I tried successfully a different approach, which - as far as I tested - ensures protection from mentioned exploits without any inconvenience concerning gallery functionality.
Basically, it relies on switching main form (editForm) in usermgr.php from GET to POST method, and then checking for $_POST instead of $_GET/$_REQUEST in delete.php when change_group or add_group action is triggered. This prevents from any request sent by query string to get executed.
When applying this patch to v. 1.4.21 and newer, you must restore previous version of bb_decode function in include/functions.inc.php, by replacing actual version with code below:
function bb_decode($text)
{
$text = nl2br($text);
static $bbcode_tpl = array();
static $patterns = array();
static $replacements = array();
// First: If there isn't a "[" and a "]" in the message, don't bother.
if ((strpos($text, "[") === false || strpos($text, "]") === false))
{
return $text;
}
// [b] and [/b] for bolding text.
$text = str_replace("[b]", '<b>', $text);
$text = str_replace("[/b]", '</b>', $text);
// [u] and [/u] for underlining text.
$text = str_replace("[u]", '<u>', $text);
$text = str_replace("[/u]", '</u>', $text);
// [i] and [/i] for italicizing text.
$text = str_replace("[i]", '<i>', $text);
$text = str_replace("[/i]", '</i>', $text);
// colours
$text = preg_replace("/\[color=(\#[0-9A-F]{6}|[a-z]+)\]/", '<span style="color:$1">', $text);
$text = str_replace("[/color]", '</span>', $text);
// [i] and [/i] for italicizing text.
//$text = str_replace("[i:$uid]", $bbcode_tpl['i_open'], $text);
//$text = str_replace("[/i:$uid]", $bbcode_tpl['i_close'], $text);
if (!count($bbcode_tpl)) {
// We do URLs in several different ways..
$bbcode_tpl['url'] = '<span class="bblink"><a href="{URL}" rel="external">{DESCRIPTION}</a></span>';
$bbcode_tpl['email']= '<span class="bblink"><a href="mailto:{EMAIL}">{EMAIL}</a></span>';
$bbcode_tpl['url1'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
$bbcode_tpl['url1'] = str_replace('{DESCRIPTION}', '\\1\\2', $bbcode_tpl['url1']);
$bbcode_tpl['url2'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
$bbcode_tpl['url2'] = str_replace('{DESCRIPTION}', '\\1', $bbcode_tpl['url2']);
$bbcode_tpl['url3'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['url']);
$bbcode_tpl['url3'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url3']);
$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
$bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\2', $bbcode_tpl['url4']);
$bbcode_tpl['email'] = str_replace('{EMAIL}', '\\1', $bbcode_tpl['email']);
// [url]xxxx://www.phpbb.com[/url] code..
$patterns[1] = "#\[url\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
$replacements[1] = $bbcode_tpl['url1'];
// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
$patterns[2] = "#\[url\]([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/url\]#si";
$replacements[2] = $bbcode_tpl['url2'];
// [url=xxxx://www.phpbb.com]phpBB[/url] code..
$patterns[3] = "#\[url=([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
$replacements[3] = $bbcode_tpl['url3'];
// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
$patterns[4] = "#\[url=([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\](.*?)\[/url\]#si";
$replacements[4] = $bbcode_tpl['url4'];
// [email]user@domain.tld[/email] code..
$patterns[5] = "#\[email\]([a-z0-9\-_.]+?@[\w\-]+\.([\w\-\.]+\.)?[\w]+)\[/email\]#si";
$replacements[5] = $bbcode_tpl['email'];
// [img]xxxx://www.phpbb.com[/img] code..
$bbcode_tpl['img'] = '<img src="{URL}" alt="" />';
$bbcode_tpl['img'] = str_replace('{URL}', '\\1\\2', $bbcode_tpl['img']);
$patterns[6] = "#\[img\]([a-z]+?://){1}([a-z0-9\-\.,\?!%\*_\#:;~\\&$@\/=\+\(\)]+)\[/img\]#si";
$replacements[6] = $bbcode_tpl['img'];
}
$text = preg_replace($patterns, $replacements, $text);
return $text;
}
Is there in this perspective any security hole or operation fault I didn't notice? Anyway, here is the mod:
OPEN
usermgr.php
FIND
print '<form method="get" action="delete.php" name="editForm">'."\n";
CHANGE TO
print '<form method="post" action="delete.php" name="editForm">'."\n";
OPEN
delete.php
FIND
$user_id = str_replace('u', '', $_GET['id']);
CHANGE TO
$user_id = str_replace('u', '', $_POST['id']);
FIND (line 673)
// set this user's group
BEFORE, ADD
if (isset($_POST['group'])) {
FIND (5 times)
$_REQUEST['group']
CHANGE TO
$_POST['group']
FIND (line 678)
print '</b></td>';
REPLACE WITH
}
print '</td>';
SAVE AND CLOSE ALL FILES