security: Fix some reported security issues (#4807)

Neil Lathwood
2016-10-15 20:45:18 +01:00
committed by GitHub
parent da0d04a5b6
commit a2f2ccfd2c
9 changed files with 34 additions and 12 deletions


@@ -36,7 +36,7 @@ if ($type == 'placeholder') {
$results_limit = 10;
$typeahead_limit = $config['webui']['global_search_result_limit'];
$no_form = true;
$title = ucfirst($type);
$title = ucfirst(display($type));
$unique_id = str_replace(array("-","."), "_", uniqid($type, true));
$widget_id = mres($_POST['id']);
$widget_settings = json_decode(dbFetchCell('select settings from users_widgets where user_widget_id = ?', array($widget_id)), true);
@@ -47,7 +47,7 @@ if ($type == 'placeholder') {
include 'includes/common/'.$type.'.inc.php';
$output = implode('', $common_output);
$status = 'ok';
$title = $widget_settings['title'] ?: $title;
$title = display($widget_settings['title']) ?: $title;
}
$response = array(
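Review bot: `$type` is concatenated into the path of `include 'includes/common/'.$type.'.inc.php';` in the second hunk, and nothing visible restricts it to a known widget name; the commit only encodes it for the title. Where `$type` is assigned is outside both hunks, but if it comes from the request it should be compared against a fixed list of widget names before the include, since HTML encoding does not make a value safe as a file path. Separately, `mres($_POST['id'])` is escaped and then bound to a `?` placeholder on the next line, so the escaping is redundant and can alter the value; an integer cast would state the intent more clearly.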


@@ -37,10 +37,10 @@ if ($vars['page'] == 'logout' && $_SESSION['authenticated']) {
// We are only interested in login details passed via POST.
if (isset($_POST['username']) && isset($_POST['password'])) {
$_SESSION['username'] = mres($_POST['username']);
$_SESSION['username'] = clean($_POST['username']);
$_SESSION['password'] = $_POST['password'];
} elseif (isset($_GET['username']) && isset($_GET['password'])) {
$_SESSION['username'] = mres($_GET['username']);
$_SESSION['username'] = clean($_GET['username']);
$_SESSION['password'] = $_GET['password'];
}
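Review bot: The `elseif` branch still accepts `username` and `password` from `$_GET`, which contradicts the comment above it and puts credentials into URLs, where they end up in server logs, browser history and Referer headers. Dropping that branch would leave POST as the only login path. `$_SESSION['password']` also keeps the plaintext password in session storage on both branches; whether it is cleared after authentication is not visible in this hunk. Because `clean()` replaces `mres()` here, any later query that uses `$_SESSION['username']` should bind it as a parameter and not rely on this call for SQL escaping.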


@@ -35,6 +35,8 @@ function authenticate($username, $password)
function reauthenticate($sess_id, $token)
{
$sess_id = clean($sess_id);
$token = clean($token);
list($uname,$hash) = explode('|', $token);
$session = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'", array(), true);
$hasher = new PasswordHash(8, false);
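Review bot: The `session` lookup still interpolates `$uname` and `$sess_id` into the SQL string and passes an empty parameter array, so its safety depends entirely on what `clean()` strips, which is not shown on this page. Replacing `'$uname'` and `'$sess_id'` with `?` placeholders and passing `array($uname, $sess_id)` instead of `array()` removes that dependency and matches the bound-parameter style used elsewhere in this commit. `explode('|', $token)` also assumes the token contains a `|`; without one `$hash` is left unset, so a count check before `list()` is worth adding. The function body continues past the end of the hunk.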


@@ -33,5 +33,5 @@ if (defined('SHOW_SETTINGS') || empty($widget_settings)) {
</div>
</form>';
} else {
$common_output[] = stripslashes(nl2br($widget_settings['notes']));
$common_output[] = stripslashes(nl2br(htmlentities($widget_settings['notes'])));
}
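Review bot: `htmlentities()` is called without flags or a charset, so the encoding depends on the running PHP version's defaults; under the `ENT_COMPAT` default single quotes are left unencoded, and the default charset was not UTF-8 before PHP 5.4. Spelling both out makes the output predictable: `nl2br(htmlspecialchars($widget_settings['notes'], ENT_QUOTES, 'UTF-8'))`. The outer `stripslashes()` at output time suggests the notes are stored with escape slashes; if so, that is better corrected where the value is saved than on every render.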


@@ -7,7 +7,7 @@ foreach ($_GET as $key => $get_var) {
$value = 'yes';
}
$vars[$name] = $value;
$vars[$name] = clean($value);
}
}
@@ -34,9 +34,9 @@ foreach ($segments as $pos => $segment) {
}
foreach ($_GET as $name => $value) {
$vars[$name] = $value;
$vars[$name] = clean($value);
}
foreach ($_POST as $name => $value) {
$vars[$name] = $value;
$vars[$name] = clean($value);
}
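Review bot: `clean()` is now applied to every GET and POST value where `$vars` is built, but a single input-side filter cannot be correct for every sink. Values from `$vars` that later reach SQL, HTML or a shell command still need parameter binding or context-specific encoding at that point, and a comment above these loops would stop callers from treating `$vars` as safe everywhere, e.g. `// clean() is a generic filter; bind or encode again at the point of use`. The array keys (`$name`) are copied unfiltered, and a request value can be an array (`name[]=`), which `clean()` may not handle; its definition is not on this page.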


@@ -34,8 +34,8 @@ if (!$_SESSION['authenticated']) {
$output = '';
if ($_GET['query'] && $_GET['cmd']) {
$host = $_GET['query'];
if (Net_IPv6::checkIPv6($host) || Net_IPv4::validateip($host) || filter_var('http://'.$host, FILTER_VALIDATE_URL)) {
$host = clean($_GET['query']);
if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) || filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) || filter_var('http://'.$host, FILTER_VALIDATE_URL)) {
switch ($_GET['cmd']) {
case 'whois':
$cmd = $config['whois']." $host | grep -v \%";
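Review bot: `$host` is placed unquoted into the shell command on the `whois` line, and the third validation branch (`FILTER_VALIDATE_URL` on `'http://'.$host`) accepts strings that are more than a bare hostname, so passing the check does not guarantee a shell-safe value. Quoting at the point of use closes this regardless of what the validators or `clean()` let through: `$cmd = $config['whois'].' '.escapeshellarg($host)." | grep -v \%";`. The remaining `case` arms of the `switch` are outside this section and should get the same treatment if they build their commands the same way.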


@@ -26,7 +26,7 @@ if ($_POST['editing']) {
#FIXME needs more sanity checking! and better feedback
$param = array('purpose' => $_POST['descr'], 'type' => $_POST['type'], 'ignore' => $_POST['ignore'], 'disabled' => $_POST['disabled']);
$param = array('purpose' => $vars['descr'], 'type' => $vars['type'], 'ignore' => $vars['ignore'], 'disabled' => $vars['disabled']);
$rows_updated = dbUpdate($param, 'devices', '`device_id` = ?', array($device['device_id']));
@@ -81,7 +81,7 @@ if ($updated && $update_message) {
<div class="form-group">
<label for="descr" class="col-sm-2 control-label">Description:</label>
<div class="col-sm-6">
<textarea id="descr" name="descr" class="form-control"><?php echo($device['purpose']); ?></textarea>
<textarea id="descr" name="descr" class="form-control"><?php echo(display($device['purpose'])); ?></textarea>
</div>
</div>
<div class="form-group">
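Review bot: The `FIXME` above the update still applies after this change: `$vars['type']`, `$vars['ignore']` and `$vars['disabled']` are written to `devices` without being checked against the values those columns allow. Normalising the two flags to 0/1 and comparing `type` with the list of known device types before `dbUpdate()` would complete the sanity check the comment asks for. `descr` is now filtered by `clean()` on input and encoded again by `display()` in the textarea; if both helpers encode HTML, descriptions containing `&` or `<` would be shown double-encoded, which is worth confirming against their definitions (not on this page).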