sync: myaac improves (#52)

CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## [0-8.14 - 29.11.2023]
+Security fixes.
+
+### Fixed
+* XSS vulnerability in bugtracker and  forum
+* Session Fixation
+* displaying ban info on account page
+
+### Changed
+* Clear some additional cache keys - like database cache
+
+## [0.8.13 - 29.11.2023]
+
+### Added
+* Add further new clients versions.
+* patching from develop - twig context for hooks
+
+### Fixed
+* fixed XSS vulnerability in some pages
+
 ## [0.8.12 - 07.08.2023]
 I've moved the repository back to my personal account. (Just so you know!)
 

VERSION

@@ -1 +1 @@
-0.8.12
+0.8.14

admin/pages/accounts.php

@@ -439,7 +439,8 @@ class="fa fa-remove"></i> Cancel</span></a>
         <div class="box-body">
             <form action="<?= $base; ?>" method="post">
                 <div class="input-group input-group-sm">
-                    <input type="text" class="form-control" name="search_name" value="<?= $search_account; ?>"
+                    <input type="text" class="form-control" name="search_name"
+                           value="<?= escapeHtml($search_account) ?>"
                            maxlength="32" size="32">
                     <span class="input-group-btn">
                           <button type="submit" type="button" class="btn btn-success"><i class="fa fa-search"></i> Search</button>

admin/pages/items.php

@@ -11,26 +11,24 @@
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Load items.xml';
 
-require LIBS . 'items.php';
-require LIBS . 'weapons.php';
+require_once LIBS . 'items.php';
+require_once LIBS . 'weapons.php';
 
 $twig->display('admin.items.html.twig');
 
 $reload = isset($_REQUEST['reload']) && (int)$_REQUEST['reload'] === 1;
 if ($reload) {
-	$items_start_time = microtime(true);
-	if (Items::loadFromXML(true)) {
-		success('Successfully loaded items (in ' . round(microtime(true) - $items_start_time, 4) . ' seconds).');
-	}
-	else {
-		error(Items::getError());
-	}
+    $items_start_time = microtime(true);
+    if (Items::loadFromXML(true)) {
+        success('Successfully loaded items (in ' . round(microtime(true) - $items_start_time, 4) . ' seconds).');
+    } else {
+        error(Items::getError());
+    }
 
-	$weapons_start_time = microtime(true);
-	if (Weapons::loadFromXML(true)) {
-		success('Successfully loaded weapons (in ' . round(microtime(true) - $weapons_start_time, 4) . ' seconds).');
-	}
-	else {
-		error(Weapons::getError());
-	}
+    $weapons_start_time = microtime(true);
+    if (Weapons::loadFromXML(true)) {
+        success('Successfully loaded weapons (in ' . round(microtime(true) - $weapons_start_time, 4) . ' seconds).');
+    } else {
+        error(Weapons::getError());
+    }
 }

admin/pages/players.php

@@ -777,7 +777,7 @@ class="slider form-control" id="look_feet" name="look_feet">
 			<div class="box-body">
 				<form action="<?php echo $base; ?>" method="post">
 					<div class="input-group input-group-sm">
-						<input type="text" class="form-control" name="search_name" value="<?php echo $search_name; ?>"
+						<input type="text" class="form-control" name="search_name" value="<?= escapeHtml($search_name) ?>"
 							   maxlength="32" size="32">
 						<span class="input-group-btn">
                           <button type="submit" type="button" class="btn btn-success"><i class="fa fa-search"></i> Search</button>

common.php

@@ -1,4 +1,5 @@
 <?php
+global $config;
 /**
  * Project: MyAAC
  *     Automatic Account Creator for Open Tibia Servers
@@ -27,7 +28,7 @@
 if (version_compare(phpversion(), '7.4', '<')) die('PHP version 7.4 or higher is required.');
 
 define('MYAAC', true);
-define('MYAAC_VERSION', '0.8.12');
+define('MYAAC_VERSION', '0.8.14');
 define('DATABASE_VERSION', 34);
 define('TABLE_PREFIX', 'myaac_');
 define('START_TIME', microtime(true));
@@ -102,6 +103,10 @@
 $basedir = str_replace(array('/admin', '/install', '/tools'), '', $basedir);
 define('BASE_DIR', $basedir);
 
+if (file_exists(BASE . 'config.local.php')) {
+    require BASE . 'config.local.php';
+}
+
 if (!IS_CLI) {
     if (isset($_SERVER['HTTP_HOST'][0])) {
         $baseHost = $_SERVER['HTTP_HOST'];
@@ -119,6 +124,8 @@
 
     //define('CURRENT_URL', BASE_URL . $_SERVER['REQUEST_URI']);
 
-    require SYSTEM . 'exception.php';
+    if (@$config['env'] === 'dev') {
+        require SYSTEM . 'exception.php';
+    }
 }
 require SYSTEM . 'autoload.php';

nginx-sample.conf

@@ -25,7 +25,7 @@ server {
     	}
 
 	location / {
-		try_files $uri $uri/ /index.php;
+		try_files $uri $uri/ /index.php?$query_string;
 	}
 
 	location ~ \.php$ {

system/clients.conf.php

@@ -106,4 +106,6 @@
     1316,
 	1320,
 	1321,
+    1322,
+    1330,
 ];

system/functions.php

@@ -1183,9 +1183,30 @@ function clearCache()
         if ($cache->fetch('failed_logins', $tmp))
             $cache->delete('failed_logins');
 
