Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

LibreNMS/Plugins.php

@@ -101,6 +101,7 @@ class Plugins
      */
     public static function load($file, $pluginName)
     {
+        chdir(Config::get('install_dir') . '/html');
         $plugin = self::getInstance($file, $pluginName);
 
         $class = get_class($plugin);
@@ -112,6 +113,8 @@ class Plugins
             }
         }
 
+        chdir(Config::get('install_dir'));
+
         return $plugin;
     }
 
@@ -173,12 +176,10 @@ class Plugins
      */
     public static function call($hook, $params = false)
     {
+        chdir(Config::get('install_dir') . '/html');
         self::start();
 
-        if (empty(self::$plugins[$hook])) {
-            return;
-        }
-
+        if (!empty(self::$plugins[$hook])) {
             foreach (self::$plugins[$hook] as $name) {
                 try {
                     if (!is_array($params)) {
@@ -191,6 +192,8 @@ class Plugins
                 }
             }
         }
+        chdir(Config::get('install_dir'));
+    }
 
     /**
      * Get count of hooks.

LibreNMS/Util/Graph.php

@@ -46,7 +46,7 @@ class Graph
         $types = [];
 
         // find the subtypes defined in files
-        foreach (glob(base_path("/html/includes/graphs/$type/*.inc.php")) as $file) {
+        foreach (glob(base_path("/includes/html/graphs/$type/*.inc.php")) as $file) {
             $type = basename($file, '.inc.php');
             if ($type != 'auth') {
                 $types[] = $type;

html/ajax_form.php

@@ -12,22 +12,19 @@
  * the source code distribution for details.
  */
 
-// FUA
-
 use LibreNMS\Authentication\LegacyAuth;
 
-$init_modules = array('web', 'auth', 'alerts', 'laravel');
+$init_modules = array('web', 'auth', 'alerts');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+if (!LegacyAuth::check()) {
+    die('Unauthorized');
+}
+
 set_debug(isset($_REQUEST['debug']) ? $_REQUEST['debug'] : false);
 
-if (!LegacyAuth::check()) {
-    echo 'unauthenticated';
-    exit;
-}
-
 if (preg_match('/^[a-zA-Z0-9\-]+$/', $_POST['type']) == 1) {
-    if (file_exists('includes/forms/'.$_POST['type'].'.inc.php')) {
-        include_once 'includes/forms/'.$_POST['type'].'.inc.php';
+    if (file_exists('includes/html/forms/'.$_POST['type'].'.inc.php')) {
+        include_once 'includes/html/forms/'.$_POST['type'].'.inc.php';
     }
 }

html/ajax_list.php

@@ -19,18 +19,17 @@ $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    echo "Unauthenticated\n";
-    exit;
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);
 
-$type = mres($_REQUEST['type']);
+$type = basename($_REQUEST['type']);
 
-if (isset($type) && file_exists("includes/list/$type.inc.php")) {
+if ($type && file_exists("includes/html/list/$type.inc.php")) {
     header('Content-type: application/json');
 
-    list($results, $more) = include "includes/list/$type.inc.php";
+    list($results, $more) = include "includes/html/list/$type.inc.php";
 
     die(json_encode([
         'results' => $results,

html/ajax_listports.php

@@ -15,13 +15,12 @@ use LibreNMS\Authentication\LegacyAuth;
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-set_debug($_REQUEST['debug']);
-
 if (!LegacyAuth::check()) {
-    echo 'unauthenticated';
-    exit;
+    die('Unauthorized');
 }
 
+set_debug($_REQUEST['debug']);
+
 if (is_numeric($_GET['device_id'])) {
     foreach (dbFetch('SELECT * FROM ports WHERE device_id = ?', array($_GET['device_id'])) as $interface) {
         $interface  = cleanPort($interface);

html/ajax_ossuggest.php

@@ -21,7 +21,7 @@ $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    die('Unauthorized.');
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);

html/ajax_output.php

@@ -23,14 +23,13 @@ if (isset($_SESSION['stage']) && $_SESSION['stage'] == 2) {
     require realpath(__DIR__ . '/..') . '/includes/init.php';
 
     if (!LegacyAuth::check()) {
-        echo "Unauthenticated\n";
-        exit;
+        die('Unauthorized');
     }
 }
 
 set_debug($_REQUEST['debug']);
-$id = str_replace('/', '', $_REQUEST['id']);
+$id = basename($_REQUEST['id']);
 
