
Patch for SQL injection vulnerability in Pragyan CMS v.3

  1. <?php
  2. /*
  3.  * Patch for https://github.com/delta/pragyan/issues/206
  4.  * Author: Steffen Rösemann
  5.  *
  6.  * Patches are marked with PATCHED!
  7.  *
  8.  * Use at your own risk! I am not responsible for anything!
  9.  */
  10.  
  11. if(!defined('__PRAGYAN_CMS'))
  12. {
  13.     header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');
  14.     echo "<h1>403 Forbidden<h1><h4>You are not authorized to access the page.</h4>";
  15.     echo '<hr/>'.$_SERVER['SERVER_SIGNATURE'];
  16.     exit(1);
  17. }
  18. /**
  19.  * @package pragyan
  20.  * @author Boopathi Rajaa, balanivash
  21.  * @copyright (c) 2011 Pragyan Team
  22.  * @license http://www.gnu.org/licenses/ GNU Public License
  23.  * For more details, see README
  24.  */
  25.  
  26.  
  27. function generatePublicProfile($userProfileId,$accessUserId) {
  28.     /*
  29.      * PATCHED: integer casting via intval() for $userProfileId
  30.      */
  31.     $userId=intval($userProfileId);
  32.     global $urlRequestRoot, $moduleFolder, $cmsFolder,$sourceFolder, $templateFolder;
  33.     require_once("$sourceFolder/$moduleFolder/form/registrationformsubmit.php");
  34.     require_once("$sourceFolder/$moduleFolder/form/viewregistrants.php");
  35.     require_once("$sourceFolder/upload.lib.php");
  36.     require_once ("$sourceFolder/profile.lib.php");
  37.     $profileQuery = 'SELECT `user_name`, `user_fullname`, `user_email` FROM `' . MYSQL_DATABASE_PREFIX . 'users` WHERE `user_id` = \'' .$userId."'";
  38.     $profileResult = mysql_query($profileQuery);
  39.     if(!$profileResult) {
  40.         /*
  41.          * PATCHED: Surpressed displaying of internal database errors (database querys) directly to the user.
  42.          *          It is not recommended in a productive environment.
  43.          */
  44.         displayerror('An error occurred while trying to process your request.<br />');
  45.         return '';
  46.     }
  47.     if(mysql_num_rows($profileResult)==0){
  48.         displayerror("The Requested user is not found." );
  49.         return "Click <a href='".$urlRequestRoot."'>here </a> to return to the home page";
  50.     }
  51.     $profileRow = mysql_fetch_row($profileResult);
  52.     $userName = $profileRow[0];
  53.     $userFullname = $profileRow[1];
  54.     $userEmail = $profileRow[2];
  55.     $fakeModuleComponentId=$userId;
  56.     $profileimgname = getUploadedFiles($fakeModuleComponentId,'profile');
  57.     if($profileimgname==NULL)
  58.     {
  59.         $profileimgname = "$urlRequestRoot/$cmsFolder/$templateFolder/common/images/no-img.jpg";
  60.     }
  61.     else
  62.     {
  63.         $profileimgname = "./+profile&fileget={$profileimgname[0]['upload_filename']}&mcid={$userId}";
  64.     }
  65.  
  66.    
  67.     $profileimg= "<img id=profileimg src='$profileimgname' alt='Profile Image' title='Profile Image' height=120 width=100><br/>";
  68.    
  69.     $dynamicFields = getFormElementsHtmlAsArrayForView(0, $userId);
  70.     $dynamicFields = join($dynamicFields, "</tr>\n<tr>");
  71.     if($dynamicFields != '') {
  72.         $dynamicFields = "<tr>$dynamicFields</tr>";
  73.     }
  74.  
  75.     global $ICONS;
  76.     $profileForm =<<<PREF
  77.  
  78.  
  79. <div class="cms-profile">
  80.         <fieldset>
  81.             <legend>{$ICONS['User Profile']['small']}  User Profile</legend>
  82.  
  83.             <table style="width:75%;">
  84.                 <tr>
  85.                 <td colspan=2 style="text-align:center">$profileimg</td>
  86.                 </tr>
  87.                 <tr>
  88.                     <td><label for="user_name" class="labelrequired">Name</label></td>
  89.                     <td>$userName</td>
  90.                 </tr>
  91.                 <tr>
  92.                     <td><label for="user_fullname" class="labelrequired">Full Name</label></td>
  93.                     <td>$userFullname</td>
  94.                 </tr>
  95.  
  96.                     $dynamicFields
  97. PREF;
  98.     if($userId==$accessUserId){
  99.         $profileForm .= "<tr>
  100.                     <td colspan=2 style='text-align:center'><a href=./+profile>{$ICONS['Edit']['small']} Edit Profile</a></td>
  101.                 </tr>";
  102.     }
  103.         $profileForm .= <<<PREF
  104.             </table>
  105.         </fieldset>
  106.     </form>
  107. </div>
  108. PREF;
  109.  
  110.     return  $profileForm."<br />".getProfileGroupsAndFormsList($userId);
  111. }