-        global $template_name;
-        if ($cache->fetch('template_ini' . $template_name, $tmp))
-            $cache->delete('template_ini' . $template_name);
+        foreach (get_templates() as $template) {
+            if ($cache->fetch('template_ini_' . $template, $tmp)) {
+                $cache->delete('template_ini_' . $template);
+            }
+        }
+
+        if ($cache->fetch('template_menus', $tmp)) {
+            $cache->delete('template_menus');
+        }
+        if ($cache->fetch('database_tables', $tmp)) {
+            $cache->delete('database_tables');
+        }
+        if ($cache->fetch('database_columns', $tmp)) {
+            $cache->delete('database_columns');
+        }
+        if ($cache->fetch('database_checksum', $tmp)) {
+            $cache->delete('database_checksum');
+        }
+        if ($cache->fetch('hooks', $tmp)) {
+            $cache->delete('hooks');
+        }
+        if ($cache->fetch('last_kills', $tmp)) {
+            $cache->delete('last_kills');
+        }
     }
 
     deleteDirectory(CACHE . 'signatures', ['index.html'], true);

system/login.php

@@ -90,6 +90,7 @@
             if ($account_logged->isLoaded() && encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password) == $account_logged->getPassword()
                 && (!isset($t) || $t['attempts'] < 5)
             ) {
+                session_regenerate_id();
                 setSession('account', $account_logged->getNumber());
                 setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
                 if ($remember_me) {

system/pages/bugtracker.php

@@ -55,7 +55,7 @@
                     $value = '<span style="color: blue">[NEW ANSWER]</span>';
 
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
-                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.escapeHtml($bug[2]['subject']).' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td><i><b>Posted by</b></i></td><td>';
 
                 foreach($players as $player)
@@ -184,7 +184,7 @@
                 echo '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['vdarkborder'].'><TD COLSPAN=2 CLASS=white><B>Bug Tracker</B></TD></TR>';
                 echo '<TR BGCOLOR="'.$dark.'"><td width=40%><i><b>Subject</b></i></td><td>'.$tags[$bug[2]['tag']].' '.$bug[2]['subject'].' '.$value.'</td></tr>';
                 echo '<TR BGCOLOR="'.$light.'"><td colspan=2><i><b>Description</b></i></td></tr>';
-                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br($bug[2]['text']).'</td></tr>';
+                echo '<TR BGCOLOR="'.$dark.'"><td colspan=2>'.nl2br(escapeHtml($bug[2]['text'])).'</td></tr>';
                 echo '</TABLE>';
 
                 $answers = $db->query('SELECT * FROM '.$db->tableName('myaac_bugtracker').' where `account` = '.$account_logged->getId().' and `id` = '.$id.' and `type` = 2 order by `reply`');
@@ -275,7 +275,7 @@
                         $bgcolor = $light;
                     }
 
-                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.$report['subject'].'</a></td><td>'.$value.'</td></tr>';
+                    echo '<TR BGCOLOR="'.$bgcolor.'"><td width=75%><a href="?subtopic=bugtracker&id='.$report['id'].'">'.$tags[$report['tag']].' '.escapeHtml($report['subject']).'</a></td><td>'.$value.'</td></tr>';
 
                     $showed=true;
                 }

system/pages/forum/edit_post.php

@@ -33,6 +33,9 @@
                 $post_topic = stripslashes(trim($_REQUEST['topic']));
                 $smile = isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0;
                 $html = isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0;
+                if (!superAdmin()) {
+                    $html = 0;
+                }
                 $length = strlen($post_topic);
                 if (($length < 1 || $length > 60) && $thread['id'] == $thread['first_post'])
                     $errors[] = "Too short or too long topic (Length: $length letters). Minimum 1 letter, maximum 60 letters.";

system/pages/forum/new_post.php

@@ -30,6 +30,9 @@
         $smile = (int)$_REQUEST['smile'] ?? 0;
         $html = (int)$_REQUEST['html'] ?? 0;
         $saved = false;
+        if (!superAdmin()) {
+            $html = 0;
+        }
         if (isset($_REQUEST['quote'])) {
             $quoted_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`id` = " . (int)$quote)->fetchAll();
             if (isset($quoted_post[0]['name']))

system/pages/forum/new_thread.php

@@ -25,6 +25,9 @@
             $post_topic = isset($_REQUEST['topic']) ? stripslashes($_REQUEST['topic']) : '';
             $smile = (isset($_REQUEST['smile']) ? (int)$_REQUEST['smile'] : 0);
             $html = (isset($_REQUEST['html']) ? (int)$_REQUEST['html'] : 0);
+            if (!superAdmin()) {
+                $html = 0;
+            }
             $saved = false;
             if (isset($_REQUEST['save'])) {
                 $length = strlen($post_topic);

templates/tibiacom/account.management.html.twig

@@ -5,7 +5,7 @@
         <img src="{{ template_path }}/images/content/headline-bracer-left.gif"/>
       </td>
       <td
-        style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;">{{ welcome_message }}
+        style="text-align:center;vertical-align:middle;horizontal-align:center;font-size:17px;font-weight:bold;">{{ welcome_message|raw }}
       </td>
       <td><img src="{{ template_path }}/images/content/headline-bracer-right.gif"/></td>
     </tr>

templates/tibiacom/index.php

@@ -52,7 +52,7 @@ function CollapseTable(a_ID) {
         <?php
         if (PAGE !== 'news') {
             if (strpos(URI, 'subtopic=') !== false) {
-                $tmp = $_REQUEST['subtopic'];
+                $tmp = escapeHtml($_REQUEST['subtopic']);
                 if ($tmp === 'accountmanagement') {
                     $tmp = 'accountmanage';
                 }