Security fix: unauthorized access (#10091)

* Security fix: unauthorized access Affects nginx users: Moved php files outside of public html directory (Apache was protected by .htaccess) Affects all users: Some files did not check for authentication and could disclose some info. Better checks before including files from user input * git mv html/includes/ includes/html git mv html/pages/ includes/html/
2024-10-07 16:52:45 +00:00 · 2019-04-11 23:26:42 -05:00
parent b81af32ed2
commit 36431dd296
1301 changed files with 1443 additions and 1439 deletions
--- a/includes/html/common/syslog.inc.php
+++ b/includes/html/common/syslog.inc.php
@ -0,0 +1,51 @@
+<?php
+/*
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or (at your
+ * option) any later version.  Please see LICENSE.txt at the top level of
+ * the source code distribution for details.
+ *
+ * @package    LibreNMS
+ * @subpackage webui
+ * @link       http://librenms.org
+ * @copyright  2017 LibreNMS
+ * @author     LibreNMS Contributors
+*/
+
+$common_output[] = '
+<div class="table-responsive">
+    <table id="syslog" class="table table-hover table-condensed table-striped">
+        <thead>
+            <tr>
+                <th data-column-id="label"></th>
+                <th data-column-id="timestamp" data-order="desc">Timestamp</th>
+                <th data-column-id="level">Level</th>
+                <th data-column-id="device_id">Hostname</th>
+                <th data-column-id="program">Program</th>
+                <th data-column-id="msg">Message</th>
+                <th data-column-id="priority">Priority</th>
+            </tr>
+        </thead>
+    </table>
+</div>
+<script>
+
+var syslog_grid = $("#syslog").bootgrid({
+    ajax: true,
+    rowCount: [50, 100, 250, -1],
+    post: function ()
+    {
+        return {
+            device: "' . addcslashes($vars['device'], '"') . '",
+            program: "' . addcslashes($vars['program'], '"') . '",
+            priority: "' . addcslashes($vars['priority'], '"') . '",
+            to: "' . addcslashes($vars['to'], '"') . '",
+            from: "' . addcslashes($vars['from'], '"') . '",
+        };
+    },
+    url: "ajax/table/syslog"
+});
+
+</script>
+';