This repository has been archived by the owner on Oct 12, 2021. It is now read-only.

Fixed XSS on classes/options/zip.php
Th3-822 committed Sep 11, 2021
1 parent e771690 commit 885a87e
Showing 1 changed file with 13 additions and 14 deletions.
27 changes: 13 additions & 14 deletions classes/options/zip.php
@@ -1,8 +1,8 @@
<?php
function zip() {
global $list, $options, $PHP_SELF;
global $list, $options;
?>
<form name="ziplist" method="post" action="<?php echo $PHP_SELF; ?>"><input type="hidden" name="act" value="zip_go" />
<form name="ziplist" method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>"><input type="hidden" name="act" value="zip_go" />
<table cellspacing="5">
<tr>
<td align="center"><strong>Adding files to a ZIP archive</strong></td>
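Review bot: In the `<form>` tag, `$_SERVER['SCRIPT_NAME']` is still echoed into the `action` attribute without output escaping. Unlike `PHP_SELF`, `SCRIPT_NAME` does not include the trailing path info from the request, so dropping the global `$PHP_SELF` removes the request-controlled part, but the attribute should not depend on that alone. Suggest `action="<?php echo htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>"` so the value is encoded for an attribute context whatever it contains, and a short comment saying why `$PHP_SELF` was dropped.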
@@ -42,7 +42,7 @@ function zip() {
function zip_go() {
global $list, $options;
$saveTo = realpath ( $options['download_dir'] ) . '/';
$_POST ["archive"] = (strlen ( trim ( urldecode ( $_POST ["archive"] ) ) ) > 4 && substr ( trim ( urldecode ( $_POST ["archive"] ) ), - 4 ) == ".zip") ? trim ( urldecode ( $_POST ["archive"] ) ) : "archive.zip";
$_POST ["archive"] = (strlen ( trim ( urldecode ($_POST['archive']) ) ) > 4 && substr ( trim ( urldecode ($_POST['archive']) ), - 4 ) == ".zip") ? trim ( urldecode ($_POST['archive']) ) : "archive.zip";
$_POST ["archive"] = $saveTo.basename($_POST ["archive"]);
for($i = 0; $i < count ( $_POST ["files"] ); $i ++) {
$files [] = $list [($_POST ["files"] [$i])];
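Review bot: The loop right after the changed line reads `$_POST["files"]` and uses each element as an index into `$list` with no check that the field is present, is an array, or that the key exists in `$list`. Suggest guarding with `isset($_POST['files']) && is_array($_POST['files'])` and skipping entries where `isset($list[$key])` is false, so a malformed request cannot push null entries into `$files`. On the changed line itself, `trim(urldecode($_POST['archive']))` is evaluated three times and the result is written back into `$_POST`; PHP has already URL-decoded POST fields, so the extra `urldecode()` is a second decode. Computing the name once into a local variable (keeping the `basename()` on the following line) would be clearer and avoids mutating the superglobal.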
@@ -55,25 +55,24 @@ function zip_go() {
}
}
require_once (CLASS_DIR . "pclzip.php");
$archive = new PclZip ( $_POST ["archive"] );
$archive = new PclZip ($_POST['archive']);
$no_compression = ($options['disable_archive_compression'] || isset($_POST["no_compression"]));
if (file_exists ( $_POST ["archive"] )) {
if (file_exists ($_POST['archive'])) {
if ($no_compression) { $v_list = $archive->add ( $add_files, PCLZIP_OPT_REMOVE_ALL_PATH, PCLZIP_OPT_NO_COMPRESSION); }
else { $v_list = $archive->add ( $add_files, PCLZIP_OPT_REMOVE_ALL_PATH); }
} else {
if ($no_compression) { $v_list = $archive->create ( $add_files, PCLZIP_OPT_REMOVE_ALL_PATH, PCLZIP_OPT_NO_COMPRESSION); }
else { $v_list = $archive->create ( $add_files, PCLZIP_OPT_REMOVE_ALL_PATH); }
}
if ($v_list == 0) {
echo "Error: " . $archive->errorInfo ( true ) . "<br /><br />";
return;
} else {
echo "Archive <b>" . $_POST ["archive"] . "</b> successfully created!<br /><br />";
}
if (is_file($_POST['archive'])) {

if ($v_list != 0 && is_file($_POST['archive'])) {
echo "Archive <b>" . htmlspecialchars($_POST['archive']) . "</b> successfully created!<br /><br />";

$time = filemtime($_POST['archive']); while (isset($list[$time])) { $time++; }
$list[$time] = array("name" => $_POST['archive'], "size" => bytesToKbOrMbOrGb(filesize($_POST['archive'])), "date" => $time);
if (!updateListInFile($list)) { echo lang(146)."<br /><br />"; }
} else {
echo "Error: " . htmlspecialchars($archive->errorInfo(true)) . "<br /><br />";
return;
}
}
?>
}
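Review bot: The archive name is now escaped in the success message, but the same raw `$_POST['archive']` is stored as `"name"` in `$list[$time]` and persisted through `updateListInFile($list)`. Any page that later prints that list entry needs the same `htmlspecialchars()` treatment, otherwise the escaping added here only covers this one echo; please check those output sites or note in a comment that `name` is stored unescaped. Two smaller points in the same hunk: the message prints the full `$saveTo` path, where `basename($_POST['archive'])` would avoid showing the server's directory layout, and the new `else` branch now also handles the case where `$v_list != 0` but `is_file()` is false, in which `errorInfo(true)` may not describe the actual failure.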

3 comments on commit 885a87e

@Th3-822
Owner Author

Does anybody know how I can get this repo opted out from huntr[.]dev?

I'm planning to archive the repo if I get more mails from them.

@JamieSlome

@Th3-822 - this repository has been opted out from huntr.dev and no longer accepts disclosures.

@sasansi

@Th3-822

Why should it be stopped? Let them review your code and find the bugs, so we will have a secure code base here.

@JamieSlome

Why do you stop your mission to secure the world at the contributors' requests? You have to do what it takes to secure the world no matter what!

In general I'm thoroughly disappointed in both of you, because your mission is to secure the world wide web as best as you can, but one is whining at the laziness (or not having time to fix) and the other starts to ignore his mission.

regards,
