_ret;
// }
// else
// {
$filter_data[$k_check_3] = $v_check_3;
// }
}
}

// $filter_data[] = $variable;
}

return $filter_data;

unset($checker);
unset($checker_k);
unset($checker_v);
} else {
$check_1 = strip_tags($variable);
$check_2 = addslashes($check_1);
// $check_3 = mysqli_real_escape_string($connection, $check_2);
$check_4 = strtolower($check_2);

foreach ($check_stream as $one_check) {
if (strpos($check_4, $one_check) !== false) {
$checker++;
}
}

if ($checker == 0) {
return $check_2;
} else {
return '';
}
}
} else {
return $variableName;
}
}

?>
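Review bot: The five `sqlSecurityFilter($_SESSION[...], 'no')` calls screen the database settings for SQL keywords, but these values are not going into a query — they are written into a generated PHP config file as quoted literals (`$string .= "$" . "DatabaseType = 'mysqli'; \n";` and the lines that follow, mostly outside this hunk), so the escaping that matters is for a single-quoted PHP string: `'` and `\`. A password containing a quote, `--` or `;` would, depending on what `sqlSecurityFilter` does with its `'no'` argument (not visible here), either be written unescaped and break the config file or be silently emptied, as the deleted `sqlSecurityFilterIns` did on any keyword match. Build each assignment with `var_export($value, true)`, which produces a correctly escaped literal, and pass the raw session values through unfiltered. The file-writing code this feeds starts in the first hunk and runs past its end.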
