diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 699382294c..fe903851cc 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,21 @@ +2008-10-27 Evi Vanoost + + * godmode/users/user_list.php: Rewrite to use print_table. Fixed + security hole where the acl check didn't call exit + + * godmode/users/configure_user.php: Fixed security hole with acl check + + * godmode/setup/setup.php, godmode/setup/news.php, + godmode/setup/links.php: Removed call to comprueba_login, made acl + checks exit and require_once config.php + + * godmode/reporting/reporting_builder.php, + godmode/reporting/map_builder.php, godmode/reporting/graph_builder.php: + Removed call to comprueba_login, made acl checks exit. + + * godmode/alerts/modify_alert.php, godmode/alerts/configure_alert.php: + Fixed acl check and removed call to comprueba_login. + 2008-10-24 Esteban Sanchez * operation/snmpconsole/snmp_alert.php: Fixed an error that doesn't diff --git a/pandora_console/godmode/alerts/configure_alert.php b/pandora_console/godmode/alerts/configure_alert.php index 9ad82046a0..eeaf5675b2 100644 --- a/pandora_console/godmode/alerts/configure_alert.php +++ b/pandora_console/godmode/alerts/configure_alert.php @@ -18,7 +18,7 @@ // Load global vars -require ("include/config.php"); +require_once ("include/config.php"); check_login (); @@ -26,7 +26,7 @@ if (! give_acl ($config['id_user'], 0, "LM")) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access Alert Management"); require ("general/noaccess.php"); - return; + exit; } // Var init $descripcion = ""; diff --git a/pandora_console/godmode/alerts/modify_alert.php b/pandora_console/godmode/alerts/modify_alert.php index 8f92756457..0cf1d24b7b 100644 --- a/pandora_console/godmode/alerts/modify_alert.php +++ b/pandora_console/godmode/alerts/modify_alert.php @@ -19,7 +19,7 @@ // Load global vars -require ("include/config.php"); +require_once ("include/config.php"); check_login (); 
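Review bot: The audit call in the ACL block that now exits still passes the bare `$REMOTE_ADDR` variable, which is only populated when register_globals is on (unless `include/config.php` defines it, which is not visible here); with it off, the audit record for an ACL violation carries an empty address, which weakens the log exactly when it matters. Reading the superglobal is explicit and independent of ini settings: `audit_db ($config['id_user'], $_SERVER['REMOTE_ADDR'], "ACL Violation", "Trying to access Alert Management");`. The same pattern appears in every other ACL block this commit touches (modify_alert.php, map_builder.php, reporting_builder.php, links.php, news.php, configure_user.php, user_list.php), so a single sweep or a small helper is preferable to per-file fixes.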
@@ -27,13 +27,14 @@ if (! give_acl ($config['id_user'], 0, "LM")) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access Alert Management"); require ("general/noaccess.php"); - return; + exit; } if (isset($_POST["update_alerta"])){ // if modified any parameter $id_alerta = entrada_limpia($_POST["id_alerta"]); if ($id_alerta < 4){ audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access Alert Management"); require ("general/noaccess.php"); + exit; } $nombre = entrada_limpia($_POST["nombre"]); $comando = entrada_limpia($_POST["comando"]); @@ -64,6 +65,7 @@ if (isset($_GET["borrar_alerta"])){ // if delete alert if ($id_alerta < 4) { audit_db ($config['id_user'],$REMOTE_ADDR, "ACL Violation","Trying to access Alert Management"); require ("general/noaccess.php"); + exit; } $sql_delete= "DELETE FROM talerta WHERE id_alerta = ".$id_alerta; $result=mysql_query($sql_delete); diff --git a/pandora_console/godmode/reporting/graph_builder.php b/pandora_console/godmode/reporting/graph_builder.php index 38d8a680f4..5041d8f8da 100644 --- a/pandora_console/godmode/reporting/graph_builder.php +++ b/pandora_console/godmode/reporting/graph_builder.php @@ -18,7 +18,7 @@ // Login check -require ("include/config.php"); +require_once ("include/config.php"); check_login (); diff --git a/pandora_console/godmode/reporting/map_builder.php b/pandora_console/godmode/reporting/map_builder.php index 7f4b4831f1..ba49b13493 100644 --- a/pandora_console/godmode/reporting/map_builder.php +++ b/pandora_console/godmode/reporting/map_builder.php 
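Review bot: The new `exit` makes the `$id_alerta < 4` guard effective, but `$id_alerta` is still the raw `entrada_limpia($_POST["id_alerta"])` value, so the comparison runs on an uncast string and the `DELETE FROM talerta WHERE id_alerta = ".$id_alerta` in the next hunk concatenates it into SQL with no visible cast or quoting. Casting once at assignment, `$id_alerta = (int) entrada_limpia($_POST["id_alerta"]);`, makes both the guard and the query operate on an integer; the delete branch's own assignment of `$id_alerta` lies outside the hunk and would need the same treatment, or the query line can cast inline, `$sql_delete = "DELETE FROM talerta WHERE id_alerta = ".(int) $id_alerta;`. Whether `entrada_limpia` already guarantees a numeric value cannot be told from this hunk, so the explicit cast is the safer reading.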
@@ -16,19 +16,17 @@ // along with this program; if not, write to the Free Software // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -if (comprueba_login () != 0) { - audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access map builder"); - include ("general/noaccess.php"); - exit; -} +require_once ("include/config.php"); + +check_login (); if (! give_acl ($config['id_user'], 0, "AW")) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access map builder"); - include ("general/noaccess.php"); + require ("general/noaccess.php"); exit; } -require ('include/functions_visual_map.php'); +require_once ('include/functions_visual_map.php'); $id_layout = (int) get_parameter ('id_layout'); $edit_layout = (bool) get_parameter ('edit_layout'); diff --git a/pandora_console/godmode/reporting/reporting_builder.php b/pandora_console/godmode/reporting/reporting_builder.php index 9b03d0e2d7..d9bccbbdb8 100644 --- a/pandora_console/godmode/reporting/reporting_builder.php +++ b/pandora_console/godmode/reporting/reporting_builder.php @@ -17,14 +17,14 @@ // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. // Login check -require ("include/config.php"); +require_once ("include/config.php"); check_login (); if (! give_acl ($config['id_user'], 0, "AW")) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access graph builder"); - include ("general/noaccess.php"); + require ("general/noaccess.php"); exit; } @@ -117,7 +117,7 @@ if ($delete_report) { if ($add_content) { if (! $id_report) { audit_db ($config['id_user'], $REMOTE_ADDR, "Hack attempt", "Parameter trash in report builder"); - include ("general/noaccess.php"); + require ("general/noaccess.php"); exit (); } $id_agent_module = (int) get_parameter ('id_module'); diff --git a/pandora_console/godmode/setup/links.php b/pandora_console/godmode/setup/links.php index 372968fdf2..1f4417b363 100644 
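Review bot: The audit message in the ACL block this hunk edits reads "Trying to access graph builder" although the file is reporting_builder.php, so an ACL violation here is indistinguishable in the audit log from one raised in graph_builder.php; `audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access report builder");` would let the record identify its source. The news.php hunk has the same problem with "Trying to access Link Management", evidently copied from links.php. These strings are what an operator searches when triaging access violations, so keeping them page-specific is cheap and worthwhile.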
--- a/pandora_console/godmode/setup/links.php +++ b/pandora_console/godmode/setup/links.php @@ -17,15 +17,14 @@ // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. // Load global vars -require("include/config.php"); +require_once ("include/config.php"); + +check_login (); -if (comprueba_login()) { - audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access Link Management"); - require ("general/noaccess.php"); -} if (! give_acl ($config['id_user'], 0, "PM") || ! dame_admin ($config['id_user'])) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access Link Management"); require ("general/noaccess.php"); + exit; } diff --git a/pandora_console/godmode/setup/news.php b/pandora_console/godmode/setup/news.php index 273bf628e9..e4b54dc173 100644 --- a/pandora_console/godmode/setup/news.php +++ b/pandora_console/godmode/setup/news.php @@ -25,7 +25,7 @@ if (! give_acl ($config['id_user'], 0, "PM")) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access Link Management"); require ("general/noaccess.php"); - return; + exit; } if (isset ($_POST["create"])) { // If create diff --git a/pandora_console/godmode/setup/setup.php b/pandora_console/godmode/setup/setup.php index 46c90ef07f..6edfe1d8b5 100644 --- a/pandora_console/godmode/setup/setup.php +++ b/pandora_console/godmode/setup/setup.php @@ -17,7 +17,7 @@ // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. // Load global vars -require("include/config.php"); +require_once ("include/config.php"); check_login (); diff --git a/pandora_console/godmode/users/configure_user.php b/pandora_console/godmode/users/configure_user.php index b9bd3aadfe..c18cbb930b 100644 --- a/pandora_console/godmode/users/configure_user.php +++ b/pandora_console/godmode/users/configure_user.php 
@@ -17,14 +17,15 @@ // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. // Load global vars -require("include/config.php"); +require_once ("include/config.php"); -check_login(); +check_login (); if (! give_acl ($config['id_user'], 0, "UM")) { - audit_db($config['id_user'], $REMOTE_ADDR, "ACL Violation", + audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access User Management"); require ("general/noaccess.php"); + exit; } // Init. vars diff --git a/pandora_console/godmode/users/user_list.php b/pandora_console/godmode/users/user_list.php index 6e07667280..8600759078 100644 --- a/pandora_console/godmode/users/user_list.php +++ b/pandora_console/godmode/users/user_list.php @@ -17,99 +17,101 @@ // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. // Load globar vars -require("include/config.php"); +require_once ("include/config.php"); check_login (); + if (! give_acl ($config['id_user'], 0, "UM")) { audit_db ($config['id_user'], $REMOTE_ADDR, "ACL Violation", "Trying to access User Management"); require ("general/noaccess.php"); + exit; } + if (isset($_GET["borrar_usuario"])) { // if delete user - $nombre= entrada_limpia($_GET["borrar_usuario"]); + $nombre = get_parameter_get ("borrar_usuario"); // Delete user // Delete cols from table tgrupo_usuario $sql = "DELETE FROM tgrupo_usuario WHERE usuario = '".$nombre."'"; - $result = mysql_query ($sql); + $result = process_sql ($sql); $sql = "DELETE FROM tusuario WHERE id_usuario = '".$nombre."'"; - $result = mysql_query ($sql); - if (! $result) - echo "

".__('There was a problem deleting user')."

"; - else - echo "

".__('User successfully deleted')."

"; -} -?> - -

> -

- - - - - - - - - -"; - echo ""; - echo ""; } -echo "
"; - echo "".$name.""; - echo "".$fecha_registro; - echo ""; - if ($nivel == 1) - echo ""; - else - echo ""; - - $sql = 'SELECT * FROM tusuario_perfil WHERE id_usuario = "'.$name.'"'; - $result = mysql_query ($sql); - echo " "; - if (mysql_num_rows ($result)) { - while ($row = mysql_fetch_array ($result)) { - echo dame_perfil ($row["id_perfil"])."/ "; - echo dame_grupo ($row["id_grupo"])."
"; - } + $result = process_sql ($sql); + if ($result === false) { + echo '

'.__('There was a problem deleting user').'

'; } else { - echo __('This user doesn\'t have any assigned profile/group'); + echo '

'.__('User successfully deleted').'

'; } - echo "
"; - - echo "
".substr ($real_name, 0, 16)."".$comments."
"; -echo ""; -echo "
"; -echo "
"; -echo ""; -echo "
"; -echo ""; +echo '

'.__('User management').' > '.__('Users defined in Pandora').'

'; + +$table->width = 700; +$table->cellpadding = 4; +$table->cellspacing = 4; +$table->class = "databox"; + +$table->head = array (); +$table->size = array (); +$table->data = array (); +$table->align = array (); + +$table->head[0] = __('User ID'); + +$table->head[1] = __('Last contact'); +$table->align[1] = "center"; + +$table->head[2] = __('Profile'); +$table->align[2] = "center"; + +$table->head[3] = __('Name'); +$table->align[3] = "center"; + +$table->head[4] = __('Description'); +$table->align[4] = "center"; + +$table->head[5] = __('Delete'); +$table->align[5] = "center"; + +$result = get_db_all_rows_in_table ('tusuario'); + +foreach ($result as $row) { + $data = array (); + + $data[0] = ''.$row["id_usuario"].''; + $data[1] = $row["fecha_registro"]; + if ($row["nivel"] == 1) { + $data[2] = ''; + } else { + $data[2] = ''; + } + + $data[2] .= ''; + $profiles = get_db_all_rows_field_filter ("tusuario_perfil", "id_usuario", $row["id_usuario"]); + if ($profiles === false) { + $data[2] .= __('This user doesn\'t have any assigned profile/group'); + $profiles = array (); + } + + foreach ($profiles as $profile) { + $data[2] .= dame_perfil ($profile["id_perfil"])." / "; + $data[2] .= dame_grupo ($profile["id_grupo"])."
"; + } + + $data[2] .= "
"; + + $data[3] = substr ($row["nombre_real"], 0, 16); + $data[4] = $row["comentarios"]; + + $data[5] = ''; + $data[5] .= ''; + array_push ($table->data, $data); +} + +print_table ($table); +unset ($table); + +echo '
'; +print_submit_button (__('Create user'), "crt", false, 'class="sub next"'); +echo "
"; ?>