FIXED: Remote code execution vulnerability (reported by rgod)

FIXED: createItemLink / createMemberLink ignored their 'extra' parameter

git-svn-id: https://svn.sourceforge.jp/svnroot/nucleus-jp/nucleus-jp/branches/branch-3-2@143 1ca29b6e-896d-4ea0-84a5-967f57386b96

diff --git a/euc/install.sql b/euc/install.sql
index 982ee29..29f325b 100755 (executable)
--- a/euc/install.sql
+++ b/euc/install.sql
@@ -108,7 +108,7 @@ INSERT INTO `nucleus_config` VALUES ('BaseSkin', '5');
 INSERT INTO `nucleus_config` VALUES ('SkinsURL', 'http://localhost:8080/nucleus/skins/');\r
 INSERT INTO `nucleus_config` VALUES ('ActionURL', 'http://localhost:8080/nucleus/action.php');\r
 INSERT INTO `nucleus_config` VALUES ('URLMode', 'normal');\r
-INSERT INTO `nucleus_config` VALUES ('DatabaseVersion', '322');\r
+INSERT INTO `nucleus_config` VALUES ('DatabaseVersion', '323');\r
 \r
 CREATE TABLE `nucleus_item` (\r
   `inumber` int(11) NOT NULL auto_increment,\r

diff --git a/euc/nucleus/libs/PLUGINADMIN.php b/euc/nucleus/libs/PLUGINADMIN.php
index 47640ad..7fd41fb 100755 (executable)
--- a/euc/nucleus/libs/PLUGINADMIN.php
+++ b/euc/nucleus/libs/PLUGINADMIN.php
@@ -15,12 +15,13 @@
   *\r
  * @license http://nucleuscms.org/license.txt GNU General Public License\r
  * @copyright Copyright (C) 2002-2005 The Nucleus Group\r
- * @version $Id: PLUGINADMIN.php,v 1.3.2.1 2005-08-23 08:08:38 kimitake Exp $\r
- * @version $NucleusJP: PLUGINADMIN.php,v 1.3 2005/03/16 08:10:35 kimitake Exp $\r
+ * @version $Id: PLUGINADMIN.php,v 1.3.2.2 2006-05-23 20:38:39 kimitake Exp $\r
+ * @version $NucleusJP: PLUGINADMIN.php,v 1.3.2.1 2005/08/23 08:08:38 kimitake Exp $\r
   */\r
 \r
 global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS;\r
-$aVarsToCheck = array('DIR_LIBS');\r
+$aVarsToCheck = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES', 'HTTP_SERVER_VARS', 'GLOBALS', 'argv', 'argc', '_GET', '_POST', '_COOKIE', '_ENV', '_SESSION', '_SERVER', '_FILES', 'DIR_LIBS');\r
+\r
 foreach ($aVarsToCheck as $varName)\r
 {\r
        if (phpversion() >= '4.1.0')\r
@@ -47,6 +48,8 @@ foreach ($aVarsToCheck as $varName)
        }\r
 }\r
 \r
+if (!isset($DIR_LIBS))\r
+       die('Sorry.');\r
 \r
 include($DIR_LIBS . 'ADMIN.php');\r
 \r

