High severity7.5NVD Advisory· Published Nov 27, 2017· Updated May 13, 2026
CVE-2017-15054
Description
An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file. From there, the attacker can simply access the file to execute code on the server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
nilsteampassnet/teampassPackagist | < 2.1.27.9 | 2.1.27.9 |
Affected products
1Patches
113 files changed · +294 −106
admin.settings.load.php+18 −7 modified@@ -252,7 +252,10 @@ function LaunchAdminActions(action, option) if (action === "admin_action_db_backup") { option = $("#result_admin_action_db_backup_key").val(); } else if (action === "admin_action_db_restore") { - $("#restore_bck_encryption_key_dialog_error").html("").hide(); + $("#restore_bck_encryption_key_dialog_error") + .html("<span class='fa fa-cog fa-spin fa'> </span><?php echo addslashes($LANG['please_wait']); ?>") + .attr("class","ui-corner-all ui-state-focus") + .show(); } else if (action === "admin_action_backup_decrypt") { option = $("#bck_script_decrypt_file").val(); } else if (action === "admin_action_change_salt_key") { @@ -293,6 +296,7 @@ function LaunchAdminActions(action, option) // convert to json string option = prepareExchangedData(JSON.stringify(option) , "encode", "<?php echo $_SESSION['key']; ?>"); } + //Lauchn ajax query $.post( "sources/admin.queries.php", @@ -309,7 +313,10 @@ function(data) { $("#result_admin_action_check_pf").html("<span class='fa fa-check mi-green'></span>").show(); } else if (data[0].result == "db_restore") { if (data[0].message !== "") { - $("#restore_bck_encryption_key_dialog_error").html(data[0].message).show(); + $("#restore_bck_encryption_key_dialog_error") + .html(data[0].message) + .attr("class","ui-corner-all ui-state-error") + .show(); } else { $("#restore_bck_encryption_key_dialog").dialog("close"); $("#result_admin_action_db_restore").html("<span class='fa fa-check mi-green'></span>").show(); @@ -834,6 +841,7 @@ function(data) { }); // SQL IMPORT FOR RESTORING + var restore_operation_id = ''; var uploader_restoreDB = new plupload.Uploader({ runtimes : "gears,html5,flash,silverlight,browserplus", browse_button : "pickfiles_restoreDB", 
@@ -876,17 +884,15 @@ function(data) { BeforeUpload: function (up, file) { $("#import_status_ajax_loader").show(); up.settings.multipart_params = { - "PHPSESSID":"'.$_SESSION['user_id'].'", + "PHPSESSID":"<?php echo $_SESSION['user_id']; ?>", "File":file.name, "type_upload":"restore_db", "user_token": $("#user_token").val() }; }, UploadComplete: function(up, files) { - $.each(files, function(i, file) { - $("#restore_bck_fileObj").val(file.name); - $("#restore_bck_encryption_key_dialog").dialog("open"); - }); + $("#restore_bck_fileObj").val(restore_operation_id); + $("#restore_bck_encryption_key_dialog").dialog("open"); } } }); @@ -905,6 +911,11 @@ function(data) { uploader_restoreDB.bind("+", function(up, file) { $("#" + file.id + " b").html("100%"); }); + uploader_restoreDB.bind('FileUploaded', function(upldr, file, object) { + var myData = prepareExchangedData(object.response, "decode", "<?php echo $_SESSION['key']; ?>"); + + restore_operation_id = myData.operation_id; + }); // Load CSV click $("#uploadfiles_restoreDB").click(function(e) { uploader_restoreDB.start();
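Review bot: The new comment `//Lauchn ajax query` is misspelled and lacks the space the other comments in this file use; `// Launch ajax query` reads correctly. The two `.attr("class", "ui-corner-all ui-state-focus")` / `.attr("class", "ui-corner-all ui-state-error")` calls overwrite every class on the error div, so `.removeClass("ui-state-error").addClass("ui-state-focus")` (and the inverse in the response handler) would keep `ui-corner-all` and any class set elsewhere without restating them. Both LaunchAdminActions and the uploader_restoreDB setup continue outside the visible hunks.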
admin.settings.php+1 −1 modified@@ -1618,6 +1618,6 @@ <div id="restore_bck_encryption_key_dialog" style="display:none; text-align:center;"> <input id="restore_bck_encryption_key" name="restore_bck_encryption_key" type="text" value="" /> <br> - <div class=ui-state-error ui-corner-all" style="display:none;padding:5px;display:none;margin:2px;" id="restore_bck_encryption_key_dialog_error"></div> + <div class="ui-state-error ui-corner-all" style="display:none;padding:5px;display:none;margin:2px;" id="restore_bck_encryption_key_dialog_error"></div> </div>'; include "admin.settings.load.php";
api/functions.php+89 −26 modified@@ -188,16 +188,16 @@ function rest_delete() for ($i = count($array_category); $i > 0; $i--) { $slot = $i - 1; if (!$slot) { - $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = 0"; + $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = 0"; } else { - $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = ("; + $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = ("; } } for ($i = 1; $i < count($array_category); $i++) { $category_query .= ")"; } } elseif (count($array_category) == 1) { - $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[0]."' AND parent_id = 0"; + $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[0], FILTER_SANITIZE_STRING)."' AND parent_id = 0"; } else { rest_error('NO_CATEGORY'); } 
@@ -236,22 +236,22 @@ function rest_delete() for ($i = count($array_category); $i > 0; $i--) { $slot = $i - 1; if (!$slot) { - $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = 0"; + $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = 0"; } else { - $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[$slot]."' AND parent_id = ("; + $category_query .= "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[$slot], FILTER_SANITIZE_STRING)."' AND parent_id = ("; } } for ($i = 1; $i < count($array_category); $i++) { $category_query .= ")"; } } elseif (count($array_category) == 1) { - $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".$array_category[0]."' AND parent_id = 0"; + $category_query = "select id from ".prefix_table("nested_tree")." where title LIKE '".filter_var($array_category[0], FILTER_SANITIZE_STRING)."' AND parent_id = 0"; } else { rest_error('NO_CATEGORY'); } // Delete item - $response = DB::delete(prefix_table("items"), "id_tree = (".$category_query.") and label LIKE '".$item."'"); + $response = DB::delete(prefix_table("items"), "id_tree = (".$category_query.") and label LIKE '".filter_var($item, FILTER_SANITIZE_STRING)."'"); $json['type'] = 'item'; $json['item'] = $item; $json['category'] = $GLOBALS['request'][2]; @@ -382,7 +382,12 @@ function rest_get() if (strcmp($username, "admin") == 0) { // forbid admin access } - $response = DB::query("SELECT fonction_id FROM ".prefix_table("users")." WHERE login='".$username."'"); + $response = DB::query( + "SELECT fonction_id + FROM ".prefix_table("users")." + WHERE login = %s'", + $username + ); if (count($response) === 0) { rest_error('USER_NOT_EXISTS'); } 
@@ -392,7 +397,12 @@ function rest_get() $folder_arr = array(); $roles = explode(";", $role_str); foreach ($roles as $role) { - $response = DB::query("SELECT folder_id FROM ".prefix_table("roles_values")." WHERE role_id='".$role."'"); + $response = DB::query( + "SELECT folder_id + FROM ".prefix_table("roles_values")." + WHERE role_id = %i", + $role + ); foreach ($response as $data) { $folder_id = $data['folder_id']; if (!array_key_exists($folder_id, $folder_arr)) { @@ -456,7 +466,12 @@ function rest_get() if (strcmp($username, "admin") == 0) { // forbid admin access } - $response = DB::query("SELECT fonction_id FROM ".prefix_table("users")." WHERE login='".$username."'"); + $response = DB::query( + "SELECT fonction_id + FROM ".prefix_table("users")." + WHERE login = %s", + $username + ); if (count($response) === 0) { rest_error('USER_NOT_EXISTS'); } @@ -468,13 +483,23 @@ function rest_get() $roles = explode(";", $role_str); $inc = 0; foreach ($roles as $role) { - $response = DB::query("SELECT folder_id, type FROM ".prefix_table("roles_values")." WHERE role_id='".$role."'"); + $response = DB::query( + "SELECT folder_id, type + FROM ".prefix_table("roles_values")." + WHERE role_id = %i", + $role + ); foreach ($response as $data) { $folder_id = $data['folder_id']; if (!array_key_exists($folder_id, $folder_arr)) { array_push($folder_arr, $folder_id); - $response2 = DB::queryFirstRow("SELECT title, nlevel FROM ".prefix_table("nested_tree")." WHERE id='".$folder_id."'"); + $response2 = DB::queryFirstRow( + "SELECT title, nlevel + FROM ".prefix_table("nested_tree")." + WHERE id = %i", + $folder_id + ); if (!empty($response2['title'])) { $json[$folder_id]['id'] = $folder_id; 
@@ -667,7 +692,13 @@ function rest_get() // check if element doesn't already exist $item_duplicate_allowed = getSettingValue("duplicate_item"); if ($item_duplicate_allowed !== "1") { - DB::query("SELECT * FROM ".prefix_table("items")." WHERE label = %s AND inactif = %i", addslashes($item_label), "0"); + DB::query( + "SELECT * + FROM ".prefix_table("items")." + WHERE label = %s AND inactif = %i", + addslashes($item_label), + "0" + ); $counter = DB::count(); if ($counter != 0) { $itemExists = 1; @@ -804,8 +835,9 @@ function rest_get() } // Check if user already exists $data = DB::query( - "SELECT id, fonction_id, groupes_interdits, groupes_visibles FROM ".prefix_table("users")." - WHERE login LIKE %ss", + "SELECT id, fonction_id, groupes_interdits, groupes_visibles + FROM ".prefix_table("users")." + WHERE login LIKE %ss", mysqli_escape_string($link, stripslashes($login)) ); @@ -821,7 +853,9 @@ function rest_get() // get default language $lang = DB::queryFirstRow( - "SELECT `valeur` FROM ".prefix_table("misc")." WHERE type = %s AND intitule = %s", + "SELECT `valeur` + FROM ".prefix_table("misc")." + WHERE type = %s AND intitule = %s", "admin", "default_language" ); @@ -830,7 +864,9 @@ function rest_get() $rolesList = ""; foreach (explode(',', $roles) as $role) {//echo $role."-"; $tmp = DB::queryFirstRow( - "SELECT `id` FROM ".prefix_table("roles_title")." WHERE title = %s", + "SELECT `id` + FROM ".prefix_table("roles_title")." + WHERE title = %s", $role ); if (empty($rolesList)) { @@ -944,7 +980,12 @@ function rest_get() ); // if valeur = 0 then duplicate folders not allowed if ($data === 0) { - DB::query("SELECT * FROM ".prefix_table("nested_tree")." WHERE title = %s", $params[0]); + DB::query( + "SELECT * + FROM ".prefix_table("nested_tree")." + WHERE title = %s", + $params[0] + ); $counter = DB::count(); if ($counter != 0) { rest_error('ALREADY_EXISTS'); 
@@ -1035,15 +1076,22 @@ function rest_get() } // Check Folder ID - DB::query("SELECT * FROM ".prefix_table("nested_tree")." WHERE id = %i", $params[3]); + DB::query( + "SELECT * + FROM ".prefix_table("nested_tree")." + WHERE id = %i", + $params[3] + ); $counter = DB::count(); if ($counter == 0) { rest_error('NOSUCHFOLDER'); } // check if item exists DB::query( - "SELECT * FROM ".prefix_table("items")." WHERE id = %i", + "SELECT * + FROM ".prefix_table("items")." + WHERE id = %i", $GLOBALS['request'][2] ); $counter = DB::count(); @@ -1094,7 +1142,9 @@ function rest_get() if (!empty($tag)) { // check if already exists DB::query( - "SELECT * FROM ".prefix_table("tags")." WHERE tag = %s AND item_id = %i", + "SELECT * + FROM ".prefix_table("tags")." + WHERE tag = %s AND item_id = %i", strtolower($tag), $GLOBALS['request'][2] ); @@ -1163,7 +1213,12 @@ function rest_get() } // check if folder exists and get folder data - $data_folder = DB::queryfirstrow("SELECT * FROM ".prefix_table("nested_tree")." WHERE id = %s", $GLOBALS['request'][2]); + $data_folder = DB::queryfirstrow( + "SELECT * + FROM ".prefix_table("nested_tree")." + WHERE id = %s", + $GLOBALS['request'][2] + ); $counter = DB::count(); if ($counter === 0) { rest_error('NO_DATA_EXIST'); @@ -1252,7 +1307,9 @@ function rest_get() if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2])) { // is user granted? $userData = DB::queryFirstRow( - "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM ".$pre."users WHERE login = %s", + "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` + FROM ".$pre."users + WHERE login = %s", $GLOBALS['request'][3] ); 
@@ -1345,7 +1402,9 @@ function rest_get() // is user granted? //db::debugMode(true); $userData = DB::queryFirstRow( - "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk` FROM ".$pre."users WHERE login = %s", + "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk` + FROM ".$pre."users + WHERE login = %s", $GLOBALS['request'][2] ); @@ -1463,7 +1522,9 @@ function rest_get() if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) { // is user granted? $userData = DB::queryFirstRow( - "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM ".$pre."users WHERE login = %s", + "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` + FROM ".$pre."users + WHERE login = %s", $GLOBALS['request'][4] ); if (DB::count() == 0) { @@ -1596,7 +1657,9 @@ function rest_get() if (isset($GLOBALS['request'][1])) { // is user granted? $userData = DB::queryFirstRow( - "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk` FROM ".$pre."users WHERE login = %s", + "SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id`, `encrypted_psk` + FROM ".$pre."users + WHERE login = %s", $GLOBALS['request'][2] ); if (DB::count() == 0) {
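Review bot: The first rewritten lookup in rest_get (hunk at -382) carries a stray quote, `WHERE login = %s'",`, which produces malformed SQL, while the otherwise identical query at -456 is correct; it should read `WHERE login = %s",`. In the rest_delete hunks the category and item filters are still assembled by string concatenation inside `LIKE '...'`; `filter_var(..., FILTER_SANITIZE_STRING)` encodes quotes but is not a bound parameter, and since the rest of this file already passes values through MeekroDB `%s` placeholders, `title LIKE %s` with the value as an argument would be the consistent form. Both rest_delete and rest_get extend beyond the visible hunks.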
changelog.md+2 −0 modified@@ -7,6 +7,8 @@ > a user could potentially act on Items he should not have access to Securized script.backup.php by adding a security key Fixed some other security failures (credit to security at Amossys) + Improved security regarding uploading files + Fixed issue while restoring DB from administration page #1945 Cannot delete items #1944 File upload results in error #1941 Visualisation problems
items.import.php+10 −20 modified@@ -223,10 +223,8 @@ function(data) { }; }, UploadComplete: function(up, files) { - $.each(files, function(i, file) { - ImportCSV(csv_filename); - up.splice(); // clear the file queue - }); + ImportCSV(csv_filename); + up.splice(); // clear the file queue } } }); @@ -248,13 +246,9 @@ function(data) { $("#" + file.id + " b").html("100%"); }); uploader_csv.bind('FileUploaded', function(upldr, file, object) { - var myData; - try { - myData = eval(object.response); - } catch(err) { - myData = eval('(' + object.response + ')'); - } - csv_filename = myData.newfilename; + var myData = prepareExchangedData(object.response, "decode", "<?php echo $_SESSION['key']; ?>"); + + csv_filename = myData.operation_id; }); // Load CSV click @@ -337,13 +331,9 @@ function(data) { $("#" + file.id + " b").html("100%"); }); uploader_kp.bind('FileUploaded', function(upldr, file, object) { - var myData; - try { - myData = eval(object.response); - } catch(err) { - myData = eval('(' + object.response + ')'); - } - kp_filename = myData.newfilename; + var myData = prepareExchangedData(object.response, "decode", "<?php echo $_SESSION['key']; ?>"); + + kp_filename = myData.operation_id; }); // Load CSV click @@ -483,11 +473,11 @@ function(data) { $("#kp_import_information").html(data[0].message + "<?php echo '<br><br><b>'.$LANG['alert_page_will_reload'].'</b>'; ?>"); $("#import_information").show().html("<i class='fa fa-exclamation-circle'></i> <?php echo $LANG['alert_message_done']; ?>").attr("class","ui-state-highlight"); // Reload page - $(this).delay(2000).queue(function() { + /*$(this).delay(2000).queue(function() { $("#import_information").effect( "fade", "slow" ); document.location = "index.php?page=items"; $(this).dequeue(); - }); + });*/ }, "json" );
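Review bot: The post-import page reload is now commented out (`/*$(this).delay(2000).queue(function() { ... });*/`) rather than removed; commented-out code drifts, so either delete it or replace it with a one-line comment stating why the reload was dropped. The variables `csv_filename` and `kp_filename` now receive the server's `operation_id`, not a filename, so names like `csv_operation_id` / `kp_operation_id` would stop the next reader from treating them as paths. The enclosing handler functions continue outside the hunks.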
items.load.php+2 −2 modified@@ -3361,7 +3361,7 @@ function() { ?> init: { BeforeUpload: function (up, file) { - $("#item_upload_wait").show(); + $("#item_upload_wait").removeClass("hidden"); if ($("#random_id").val() == "") { var post_id = CreateRandomString(9,"num_no_0"); @@ -3470,7 +3470,7 @@ function(data) { ?> init: { BeforeUpload: function (up, file) { - $("#item_edit_upload_wait").show(); + $("#item_edit_upload_wait").removeClass("hidden"); up.setOption('multipart_params', { PHPSESSID : "<?php echo $_SESSION['user_id']; ?>",
items.php+2 −2 modified@@ -549,7 +549,7 @@ <div id="tabs-03"> <div id="item_upload"> <div id="item_upload_list"></div><br /> - <div id="item_upload_wait" class="ui-state-focus ui-corner-all" style="display:none;padding:2px;margin:5px 0 5px 0;">'.$LANG['please_wait'].'...</div> + <div id="item_upload_wait" class="ui-state-focus ui-corner-all hidden" style="padding:2px;margin:5px 0 5px 0;">'.$LANG['please_wait'].'...</div> <a id="item_attach_pickfiles" href="#" class="button">'.$LANG['select'].'</a> <a id="item_attach_uploadfiles" href="#" class="button">'.$LANG['start_upload'].'</a> <input type="hidden" id="files_number" value="0" /> @@ -743,7 +743,7 @@ </div> <div id="item_edit_upload"> <div id="item_edit_upload_list"></div><br /> - <div id="item_edit_upload_wait" class="ui-state-focus ui-corner-all" style="display:none;padding:2px;margin:5px 0 5px 0;">'.$LANG['please_wait'].'...</div> + <div id="item_edit_upload_wait" class="ui-state-focus ui-corner-all hidden" style="padding:2px;margin:5px 0 5px 0;">'.$LANG['please_wait'].'...</div> <a id="item_edit_attach_pickfiles" href="#" class="button">'.$LANG['select'].'</a> <a id="item_edit_attach_uploadfiles" href="#sd" class="button">'.$LANG['start_upload'].'</a> <input type="hidden" id="edit_files_number" value="0" />
profile.php+6 −10 modified@@ -260,6 +260,7 @@ ); } ?> +<script type="text/javascript" src="includes/js/functions.js"></script> <script type="text/javascript"> $(function() { $(".tip").tooltipster({multiple: true}); @@ -424,7 +425,6 @@ function(data) { up.settings.multipart_params = { "PHPSESSID":"<?php echo $_SESSION['user_id']; ?>", - "newFileName":"user<?php echo $_SESSION['user_id']; ?>"+tmp, "type_upload":"upload_profile_photo", "user_token": $("#profile_user_token").val() }; @@ -450,12 +450,10 @@ function(data) { // get response uploader_photo.bind("FileUploaded", function(up, file, object) { - var myData; - try { - myData = eval(object.response); - } catch(err) { - myData = eval('(' + object.response + ')'); - } + // Decode returned data + var myData = prepareExchangedData(object.response, "decode", "<?php echo $_SESSION['key']; ?>"); + + // update form $("#profile_photo").html('<img src="includes/avatars/'+myData.filename+'" />'); $("#user_avatar_thumb").attr('src', 'includes/avatars/'+myData.filename_thumb); $("#filelist_photo").html('').hide(); @@ -718,7 +716,5 @@ function(data){ } } ); - - } - </script> \ No newline at end of file +</script>
sources/admin.queries.php+19 −2 modified@@ -392,6 +392,23 @@ $file = htmlspecialchars($dataPost[0]); $key = htmlspecialchars($dataPost[1]); + // Get filename from database + $data = DB::queryFirstRow( + "SELECT valeur + FROM ".$pre."misc + WHERE increment_id = %i", + $file + ); + + $file = $data['valeur']; + + // Delete operation id + DB::delete( + prefix_table('misc'), + "increment_id = %i", + $file + ); + // Undecrypt the file if (empty($key) === false) { // Decrypt the file @@ -432,7 +449,7 @@ fileDelete($file); //Show done - echo '[{"result":"db_restore"}]'; + echo '[{"result":"db_restore" , "message":""}]'; break; ########################################################### @@ -483,7 +500,7 @@ } //Show done - echo '[{"result":"db_optimize"}]'; + echo '[{"result":"db_optimize" , "message":""}]'; break; ###########################################################
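Review bot: The DB::delete meant to remove the temp_file row runs after `$file` has already been reassigned to `$data['valeur']`, so the `%i` placeholder receives the filename rather than the increment id and is unlikely to match the intended row. Move the delete ahead of the reassignment: `DB::delete(prefix_table('misc'), "increment_id = %i", $file);` then `$file = $data['valeur'];`. The lookup also selects from misc by `increment_id` alone; constraining it (and the delete) with `AND type = %s` bound to `'temp_file'` would keep an id that points at a settings row from being used as a filename, and the same applies to the two equivalent lookups added in sources/import.queries.php. The enclosing switch case continues outside the hunk.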
sources/import.queries.php+42 −3 modified@@ -105,9 +105,26 @@ function sanitiseString($str, $crLFReplacement) //load full tree $tree->rebuild(); $tree = $tree->getDescendants(); + // Init post variable + $post_operation_id = filter_input(INPUT_POST, 'file', FILTER_SANITIZE_NUMBER_INT); + + // Get filename from database + $data = DB::queryFirstRow( + "SELECT valeur + FROM ".$pre."misc + WHERE increment_id = %i", + $post_operation_id + ); + + // Delete operation id + DB::delete( + prefix_table('misc'), + "increment_id = %i", + $post_operation_id + ); // do some initializations - $file = $SETTINGS['path_to_files_folder']."/".filter_input(INPUT_POST, 'file', FILTER_SANITIZE_STRING); + $file = $SETTINGS['path_to_files_folder']."/".$data['valeur']; $size = 4096; $separator = ","; $enclosure = '"'; @@ -237,6 +254,7 @@ function sanitiseString($str, $crLFReplacement) // Show results to user. echo '[{"error":"no" , "output" : "'.$display.'"}]'; } + break; //Insert into DB the items the user has selected 
@@ -376,10 +394,31 @@ function sanitiseString($str, $crLFReplacement) $logFileName = "/keepassImport_".date('YmdHis').".log"; $cacheLogFile = fopen($SETTINGS['path_to_files_folder'].$logFileName, 'w'); + // Init post variable + $post_operation_id = filter_input(INPUT_POST, 'file', FILTER_SANITIZE_STRING); + + // Get filename from database + $data = DB::queryFirstRow( + "SELECT valeur + FROM ".$pre."misc + WHERE increment_id = %i", + $post_operation_id + ); + + // Delete operation id + DB::delete( + prefix_table('misc'), + "increment_id = %i", + $post_operation_id + ); + + // do some initializations + $file = $data['valeur']; + //read xml file - if (file_exists("'".$SETTINGS['path_to_files_folder']."/".filter_input(INPUT_POST, 'file', FILTER_SANITIZE_STRING))."'") { + if (file_exists($SETTINGS['path_to_files_folder']."/".$file)) { $xml = simplexml_load_file( - $SETTINGS['path_to_files_folder']."/".filter_input(INPUT_POST, 'file', FILTER_SANITIZE_STRING) + $SETTINGS['path_to_files_folder']."/".$file ); }
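Review bot: `$data['valeur']` is dereferenced in both hunks without checking that DB::queryFirstRow found a row; with an unknown operation id `$file` becomes empty, and in the keepass branch `file_exists($SETTINGS['path_to_files_folder']."/")` is then true for the directory itself, so simplexml_load_file is attempted on a folder. Add `if ($data === null) { ... return an error and stop ... }` before the delete in each hunk. The same POST field is read with `FILTER_SANITIZE_NUMBER_INT` in the CSV hunk and `FILTER_SANITIZE_STRING` in the keepass hunk; use the integer filter in both, since the value is only ever bound to `%i`. The enclosing switch cases start and end outside the hunks.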
sources/items.queries.php+6 −2 modified@@ -452,8 +452,10 @@ break; } - // Update CACHE table - updateCacheTable("add_value", $newID); + // Add item to CACHE table if new item has been created + if (isset($newID) === true) { + updateCacheTable("add_value", $newID); + } // Encrypt data to return echo prepareExchangedData($returnValues, "encode"); @@ -3387,8 +3389,10 @@ "id = %i", $item_id ); + // log logItems($item_id, $dataSource['label'], $_SESSION['user_id'], 'at_delete', $_SESSION['login']); + // Update CACHE table updateCacheTable("delete_value", $item_id); }
sources/main.functions.php+5 −2 modified@@ -1286,7 +1286,7 @@ function prepareExchangedData($data, $type) //load ClassLoader require_once $SETTINGS['cpassman_dir'].'/sources/SplClassLoader.php'; //Load AES - $aes = new SplClassLoader('Encryption\Crypt', '../includes/libraries'); + $aes = new SplClassLoader('Encryption\Crypt', $SETTINGS['cpassman_dir'].'/includes/libraries'); $aes->register(); if ($type == "encode") { @@ -1372,8 +1372,11 @@ function prefix_table($table) */ function GenerateCryptKey($size = "", $secure = false, $numerals = false, $capitalize = false, $ambiguous = false, $symbols = false) { + global $SETTINGS; + require_once $SETTINGS['cpassman_dir'].'/sources/SplClassLoader.php'; + // load library - $pwgen = new SplClassLoader('Encryption\PwGen', '../includes/libraries'); + $pwgen = new SplClassLoader('Encryption\PwGen', $SETTINGS['cpassman_dir'].'/includes/libraries'); $pwgen->register(); $pwgen = new Encryption\PwGen\pwgen();
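Review bot: GenerateCryptKey now requires `$SETTINGS['cpassman_dir'].'/sources/SplClassLoader.php'` via `global $SETTINGS` without checking the setting is present; when it is unset the path collapses to `/sources/SplClassLoader.php` and the require_once fails with a fatal error. A guard such as `if (empty($SETTINGS['cpassman_dir'])) { throw new RuntimeException('cpassman_dir is not configured'); }` before the require makes the failure explicit. Since the function is now also the source of server-side upload filenames, its docblock (outside the hunk) should state that `$secure`, `$numerals`, `$capitalize`, `$ambiguous` and `$symbols` are positional booleans, so call sites like `GenerateCryptKey(40, false, true, true, false, false)` can be read without consulting the signature.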
sources/upload/upload.files.php+92 −29 modified@@ -73,7 +73,7 @@ prefix_table('tokens'), array( 'end_timestamp' => time() + 10 - ), + ), "user_id = %i AND token = %s", $_SESSION['user_id'], $post_user_token 
@@ -310,31 +310,81 @@ die(); } +// generate file name +$newFileName = GenerateCryptKey(40, false, true, true, false, false); + +//Connect to mysql server +require_once '../../includes/config/settings.php'; +require_once $SETTINGS['cpassman_dir'].'/includes/libraries/Database/Meekrodb/db.class.php'; +$pass = defuse_return_decrypted($pass); +DB::$host = $server; +DB::$user = $user; +DB::$password = $pass; +DB::$dbName = $database; +DB::$port = $port; +DB::$encoding = $encoding; +DB::$error_handler = true; +$link = mysqli_connect($server, $user, $pass, $database, $port); +$link->set_charset($encoding); if (null !== ($post_type_upload) && empty($post_type_upload) === false && $post_type_upload === "import_items_from_csv" ) { - $newFileName = time()."_".$_SESSION['user_id']; rename( $filePath, - $targetDir.DIRECTORY_SEPARATOR.$newFileName + $targetDir.DIRECTORY_SEPARATOR.$newFileName.".".$ext + ); + + // Add in DB + DB::insert( + prefix_table("misc"), + array( + 'type' => "temp_file", + 'intitule' => "filename", + 'valeur' => $newFileName.".".$ext + ) ); + + // return info + echo prepareExchangedData( + array( + "operation_id" => DB::insertId() + ), + "encode" + ); + + exit(); } elseif (null !== ($post_type_upload) && $post_type_upload === "import_items_from_keypass" ) { - $newFileName = time()."_".$_SESSION['user_id']; rename( $filePath, - $targetDir.DIRECTORY_SEPARATOR.$newFileName + $targetDir.DIRECTORY_SEPARATOR.$newFileName.".".$ext + ); + + // Add in DB + DB::insert( + prefix_table("misc"), + array( + 'type' => "temp_file", + 'intitule' => "filename", + 'valeur' => $newFileName.".".$ext + ) ); + + // return info + echo prepareExchangedData( + array( + "operation_id" => DB::insertId() + ), + "encode" + ); + + exit(); } elseif (null !== ($post_type_upload) && $post_type_upload === "upload_profile_photo" ) { - // sanitize the new file name - $newFileName = preg_replace('/[^\w\._]+/', '_', htmlentities($post_newFileName, ENT_QUOTES)); - $newFileName = 
preg_replace('/[^'.$valid_chars_regex.'\.]/', '', strtolower(basename($newFileName))); - // get file extension $ext = pathinfo($filePath, PATHINFO_EXTENSION); @@ -351,20 +401,6 @@ 40 ); - //Connect to mysql server - require_once '../../includes/config/settings.php'; - require_once $SETTINGS['cpassman_dir'].'/includes/libraries/Database/Meekrodb/db.class.php'; - $pass = defuse_return_decrypted($pass); -DB::$host = $server; - DB::$user = $user; - DB::$password = $pass; - DB::$dbName = $database; - DB::$port = $port; - DB::$encoding = $encoding; - DB::$error_handler = true; - $link = mysqli_connect($server, $user, $pass, $database, $port); - $link->set_charset($encoding); - // get current avatar and delete it $data = DB::queryFirstRow("SELECT avatar, avatar_thumb FROM ".$pre."users WHERE id=%i", $_SESSION['user_id']); fileDelete($targetDir.DIRECTORY_SEPARATOR.$data['avatar']); 
@@ -382,18 +418,45 @@ $_SESSION['user_avatar'] = $newFileName.'.'.$ext; $_SESSION['user_avatar_thumb'] = $newFileName."_thumb".'.'.$ext; - echo '{"filename" : "'.htmlentities($_SESSION['user_avatar'], ENT_QUOTES).'" , "filename_thumb" : "'.htmlentities($_SESSION['user_avatar_thumb'], ENT_QUOTES).'"}'; + // return info + echo prepareExchangedData( + array( + "filename" => htmlentities($_SESSION['user_avatar'], ENT_QUOTES), + "filename_thumb" => htmlentities($_SESSION['user_avatar_thumb'], ENT_QUOTES) + ), + "encode" + ); + exit(); -} else { - $newFileName = time()."_".$_SESSION['user_id']; +} elseif (null !== ($post_type_upload) + && $post_type_upload === "restore_db" +) { rename( $filePath, - $targetDir.DIRECTORY_SEPARATOR.$newFileName + $targetDir.DIRECTORY_SEPARATOR.$newFileName.".".$ext + ); + + // Add in DB + DB::insert( + prefix_table("misc"), + array( + 'type' => "temp_file", + 'intitule' => "filename", + 'valeur' => $newFileName.".".$ext + ) ); + + // return info + echo prepareExchangedData( + array( + "operation_id" => DB::insertId() + ), + "encode" + ); + + exit(); } -// Return JSON-RPC response -die('{"jsonrpc" : "2.0", "result" : null, "id" : "id" , "newfilename" : "'.$newFileName.'"}'); /* Handles the error output. */
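Review bot: The import_items_from_csv, import_items_from_keypass and restore_db branches all rename the upload to `$newFileName.".".$ext`, but no assignment to `$ext` is visible before them — in the original it was only set inside the upload_profile_photo branch (`$ext = pathinfo($filePath, PATHINFO_EXTENSION)`), which the hunk keeps below. Wherever it is set, `$ext` still derives from the client-supplied name, so each branch should proceed only when the extension matches what that branch consumes (csv for the CSV import, xml for the keepass import which is read with simplexml_load_file, and the expected dump format for restore_db — verify against the earlier extension check, which is outside the hunk); the server-generated basename alone does not bound the extension. With the final `else` removed, an unrecognised `$post_type_upload` now leaves the moved file at `$filePath` and returns nothing, unless an earlier check already rejects it. The three identical insert-and-echo sequences could be a single private helper taking the final filename, which would also give one place to add the extension check.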
References
4- github.com/nilsteampassnet/TeamPass/commit/9811c9d453da4bd1101ff7033250d1fbedf101fcnvdPatchWEB
- blog.amossys.fr/teampass-multiple-cve-01.htmlnvdExploitTechnical DescriptionThird Party AdvisoryWEB
- github.com/advisories/GHSA-rm3q-qfrm-frrvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-15054ghsaADVISORY