From 39f632697cd5f303b513a720594e3c3dc8b69c8b Mon Sep 17 00:00:00 2001
From: trichimtrich
Date: Wed, 26 Jul 2017 17:58:33 +0800
Subject: [PATCH 1/2] fix Abitrary File Read https://github.com/slims/slims8_akasia/issues/48
---
 admin/help.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/admin/help.php b/admin/help.php
index e59fad1c..af1dfef4 100644
--- a/admin/help.php
+++ b/admin/help.php
@@ -38,7 +38,7 @@ if(isset($_GET['url']) && !empty($_GET['url'])) {
- $file_path = HELP.'/'.$sysconf['default_lang'].'/'.$_GET['url'];
+ $file_path = HELP.'/'.$sysconf['default_lang'].'/'.basename($_GET['url']);
 if(!file_exists($file_path)) {
 echo __('File Not Found');
 } else {
From 25f806c89b37b18027c23af6c21d27c70eff08a5 Mon Sep 17 00:00:00 2001
From: "trichimtrich@gmail.com"
Date: Wed, 26 Jul 2017 19:00:01 +0800
Subject: [PATCH 2/2] fix table_name, table_field sql injection
---
 admin/AJAX_check_id.php | 7 ++++++-
 admin/AJAX_lookup_handler.php | 12 ++++++++----
 admin/AJAX_vocabolary_control.php | 12 ++++++++----
 3 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/admin/AJAX_check_id.php b/admin/AJAX_check_id.php
index d78028ee..9aca9d46 100755
--- a/admin/AJAX_check_id.php
+++ b/admin/AJAX_check_id.php
@@ -15,6 +15,11 @@ $table_name = $dbs->escape_string(trim($_POST['tableName']));
 $table_fields = $dbs->escape_string(trim($_POST['tableFields']));
+
+// clear all backticks in user input and append them later in sql query
+$table_name = str_replace('`', '', $table_name);
+$table_fields = str_replace('`', '', $table_fields);
+
 if (isset($_POST['id']) AND !empty($_POST['id'])) {
 $id = $dbs->escape_string(trim($_POST['id']));
 } else {
@@ -22,7 +27,7 @@ }
 // sql string
-$sql_string = "SELECT $table_fields FROM $table_name WHERE $table_fields='$id' LIMIT 1";
+$sql_string = "SELECT `$table_fields` FROM `$table_name` WHERE `$table_fields`='$id' LIMIT 1";
 // send query to database
 $query = $dbs->query($sql_string);
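Review bot: `basename()` on the added line strips directory components, but it returns `.` and `..` unchanged for those inputs, so `$file_path` can still name the language directory itself or its parent, and the `file_exists()` check on the following line is satisfied by a directory. Switching that check to `is_file()` closes the gap, and rejecting names whose extension differs from the one the help files use (not visible in this hunk) would keep the handler from serving anything else dropped into that directory: `$name = basename($_GET['url']);` / `$file_path = HELP.'/'.$sysconf['default_lang'].'/'.$name;` / `if(!is_file($file_path)) {`. The `if` block this hunk sits in continues past the hunk, so what is later done with `$file_path` is not visible here.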
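Review bot: The stripped-and-requoted `$table_name` and `$table_fields` are still accepted verbatim from `$_POST`, so while the backticks now stop the value from terminating the identifier, the handler will run its existence check against any table and column the database account can read. Before the query is built the pair should be checked against the tables this endpoint is meant to serve, for example `$allowed = ['TABLE_PLACEHOLDER' => ['COLUMN_PLACEHOLDER']]; // constructed example; fill from the callers` / `if (!isset($allowed[$table_name]) || !in_array($table_fields, $allowed[$table_name], true)) { exit; }`. Once such a list exists, `$dbs->escape_string()` on the identifiers adds nothing: MySQL does not treat a backslash as an escape inside a backtick-quoted identifier, so the escaping only alters the name being looked up. The same additions appear in AJAX_lookup_handler.php (`@@ -38,6 +38,10 @@`) and AJAX_vocabolary_control.php (`@@ -39,6 +39,10 @@`) and need the same check.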
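Review bot: The rewritten query still interpolates `'$id'` after `$dbs->escape_string()`, so its safety rests on the escaping agreeing with the connection character set; if `$dbs` is a mysqli handle that only holds when the charset was set through `set_charset()` rather than a `SET NAMES` query, and the connection setup is outside this hunk. With the identifiers now in a fixed quoted form, the value is the only part that has to stay dynamic and can be bound, with `$id` taken unescaped: `$stmt = $dbs->prepare("SELECT `$table_fields` FROM `$table_name` WHERE `$table_fields` = ? LIMIT 1");` / `$stmt->bind_param('s', $id);` / `$stmt->execute();`. The result handling after `$query = $dbs->query($sql_string)` is outside the hunk and would need to read from `$stmt` instead.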
diff --git a/admin/AJAX_lookup_handler.php b/admin/AJAX_lookup_handler.php
index ff23b85c..9d91b801 100755
--- a/admin/AJAX_lookup_handler.php
+++ b/admin/AJAX_lookup_handler.php
@@ -38,6 +38,10 @@ $table_name = $dbs->escape_string(trim($_POST['tableName']));
 $table_fields = trim($_POST['tableFields']);
+// clear all backticks in user input and append them later in sql query
+$table_name = str_replace('`', '', $table_name);
+$table_fields = str_replace('`', '', $table_fields);
+
 if (isset($_POST['keywords']) AND !empty($_POST['keywords'])) {
 $keywords = $dbs->escape_string(urldecode(ltrim($_POST['keywords'])));
 } else {
@@ -45,19 +49,19 @@ }
 // explode table fields data
-$fields = str_replace(':', ', ', $table_fields);
+$fields = str_replace(':', '`, `', $table_fields);
 // set where criteria
 $criteria = '';
 foreach (explode(':', $table_fields) as $field) {
- $criteria .= " $field LIKE '%$keywords%' OR";
+ $criteria .= " `$field` LIKE '%$keywords%' OR";
 }
 // remove the last OR
 $criteria = substr_replace($criteria, '', -2);
-$sql_string = "SELECT $fields ";
+$sql_string = "SELECT `$fields` ";
 // append table name
-$sql_string .= " FROM $table_name ";
+$sql_string .= " FROM `$table_name` ";
 if ($criteria) {
 $sql_string .= " WHERE $criteria LIMIT $limit";
 }
 // send query to database
diff --git a/admin/AJAX_vocabolary_control.php b/admin/AJAX_vocabolary_control.php
index 5d2d7551..5f46431c 100755
--- a/admin/AJAX_vocabolary_control.php
+++ b/admin/AJAX_vocabolary_control.php
@@ -39,6 +39,10 @@ $table_name = $dbs->escape_string(trim($_POST['tableName']));
 $table_fields = trim($_POST['tableFields']);
+// clear all backticks in user input and append them later in sql query
+$table_name = str_replace('`', '', $table_name);
+$table_fields = str_replace('`', '', $table_fields);
+
 if (isset($_POST['keywords']) AND !empty($_POST['keywords'])) {
 $keywords = $dbs->escape_string(urldecode(ltrim($_POST['keywords'])));
 } else {
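Review bot: The new `SELECT `$fields` ` line depends on `$fields` having been built by replacing `:` with `` `, ` `` a few lines above, while `$criteria` is built from `explode(':', $table_fields)` in the loop, so the two quoted lists are derived separately and any empty segment (a leading, trailing or doubled `:` in `tableFields`) becomes an empty backtick pair that MySQL rejects as a column name. Deriving both from one cleaned list keeps them in step: `$parts = array_filter(array_map('trim', explode(':', $table_fields)), 'strlen');` then `` $fields = '`' . implode('`, `', $parts) . '`'; `` and `foreach ($parts as $field) {`. `$limit` on the `WHERE` line is not assigned within the hunk, so its source should be checked in the surrounding file. The hunk `@@ -46,19 +50,19 @@` in AJAX_vocabolary_control.php is the same code and has the same issue.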
@@ -46,19 +50,19 @@ }
 // explode table fields data
-$fields = str_replace(':', ', ', $table_fields);
+$fields = str_replace(':', '`, `', $table_fields);
 // set where criteria
 $criteria = '';
 foreach (explode(':', $table_fields) as $field) {
- $criteria .= " $field LIKE '%$keywords%' OR";
+ $criteria .= " `$field` LIKE '%$keywords%' OR";
 }
 // remove the last OR
 $criteria = substr_replace($criteria, '', -2);
-$sql_string = "SELECT $fields ";
+$sql_string = "SELECT `$fields` ";
 // append table name
-$sql_string .= " FROM $table_name ";
+$sql_string .= " FROM `$table_name` ";
 if ($criteria) {
 $sql_string .= " WHERE $criteria LIMIT $limit";
 }
 // send query to database