Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/graphs/ipsectunnel/auth.inc.php

@@ -0,0 +1,15 @@
+<?php
+
+if (is_numeric($vars['id'])) {
+    $tunnel = dbFetchRow('SELECT * FROM `ipsec_tunnels` AS I, `devices` AS D WHERE I.tunnel_id = ? AND I.device_id = D.device_id', array($vars['id']));
+
+    if (is_numeric($tunnel['device_id']) && ($auth || device_permitted($tunnel['device_id']))) {
+        $device = device_by_id_cache($tunnel['device_id']);
+
+        $rrd_filename = rrd_name($device['hostname'], array('ipsectunnel', $tunnel['peer_addr']));
+
+        $title  = generate_device_link($device);
+        $title .= ' :: IPSEC Tunnel :: '.htmlentities($tunnel['peer_addr']);
+        $auth   = true;
+    }
+}

includes/html/graphs/ipsectunnel/bits.inc.php

@@ -0,0 +1,8 @@
+<?php
+
+$ds_in  = 'TunInOctets';
+$ds_out = 'TunOutOctets';
+
+$format = 'octets';
+
+require 'includes/html/graphs/generic_data.inc.php';

includes/html/graphs/ipsectunnel/pkts.inc.php

@@ -0,0 +1,17 @@
+<?php
+
+$ds_in  = 'TunInPkts';
+$ds_out = 'TunOutPkts';
+
+$colour_area_in  = 'AA66AA';
+$colour_line_in  = '330033';
+$colour_area_out = 'FFDD88';
+$colour_line_out = 'FF6600';
+
+$colour_area_in_max  = 'cc88cc';
+$colour_area_out_max = 'FFefaa';
+
+$graph_max = 1;
+$unit_text = 'Packets';
+
+require 'includes/html/graphs/generic_duplex.inc.php';