Security fix: unauthorized access (#10091)

* Security fix: unauthorized access Affects nginx users: Moved php files outside of public html directory (Apache was protected by .htaccess) Affects all users: Some files did not check for authentication and could disclose some info. Better checks before including files from user input * git mv html/includes/ includes/html git mv html/pages/ includes/html/
2024-10-07 16:52:45 +00:00 · 2019-04-11 23:26:42 -05:00
parent b81af32ed2
commit 36431dd296
1301 changed files with 1443 additions and 1439 deletions
--- a/includes/html/forms/delete-service.inc.php
+++ b/includes/html/forms/delete-service.inc.php
@@ -0,0 +1,30 @@
+<?php
+/*
+ * LibreNMS
+ *
+ * Copyright (c) 2016 Aaron Daniels <aaron@daniels.id.au>
+ *
+ * This program is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation, either version 3 of the License, or (at your
+ * option) any later version.  Please see LICENSE.txt at the top level of
+ * the source code distribution for details.
+ */
+
+use LibreNMS\Authentication\LegacyAuth;
+
+if (!LegacyAuth::user()->hasGlobalAdmin()) {
+    $status = array('status' =>1, 'message' => 'ERROR: You need to be admin to delete services');
+} else {
+    if (!is_numeric($vars['service_id'])) {
+        $status = array('status' =>1, 'message' => 'No Service has been selected');
+    } else {
+        if (delete_service($vars['service_id'])) {
+            $status = array('status' =>0, 'message' => 'Service: <i>'.$vars['service_id'].', has been deleted.</i>');
+        } else {
+            $status = array('status' =>1, 'message' => 'Service: <i>'.$vars['service_id'].', has NOT been deleted.</i>');
+        }
+    }
+}
+header('Content-Type: application/json');
+echo _json_encode($status);