mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Security fix: unauthorized access (#10091)

Browse Source 
* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/
This commit is contained in:
Tony Murray
2019-04-11 23:26:42 -05:00
committed by GitHub
parent b81af32ed2
commit 36431dd296
1301 changed files with 1443 additions and 1439 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
html/ajax_search.php
View File

@@ -5,13 +5,12 @@ use LibreNMS\Authentication\LegacyAuth;
$init_modules = array('web', 'auth');
require realpath(__DIR__ . '/..') . '/includes/init.php';
set_debug($_REQUEST['debug']);
if (!LegacyAuth::check()) {
echo "Unauthenticated\n";
exit;
die('Unauthorized');
}
set_debug($_REQUEST['debug']);
$device = array();
$ports = array();
$bgp = array();
@@ -24,7 +23,6 @@ if (isset($_REQUEST['search'])) {
$found = 0;
if ($_REQUEST['type'] == 'group') {
include_once '../includes/device-groups.inc.php';
foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE ?", ["%$search%"]) as $group) {
if ($_REQUEST['map']) {
$results[] = array(