From 271aa93be2e31bf9d1850532ff6c5ac083694919 Mon Sep 17 00:00:00 2001 From: Bram <33527907+bram1000@users.noreply.github.com> Date: Thu, 6 Jul 2023 22:31:29 +0200 Subject: [PATCH 1/5] Fix CVE-2023-36994 --- install/process.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/install/process.php b/install/process.php index b7925e41..814ece82 100644 --- a/install/process.php +++ b/install/process.php @@ -12,6 +12,10 @@ // don't let SQL time out when 30-500 seconds (depending on php.ini) is not enough @set_time_limit(0); +if (file_exists("../var/installed")) { + die("ERROR!
Installation appears to have been completed.
If this is an error remove /var/installed file in install directory."); +} + class Process { function __construct() { From 78b2bddde4f574fc73fc4704958d0864750bf22e Mon Sep 17 00:00:00 2001 From: Bram <33527907+bram1000@users.noreply.github.com> Date: Thu, 6 Jul 2023 22:34:03 +0200 Subject: [PATCH 2/5] Fix CVE-2023-36993 --- GameEngine/Generator.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GameEngine/Generator.php b/GameEngine/Generator.php index 2b8ed1e8..c7ce83e9 100755 --- a/GameEngine/Generator.php +++ b/GameEngine/Generator.php @@ -18,7 +18,7 @@ class MyGenerator { public function generateRandStr($length){ $randstr = ""; for($i = 0; $i < $length; $i++){ - $randnum = mt_rand(0, 61); + $randnum = random_int(0, 61); if($randnum < 10) $randstr .= chr($randnum + 48); else if($randnum < 36) $randstr .= chr($randnum + 55); else $randstr .= chr($randnum + 61); From e39ca488a9fd2409dbc212d625b518cc9e1c9e67 Mon Sep 17 00:00:00 2001 From: nixpc Date: Thu, 6 Jul 2023 23:02:00 +0200 Subject: [PATCH 3/5] Fix CVE-2023-36995 --- GameEngine/Admin/database.php | 1 + GameEngine/Database.php | 2 ++ GameEngine/Ranking.php | 6 +++--- Templates/Profile/preference.tpl | 4 ++-- login.php | 2 +- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/GameEngine/Admin/database.php b/GameEngine/Admin/database.php index 8c123eeb..82da6a73 100755 --- a/GameEngine/Admin/database.php +++ b/GameEngine/Admin/database.php @@ -82,6 +82,7 @@ class adm_DB { $bcrypted = false; } + $username = htmlspecialchars($username); if($pwOk) { // update password to bcrypt, if correct if (!$dbarray['is_bcrypt'] && !$bcrypted) { diff --git a/GameEngine/Database.php b/GameEngine/Database.php index e244372e..3d150f0f 100755 --- a/GameEngine/Database.php +++ b/GameEngine/Database.php @@ -3109,6 +3109,8 @@ class MYSQLi_DB implements IDbConnection { *****************************************/ function createAlliance($tag, $name, $uid, $max) { list($tag, $name, $uid, $max) = $this->escape_input($tag, $name, (int) $uid, (int) $max); + $tag = $this->RemoveXSS($tag); + $name = $this->RemoveXSS($name); $q = "INSERT into " . TB_PREFIX . "alidata values (0,'$name','$tag',$uid,0,0,0,'','',$max,0,0,0,0,0,0,0,0,0)"; mysqli_query($this->dblink,$q); diff --git a/GameEngine/Ranking.php b/GameEngine/Ranking.php index c5727e86..e8b1f9a9 100755 --- a/GameEngine/Ranking.php +++ b/GameEngine/Ranking.php @@ -163,7 +163,7 @@ private function getStart($search) { $multiplier = 1; if(!is_numeric($search)) { - $_SESSION['search'] = $search; + $_SESSION['search'] = htmlspecialchars($search); } else { if($search > count($this->rankarray)) { $search = count($this->rankarray) - 1; @@ -172,8 +172,8 @@ $multiplier += 1; } $start = 20 * $multiplier - 19 - 1; - $_SESSION['search'] = $search; - $_SESSION['start'] = $start; + $_SESSION['search'] = htmlspecialchars($search); + $_SESSION['start'] = htmlspecialchars($start); } } diff --git a/Templates/Profile/preference.tpl b/Templates/Profile/preference.tpl index a612e45d..bf3b13e0 100644 --- a/Templates/Profile/preference.tpl +++ b/Templates/Profile/preference.tpl @@ -36,12 +36,12 @@ if($_POST) { if(substr($key, 0, 8) == 'linkname') { $i = substr($key, 8); - $links[$i]['linkname'] = mysqli_real_escape_string($database->dblink, $value); + $links[$i]['linkname'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value)); } if(substr($key, 0, 8) == 'linkziel') { $i = substr($key, 8); - $links[$i]['linkziel'] = mysqli_real_escape_string($database->dblink, $value); + $links[$i]['linkziel'] = htmlspecialchars(mysqli_real_escape_string($database->dblink, $value)); } } diff --git a/login.php b/login.php index a461bd57..3c12625e 100644 --- a/login.php +++ b/login.php @@ -186,7 +186,7 @@ Element.implement({ - " maxlength="30" autocomplete='off' /> getError("user"); ?> + " maxlength="30" autocomplete='off' /> getError("user"); ?> From 1549f830aa4246480e7bb7090c9d394b54bf280b Mon Sep 17 00:00:00 2001 From: nixpc Date: Thu, 6 Jul 2023 23:13:22 +0200 Subject: [PATCH 4/5] Fix CVE-2023-36995 name change alliance --- GameEngine/Database.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/GameEngine/Database.php b/GameEngine/Database.php index 3d150f0f..ea50e18e 100755 --- a/GameEngine/Database.php +++ b/GameEngine/Database.php @@ -3016,6 +3016,8 @@ class MYSQLi_DB implements IDbConnection { function setAlliName($aid, $name, $tag) { list($aid, $name, $tag) = $this->escape_input((int) $aid, $name, $tag); + $name = $this->RemoveXSS($name); + $name = $this->RemoveXSS($tag); $q = "UPDATE " . TB_PREFIX . "alidata set name = '$name', tag = '$tag' where id = $aid"; return mysqli_query($this->dblink,$q); From de804b95671d5b7850abca4ff84294cdffcd724d Mon Sep 17 00:00:00 2001 From: nixpc Date: Thu, 6 Jul 2023 23:14:27 +0200 Subject: [PATCH 5/5] Whoops! --- GameEngine/Database.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GameEngine/Database.php b/GameEngine/Database.php index ea50e18e..290a2a14 100755 --- a/GameEngine/Database.php +++ b/GameEngine/Database.php @@ -3017,7 +3017,7 @@ class MYSQLi_DB implements IDbConnection { function setAlliName($aid, $name, $tag) { list($aid, $name, $tag) = $this->escape_input((int) $aid, $name, $tag); $name = $this->RemoveXSS($name); - $name = $this->RemoveXSS($tag); + $tag = $this->RemoveXSS($tag); $q = "UPDATE " . TB_PREFIX . "alidata set name = '$name', tag = '$tag' where id = $aid"; return mysqli_query($this->dblink,$q);