Fix: Authenticated users can craft a POST request to delete any file on the webserver. Thank you @bhopkins0
johnnyq 2023-05-12 15:24:57 -04:00
parent 51ee479130
commit e67a75805c
7 changed files with 30 additions and 13 deletions


@ -16,7 +16,6 @@
<!-- End prevent undefined errors -->
<input type="hidden" name="contact_id" value="<?php echo $contact_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="existing_file_name" value="<?php echo $contact_photo; ?>">
<div class="modal-body bg-white">
<ul class="nav nav-pills nav-justified mb-3">


@ -10,7 +10,7 @@
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="location_id" value="<?php echo $location_id; ?>">
<input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
<input type="hidden" name="existing_file_name" value="<?php echo $location_photo; ?>">
<div class="modal-body bg-white">
<ul class="nav nav-pills nav-justified mb-3">


@ -10,7 +10,6 @@
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<div class="modal-body bg-white">
<input type="hidden" name="expense_id" value="<?php echo $expense_id; ?>">
<input type="hidden" name="existing_file_name" value="<?php echo $expense_receipt; ?>">
<div class="form-row">


@ -92,7 +92,11 @@ if(isset($_POST['edit_user'])){
$user_id = intval($_POST['user_id']);
$new_password = trim($_POST['new_password']);
$existing_file_name = sanitizeInput($_POST['existing_file_name']);
// Get current Avatar
$sql = mysqli_query($mysqli,"SELECT user_avatar FROM users WHERE user_id = $user_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['user_avatar']);
$extended_log_description = '';
if(!empty($_POST['2fa'])) {
$two_fa = $_POST['2fa'];
@ -294,7 +298,11 @@ if(isset($_POST['edit_profile'])){
$name = sanitizeInput($_POST['name']);
$email = sanitizeInput($_POST['email']);
$new_password = trim($_POST['new_password']);
$existing_file_name = sanitizeInput($_POST['existing_file_name']);
$sql = mysqli_query($mysqli,"SELECT user_avatar FROM users WHERE user_id = $user_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['user_avatar']);
$logout = false;
$extended_log_description = '';
@ -478,7 +486,9 @@ if(isset($_POST['edit_company'])){
validateAdminRole();
$existing_file_name = sanitizeInput($_POST['existing_file_name']);
$sql = mysqli_query($mysqli,"SELECT company_logo FROM companies WHERE company_id = 1");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['company_logo']);
// Check to see if a file is attached
if($_FILES['file']['tmp_name'] != ''){
@ -2733,8 +2743,11 @@ if(isset($_POST['edit_expense'])){
require_once('models/expense.php');
$expense_id = intval($_POST['expense_id']);
$existing_file_name = sanitizeInput($_POST['existing_file_name']);
// Get old receipt
$sql = mysqli_query($mysqli,"SELECT expense_receipt FROM expenses WHERE expense_id = $expense_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['expense_receipt']);
// Check for and process attachment
$extended_alert_description = '';
@ -4233,7 +4246,12 @@ if(isset($_POST['edit_contact'])){
require_once('models/contact.php');
$contact_id = intval($_POST['contact_id']);
$existing_file_name = sanitizeInput($_POST['existing_file_name']);
// Get Exisiting Contact Photo
$sql = mysqli_query($mysqli,"SELECT contact_photo FROM contacts WHERE contact_id = $contact_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['contact_photo']);
if(!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
@ -4600,7 +4618,11 @@ if(isset($_POST['edit_location'])){
$location_id = intval($_POST['location_id']);
$existing_file_name = sanitizeInput($_POST['existing_file_name']);
// Get old location photo
$sql = mysqli_query($mysqli,"SELECT location_photo FROM locations WHERE location_id = $location_id");
$row = mysqli_fetch_array($sql);
$existing_file_name = sanitizeInput($row['location_photo']);
if(!file_exists("uploads/clients/$client_id")) {
mkdir("uploads/clients/$client_id");
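Review bot: The row returned by `mysqli_fetch_array()` is used without a check in the `edit_user` hunk, so a `user_id` that matches no record leaves `$row` null and `$existing_file_name = sanitizeInput($row['user_avatar']);` reads an offset on null before the rest of the handler runs; the same pattern is repeated in the `edit_profile`, `edit_company`, `edit_expense`, `edit_contact` and `edit_location` hunks of this file. Either bail out when no row comes back or at least default the value, `$existing_file_name = sanitizeInput($row['user_avatar'] ?? '');`, so the later file replacement never acts on an undefined name. Taking the old filename from the database instead of the request is the right fix, but the unlink that consumes `$existing_file_name` lies outside these hunks, so it is worth confirming it builds the path from the stored value alone (for example through `basename()`) rather than concatenating it unchecked. In the `edit_profile` hunk `$user_id` is assigned outside the hunk; presumably it comes from the session rather than `$_POST`, which should be verified, since the lookup (and the replacement that follows) otherwise applies to another user's avatar. Each hunk's enclosing `if(isset($_POST[...]))` block starts before and ends after the hunk.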


@ -28,7 +28,6 @@ $company_initials = nullable_htmlentities(initials($company_name));
</div>
<div class="card-body">
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="existing_file_name" value="<?php echo $company_logo; ?>">
<div class="form-group">
<label>Name <strong class="text-danger">*</strong></label>


@ -11,7 +11,6 @@
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
<input type="hidden" name="existing_file_name" value="<?php echo "$user_avatar"; ?>">
<div class="modal-body bg-white">
<center class="mb-3">


@ -23,7 +23,6 @@ $sql_recent_logs = mysqli_query($mysqli, "SELECT * FROM logs
<form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
<input type="hidden" name="existing_file_name" value="<?php echo nullable_htmlentities($session_avatar); ?>">
<center class="mb-3 px-5">
<?php if (empty($session_avatar)) { ?>