diff --git a/euc/nucleus/libs/globalfunctions.php b/euc/nucleus/libs/globalfunctions.php
index 935efda..4865ff7 100755 (executable)
--- a/euc/nucleus/libs/globalfunctions.php
+++ b/euc/nucleus/libs/globalfunctions.php
@@ -13,19 +13,19 @@
 /**\r
  * @license http://nucleuscms.org/license.txt GNU General Public License\r
  * @copyright Copyright (C) 2002-2005 The Nucleus Group\r
- * @version $Id: globalfunctions.php,v 1.6.2.3 2005-08-23 08:08:38 kimitake Exp $\r
- * @version $NucleusJP: globalfunctions.php,v 1.6.2.2 2005/07/01 06:36:16 kimitake Exp $\r
+ * @version $Id: globalfunctions.php,v 1.6.2.4 2006-05-23 20:38:39 kimitake Exp $\r
+ * @version $NucleusJP: globalfunctions.php,v 1.6.2.3 2005/08/23 08:08:38 kimitake Exp $\r
   */\r
 \r
 // needed if we include globalfunctions from install.php\r
 global $nucleus, $CONF, $DIR_LIBS, $DIR_LANG, $manager, $member; \r
 \r
 \r
-checkVars(array('nucleus', 'CONF', 'DIR_LIBS', 'MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASSWORD', 'MYSQL_DATABASE', 'DIR_LANG', 'DIR_PLUGINS'));\r
+checkVars(array('nucleus', 'CONF', 'DIR_LIBS', 'MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASSWORD', 'MYSQL_DATABASE', 'DIR_LANG', 'DIR_PLUGINS', 'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES', 'HTTP_SERVER_VARS', 'GLOBALS', 'argv', 'argc', '_GET', '_POST', '_COOKIE', '_ENV', '_SESSION', '_SERVER', '_FILES'));\r
 \r
 $CONF['debug'] = 0;\r
 \r
-$nucleus['version'] = 'v3.22';\r
+$nucleus['version'] = 'v3.23';\r
 if (getNucleusPatchLevel() > 0)\r
 {\r
        $nucleus['version'] .= '/' . getNucleusPatchLevel();\r
@@ -52,7 +52,7 @@ $CONF['alertOnSecurityRisk'] = 1;
   * returns the currently used version (100 = 1.00, 101 = 1.01, etc...)\r
   */\r
 function getNucleusVersion() {\r
-       return 322;\r
+       return 323;\r
 }\r
 \r
 /**\r
@@ -977,10 +977,10 @@ if (      ($CONF['URLMode'] == 'pathinfo')
   * Centralisation of the functions that generate links\r
   */\r
 function createItemLink($itemid, $extra = '') {\r
-       return createLink('item', array('itemid' => $itemid));\r
+       return createLink('item', array('itemid' => $itemid, 'extra' => $extra) );\r
 }\r
 function createMemberLink($memberid, $extra = '') {\r
-       return createLink('member', array('memberid' => $memberid));\r
+       return createLink('member', array('memberid' => $memberid, 'extra' => $extra) );\r
 }\r
 function createCategoryLink($catid, $extra = '') {\r
        return createLink('category', array('catid' => $catid, 'extra' => $extra));\r

diff --git a/utf8/install.sql b/utf8/install.sql
index 91e8948..b399987 100755 (executable)
--- a/utf8/install.sql
+++ b/utf8/install.sql
@@ -108,7 +108,7 @@ INSERT INTO `nucleus_config` VALUES ('BaseSkin', '5');
 INSERT INTO `nucleus_config` VALUES ('SkinsURL', 'http://localhost:8080/nucleus/skins/');\r
 INSERT INTO `nucleus_config` VALUES ('ActionURL', 'http://localhost:8080/nucleus/action.php');\r
 INSERT INTO `nucleus_config` VALUES ('URLMode', 'normal');\r
-INSERT INTO `nucleus_config` VALUES ('DatabaseVersion', '322');\r
+INSERT INTO `nucleus_config` VALUES ('DatabaseVersion', '323');\r
 \r
 CREATE TABLE `nucleus_item` (\r
   `inumber` int(11) NOT NULL auto_increment,\r

diff --git a/utf8/nucleus/documentation/history.html b/utf8/nucleus/documentation/history.html
index 568d9cf..fe12f8f 100755 (executable)
--- a/utf8/nucleus/documentation/history.html
+++ b/utf8/nucleus/documentation/history.html
@@ -1,8 +1,8 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\r
 <html xmlns="http://www.w3.org/1999/xhtml" lang="ja-JP" xml:lang="ja-JP">\r
 <head>\r
-       <!-- $Id: history.html,v 1.3.2.2 2005-09-09 07:34:11 kimitake Exp $ -->\r
-       <!-- $NucleusJP: history.html,v 1.3.2.1 2005/06/30 21:13:23 kimitake Exp $ -->\r
+       <!-- $Id: history.html,v 1.3.2.3 2006-05-23 20:38:40 kimitake Exp $ -->\r
+       <!-- $NucleusJP: history.html,v 1.3.2.2 2005/09/09 07:34:11 kimitake Exp $ -->\r
        <title>Nucleus - History</title>\r
        <link rel="stylesheet" type="text/css" href="styles/manual.css" />\r
 </head>\r
@@ -16,6 +16,12 @@
 \r
 <ul>\r
        <li>\r
+               <b>Nucleus v3.23 (May 23, 2006)</b>\r
+               <ul>\r
+                       <li>FIXED: Remote code execution vulnerability (reported by rgod).</li>\r
+               </ul>\r
+       </li>\r
+       <li>\r
                <b>Nucleus v3.22 (August 21, 2005)</b>\r
                <ul>\r
                        <li>FIXED: Major security vulnerability in the phpxmlrpc library.</li>\r

