diff --git a/Admin/Templates/addUsers.tpl b/Admin/Templates/addUsers.tpl
index 0d98f74e..01a81984 100644
--- a/Admin/Templates/addUsers.tpl
+++ b/Admin/Templates/addUsers.tpl
@@ -103,6 +103,7 @@ elseif(isset($_GET['g']) && $_GET['g']=='OK'){
+
diff --git a/Admin/Templates/editAccess.tpl b/Admin/Templates/editAccess.tpl
index 0a8ad53b..fb63bae1 100644
--- a/Admin/Templates/editAccess.tpl
+++ b/Admin/Templates/editAccess.tpl
@@ -28,6 +28,7 @@ if(isset($_GET['uid'])) ?>
+
diff --git a/Admin/Templates/editAdditional.tpl b/Admin/Templates/editAdditional.tpl
index 9366185a..10911e64 100644
--- a/Admin/Templates/editAdditional.tpl
+++ b/Admin/Templates/editAdditional.tpl
@@ -72,6 +72,7 @@ if(isset($id)) {
+
diff --git a/Admin/Templates/editHero.tpl b/Admin/Templates/editHero.tpl
index cd9b94ac..ff5f4ac4 100644
--- a/Admin/Templates/editHero.tpl
+++ b/Admin/Templates/editHero.tpl
@@ -132,6 +132,7 @@ function go_url(url){ location=url; return false; }
+
diff --git a/Admin/Templates/editPassword.tpl b/Admin/Templates/editPassword.tpl
index 9db195c6..1f9f11c2 100644
--- a/Admin/Templates/editPassword.tpl
+++ b/Admin/Templates/editPassword.tpl
@@ -75,6 +75,7 @@ function genPw(){
+
diff --git a/Admin/Templates/editProtection.tpl b/Admin/Templates/editProtection.tpl
index 2da994c3..08bc8c47 100644
--- a/Admin/Templates/editProtection.tpl
+++ b/Admin/Templates/editProtection.tpl
@@ -74,6 +74,7 @@ function setDays(d){ document.getElementById('protect').value = d; }
+
diff --git a/Admin/Templates/editSitter.tpl b/Admin/Templates/editSitter.tpl
index f887690e..8b9ea3c4 100644
--- a/Admin/Templates/editSitter.tpl
+++ b/Admin/Templates/editSitter.tpl
@@ -69,6 +69,7 @@ function clearSitter(n){ document.getElementById('sit'+n).value = '0'; }
+
diff --git a/Admin/Templates/editUser.tpl b/Admin/Templates/editUser.tpl
index dc296e32..21186b1d 100644
--- a/Admin/Templates/editUser.tpl
+++ b/Admin/Templates/editUser.tpl
@@ -84,6 +84,7 @@ select.dropdown { width:100%; }
+
@@ -96,6 +97,7 @@ select.dropdown { width:100%; }
+
diff --git a/GameEngine/Admin/Mods/addUsers.php b/GameEngine/Admin/Mods/addUsers.php
index 3cd0705b..d90d8ed4 100755
--- a/GameEngine/Admin/Mods/addUsers.php
+++ b/GameEngine/Admin/Mods/addUsers.php
@@ -36,6 +36,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 $wgarray = array(1=>1200,1700,2300,3100,4000,5000,6300,7800,9600,11800,14400,17600,21400,25900,31300,37900,45700,55100,66400,80000);
 foreach ($_POST as $key => $value) {
diff --git a/GameEngine/Admin/Mods/additional.php b/GameEngine/Admin/Mods/additional.php
index cb1238e9..0a7bf77d 100755
--- a/GameEngine/Admin/Mods/additional.php
+++ b/GameEngine/Admin/Mods/additional.php
@@ -21,6 +21,11 @@ include_once("../../Database.php");
 if (!isset($_SESSION)) session_start();
 if(($_SESSION['access']?? 0) < ADMIN) die("Access Denied: You are not Admin!");
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // --- INPUT ---
 $id = (int)($_POST['id']?? 0);
 $admid = (int)($_POST['admid']?? 0);
diff --git a/GameEngine/Admin/Mods/editAccess.php b/GameEngine/Admin/Mods/editAccess.php
index 207c5ff6..8c895081 100755
--- a/GameEngine/Admin/Mods/editAccess.php
+++ b/GameEngine/Admin/Mods/editAccess.php
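Review bot: The hidden token field is now one of the `$_POST` entries walked by `foreach ($_POST as $key => $value) {` on the last context line of the addUsers.php hunk; if that loop maps every POST key onto a user attribute (its body is outside the hunk), the token's key has to be skipped there, otherwise the token is handled as if it were user data. The same five-line guard is pasted verbatim into additional.php, editAccess.php, editHero.php, editPassword.php, editProtection.php, editSitter.php, editUser.php and editUsername.php, so any Mod added later can silently omit it; a single shared include that performs the session/access check and `csrf_verify()` together, pulled in at the top of every Mod, keeps the check in one place. The comment should also state what `csrf_verify()` does on a missing or mismatched token, since everything below the call is only protected if the call terminates the request: `// csrf_verify() ends the request on a missing or mismatched token; nothing below runs unverified.` — assuming that is its behaviour, which cannot be confirmed here because csrf.php is not part of this diff.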
@@ -10,6 +10,12 @@ #################################################################################
 if (!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // go max 5 levels up - we don't have folders that go deeper than that
diff --git a/GameEngine/Admin/Mods/editHero.php b/GameEngine/Admin/Mods/editHero.php
index 2caea8ec..4bd8fd1d 100755
--- a/GameEngine/Admin/Mods/editHero.php
+++ b/GameEngine/Admin/Mods/editHero.php
@@ -18,6 +18,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 // ---------------------------------------------------------------------------
 // Autoloader path
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editPassword.php b/GameEngine/Admin/Mods/editPassword.php
index 3858a8dc..0dced632 100755
--- a/GameEngine/Admin/Mods/editPassword.php
+++ b/GameEngine/Admin/Mods/editPassword.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editProtection.php b/GameEngine/Admin/Mods/editProtection.php
index e678c00c..e0e149b3 100755
--- a/GameEngine/Admin/Mods/editProtection.php
+++ b/GameEngine/Admin/Mods/editProtection.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editSitter.php b/GameEngine/Admin/Mods/editSitter.php
index 9646b74f..33eb0a47 100755
--- a/GameEngine/Admin/Mods/editSitter.php
+++ b/GameEngine/Admin/Mods/editSitter.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editUser.php b/GameEngine/Admin/Mods/editUser.php
index 5377e72d..a79ee923 100755
--- a/GameEngine/Admin/Mods/editUser.php
+++ b/GameEngine/Admin/Mods/editUser.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------
diff --git a/GameEngine/Admin/Mods/editUsername.php b/GameEngine/Admin/Mods/editUsername.php
index 3f7c1dca..18aa74ea 100755
--- a/GameEngine/Admin/Mods/editUsername.php
+++ b/GameEngine/Admin/Mods/editUsername.php
@@ -17,6 +17,11 @@ if (empty($_SESSION['access']) || $_SESSION['access'] < 9) {
 die("Access Denied: You are not Admin!");
 }
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../config.php");
 // ---------------------------------------------------------------------------