UNTESTED admin.php protection against XSS and CSRF

Znote / ZnoteAAC

Developement repository for the Znote AAC project. A website portal to represent and manage your Open Tibia server.

MIT License

145 stars 127 forks source link

Closed divinity76 closed 5 years ago

divinity76 commented 5 years ago

note, UNTESTED, someone should TEST this before committing - but i think this should make it secure against CSRF and XSS (actually come to think of it, due to the $_POST filtering, maybe it was never vulnerable to XSS to begin with, i'm not sure, but it was definitely vulnerable to CSRF)

Znote commented 5 years ago

PHP Notice: Undefined variable: crypto_strong in /var/www/html/admin.php on line 35

PHP Warning: bin2hex() expects exactly 1 parameter, 2 given in /var/www/html/admin.php on line 35

PHP Notice: Undefined variable: crypt_strong in /var/www/html/admin.php on line 36

Tried to give a character GM: error: missing csrf token!

divinity76 commented 5 years ago

var_dump('POST',$_POST,'GET',$_GET); when trying to give a char GM? with the new patch applied

Znote commented 5 years ago

Success. No errors. Character Znotegm recieved the ingame position: God.