diff --git a/utf8/nucleus/libs/PLUGINADMIN.php b/utf8/nucleus/libs/PLUGINADMIN.php
index a7ae332..ad12081 100755 (executable)
--- a/utf8/nucleus/libs/PLUGINADMIN.php
+++ b/utf8/nucleus/libs/PLUGINADMIN.php
@@ -15,12 +15,13 @@
   *\r
  * @license http://nucleuscms.org/license.txt GNU General Public License\r
  * @copyright Copyright (C) 2002-2005 The Nucleus Group\r
- * @version $Id: PLUGINADMIN.php,v 1.3.2.1 2005-08-25 07:04:14 kimitake Exp $\r
- * @version $NucleusJP$\r
+ * @version $Id: PLUGINADMIN.php,v 1.3.2.2 2006-05-23 20:38:40 kimitake Exp $\r
+ * @version $NucleusJP: PLUGINADMIN.php,v 1.3.2.1 2005/08/25 07:04:14 kimitake Exp $\r
   */\r
 \r
 global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_ENV_VARS, $HTTP_POST_FILES, $HTTP_SESSION_VARS;\r
-$aVarsToCheck = array('DIR_LIBS');\r
+$aVarsToCheck = array('HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES', 'HTTP_SERVER_VARS', 'GLOBALS', 'argv', 'argc', '_GET', '_POST', '_COOKIE', '_ENV', '_SESSION', '_SERVER', '_FILES', 'DIR_LIBS');\r
+\r
 foreach ($aVarsToCheck as $varName)\r
 {\r
        if (phpversion() >= '4.1.0')\r
@@ -47,6 +48,8 @@ foreach ($aVarsToCheck as $varName)
        }\r
 }\r
 \r
+if (!isset($DIR_LIBS))\r
+       die('Sorry.');\r
 \r
 include($DIR_LIBS . 'ADMIN.php');\r
 \r

diff --git a/utf8/nucleus/libs/globalfunctions.php b/utf8/nucleus/libs/globalfunctions.php
index 793d0b7..3098b12 100755 (executable)
--- a/utf8/nucleus/libs/globalfunctions.php
+++ b/utf8/nucleus/libs/globalfunctions.php
@@ -13,19 +13,19 @@
 /**\r
  * @license http://nucleuscms.org/license.txt GNU General Public License\r
  * @copyright Copyright (C) 2002-2005 The Nucleus Group\r
- * @version $Id: globalfunctions.php,v 1.5.2.3 2005-08-25 07:04:14 kimitake Exp $\r
- * @version $NucleusJP: globalfunctions.php,v 1.5.2.2 2005/07/01 06:39:49 kimitake Exp $\r
+ * @version $Id: globalfunctions.php,v 1.5.2.4 2006-05-23 20:38:40 kimitake Exp $\r
+ * @version $NucleusJP: globalfunctions.php,v 1.5.2.3 2005/08/25 07:04:14 kimitake Exp $\r
   */\r
 \r
 // needed if we include globalfunctions from install.php\r
 global $nucleus, $CONF, $DIR_LIBS, $DIR_LANG, $manager, $member; \r
 \r
 \r
-checkVars(array('nucleus', 'CONF', 'DIR_LIBS', 'MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASSWORD', 'MYSQL_DATABASE', 'DIR_LANG', 'DIR_PLUGINS'));\r
+checkVars(array('nucleus', 'CONF', 'DIR_LIBS', 'MYSQL_HOST', 'MYSQL_USER', 'MYSQL_PASSWORD', 'MYSQL_DATABASE', 'DIR_LANG', 'DIR_PLUGINS', 'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_SESSION_VARS', 'HTTP_POST_FILES', 'HTTP_SERVER_VARS', 'GLOBALS', 'argv', 'argc', '_GET', '_POST', '_COOKIE', '_ENV', '_SESSION', '_SERVER', '_FILES'));\r
 \r
 $CONF['debug'] = 0;\r
 \r
-$nucleus['version'] = 'v3.22';\r
+$nucleus['version'] = 'v3.23';\r
 if (getNucleusPatchLevel() > 0)\r
 {\r
        $nucleus['version'] .= '/' . getNucleusPatchLevel();\r
@@ -52,7 +52,7 @@ $CONF['alertOnSecurityRisk'] = 1;
   * returns the currently used version (100 = 1.00, 101 = 1.01, etc...)\r
   */\r
 function getNucleusVersion() {\r
-       return 322;\r
+       return 323;\r
 }\r
 \r
 /**\r
@@ -978,10 +978,10 @@ if (      ($CONF['URLMode'] == 'pathinfo')
   * Centralisation of the functions that generate links\r
   */\r
 function createItemLink($itemid, $extra = '') {\r
-       return createLink('item', array('itemid' => $itemid));\r
+       return createLink('item', array('itemid' => $itemid, 'extra' => $extra) );\r
 }\r
 function createMemberLink($memberid, $extra = '') {\r
-       return createLink('member', array('memberid' => $memberid));\r
+       return createLink('member', array('memberid' => $memberid, 'extra' => $extra) );\r
 }\r
 function createCategoryLink($catid, $extra = '') {\r
        return createLink('category', array('catid' => $catid, 'extra' => $extra));\r