From 6b07d6d99d0d3ce43aef019f1cfd2a8ddfa8d1b8 Mon Sep 17 00:00:00 2001
From: laf
Date: Fri, 7 Oct 2016 08:46:32 +0000
Subject: [PATCH] fix some security issues
---
 html/ajax_dash.php | 4 ++--
 html/includes/authenticate.inc.php | 6 +++---
 html/includes/common/notes.inc.php | 2 +-
 html/netcmd.php | 4 ++--
 includes/rewrites.php | 2 ++
 5 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/html/ajax_dash.php b/html/ajax_dash.php
index 83d8e6a77a..aecbf0f2c8 100644
--- a/html/ajax_dash.php
+++ b/html/ajax_dash.php
@@ -36,7 +36,7 @@ if ($type == 'placeholder') {
 $results_limit = 10;
 $typeahead_limit = $config['webui']['global_search_result_limit'];
 $no_form = true;
- $title = ucfirst($type);
+ $title = ucfirst(display($type));
 $unique_id = str_replace(array("-","."), "_", uniqid($type, true));
 $widget_id = mres($_POST['id']);
 $widget_settings = json_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?', array($widget_id)), true);
@@ -47,7 +47,7 @@ if ($type == 'placeholder') {
 include 'includes/common/'.$type.'.inc.php';
 $output = implode('', $common_output);
 $status = 'ok';
- $title = $widget_settings['title'] ?: $title;
+ $title = display($widget_settings['title']) ?: $title;
 }
 $response = array(
diff --git a/html/includes/authenticate.inc.php b/html/includes/authenticate.inc.php
index e869aa6ea6..b18b8c7c42 100644
--- a/html/includes/authenticate.inc.php
+++ b/html/includes/authenticate.inc.php 
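Review bot: `$unique_id = str_replace(array("-","."), "_", uniqid($type, true))` on the line after the change still folds the raw `$type` into the id with only `-` and `.` rewritten, so whatever `display()` neutralises in `$title` survives unchanged in `$unique_id`; if that value is emitted into markup further down (outside the hunk), it needs the same treatment. Rather than encode each use, constrain the identifier once, before line 36: `if (!preg_match('/^[a-z0-9_-]+$/i', $type)) { die('invalid widget type'); }`. `display()` is not shown in the patch; this assumes it HTML-encodes, as its pairing with `$title` suggests.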
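Review bot: `include 'includes/common/'.$type.'.inc.php'` two lines above the change still builds a file path from `$type`, and encoding `$title` does nothing for that sink; unless `$type` is allow-listed before line 36 (outside the hunk), a value containing `../` selects an arbitrary `.inc.php` on disk. Validate the identifier before it reaches the include, e.g. `if (!preg_match('/^[a-z0-9_-]+$/i', $type)) { die('invalid widget type'); }`; a `file_exists()` check alone does not stop traversal. A minor separate point: `display($widget_settings['title']) ?: $title` falls back to the default for a saved title of `'0'`, because `?:` tests truthiness rather than emptiness, and reads an undefined index when no title was saved, so `isset($widget_settings['title']) && $widget_settings['title'] !== ''` is the exact test.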
@@ -37,10 +37,10 @@ if ($vars['page'] == 'logout' && $_SESSION['authenticated']) {
 // We are only interested in login details passed via POST.
 if (isset($_POST['username']) && isset($_POST['password'])) {
- $_SESSION['username'] = mres($_POST['username']);
+ $_SESSION['username'] = clean($_POST['username']);
 $_SESSION['password'] = $_POST['password'];
 } elseif (isset($_GET['username']) && isset($_GET['password'])) {
- $_SESSION['username'] = mres($_GET['username']);
+ $_SESSION['username'] = clean($_GET['username']);
 $_SESSION['password'] = $_GET['password'];
 }
@@ -58,7 +58,7 @@ if (file_exists('includes/authentication/'.$config['auth_mechanism'].'.inc.php')
 $auth_success = 0;
 if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token']))) {
- if (reauthenticate($_COOKIE['sess_id'], $_COOKIE['token']) || authenticate($_SESSION['username'], $_SESSION['password'])) {
+ if (reauthenticate(clean($_COOKIE['sess_id']), clean($_COOKIE['token'])) || authenticate($_SESSION['username'], $_SESSION['password'])) {
 $_SESSION['userlevel'] = get_userlevel($_SESSION['username']);
 $_SESSION['user_id'] = get_userid($_SESSION['username']);
 if (!$_SESSION['authenticated']) {
diff --git a/html/includes/common/notes.inc.php b/html/includes/common/notes.inc.php
index 5e8c3f26c3..35b6896f47 100644
--- a/html/includes/common/notes.inc.php
+++ b/html/includes/common/notes.inc.php
@@ -33,5 +33,5 @@ if (defined('SHOW_SETTINGS') || empty($widget_settings)) {
 ';
 } else {
- $common_output[] = stripslashes(nl2br($widget_settings['notes']));
+ $common_output[] = stripslashes(nl2br(htmlentities($widget_settings['notes'])));
 }
diff --git a/html/netcmd.php b/html/netcmd.php
index 48013aedfb..a67204dde5 100644
--- a/html/netcmd.php
+++ b/html/netcmd.php 
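Review bot: The `elseif` branch still accepts `$_GET['username']` and `$_GET['password']`, so for credentials sent in a query string the hunk only swaps the cleaner applied to the name; a password passed that way ends up in access logs, proxy logs, Referer headers and browser history. The comment at the top of the hunk already says only POST is of interest, so drop the `elseif` branch rather than sanitise it. Keeping the plaintext password in `$_SESSION['password']` on both branches also means anyone who can read the session store gets it; if re-authentication on every request is required, store a derived token instead. Separately, if `clean()` (not shown) strips or escapes characters, the username that is authenticated can differ from the one typed, which fails silently for users whose names contain such characters.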
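Review bot: `clean()` on `$_COOKIE['sess_id']` and `$_COOKIE['token']` is a sanitiser, not a validator: a token containing whatever clean() removes is silently turned into a different token, and a value that does not match the expected format should be rejected, not repaired. Check presence and format instead, e.g. `$token = (isset($_COOKIE['token']) && ctype_alnum($_COOKIE['token'])) ? $_COOKIE['token'] : '';` with the alphabet the token generator actually emits, and the same for `sess_id`. The `isset` on the line above only requires one of the session username or the cookie pair, so `reauthenticate()` is still called with unset cookies when a user is logging in by password; guard it with `isset($_COOKIE['sess_id'], $_COOKIE['token']) &&`. Whether `reauthenticate()` compares the token with `hash_equals()` cannot be seen from this hunk.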
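Review bot: `htmlentities($widget_settings['notes'])` relies on the default flags and charset, which on PHP before 5.4 means ISO-8859-1 and on every version leaves single quotes unencoded; pin both so the encoding does not depend on the runtime: `htmlentities($widget_settings['notes'], ENT_QUOTES, 'UTF-8')`. With a charset given, `htmlentities` returns an empty string for a note containing invalid UTF-8, so such a note silently vanishes; add `ENT_SUBSTITUTE` where PHP 5.4+ can be assumed. The wrapping order is correct (encode first, then `nl2br`, then `stripslashes`, which cannot undo the encoding), but a `// encode before nl2br so the inserted <br /> survives` comment would stop someone from reordering it.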
@@ -34,8 +34,8 @@ if (!$_SESSION['authenticated']) {
 $output = '';
 if ($_GET['query'] && $_GET['cmd']) {
- $host = $_GET['query'];
- if (Net_IPv6::checkIPv6($host) || Net_IPv4::validateip($host) || filter_var('http://'.$host, FILTER_VALIDATE_URL)) {
+ $host = clean($_GET['query']);
+ if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) || filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || filter_var('http://'.$host, FILTER_VALIDATE_URL)) {
 switch ($_GET['cmd']) {
 case 'whois':
 $cmd = $config['whois']." $host | grep -v \%";
diff --git a/includes/rewrites.php b/includes/rewrites.php
index cf645ed4d6..ac5b100661 100644
--- a/includes/rewrites.php
+++ b/includes/rewrites.php
@@ -66,6 +66,8 @@ function ifLabel($interface, $device = null)
 {
 global $config;
+ $interface['ifAlias'] = display($interface['ifAlias']);
+
 if (!$device) {
 $device = device_by_id_cache($interface['device_id']);
 }
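Review bot: The fallback test `filter_var('http://'.$host, FILTER_VALIDATE_URL)` does not keep shell metacharacters out of `$host`: the filter validates URL syntax and accepts a path component, so a query such as `example.com/;id` passes, and three lines later it is interpolated unquoted into `$cmd = $config['whois']." $host | grep -v \%"`, which runs `id` (unless `clean()`, not shown, strips `;`, and even then backticks and `$()` remain). Restrict the hostname branch to hostname characters and quote the argument regardless: `if (filter_var($host, FILTER_VALIDATE_IP) || preg_match('/^[A-Za-z0-9.-]+$/', $host)) {` and `$cmd = $config['whois'].' '.escapeshellarg($host)." | grep -v \%";`. The single unflagged `FILTER_VALIDATE_IP` call covers both the IPV6 and IPV4 calls in the hunk. The remaining `case` arms of the `switch` lie outside the hunk and need the same `escapeshellarg`.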
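Review bot: Encoding `$interface['ifAlias']` at the top of `ifLabel()` turns a data helper into an output encoder: every later use of the alias inside the function, which continues past the hunk, now sees entity-encoded text, a caller that already escapes the returned label will double-encode (`&` becomes `&amp;amp;`), and a caller that uses the label in a non-HTML context (JSON, plain text) gets entities it did not ask for. Encoding belongs at the sink; if callers really do print the label raw, state that contract above the added line, e.g. `// ifAlias is device-supplied (SNMP); HTML-encode it here because callers print the returned label without escaping`, so the next reader does not escape it a second time. Either way, callers should be audited for existing `htmlspecialchars`/`display` calls on the result; `display()` itself is not shown in the patch.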