# Author: Nicolas Roudaire <nikrou77@gmail.com>
# Bug: http://piwigo.org/bugs/view.php?id=1848,1849,1856
# Description: Fix vulnerabilities (http://www.exploit-db.com/exploits/14973/)

--- piwigo.orig/admin/profile.php
+++ piwigo/admin/profile.php
@@ -25,8 +25,12 @@
 
 $edit_user = build_user( $_GET['user_id'], false );
 
-include_once(PHPWG_ROOT_PATH.'profile.php');
+if (!empty($_POST))
+{
+  check_pwg_token();
+}
 
+include_once(PHPWG_ROOT_PATH.'profile.php');
 
 $errors = array();
 if ( !is_adviser() )
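Review bot: The new `check_pwg_token()` call is gated only on `!empty($_POST)` and nothing records why it has to come before `include_once(PHPWG_ROOT_PATH.'profile.php')`, so a later edit could move the include back above it without noticing. Add `// CSRF protection: profile.php handles the submitted form, so the token must be validated before it is included` above the `if`. This assumes `check_pwg_token()` terminates the request on failure; if it merely returns, the include still runs and the check is ineffective, which is worth confirming. The `$_GET['user_id']` passed to `build_user()` on the context line above is not validated here, but that line is unchanged by this patch.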
--- piwigo.orig/include/ws_core.inc.php
+++ piwigo/include/ws_core.inc.php
@@ -477,7 +477,7 @@
 
     if ( $method==null )
     {
-      return new PwgError(WS_ERR_INVALID_METHOD, 'Method name "'.$methodName.'" is not valid');
+      return new PwgError(WS_ERR_INVALID_METHOD, 'Method name is not valid');
     }
 
     // parameter check and data coercion !
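Review bot: Dropping `$methodName` from the `PwgError` message removes the reflected value but leaves no hint why, so the interpolation is likely to be restored the next time someone wants a more helpful error. A one-line comment above the `return` would pin it: `// do not echo the requested method name back; the error text is presumably rendered unescaped by some response formats`. If the name is needed for troubleshooting, it belongs in a server-side log, not in the response body. The enclosing method starts and ends outside this hunk.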
--- piwigo.orig/admin/themes/default/template/profile_content.tpl
+++ piwigo/admin/themes/default/template/profile_content.tpl
@@ -103,6 +103,7 @@
   </fieldset>
 
   <p class="bottomButtons">
+    <input type="hidden" name="pwg_token" value="{$PWG_TOKEN}">
     <input class="submit" type="submit" name="validate" value="{'Submit'|@translate}">
     <input class="submit" type="reset" name="reset" value="{'Reset'|@translate}">
   </p>
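Review bot: The hidden field reads `{$PWG_TOKEN}`, but no hunk in this patch assigns that template variable for the admin profile page; if it is not already assigned by the including code, the field renders empty and every submit fails the `check_pwg_token()` check added in admin/profile.php. Verify the assignment exists for this template, or add it alongside the other template assigns in admin/profile.php.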
--- piwigo.orig/include/section_init.inc.php
+++ piwigo/include/section_init.inc.php
@@ -61,6 +61,10 @@
     $rewritten = $key;
     break;
   }
+  
+  // the $_GET keys are not protected in include/common.inc.php, only the values
+  $rewritten = pwg_db_real_escape_string($rewritten);
+  
   $page['root_path'] = PHPWG_ROOT_PATH;
 }
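Review bot: `$rewritten = pwg_db_real_escape_string($rewritten);` escapes the value at assignment rather than at the SQL query site, so anything else `$rewritten` feeds later (URL or HTML output, other `$page` entries) would carry the escape backslashes, and a reader of those later lines cannot tell the value is already SQL-escaped. Prefer escaping where the value is interpolated into the query, or, since this is a rewrite key, validate its shape up front with an allowlist or a pattern such as `preg_match('/^[A-Za-z0-9_-]+$/', $key)` (constructed example; adjust to the keys the code actually expects) and reject anything else. The two added blank lines `+  ` carry trailing whitespace. The enclosing block, including where `$rewritten` is initialized and consumed, lies outside this hunk.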
 
