secure api-key generation, dns-record as well as ssl-certificate deletion, logo uploading, frame-inclusion and user/email enumeration via 'forgot password'

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2022-12-02 09:22:08 +01:00
parent 0e703a4199
commit 4d454a3903
8 changed files with 257 additions and 210 deletions
--- a/api_keys.php
+++ b/api_keys.php
@@ -70,7 +70,7 @@ if ($action == 'delete') {
 			), $id);
 		}
 	}
-} elseif ($action == 'add') {
+} elseif ($action == 'add' && isset($_POST['send']) && $_POST['send'] == 'send') {
 	$ins_stmt = Database::prepare("
 		INSERT INTO `" . TABLE_API_KEYS . "` SET
 		`apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = ''
@@ -92,6 +92,10 @@ if ($action == 'delete') {
 	$success_message = $lng['apikeys']['apikey_added'];
 } elseif ($action == 'jqEditApiKey') {
 	$keyid = isset($_POST['id']) ? (int) $_POST['id'] : 0;
+	if (empty($keyid)) {
+		echo json_encode(false);
+		exit;
+	}
 	$allowed_from = isset($_POST['allowed_from']) ? $_POST['allowed_from'] : "";
 	$valid_until = isset($_POST['valid_until']) ? (int) $_POST['valid_until'] : -1;