
Patch for SQL injection vulnerability in Pragyan CMS v.3

  1. <?php
  2. /*
  3.  * Patch for https://github.com/delta/pragyan/issues/206
  4.  * Author: Steffen Rösemann
  5.  *
  6.  * Patches are marked with PATCHED!
  7.  *
  8.  * Use at your own risk! I am not responsible for anything!
  9.  */
  10.  
  11. if(!defined('__PRAGYAN_CMS'))
  12. {
  13.         header($_SERVER['SERVER_PROTOCOL'].' 403 Forbidden');
  14.         echo "<h1>403 Forbidden<h1><h4>You are not authorized to access the page.</h4>";
  15.         echo '<hr/>'.$_SERVER['SERVER_SIGNATURE'];
  16.         exit(1);
  17. }
  18. /**
  19.  * @package pragyan
  20.  * @author Boopathi Rajaa, balanivash
  21.  * @copyright (c) 2011 Pragyan Team
  22.  * @license http://www.gnu.org/licenses/ GNU Public License
  23.  * For more details, see README
  24.  */
  25.  
  26.  
  27. function generatePublicProfile($userProfileId,$accessUserId) {
  28.         /*
  29.          * PATCHED: integer casting via intval() for $userProfileId
  30.          */
  31.         $userId=intval($userProfileId);
  32.         global $urlRequestRoot, $moduleFolder, $cmsFolder,$sourceFolder, $templateFolder;
  33.         require_once("$sourceFolder/$moduleFolder/form/registrationformsubmit.php");
  34.         require_once("$sourceFolder/$moduleFolder/form/viewregistrants.php");
  35.         require_once("$sourceFolder/upload.lib.php");
  36.         require_once ("$sourceFolder/profile.lib.php");
  37.         $profileQuery = 'SELECT `user_name`, `user_fullname`, `user_email` FROM `' . MYSQL_DATABASE_PREFIX . 'users` WHERE `user_id` = \'' .$userId."'";
  38.         $profileResult = mysql_query($profileQuery);
  39.         if(!$profileResult) {
  40.                 /*
  41.                  * PATCHED: Surpressed displaying of internal database errors (database querys) directly to the user.
  42.                  *          It is not recommended in a productive environment.
  43.                  */
  44.                 displayerror('An error occurred while trying to process your request.<br />');
  45.                 return '';
  46.         }
  47.         if(mysql_num_rows($profileResult)==0){
  48.                 displayerror("The Requested user is not found." );
  49.                 return "Click <a href='".$urlRequestRoot."'>here </a> to return to the home page";
  50.         }
  51.         $profileRow = mysql_fetch_row($profileResult);
  52.         $userName = $profileRow[0];
  53.         $userFullname = $profileRow[1];
  54.         $userEmail = $profileRow[2];
  55.         $fakeModuleComponentId=$userId;
  56.         $profileimgname = getUploadedFiles($fakeModuleComponentId,'profile');
  57.         if($profileimgname==NULL)
  58.         {
  59.                 $profileimgname = "$urlRequestRoot/$cmsFolder/$templateFolder/common/images/no-img.jpg";
  60.         }
  61.         else
  62.         {
  63.                 $profileimgname = "./+profile&fileget={$profileimgname[0]['upload_filename']}&mcid={$userId}";
  64.         }
  65.  
  66.        
  67.         $profileimg= "<img id=profileimg src='$profileimgname' alt='Profile Image' title='Profile Image' height=120 width=100><br/>";
  68.        
  69.         $dynamicFields = getFormElementsHtmlAsArrayForView(0, $userId);
  70.         $dynamicFields = join($dynamicFields, "</tr>\n<tr>");
  71.         if($dynamicFields != '') {
  72.                 $dynamicFields = "<tr>$dynamicFields</tr>";
  73.         }
  74.  
  75.         global $ICONS;
  76.         $profileForm =<<<PREF
  77.  
  78.  
  79. <div class="cms-profile">
  80.                 <fieldset>
  81.                         <legend>{$ICONS['User Profile']['small']}  User Profile</legend>
  82.  
  83.                         <table style="width:75%;">
  84.                                 <tr>
  85.                                 <td colspan=2 style="text-align:center">$profileimg</td>
  86.                                 </tr>
  87.                                 <tr>
  88.                                         <td><label for="user_name" class="labelrequired">Name</label></td>
  89.                                         <td>$userName</td>
  90.                                 </tr>
  91.                                 <tr>
  92.                                         <td><label for="user_fullname" class="labelrequired">Full Name</label></td>
  93.                                         <td>$userFullname</td>
  94.                                 </tr>
  95.  
  96.                                         $dynamicFields
  97. PREF;
  98.         if($userId==$accessUserId){
  99.                 $profileForm .= "<tr>
  100.                                         <td colspan=2 style='text-align:center'><a href=./+profile>{$ICONS['Edit']['small']} Edit Profile</a></td>
  101.                                 </tr>";
  102.         }
  103.                 $profileForm .= <<<PREF
  104.                         </table>
  105.                 </fieldset>
  106.         </form>
  107. </div>
  108. PREF;
  109.  
  110.         return  $profileForm."<br />".getProfileGroupsAndFormsList($userId);
  111. }