-if (isset($id)) {
-    require $config['install_dir'] . "/html/includes/output/$id.inc.php";
+if ($id && is_file($config['install_dir'] . "/includes/html/output/$id.inc.php")) {
+    require $config['install_dir'] . "/includes/html/output/$id.inc.php";
 }

html/ajax_rulesuggest.php

@@ -29,14 +29,14 @@ $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    die('Unauthorized.');
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);
 
 /**
  * Levenshtein Sort
- * @param string $base Comparisson basis
+ * @param string $base Comparison basis
  * @param array  $obj  Object to sort
  * @return array
  */

html/ajax_search.php

@@ -5,13 +5,12 @@ use LibreNMS\Authentication\LegacyAuth;
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-set_debug($_REQUEST['debug']);
-
 if (!LegacyAuth::check()) {
-    echo "Unauthenticated\n";
-    exit;
+    die('Unauthorized');
 }
 
+set_debug($_REQUEST['debug']);
+
 $device = array();
 $ports  = array();
 $bgp    = array();
@@ -24,7 +23,6 @@ if (isset($_REQUEST['search'])) {
         $found = 0;
 
         if ($_REQUEST['type'] == 'group') {
-            include_once '../includes/device-groups.inc.php';
             foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE ?", ["%$search%"]) as $group) {
                 if ($_REQUEST['map']) {
                     $results[] = array(

html/ajax_table.php

@@ -18,8 +18,7 @@ $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
 if (!LegacyAuth::check()) {
-    echo "Unauthenticated\n";
-    exit;
+    die('Unauthorized');
 }
 
 set_debug($_REQUEST['debug']);
@@ -34,13 +33,11 @@ if (isset($_REQUEST['sort']) && is_array($_POST['sort'])) {
     }
 }
 
-$searchPhrase = mres($_REQUEST['searchPhrase']);
-$id           = mres($_REQUEST['id']);
+$searchPhrase = $_REQUEST['searchPhrase'];
+$id           = basename($_REQUEST['id']);
 $response     = array();
 
-if (isset($id)) {
-    if (file_exists("includes/table/$id.inc.php")) {
+if ($id && file_exists("includes/html/table/$id.inc.php")) {
     header('Content-type: application/json');
-        include_once "includes/table/$id.inc.php";
-    }
+    include_once "includes/html/table/$id.inc.php";
 }

html/csv.php

@@ -12,20 +12,27 @@
  * the source code distribution for details.
  */
 
-$init_modules = array('web', 'auth');
+use LibreNMS\Authentication\LegacyAuth;
+use LibreNMS\Config;
+
+$init_modules = ['web', 'auth'];
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+if (!LegacyAuth::check()) {
+    die('Unauthorized');
+}
+
 set_debug(strpos($_SERVER['PATH_INFO'], 'debug'));
 
-$report = mres($vars['report']);
-if (!empty($report) && file_exists("includes/reports/$report.csv.inc.php")) {
+$report = basename($vars['report']);
+if ($report && file_exists(Config::get('install_dir') . "/includes/html/reports/$report.csv.inc.php")) {
     if ($debug === false) {
         header('Content-Type: text/csv');
         header('Content-Disposition: attachment; filename="'.$report.'-'.date('Ymd').'.csv"');
     }
 
-    $csv = array();
-    require $config['install_dir'] . "/html/includes/reports/$report.csv.inc.php";
+    $csv = [];
+    require Config::get('install_dir') . "/includes/html/reports/$report.csv.inc.php";
     foreach ($csv as $line) {
         echo implode(',', $line)."\n";
     }

html/data.php

@@ -19,18 +19,18 @@ if (is_numeric($_GET['id']) && ($config['allow_unauth_graphs'] || port_permitted
     $title  = generate_device_link($device);
     $title .= ' :: Port  '.generate_port_link($port);
     $auth   = true;
-}
 
