/************************************************************************/
/* DUNE by NPDS                                                         */
/* ===========================                                          */
/*                                                                      */
/* Patch sécurité ghostform                                             */
/* For NPDS REvolution 13, REvolution 16 à 16.2                         */
/*                                                                      */
/* NPDS Copyright (c) 2001-2021 by Philippe Brunier                     */
/*                                                                      */
/* This program is free software. You can redistribute it and/or modify */
/* it under the terms of the GNU General Public License as published by */
/* the Free Software Foundation; either version 3 of the License.       */
/*                                                                      */
/* 06/03/2021 : by @nicolas2 @jpb @npdstesteur                          */
/************************************************************************/

Problème : sécurité

Description : faille permettant la création d'utilisateur hors de tout contrôle, voire une attaque XSS !

Versions concernées : de 13 à 16.2 et très probablement toutes les versions antiques ...

Niveau : sérieux

Fichier concerné : user.php

Application du patch :

Note : le contrôle ajouté repose sur l'en-tête HTTP Referer ; une requête qui en est dépourvue (navigateur ou proxy qui le supprime) est rejetée et journalisée comme « NO REFERER », y compris pour une inscription légitime.

REvolution 13 : sélectionner les lignes 209 et 210

global $NPDS_Prefix;
global $makepass, $system, $adminmail, $sitename, $AutoRegUser, $memberpass, $gmt;

=> Remplacer par :

global $NPDS_Prefix, $makepass, $system, $adminmail, $sitename, $AutoRegUser, $memberpass, $gmt, $NPDS_Key, $nuke_url;
if(!isset($_SERVER['HTTP_REFERER'])) {
    Ecr_Log('security','Ghost form in user.php registration. => NO REFERER','');
    L_spambot('',"false");
    include('admin/die.php');
    die();
} else if ($_SERVER['HTTP_REFERER'].$NPDS_Key !== $nuke_url.'/user.php'.$NPDS_Key) {
    Ecr_Log('security','Ghost form in user.php registration. => '.$_SERVER["HTTP_REFERER"],'');
    L_spambot('',"false");
    include('admin/die.php');
    die();
}

REvolution 16 toutes versions => Trouver et sélectionner les lignes

function finishNewUser($uname, $name, $email, $user_avatar, $user_occ, $user_from, $user_intrest, $user_sig, $user_viewemail, $pass,$user_lnl, $C1,$C2,$C3,$C4,$C5,$C6,$C7,$C8,$M1,$M2,$T1,$T2,$B1) {
global $NPDS_Prefix;
global $makepass, $system, $adminmail, $sitename, $AutoRegUser, $memberpass, $gmt;

=> Remplacer par :

function finishNewUser($uname, $name, $email, $user_avatar, $user_occ, $user_from, $user_intrest, $user_sig, $user_viewemail, $pass,$user_lnl, $C1,$C2,$C3,$C4,$C5,$C6,$C7,$C8,$M1,$M2,$T1,$T2,$B1) {
global $NPDS_Prefix, $makepass, $system, $adminmail, $sitename, $AutoRegUser, $memberpass, $gmt, $NPDS_Key, $nuke_url;
if(!isset($_SERVER['HTTP_REFERER'])) {
    Ecr_Log('security','Ghost form in user.php registration. => NO REFERER','');
    L_spambot('',"false");
    include('admin/die.php');
    die();
} else if ($_SERVER['HTTP_REFERER'].$NPDS_Key !== $nuke_url.'/user.php'.$NPDS_Key) {
    Ecr_Log('security','Ghost form in user.php registration. => '.$_SERVER["HTTP_REFERER"],'');
    L_spambot('',"false");
    include('admin/die.php');
    die();
}