From 0d00adb2cbceac10d9261f04aa3a9ba818a4e1a0 Mon Sep 17 00:00:00 2001
From: Daniel Winzen
Date: Sat, 19 Dec 2015 20:05:59 +0100
Subject: [PATCH] Fix XSS vulnerability in change nickname + make it available for registered users only
---
 CHANGELOG | 3 +++
 chat.php | 19 +++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index b68006b..246d643 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+Version 1.15.1 - Dec. 19, 2015
+Fix XSS vulnerability in change nickname + make it available for registered users only
+
 Version 1.15 - Dec. 17, 2015
 Made code reading easier for newbies
 Removed inefficient memcached caching of members and ignored
diff --git a/chat.php b/chat.php
index cfedbe6..d168bd0 100755
--- a/chat.php
+++ b/chat.php
@@ -1721,13 +1721,13 @@ function send_profile($arg=''){
 echo " $I[confirmpass]"; echo ''; thr(); + echo ""; + echo '
$I[changenickname]
'; + echo ""; + echo ""; + echo '
 $I[newnickname]
 $I[newpass]
'; + thr(); } - echo ""; - echo '
$I[changenickname]
'; - echo ""; - echo ""; - echo '
 $I[newnickname]
 $I[newpass]
'; - thr(); echo ''.submit($I['savechanges'])."
$H[backtochat]"; print_end(); }
@@ -2432,7 +2432,7 @@ function save_profile(){
 $stmt=$db->prepare("INSERT INTO $C[prefix]ignored (ign, ignby) VALUES (?, ?);");
 $stmt->execute(array($_REQUEST['ignore'], $U['nickname']));
 }
- if(!empty($_REQUEST['newnickname'])){
+ if($U['status']>1 && !empty($_REQUEST['newnickname'])){
 set_new_nickname();
 }
 if(!empty($_REQUEST['newpass']) && !valid_pass($_REQUEST['newpass'])){
@@ -2446,6 +2446,9 @@ function set_new_nickname(){
 if(!isSet($_REQUEST['new_pass']) || !valid_pass($_REQUEST['new_pass'])){
 send_profile(sprintf($I['nopass'], get_setting('minpass')));
 }
+ if(!valid_nick($_REQUEST['newnickname'])){
+ send_profile(sprintf($I['invalnick'], get_setting('maxname')));
+ }
 $U['passhash']=md5(sha1(md5($_REQUEST['newnickname'].$_REQUEST['new_pass'])));
 $stmt=$db->prepare("SELECT id FROM $C[prefix]sessions WHERE nickname=? UNION SELECT id FROM $C[prefix]members WHERE nickname=?;");
 $stmt->execute(array($_REQUEST['newnickname'], $_REQUEST['newnickname']));
@@ -3369,7 +3372,7 @@ function load_lang(){
 function load_config(){
 global $C;
 $C=array(
- 'version' =>'1.15', // Script version
+ 'version' =>'1.15.1', // Script version
 'dbversion' =>14, // Database version
 'keeplimit' =>3, // Amount of messages to keep in the database (multiplied with max messages displayed) - increase if you have many private messages
 'msgencrypted' =>false, // Store messages encrypted in the database to prevent other database users from reading them - true/false - visit the setup page after editing!
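Review bot: The registered-user gate in save_profile() lives only at this call site, `if($U['status']>1 && !empty($_REQUEST['newnickname'])){`, so set_new_nickname() itself still trusts whoever calls it; if that function has or later gains another entry point, the restriction is bypassed. Consider repeating the precondition at the top of set_new_nickname(), e.g. `if($U['status']<=1) return;`, so the function enforces its own access rule. The meaning of the status values is not visible in this hunk; if `1` is the guest level, a short comment on the new line such as `// status 1 = guest, >1 = registered member` would make the threshold self-explaining instead of a magic number. save_profile() begins before and continues past this hunk.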
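Review bot: The new valid_nick() check only keeps a rejected nickname away from the `$U['passhash']=` and session/member lookup lines below it if send_profile() never returns; nothing in this hunk shows it exiting, and the pre-existing `nopass` branch leans on the same assumption. If send_profile() can fall through, add an explicit `return;` (or `exit;`, whichever the codebase uses) after each `send_profile(...)` call here. Since the commit title attributes the XSS fix to this check, valid_nick()'s allowed character set should be confirmed to exclude `<`, `>`, `"`, `'` and `&`, or nicknames should still be escaped wherever they are echoed. Out of scope for this patch but worth a follow-up: the unchanged `md5(sha1(md5(...)))` password hash on the next line is unsalted and fast, and password_hash()/password_verify() would be the modern replacement. set_new_nickname() continues past this hunk.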