-$in = snmp_get($device, 'ifHCInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-if (empty($in)) {
+    $in = snmp_get($device, 'ifHCInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    if (empty($in)) {
         $in  = snmp_get($device, 'ifInOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-}
+    }
 
-$out = snmp_get($device, 'ifHCOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
-if (empty($out)) {
+    $out = snmp_get($device, 'ifHCOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    if (empty($out)) {
         $out = snmp_get($device, 'ifOutOctets.'.$port['ifIndex'], '-OUqnv', 'IF-MIB');
+    }
+
+    $time = time();
+
+    printf("%lf|%s|%s\n", time(), $in, $out);
 }
-
-$time = time();
-
-printf("%lf|%s|%s\n", time(), $in, $out);

html/graph.php

@@ -1,5 +1,4 @@
 <?php
-
 /**
  * LibreNMS
  *
@@ -10,17 +9,24 @@
  * @copyright  (C) 2006 - 2012 Adam Armstrong
  */
 
+use LibreNMS\Authentication\LegacyAuth;
 
 $start = microtime(true);
 
-$init_modules = array('web', 'graphs');
+$init_modules = array('web', 'graphs', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+$auth = LegacyAuth::check() || is_client_authorized($_SERVER['REMOTE_ADDR']);
+
+if (!$auth) {
+    die('Unauthorized');
+}
+
 set_debug(isset($_GET['debug']));
 
 rrdtool_initialize(false);
 
-require $config['install_dir'] . '/html/includes/graphs/graph.inc.php';
+require $config['install_dir'] . '/includes/html/graphs/graph.inc.php';
 
 rrdtool_close();
 

html/includes/.htaccess

@@ -1 +0,0 @@
-deny from all

html/includes/graphs/macaccounting/bits.inc.php

@@ -1,6 +0,0 @@
-<?php
-
-$ds_in  = 'IN';
-$ds_out = 'OUT';
-
-require 'includes/graphs/generic_data.inc.php';

html/legacy_api_v0.php

@@ -1,5 +1,4 @@
 <?php
-
 /*
  * LibreNMS
  *
@@ -12,10 +11,14 @@
  * the source code distribution for details.
  */
 
+use LibreNMS\Config;
+
 $init_modules = array('web', 'alerts');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
-use LibreNMS\Config;
+if (!Auth::check()) {
+    die('Unauthorized');
+}
 
 $app = new \Slim\Slim();
 
@@ -30,7 +33,7 @@ if (Config::get('api.cors.enabled') === true) {
     $app->add($cors);
 }
 
-require $config['install_dir'] . '/html/includes/api_functions.inc.php';
+require $config['install_dir'] . '/includes/html/api_functions.inc.php';
 $app->setName('api');
 
 $app->notFound(function () use ($app) {

html/legacy_index.php

@@ -28,6 +28,10 @@ $msg_box = array();
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+if (!Auth::check()) {
+    die('Unauthorized');
+}
+
 set_debug(str_contains($_SERVER['REQUEST_URI'], 'debug'));
 
 LibreNMS\Plugins::start();
@@ -169,7 +173,7 @@ if (empty($_SESSION['screen_width']) && empty($_SESSION['screen_height'])) {
 
 if ((isset($vars['bare']) && $vars['bare'] != "yes") || !isset($vars['bare'])) {
     if (Auth::check()) {
-        require 'includes/print-menubar.php';
+        require 'includes/html/print-menubar.php';
     }
 } else {
     echo "<style>body { padding-top: 0px !important;
@@ -191,15 +195,15 @@ if (isset($devel) || isset($vars['devel'])) {
     echo("</pre>");
 }
 
