
Plugins Manager plugin: CSRF vulnerability resolved

This commit is contained in:
Awilum
2012-10-03 15:04:02 +03:00
parent 831a4d8ecb
commit 582c469148
2 changed files with 56 additions and 42 deletions

14
plugins/box/plugins/plugins.admin.php Normal file → Executable file

@@ -29,6 +29,8 @@
// ------------------------------------- // -------------------------------------
if (Request::get('delete_plugin')) { if (Request::get('delete_plugin')) {
if (Security::check(Request::get('token'))) {
// Nobody cant remove box plugins // Nobody cant remove box plugins
if ($installed_plugins[Text::lowercase(str_replace("Plugin", "", Request::get('delete_plugin')))]['privilege'] !== 'box') { if ($installed_plugins[Text::lowercase(str_replace("Plugin", "", Request::get('delete_plugin')))]['privilege'] !== 'box') {
@@ -47,6 +49,8 @@
// Redirect // Redirect
Request::redirect('index.php?id=plugins'); Request::redirect('index.php?id=plugins');
} }
} else { die('csrf detected!'); }
} }
@@ -54,6 +58,8 @@
// ------------------------------------- // -------------------------------------
if (Request::get('install')) { if (Request::get('install')) {
if (Security::check(Request::get('token'))) {
// Load plugin install xml file // Load plugin install xml file
$plugin_xml = XML::loadFile(PLUGINS . DS . basename(Text::lowercase(Request::get('install')), '.manifest.xml') . DS . 'install' . DS . Request::get('install')); $plugin_xml = XML::loadFile(PLUGINS . DS . basename(Text::lowercase(Request::get('install')), '.manifest.xml') . DS . 'install' . DS . Request::get('install'));
@@ -73,14 +79,22 @@
} }
Request::redirect('index.php?id=plugins'); Request::redirect('index.php?id=plugins');
} else { die('csrf detected!'); }
} }
// Delete plugin from server // Delete plugin from server
// ------------------------------------- // -------------------------------------
if (Request::get('delete_plugin_from_server')) { if (Request::get('delete_plugin_from_server')) {
if (Security::check(Request::get('token'))) {
Dir::delete(PLUGINS . DS . basename(Request::get('delete_plugin_from_server'), '.manifest.xml')); Dir::delete(PLUGINS . DS . basename(Request::get('delete_plugin_from_server'), '.manifest.xml'));
Request::redirect('index.php?id=plugins'); Request::redirect('index.php?id=plugins');
} else { die('csrf detected!'); }
} }
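Review bot: The `install` branch still builds the file path with a second, unsanitised use of `Request::get('install')` — only the directory component goes through `basename()`, while the final component after `'install' . DS .` is the raw parameter — so a crafted value can make `XML::loadFile` read a file outside the plugin's `install/` directory; the new token check only restricts this to requests an authenticated admin actually sends. Wrapping the second use as `... . DS . 'install' . DS . basename(Request::get('install'))` confines both components. The three `die('csrf detected!')` branches also end the request with a normal 200 and a plain-text body; if the framework exposes a way to set a status, a 403 would be more useful to scanners and log review. The body of the `install` branch continues past the hunk, so I can't see what is done with `$plugin_xml` before the redirect.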

6
plugins/box/plugins/views/backend/index.view.php Normal file → Executable file

@@ -42,7 +42,7 @@
</td> </td>
<td> <td>
<?php echo Html::anchor(__('Uninstall', 'plugins'), <?php echo Html::anchor(__('Uninstall', 'plugins'),
'index.php?id=plugins&delete_plugin='.$plugin['id'], 'index.php?id=plugins&delete_plugin='.$plugin['id'].'&token='.Security::token(),
array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete plugin :plugin', 'plugins', array(':plugin' => $plugin['id']))."')")); array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete plugin :plugin', 'plugins', array(':plugin' => $plugin['id']))."')"));
?> ?>
</td> </td>
@@ -81,9 +81,9 @@
<?php echo $plugin_xml->plugin_version; ?> <?php echo $plugin_xml->plugin_version; ?>
</td> </td>
<td> <td>
<?php echo Html::anchor(__('Install', 'plugins'), 'index.php?id=plugins&install='.$plug['plugin'], array('class' => 'btn btn-actions')); ?> <?php echo Html::anchor(__('Install', 'plugins'), 'index.php?id=plugins&install='.$plug['plugin'].'&token='.Security::token(), array('class' => 'btn btn-actions')); ?>
<?php echo Html::anchor(__('Delete', 'plugins'), <?php echo Html::anchor(__('Delete', 'plugins'),
'index.php?id=plugins&delete_plugin_from_server='.Text::lowercase(basename($plug['path'],'.manifest.xml')), 'index.php?id=plugins&delete_plugin_from_server='.Text::lowercase(basename($plug['path'],'.manifest.xml')).'&token='.Security::token(),
array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete plugin :plugin', 'plugins', array(':plugin' => Text::lowercase(basename($plug['path'],'.manifest.xml'))) )."')")); array('class' => 'btn btn-actions', 'onclick' => "return confirmDelete('".__('Delete plugin :plugin', 'plugins', array(':plugin' => Text::lowercase(basename($plug['path'],'.manifest.xml'))) )."')"));
?> ?>
</td> </td>
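Review bot: The token is appended to the `href` of ordinary GET links for uninstall, install and delete-from-server, so each state-changing action is still triggered by a GET and the token travels in the URL, where it ends up in browser history, server and proxy logs, and the Referer header of any page reached from this view. Rendering each action as a small POST form with a hidden `token` field, and having the handler read the token from the POST body rather than the query string, keeps the secret out of URLs. I can't tell from this hunk whether `Html::anchor()` attribute-escapes its URL argument, so if `Security::token()` can ever contain characters outside a hex/alphanumeric alphabet it should pass through `htmlspecialchars()` first. Whether `Security::token()` returns a stable per-session value or regenerates on every call, which would break multiple tabs and the back button, is not visible here and is worth confirming. The uninstall cell, as one example of the form shape:

```php
<td>
    <form method="post" action="index.php?id=plugins" style="display:inline">
        <input type="hidden" name="delete_plugin" value="<?php echo htmlspecialchars($plugin['id'], ENT_QUOTES, 'UTF-8'); ?>">
        <input type="hidden" name="token" value="<?php echo htmlspecialchars(Security::token(), ENT_QUOTES, 'UTF-8'); ?>">
        <button type="submit" class="btn btn-actions"
                onclick="return confirmDelete('<?php echo __('Delete plugin :plugin', 'plugins', array(':plugin' => $plugin['id'])); ?>')">
            <?php echo __('Uninstall', 'plugins'); ?>
        </button>
    </form>
</td>
<?php // … unchanged: install and delete-from-server cells, same pattern with their own hidden field … ?>
```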