mirror of
https://github.com/Shadowss/TravianZ.git
synced 2026-07-08 13:46:09 +00:00
Email Header Injection in Invite Feature via Unsanitized POST Parameters
Email Header Injection in Invite Feature via Unsanitized POST Parameters Thanks @cybershubham06
This commit is contained in:
+30
-14
@@ -55,24 +55,40 @@ class Mailer
|
||||
* -------------------------------------------------------------------------
|
||||
* FIX: $username was undefined -> fallback safe value added
|
||||
*/
|
||||
function sendInvite($email, $uid, $text)
|
||||
{
|
||||
$subject = SERVER_NAME . " registration";
|
||||
function sendInvite($email, $uid, $text){
|
||||
|
||||
$email = trim($email);
|
||||
$uid = (int)$uid;
|
||||
$text = trim($text);
|
||||
|
||||
// FIX: prevent undefined variable notice
|
||||
$username = "User";
|
||||
// Protecție împotriva Email Header Injection
|
||||
if (
|
||||
strpos($email, "\r") !== false ||
|
||||
strpos($email, "\n") !== false ||
|
||||
!filter_var($email, FILTER_VALIDATE_EMAIL)
|
||||
) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$message =
|
||||
"Hello " . $username . "\n\n" .
|
||||
"Try the new " . SERVER_NAME . "!\n\n\n" .
|
||||
"Link: " . SERVER . "anmelden.php?id=ref" . $uid . "\n\n" .
|
||||
$text . "\n\n\n" .
|
||||
"Greetings,\n" .
|
||||
"Travian";
|
||||
// Curățăm textul
|
||||
$text = substr($text, 0, 2000);
|
||||
$text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
|
||||
|
||||
$headers = "From: " . ADMIN_EMAIL . "\r\n";
|
||||
$subject = SERVER_NAME . " registration";
|
||||
|
||||
@mail($email, $subject, $message, $headers);
|
||||
$username = "User";
|
||||
|
||||
$message =
|
||||
"Hello " . $username . "\n\n" .
|
||||
"Try the new " . SERVER_NAME . "!\n\n\n" .
|
||||
"Link: " . SERVER . "anmelden.php?id=ref" . $uid . "\n\n" .
|
||||
$text . "\n\n\n" .
|
||||
"Greetings,\n" .
|
||||
"Travian";
|
||||
|
||||
$headers = "From: " . ADMIN_EMAIL . "\r\n";
|
||||
|
||||
return @mail($email, $subject, $message, $headers);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -156,8 +156,23 @@ if($id == 15){
|
||||
if($id > 15){
|
||||
include ("Templates/Plus/3.tpl");
|
||||
}
|
||||
if(isset($_POST['mail'])){
|
||||
$mailer->sendInvite($_POST['mail'], $session->uid, $_POST['text']);
|
||||
if (isset($_POST['mail'])) {
|
||||
|
||||
$email = trim($_POST['mail']);
|
||||
$text = isset($_POST['text']) ? trim($_POST['text']) : '';
|
||||
|
||||
// Blocăm CRLF injection și validăm adresa
|
||||
if (
|
||||
strpos($email, "\r") === false &&
|
||||
strpos($email, "\n") === false &&
|
||||
filter_var($email, FILTER_VALIDATE_EMAIL)
|
||||
) {
|
||||
// Limităm dimensiunea și eliminăm caracterele de control
|
||||
$text = substr($text, 0, 2000);
|
||||
$text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text);
|
||||
|
||||
$mailer->sendInvite($email, $session->uid, $text);
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user