-if (isset($vars['page']) && !strstr("..", $vars['page']) &&  is_file("pages/" . $vars['page'] . ".inc.php")) {
-    require "pages/" . $vars['page'] . ".inc.php";
+$vars['page'] = basename($vars['page'] ?? '');
+if ($vars['page'] && is_file("includes/html/pages/" . $vars['page'] . ".inc.php")) {
+    require "includes/html/pages/" . $vars['page'] . ".inc.php";
+} elseif (Config::has('front_page') && is_file('includes/html/' . Config::get('front_page'))) {
+    require 'includes/html/' . Config::get('front_page');
 } else {
-    if (isset($config['front_page']) && is_file($config['front_page'])) {
-        require $config['front_page'];
-    } else {
-        require 'pages/front/default.php';
-    }
+    require 'includes/html/pages/front/default.php';
 }
+
 ?>
     </div>
   </div>

html/network-map.php

@@ -18,6 +18,10 @@ $links = 1;
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+if (!LegacyAuth::check()) {
+    die('Unauthorized');
+}
+
 $options = getopt('d::');
 
 if (set_debug(isset($options['d']))) {

html/pages/.htaccess

@@ -1 +0,0 @@
-deny from all

html/pages/plugin.inc.php

@@ -1,16 +0,0 @@
-<?php
-
-$link_array = array('page' => 'plugin');
-
-$pagetitle[] = 'Plugin';
-
-if ($vars['view'] == 'admin') {
-    include_once 'pages/plugin/admin.inc.php';
-} else {
-    $plugin = dbFetchRow("SELECT `plugin_name` FROM `plugins` WHERE `plugin_name` = '".$vars['p']."' AND `plugin_active`='1'");
-    if (!empty($plugin)) {
-        include 'plugins/'.$plugin['plugin_name'].'/'.$plugin['plugin_name'].'.inc.php';
-    } else {
-        print_error('This plugin is either disabled or not available.');
-    }
-}

html/pdf.php

@@ -12,9 +12,15 @@
  * the source code distribution for details.
  */
 
+use LibreNMS\Authentication\LegacyAuth;
+
 $init_modules = array('web', 'auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 
+if (!LegacyAuth::check()) {
+    die('Unauthorized');
+}
+
 set_debug(strpos($_SERVER['PATH_INFO'], 'debug'));
 
 $pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
@@ -37,7 +43,7 @@ $pdf->setTextShadow(array('enabled' => false, 'depth_w' => 0.2, 'depth_h' => 0.2
 if (isset($_GET['report']) && !empty($_GET['report'])) {
     $report = mres($_GET['report']);
     $pdf->SetHeaderData('../../../../../html/'.$config['title_image'], 40, ucfirst($report), $config['project_name'], array(0, 0, 0), array(0, 64, 128));
-    include_once "includes/reports/$report.pdf.inc.php";
+    include_once "includes/html/reports/$report.pdf.inc.php";
 } else {
     $report = 'report';
 }

includes/common.php

@@ -760,10 +760,11 @@ function get_graph_subtypes($type, $device = null)
 {
     global $config;
 
+    $type = basename($type);
     $types = array();
 
     // find the subtypes defined in files
-    if ($handle = opendir($config['install_dir'] . "/html/includes/graphs/$type/")) {
+    if ($handle = opendir($config['install_dir'] . "/includes/html/graphs/$type/")) {
         while (false !== ($file = readdir($handle))) {
             if ($file != "." && $file != ".." && $file != "auth.inc.php" && strstr($file, ".inc.php")) {
                 $types[] = str_replace(".inc.php", "", $file);

includes/html/api_functions.inc.php

@@ -161,7 +161,7 @@ function get_graph_by_port_hostname()
     check_port_permission($vars['id'], $device_id);
     $app->response->headers->set('Content-Type', get_image_type());
     rrdtool_initialize(false);
-    include 'includes/graphs/graph.inc.php';
+    include 'includes/html/graphs/graph.inc.php';
     rrdtool_close();
     if ($vars['output'] === 'base64') {
         api_success(['image' => $base64_output, 'content-type' => get_image_type()], 'image');
@@ -245,7 +245,7 @@ function get_graph_generic_by_hostname()
     $vars['device'] = dbFetchCell('SELECT `D`.`device_id` FROM `devices` AS `D` WHERE `D`.`hostname`=?', array($hostname));
     $app->response->headers->set('Content-Type', get_image_type());
     rrdtool_initialize(false);
-    include 'includes/graphs/graph.inc.php';
+    include 'includes/html/graphs/graph.inc.php';
     rrdtool_close();
 
