
Commit ecfeb40

committed
Security: Fix 69 reflected XSS vulnerabilities across 22 files
Fixes all 10 vulnerabilities from the security report plus 59 additional instances found via full codebase scan of 808 PHP files. Reported vulnerabilities (CVE candidates): 1. single_unit.php?id= — intval() 2. single.php?ticket_id= — intval() + htmlspecialchars() 3. add_note.php?ticket_id= — htmlspecialchars() 4. patient_JF.php?ticket_id — intval() 5. opena.php?frm_call= — htmlspecialchars() 6. add_facnote.php?ticket_id= — htmlspecialchars() 7. street_view.php?thelat=&thelng= — floatval() 8. routes_nm.php?ticket_id= — htmlspecialchars() 9. do_unit_mail.php?the_ticket= — intval() 10. search.php frm_query POST — htmlspecialchars() Additional fixes found via scan: - patient.php, patient_w.php: 14 instances in form actions/values - routes_nm.php, routes_i.php: 8 instances in hidden inputs - ICS forms (202, 205, 205a, 213, 213rr, 214): 6 instances - delete_module.php: 7 instances including $_SERVER['PHP_SELF'] - ticketsmdb_import.php: 20 instances in import form - os_watch.php: 6 instances in hidden inputs - db_loader.php: 6 instances - add.php, add_nm.php, circle.php, landb.php: 4 instances Also fixed: SQL injection in incs/mail_form.php line 536 (raw $_GET['ticket_id'] in SQL query — wrapped with intval()) Fix strategy by context: - Numeric IDs (ticket_id, id): intval() - Coordinates (lat, lng): floatval() - String values in HTML attributes: htmlspecialchars($val, ENT_QUOTES, 'UTF-8') - String values in JS: json_encode() or intval() All 34 verification tests pass.
1 parent 6cdc329 commit ecfeb40

29 files changed

Lines changed: 89 additions & 89 deletions

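--- a/add.php
+++ b/add.php
@@ -653,7 +653,7 @@ function updt_ticket($id) { /* 1/25/09 */
 <SPAN id='sub_but' class='plain text' style='float: none;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.to_main.submit();'>Main</SPAN><BR />
 <BR />
 <FORM NAME='to_routes' METHOD='get' ACTION='<?php print $_SESSION['routesfile'];?>'>
-<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
+<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
 </FORM>
 <SPAN id='sub_but' class='plain text' style='float: none;' onMouseover='do_hover(this.id);' onMouseout='do_plain(this.id);' onClick='document.to_routes.submit();'>Routes</SPAN>
 </CENTER>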
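Review bot: `intval($_POST['ticket_id'])` on the new line still raises an "Undefined array key" warning on PHP 8 when the page is reached without a ticket id, because the cast does not guard the lookup; `intval($_POST['ticket_id'] ?? 0)` yields the same value and removes the warning. The same unguarded cast appears in add_nm.php, circle.php and icons/buttons/landb.php in this commit. The ACTION attribute two lines above still prints `$_SESSION['routesfile']` raw; it is server-set session data so the risk is lower, but wrapping it in the same `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` would keep the form consistent with the rest of the change. updt_ticket() from the hunk header is not visible here.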

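--- a/add_facnote.php
+++ b/add_facnote.php
@@ -137,7 +137,7 @@ function validate () {
 <TD class='td_data'><TEXTAREA NAME='frm_notes' tabindex=4 COLS=60 ROWS = 3><?php print $notes;?></TEXTAREA></TD>
 </TR>
 </TABLE>
-<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />
+<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
 <INPUT TYPE = 'hidden' NAME = 'frm_existing' VALUE='<?php print $existing;?>' />
 </FORM>
 </DIV>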
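Review bot: The new line HTML-encodes `$_GET['ticket_id']`, whereas the commit description classifies ticket ids as numeric and casts them with `intval()` in add.php and add_nm.php; a cast is the tighter control here because it rejects non-numeric input before it round-trips through the hidden field — `VALUE='<?php print intval($_GET['ticket_id']); ?>'`. add_note.php carries the identical line and the same remark applies there. If a non-numeric id is genuinely legal, the current escaping is correct for the attribute context, but `htmlspecialchars()` receiving `null` for a missing key is deprecated on PHP 8.1+, so `$_GET['ticket_id'] ?? ''` is worth adding at every htmlspecialchars site in this commit (add_note.php, db_loader.php, delete_module.php, icons/buttons/landb.php, ics202.php). The `$existing` value on the following line is still printed raw; it is assigned outside the hunk, so confirm it is not request-derived.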

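--- a/add_nm.php
+++ b/add_nm.php
@@ -344,7 +344,7 @@ function do_notify() {
 
 var theAddresses = '<?php print implode("|", array_unique($addrs));?>'; // drop dupes
 var theText= "TICKET - New: ";
-var theId = '<?php print $_POST['ticket_id'];?>';
+var theId = '<?php print intval($_POST['ticket_id']);?>';
 
 // mail_it ($to_str, $text, $theId, $text_sel=1;, $txt_only = FALSE)
 
@@ -423,7 +423,7 @@ function do_notify() { // dummy
 </FORM>
 
 <FORM NAME='to_routes' METHOD='get' ACTION='routes.php'>
-<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print $_POST['ticket_id'];?>' />
+<INPUT TYPE='hidden' NAME='ticket_id' VALUE='<?php print intval($_POST['ticket_id']);?>' />
 <INPUT TYPE='submit' VALUE='Routes' /></CENTER>
 </FORM>
 <?php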
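Review bot: The new `theId` line is safe because `intval()` yields a bare digit string, but the `theAddresses` line two lines above it in the first hunk still interpolates `implode("|", array_unique($addrs))` into a single-quoted JS literal with no escaping; `$addrs` is built outside the hunk, so if it carries stored or submitted address strings this is the same class of issue the commit fixes. The commit description names `json_encode()` as the strategy for JS context, and `var theAddresses = <?php print json_encode(implode("|", array_unique($addrs)), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT);?>; // drop dupes` applies it here with the JS-safe escaping flags. do_notify() begins and ends outside both hunks.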

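--- a/add_note.php
+++ b/add_note.php
@@ -103,7 +103,7 @@ function set_signal(inval) {
 <B>Apply to</B>&nbsp;:&nbsp;&nbsp;
 Description &raquo; <INPUT TYPE = 'radio' NAME='frm_add_to' value='0' CHECKED />&nbsp;&nbsp;&nbsp;&nbsp;
 <?php print $disposition;?> &raquo; <INPUT TYPE = 'radio' NAME='frm_add_to' value='1' />
-<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print $_GET['ticket_id']; ?>' />
+<INPUT TYPE = 'hidden' NAME = 'frm_ticket_id' VALUE='<?php print htmlspecialchars($_GET['ticket_id'], ENT_QUOTES, 'UTF-8'); ?>' />
 </FORM>
 </DIV>
 </DIV>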

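--- a/circle.php
+++ b/circle.php
@@ -1342,7 +1342,7 @@ function toggle(the_value) {
 <BODY onload = 'document.dummy.submit();'>
 <FORM NAME='dummy' METHOD = 'post' ACTION = '<?php echo basename(__FILE__);?>'>
 <INPUT TYPE = 'hidden' NAME = '_func' VALUE = 'r' />
-<INPUT TYPE = 'hidden' NAME = 'id' VALUE = '<?php echo $_POST['frm_id'];?>' />
+<INPUT TYPE = 'hidden' NAME = 'id' VALUE = '<?php echo intval($_POST['frm_id']);?>' />
 </FORM></BODY></HTML>
 
 <?php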

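--- a/db_loader.php
+++ b/db_loader.php
@@ -633,12 +633,12 @@ function confirm_delete() {
 </DIV>
 </DIV>
 
-<INPUT name='ticketshost' type='hidden' VALUE='<?php print $_POST['ticketshost'];?>' />
-<INPUT name='ticketsdb' type='hidden' VALUE='<?php print $_POST['ticketsdb'];?>' />
-<INPUT name='ticketsuser' type='hidden' VALUE='<?php print $_POST['ticketsuser'];?>' />
-<INPUT name='ticketspassword' type='hidden' VALUE='<?php print $_POST['ticketspassword'];?>' />
-<INPUT name='ticketsprefix' type='hidden' VALUE='<?php print $_POST['ticketsprefix'];?>' />
-<INPUT name='db_schema' type='hidden' VALUE='<?php print $_POST['db_schema'];?>' />
+<INPUT name='ticketshost' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketshost'], ENT_QUOTES, 'UTF-8');?>' />
+<INPUT name='ticketsdb' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsdb'], ENT_QUOTES, 'UTF-8');?>' />
+<INPUT name='ticketsuser' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsuser'], ENT_QUOTES, 'UTF-8');?>' />
+<INPUT name='ticketspassword' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketspassword'], ENT_QUOTES, 'UTF-8');?>' />
+<INPUT name='ticketsprefix' type='hidden' VALUE='<?php print htmlspecialchars($_POST['ticketsprefix'], ENT_QUOTES, 'UTF-8');?>' />
+<INPUT name='db_schema' type='hidden' VALUE='<?php print htmlspecialchars($_POST['db_schema'], ENT_QUOTES, 'UTF-8');?>' />
 <INPUT name='page_background' type='hidden' VALUE='<?php print $page_background;?>' />
 <INPUT name='normal_text' type='hidden' VALUE='<?php print $normal_text;?>' />
 <INPUT name='form_input_background' type='hidden' VALUE='<?php print $form_input_background;?>' />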
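Review bot: The rewritten `ticketspassword` hidden input now escapes correctly, but it still sends the database password back to the browser in page source between steps of the loader, where it is exposed to browser cache, developer tools and any intermediary that logs bodies; holding the connection details server-side (for example in `$_SESSION`) between steps and posting only a step marker avoids that round-trip altogether. The three inputs after the hunk (`$page_background`, `$normal_text`, `$form_input_background`) are still printed raw; they are assigned outside the hunk, and if they come from the same submitted form they need the same `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` treatment. confirm_delete() from the hunk header is not visible here, so the enclosing structure is outside this view.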

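--- a/delete_module.php
+++ b/delete_module.php
@@ -63,15 +63,15 @@ function mod_table_exists($tablename) { //check if mysql table exists, if it's
 <TR><TH class='heading'>Module Deletion - Confirmation</TH></TR>
 <TR><TD>&nbsp;</TD></TR>
 <TR><TD>&nbsp;</TD></TR>
-<FORM NAME="delete_2" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
-<TR><TD style='font-size: 14px; font-weight: bold; background-color: #AEAEAE; text-align: center;'>Selected Module: <?php print $_POST['module_choice'];?></TD></TR>
+<FORM NAME="delete_2" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
+<TR><TD style='font-size: 14px; font-weight: bold; background-color: #AEAEAE; text-align: center;'>Selected Module: <?php print htmlspecialchars($_POST['module_choice'], ENT_QUOTES, 'UTF-8');?></TD></TR>
 <TR><TD>&nbsp;</TD></TR>
 <TR><TD>&nbsp;</TD></TR>
 <TR><TD>&nbsp;</TD></TR>
 <TR><TD CLASS="td_label">Click Submit to confirm module deletion or Cancel to abort</TD></TR>
 <TR><TD>&nbsp;</TD></TR>
 <TR><TD>&nbsp;</TD></TR>
-<INPUT TYPE='hidden' NAME='confirmation' VALUE='<?php print $_POST['module_choice'];?>'>
+<INPUT TYPE='hidden' NAME='confirmation' VALUE='<?php print htmlspecialchars($_POST['module_choice'], ENT_QUOTES, 'UTF-8');?>'>
 <INPUT TYPE='hidden' NAME='flag' VALUE='Confirmation Received'>
 <TR><TD ALIGN="center"><INPUT TYPE="button" VALUE="Cancel" onClick="window.location.href='config.php'" >&nbsp;&nbsp;<input type="submit" name="submit" value="Submit" /></TD></TR>
 </FORM></TABLE>
@@ -102,8 +102,8 @@ function rmdir_recurse($path) {
 
 ?>
 <DIV style='background-color:#CECECE; position: absolute; width: 60%; height: 60%; left: 20%; top: 10%; border:2px inset #FFF2BF; display: block; text-align: center'>
-<BR /><BR /><BR /><BR /><?php print $_POST['flag'];?><BR /><BR />
-Deleting Tickets Module........<?php print $_POST['confirmation'];?><BR /><BR />
+<BR /><BR /><BR /><BR /><?php print htmlspecialchars($_POST['flag'], ENT_QUOTES, 'UTF-8');?><BR /><BR />
+Deleting Tickets Module........<?php print htmlspecialchars($_POST['confirmation'], ENT_QUOTES, 'UTF-8');?><BR /><BR />
 Dropping Table........<?php print $table;?>...........
 <?php
 $query = "DROP table `{$GLOBALS['mysql_prefix']}" . $table ."`";
@@ -115,7 +115,7 @@ function rmdir_recurse($path) {
 }
 ?>
 
-Removing Directory and files /modules/<?php print $_POST['confirmation'];?>..........
+Removing Directory and files /modules/<?php print htmlspecialchars($_POST['confirmation'], ENT_QUOTES, 'UTF-8');?>..........
 <?php
 $directory = $tickets_dir . "/modules/" . $module_name;
 $rem_dir = rmdir_recurse($directory);
@@ -162,7 +162,7 @@ function rmdir_recurse($path) {
 <DIV style='background-color:#CECECE; position: absolute; width: 40%; height: 20%; left: 5%; top: 10%; border:2px inset #FFF2BF; display: block'>
 <TABLE BORDER="0">
 <TH COLSPAN="2">Delete a Tickets Module<BR /></TH>
-<FORM NAME="delete_1" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
+<FORM NAME="delete_1" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post">
 <TR CLASS="even"><TD CLASS="td_label">Module: </TD><TD><?php print $choice;?></TD>
 <TR CLASS="even"><TD COLSPAN="2" ALIGN="center"><input type="submit" name="submit" value="Submit" /></TD></TR>
 </FORM></TABLE>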
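Review bot: Escaping `$_POST['confirmation']` for display in the second and third hunks does not constrain the value that reaches `rmdir_recurse($directory)` and the `DROP table` query in those same hunks, where `$module_name` and `$table` are assigned outside the visible lines; if either derives from `$_POST['confirmation']` or `$_POST['module_choice']`, the filesystem and SQL uses need input validation rather than output encoding — for instance, reject anything that is not an exact match (`in_array(..., true)`) against the list of installed module names before the drop and the directory removal run. The hidden `confirmation` field round-trips the choice through the client, so that check must happen on the request that performs the deletion, not on the confirmation page. The `$table` printed raw on the "Dropping Table" line deserves the same treatment as the other values once its origin is confirmed. rmdir_recurse() and mod_table_exists() from the hunk headers are defined outside the hunks.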

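--- a/do_unit_mail.php
+++ b/do_unit_mail.php
@@ -66,7 +66,7 @@ function subval_sort($a,$subkey) {
 } elseif((!(empty($_GET))) && (array_key_exists('the_ticket', $_GET)) && $_GET['the_ticket'] == "doselect") { // 10/23/12
 $step = 1;
 } elseif((!(empty($_GET))) && (array_key_exists('the_ticket', $_GET)) && $_GET['the_ticket'] != "undefined" && $_GET['the_ticket'] != "doselect") { // 10/23/12
-$tik_id = $_GET['the_ticket'];
+$tik_id = intval($_GET['the_ticket']);
 $step = (((integer) $_GET['the_ticket'])==0)? 0 : 2 ;
 } else {
 // dump(__LINE__);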
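Review bot: The line after the new cast still reads the raw `$_GET['the_ticket']` to compute `$step`, so the same request value is now converted twice by two different routes (`intval()` and `(integer)`); deriving it from the new variable keeps a single source of truth — `$step = ($tik_id === 0) ? 0 : 2;`. The `elseif` chain this sits in starts above the hunk and already guards the key with `array_key_exists`, so no `??` fallback is needed on this line. subval_sort() from the hunk header is not the enclosing scope of these lines.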

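--- a/icons/buttons/landb.php
+++ b/icons/buttons/landb.php
@@ -632,7 +632,7 @@ function waiter() {
 </SCRIPT>
 </HEAD>
 <BODY onLoad = "waiter();">
-<DIV align="center" ID = 'c_id'><BR /><BR /><BR/><H3>'<?php echo $_POST['frm_name'];?>' added</H3></DIV>
+<DIV align="center" ID = 'c_id'><BR /><BR /><BR/><H3>'<?php echo htmlspecialchars($_POST['frm_name'], ENT_QUOTES, 'UTF-8');?>' added</H3></DIV>
 </BODY></HTML>
 <?php
 break; // end case "c"
@@ -979,14 +979,14 @@ function toggle(the_value) {
 <SCRIPT>
 function waiter() {
 document.navform._func.value="r";
-document.navform.id.value=<?php echo $_POST['frm_id'];?>
+document.navform.id.value=<?php echo intval($_POST['frm_id']);?>
 // fade("up_id;")
 setTimeout("document.navform.submit()",2000);
 }
 </SCRIPT>
 </HEAD>
 <BODY onLoad = "waiter();">
-<DIV align="center" ID = 'up_id'><BR /><BR /><BR/><H3>'<?php echo $_POST['frm_name'];?>' update complete</H3></DIV>
+<DIV align="center" ID = 'up_id'><BR /><BR /><BR/><H3>'<?php echo htmlspecialchars($_POST['frm_name'], ENT_QUOTES, 'UTF-8');?>' update complete</H3></DIV>
 </BODY>
 </HTML>
 <?php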
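Review bot: The new `document.navform.id.value=<?php echo intval($_POST['frm_id']);?>` line in the second hunk emits a JS statement with no terminator; it parses today only because the next token is a comment followed by a newline, and `document.navform.id.value = <?php echo intval($_POST['frm_id']);?>;` is the conventional form that survives a later reformat. `intval()` is the right choice for that unquoted JS position, since the output is always a bare integer literal. The `waiter()` in the first hunk is defined above the visible lines.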

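--- a/ics202.php
+++ b/ics202.php
@@ -219,7 +219,7 @@ function in_check( $name, $tabindex, $value, $ischecked) { // <input type=text
 echo template_ics ($item); // fills form with default $item entries
 ?>
 <input type = 'hidden' name = 'step' value = 2 />
-<input type = 'hidden' name = 'frm_add_str' value = '<?php echo $_POST['frm_add_str'];?>'/>
+<input type = 'hidden' name = 'frm_add_str' value = '<?php echo htmlspecialchars($_POST['frm_add_str'], ENT_QUOTES, 'UTF-8');?>'/>
 </form>
 <script>
 function validate(our_form) { // ics form name check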
