alexgheorghiu / diagramo-old Goto Github PK

Clicking on the settings icon causes:

Fatal error: Call to a member function settingsGetByKeyNative() on a non-object in D:!!web\diagramo\editor\header.php on line 2

At first I would like to thank you for sharing your source code!

And I would like to ask you about the algorithm for path creating between 2 draggable points. Is it your own algorithm in your solution or is it from some book or from page in internet? I have never seen something like this and if it is the second case (not your own algorithm), I would like to read a litle bit more about this algorithm.

Would you like to give me some link(s) or names for this algorithm?

Thank you again!

As a third bug, the same file direct spits out the request parameter figureID which allows someone to insert a < script > tag, leading to an XSS attack.

A fourth bug exists in editDiagram.php, which doesn't check that the request param diagramId is an integer. A string can be passed in, and it's passed along from function to function right into Delegate::getMultiple. Finally addslashes stops the SQL injection fun. By the way, SQLite3 specifically advises against using addslashes (which doesn't work as expected with some multibyte character sets) and to use SQLite3::escapeString instead.

My advice is to be anal about sanitizing user input. I would also use ctype_digit instead of is_numeric as is_numeric will allow passing things like -0123.45e6 where ctype_digit will accept digits only.

Please get back to me so I know these critical security issues have been addressed.

The first allows anyone to download any file on the server that the user running the PHP script has access to (usually www-data, apache, etc). The bug is in getImage.php. The url request parameter is not sanitized, which allows for url like this:

http://example.com/editor/getImage.php?url=../../../etc/passwd

which happily returns the contents of /etc/password. An appropriate number of ../ can be used to access any file.

Similar holes exist in other scripts. svg.php allows the inclusion of any .svg file, and png.php allows the inclusion of any .png file.

check box public/private don't work, diagrams are always public.

users can see diagrams from other users

The second bug is if the userimages directory has been created. This isn't done by default, but if it is, the upload.php allows the uploading of any file, including a PHP script:

curl -F "[email protected];filename=blah.php" http://example.com/editor/upload.php

which will return with the filename the attacker needs to call. This should be addressed before the upload of images is enabled.

all users can see and delete other users even admin.

Notice: Trying to get property of non-object in C:\Projects\diagramo\web\editor\login.php on line 26