     if ($vars['output'] === 'base64') {
@@ -670,7 +670,7 @@ function get_graph_by_portgroup()
     $vars['id']   = $if_list;
     $app->response->headers->set('Content-Type', get_image_type());
     rrdtool_initialize(false);
-    include 'includes/graphs/graph.inc.php';
+    include 'includes/html/graphs/graph.inc.php';
     rrdtool_close();
     if ($vars['output'] === 'base64') {
         api_success(['image' => $base64_output, 'content-type' => get_image_type()], 'image');
@@ -1440,7 +1440,7 @@ function get_bill_graph()
     $vars['height'] = $_GET['height'] ?: 300;
 
     $app->response->headers->set('Content-Type', 'image/png');
-    include 'includes/graphs/graph.inc.php';
+    include 'includes/html/graphs/graph.inc.php';
 }
 
 function get_bill_graphdata()
@@ -1532,7 +1532,7 @@ function get_bill_history_graph()
     $vars['height'] = $_GET['height'] ?: 300;
 
     $app->response->headers->set('Content-Type', 'image/png');
-    include 'includes/graphs/graph.inc.php';
+    include 'includes/html/graphs/graph.inc.php';
 }
 
 function get_bill_history_graphdata()

includes/html/collectd/functions.php

@@ -16,7 +16,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
 
-require 'includes/collectd/CollectdColor.php';
+require 'includes/html/collectd/CollectdColor.php';
 
 use LibreNMS\CollectdColor;
 

includes/html/common/alerts.inc.php

@@ -13,8 +13,6 @@
  * @author     LibreNMS Contributors
 */
 
-require_once $config['install_dir'] . '/includes/device-groups.inc.php';
-
 /* FIXME: is there a central place we can put this? */
 
 $alert_states = array(

includes/html/common/availability-map.inc.php

@@ -143,7 +143,7 @@ if (defined('SHOW_SETTINGS')) {
         </div>
     </form>';
 } else {
-    require_once 'includes/object-cache.inc.php';
+    require_once 'includes/html/object-cache.inc.php';
 
     $host_up_count = 0;
     $host_warn_count = 0;

includes/html/common/device-summary-horiz.inc.php

@@ -1,5 +1,5 @@
 <?php
-require_once 'includes/object-cache.inc.php';
+require_once 'includes/html/object-cache.inc.php';
 
 $temp_output = '
 <div class="panel panel-default panel-condensed table-responsive">

includes/html/common/device-summary-vert.inc.php

@@ -1,5 +1,5 @@
 <?php
-require_once 'includes/object-cache.inc.php';
+require_once 'includes/html/object-cache.inc.php';
 
 $temp_output = '
 <div class="panel panel-default panel-condensed table-responsive">

includes/html/common/worldmap.inc.php

@@ -27,7 +27,6 @@ use LibreNMS\Config;
 
 $install_dir = Config::get('install_dir');
 require_once $install_dir . '/includes/alerts.inc.php';
-require_once $install_dir . '/includes/device-groups.inc.php';
 
 if (Config::get('map.engine', 'leaflet') == 'leaflet') {
     $temp_output = '

includes/html/forms/create-device-group.inc.php

@@ -18,8 +18,6 @@ if (!LegacyAuth::user()->hasGlobalAdmin()) {
     die('ERROR: You need to be admin');
 }
 
-require_once '../includes/device-groups.inc.php';
-
 $pattern  = $_POST['patterns'];
 $group_id = $_POST['group_id'];
 $name     = mres($_POST['name']);