MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
***********************************************************************/
+
+define("FA_LOGOUT_PHP_FILE","");
+
$page_security = 'SA_OPEN';
$path_to_root="..";
include($path_to_root . "/includes/session.inc");
//---------------------------------------------------------------------------------------------
if (isset($_GET['selected_id']))
{
- $selected_id = $_GET['selected_id'];
+ $selected_id = (int)$_GET['selected_id'];
}
elseif (isset($_POST['selected_id']))
{
- $selected_id = $_POST['selected_id'];
+ $selected_id = (int)$_POST['selected_id'];
}
else
$selected_id = -1;
{
global $def_coy, $db_connections, $comp_subdirs, $path_to_root;
- $id = $_GET['id'];
+ $id = (int)$_GET['id'];
// First make sure all company directories from the one under removal are writable.
// Without this after operation we end up with changed per-company owners!
}
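Review bot: The cast on the `$id` line guards the SQL and filesystem work that follows, but it does not guard the missing-key case: when `id` is absent from the query string the expression emits a notice and yields `0`, which (if ids start at 0, as the `$def_coy` global hints) would silently select a real company for removal. Check presence before casting, mirroring the `selected_id` handling earlier in this diff, e.g. `if (!isset($_GET['id'])) return;` followed by `$id = (int)$_GET['id'];` — the exact bail-out depends on the enclosing function's contract, whose start and end lie outside this hunk.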
// Add user to database
- db_query("INSERT INTO ".TB_PREF."useronline (timestamp, ip, file) VALUES ('". $timestamp ."','". $ip ."','". $_SERVER['PHP_SELF'] ."')");
+ db_query("INSERT INTO ".TB_PREF."useronline (timestamp, ip, file) VALUES ('". $timestamp ."',". db_escape($ip) .",". db_escape($_SERVER['PHP_SELF']) .")");
//Remove users that were not online within $timeoutseconds.
db_query("DELETE FROM ".TB_PREF."useronline WHERE timestamp<". $timeout);
return "$users ".($users == 1 ? _("user online") : _("users online"));
}
-?>
\ No newline at end of file
+?>
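Review bot: `$timestamp` on the INSERT line and `$timeout` on the DELETE line are still concatenated raw while `$ip` and `PHP_SELF` now go through `db_escape()`; escaping `PHP_SELF` is the right call since its path-info part is client-controlled. If both remaining values are integers derived from `time()` in the enclosing function (its start is outside the hunk) this is harmless today, but the statement should not depend on that: `VALUES (". db_escape($timestamp) .",". db_escape($ip) .",". db_escape($_SERVER['PHP_SELF']) .")"` and `WHERE timestamp<". (int)$timeout` keep every interpolated value treated the same way.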
function set_company($company)
{
- $this->company = $company;
+ $this->company = (int)$company;
}
function login($company, $loginname, $password)
// logout.php is the only page we should have always
// accessable regardless of access level and current login status.
-if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
+if (!defined('FA_LOGOUT_PHP_FILE')){
login_timeout();
// We quote all values later with db_escape() before db update.
$_POST = strip_quotes($_POST);
-?>
\ No newline at end of file
+?>
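Review bot: The new `!defined('FA_LOGOUT_PHP_FILE')` guard introduces an undocumented coupling: it only works because logout.php defines the constant before it includes session.inc (the `define(...)` added at the top of this diff), and any other script that defines it skips the login check entirely. Presumably the motivation is that the old `strstr($_SERVER['PHP_SELF'], 'logout.php')` test could be satisfied by any request whose script path merely contained that string; the replacement is stronger, but it deserves a comment so the constant is not reused elsewhere: `// FA_LOGOUT_PHP_FILE is defined only by logout.php, before it includes session.inc; no other script may define it, since doing so bypasses the login check.` The guarded block continues outside the hunk.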
editable=".db_escape($editable);
if ($units != '')
- $sql .= ", units='$units'";
+ $sql .= ", units=".db_escape($units);
if ($mb_flag != '')
- $sql .= ", mb_flag='$mb_flag'";
+ $sql .= ", mb_flag=".db_escape($mb_flag);
$sql .= " WHERE stock_id=".db_escape($stock_id);
}
return $msg;
}
-?>
\ No newline at end of file
+?>
db_query($sql, "could not delete tax type");
// also delete any item tax exemptions associated with this type
- $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE tax_type_id=$type_id";
+ $sql = "DELETE FROM ".TB_PREF."item_tax_type_exemptions WHERE tax_type_id=".db_escape($type_id);
db_query($sql, "could not delete item tax type exemptions");
}
-?>
\ No newline at end of file
+?>
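Review bot: The two DELETEs on the `db_query` lines run as separate statements, so a failure after the first leaves `item_tax_type_exemptions` rows pointing at a tax type that no longer exists; the first `$sql` is built outside the hunk, so this is inferred from the comment and the second statement. Since `$type_id` is a numeric key, `(int)$type_id` is a tighter choice than `db_escape($type_id)`, and the pair belongs inside one transaction (the project's transaction helpers, if this module already uses them) so that either both rows go or neither does. The enclosing function starts outside the hunk.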