From debc6736b5f380d6a023389f3151fe5a2cb144cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20T=C3=A4nzer?= <neo@nhng.de>
Date: Thu, 1 May 2014 01:05:17 +0200
Subject: bug 1138: Avoid double escaping of $_SESSION['_config']['OU'] and fix
 XSS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michael Tänzer <neo@nhng.de>
---
 includes/account.php | 8 ++++----
 pages/account/16.php | 2 +-
 pages/account/21.php | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/includes/account.php b/includes/account.php
index 9f5946f..bf503ec 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -1436,7 +1436,7 @@ function buildSubjectFromSession() {
 				$_SESSION['_config']['emails'][] = $val;
 		}
 		$_SESSION['_config']['name'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['name'])));
-		$_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU'])));
+		$_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU']));
 
 		$_SESSION['_config']['description']= trim(stripslashes($_REQUEST['description']));
 	}
@@ -1503,7 +1503,7 @@ function buildSubjectFromSession() {
 			if($_SESSION['_config']['name'] != "")
 				$emails .= "commonName = ".$_SESSION['_config']['name']."\n";
 			if($_SESSION['_config']['OU'])
-				$emails .= "organizationalUnitName = ".$_SESSION['_config']['OU']."\n";
+				$emails .= "organizationalUnitName = ".mysql_real_escape_string($_SESSION['_config']['OU'])."\n";
 			if($org['O'])
 				$emails .= "organizationName = ".$org['O']."\n";
 			if($org['L'])
@@ -2436,7 +2436,7 @@ function buildSubjectFromSession() {
 		else
 			$masteracc = $_SESSION['_config'][masteracc] = 0;
 		$_REQUEST['email'] = $_SESSION['_config']['email'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['email'])));
-		$OU = $_SESSION['_config']['OU'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['OU'])));
+		$_SESSION['_config']['OU'] = stripslashes(trim($_REQUEST['OU']));
 		$comments = $_SESSION['_config']['comments'] = mysql_real_escape_string(stripslashes(trim($_REQUEST['comments'])));
 		$res = mysql_query("select * from `users` where `email`='".$_REQUEST['email']."' and `deleted`=0");
 		if(mysql_num_rows($res) <= 0)
@@ -2458,7 +2458,7 @@ function buildSubjectFromSession() {
 						set `memid`='".intval($row['id'])."',
 							`orgid`='".intval($_SESSION['_config']['orgid'])."',
 							`masteracc`='$masteracc',
-							`OU`='$OU',
+							`OU`='".mysql_real_escape_string($_SESSION['_config']['OU'])."',
 							`comments`='$comments'");
 			}
 		}
diff --git a/pages/account/16.php b/pages/account/16.php
index 564463e..db8a8f5 100644
--- a/pages/account/16.php
+++ b/pages/account/16.php
@@ -42,7 +42,7 @@
   </tr>
   <tr>
     <td class="DataTD"><?=_("Department")?>:</td>
-    <td class="DataTD"><input type="text" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?($_SESSION['_config']['OU']):''?>"/></td>
+    <td class="DataTD"><input type="text" name="OU" value="<?=array_key_exists('OU',$_SESSION['_config'])?(sanitizeHTML($_SESSION['_config']['OU'])):''?>"/></td>
   </tr>
   <tr>
     <td class="DataTD" colspan="2" align="left">
diff --git a/pages/account/21.php b/pages/account/21.php
index 75827fb..c5832b9 100644
--- a/pages/account/21.php
+++ b/pages/account/21.php
@@ -41,7 +41,7 @@ if (is_array($_SESSION['_config']['altrows'])) {
 }
 
 echo _("Organisation"), ": {$org['O']}<br>\n";
-echo _("Org. Unit"), ": {$_SESSION['_config']['OU']}<br>\n";
+echo _("Org. Unit"), ": ", sanitizeHTML($_SESSION['_config']['OU']), "<br>\n";
 echo _("Location"), ": {$org['L']}<br>\n";
 echo _("State/Province"), ": {$org['ST']}<br>\n";
 echo _("Country"), ": {$org['C']}<br>\n";
@@ -52,7 +52,7 @@ echo _("Country"), ": {$org['C']}<br>\n";
 		<input type="submit" name="process" value="<?=_("Submit")?>">
 		<input type="hidden" name="oldid" value="<?=$id?>">
 	</p>
-	
+
 	<?
 	if ($_SESSION['profile']['admin'] == 1) {
 		?>
-- 
cgit v1.2.1