2011-11-02 Miguel de Dios <miguel.dedios@artica.es>

* include/functions.php: added function "check_refererer" for check refererers in some places. * extensions/extension_uploader.php, extensions/dbmanager.php, operation/incidents/incident.php, operation/incidents/incident_detail.php, godmode/servers/recon_script.php, godmode/users/configure_user.php, godmode/tag/edit_tag.php: securized this files to XSS and CSRF attacks. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@5107 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2011-11-03 17:28:18 +00:00 · 2011-11-03 17:28:18 +00:00 · 1b86946aa5
parent 198b1abc30
commit 1b86946aa5
9 changed files with 107 additions and 14 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,13 @@
+2011-11-02  Miguel de Dios  <miguel.dedios@artica.es>
+	
+	* include/functions.php: added function "check_refererer" for check
+	refererers in some places.
+	
+	* extensions/extension_uploader.php, extensions/dbmanager.php,
+	operation/incidents/incident.php, operation/incidents/incident_detail.php,
+	godmode/servers/recon_script.php, godmode/users/configure_user.php,
+	godmode/tag/edit_tag.php: securized this files to XSS and CSRF attacks. 
+
 2011-11-03 Juan Manuel Ramon <juanmanuel.ramon@artica.es>

 	* include/functions_reporting.php
--- a/pandora_console/extensions/dbmanager.php
+++ b/pandora_console/extensions/dbmanager.php
@ -88,6 +88,12 @@ function dbmgr_extension_main () {
 		require ("general/noaccess.php");
 		return;
 	}
+	
+	if (!check_refererer()) {
+		require ("general/noaccess.php");
+	
+		return;
+	}

 	$sql = (string) get_parameter ('sql');

--- a/pandora_console/extensions/extension_uploader.php
+++ b/pandora_console/extensions/extension_uploader.php
@ -17,6 +17,14 @@
 function extension_uploader_extensions() {
 	global $config;
 	
+	if (!check_acl($config['id_user'], 0, "PM")) {
+		db_pandora_audit("ACL Violation",
+				"Trying to access Group Management");
+		require ("general/noaccess.php");
+		
+		return;
+	}
+	
 	ui_print_page_header (__("Uploader extension"), "images/extensions.png", false, "", true, "");

 	$upload = (bool)get_parameter('upload', 0);
--- a/pandora_console/godmode/servers/recon_script.php
+++ b/pandora_console/godmode/servers/recon_script.php
@ -36,6 +36,12 @@ if (! check_acl ($config['id_user'], 0, "LM")) {
 	return;
 }

+if (!check_refererer()) {
+	require ("general/noaccess.php");
+
+	return;
+}
+
 $view = get_parameter ("view", "");
 $create = get_parameter ("create", "");

--- a/pandora_console/godmode/tag/edit_tag.php
+++ b/pandora_console/godmode/tag/edit_tag.php
@ -21,6 +21,7 @@ require_once ($config['homedir'].'/include/functions_tags.php');
 if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
 	db_pandora_audit("ACL Violation", "Trying to access Edit Tag");
 	require ("general/noaccess.php");
+	
 	return;
 }

@ -31,6 +32,7 @@ $update_tag = (int) get_parameter ("update_tag", 0);
 $create_tag = (int) get_parameter ("create_tag", 0);
 $name_tag = (string) get_parameter ("name_tag", "");
 $description_tag = (string) get_parameter ("description_tag", "");
+$description_tag = io_safe_input(strip_tags(io_safe_output($description_tag)));
 $url_tag = (string) get_parameter ("url_tag", "");
 $tab = (string) get_parameter ("tab", "list");

--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
@ -41,9 +41,16 @@ if (! check_acl ($config['id_user'], 0, "UM")) {
 	db_pandora_audit("ACL Violation",
 		"Trying to access User Management");
 	require ("general/noaccess.php");
+	
 	return;
 }

+if (!check_refererer()) {
+	require ("general/noaccess.php");
+	
+	return;	
+}
+
 $tab = get_parameter('tab', 'user');

 $buttons = array(
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@ -42,6 +42,28 @@ define("MIN_WIDTH",300);
 define("MIN_HEIGHT",120);
 define("MIN_WIDTH_CAPTION",420);

+function check_refererer() {
+	global $config;
+	
+	$referer = '';
+	if (isset($_SERVER['HTTP_REFERER'])) {
+		$referer = $_SERVER['HTTP_REFERER'];
+	}
+	
+	$url = 'http://';
+	if ($config['https']) {
+		$url = 'https://';
+	}
+	$url .= $_SERVER['SERVER_NAME'] . $config["homeurl"];
+	
+	if (strpos($referer, $url) === 0) {
+		return true;
+	}
+	else {
+		return false;
+	}
+}
+
 /**
 * Cleans an object or an array and casts all values as integers
 *
--- a/pandora_console/operation/incidents/incident.php
+++ b/pandora_console/operation/incidents/incident.php
@ -32,7 +32,8 @@ ui_print_page_header (__('Incident management'), "images/book_edit.png", false,
 // Offset adjustment
 if (isset($_GET["offset"])) {
 	$offset = get_parameter ("offset");
-} else {
+}
+else {
 	$offset = 0;
 }

@ -80,6 +81,7 @@ elseif ($action == "update") {
 	}
 	
 	$titulo = get_parameter ("titulo");
+	$titulo = io_safe_input(strip_tags(io_safe_output($titulo)));
 	$descripcion = get_parameter ("descripcion");
 	$origen = get_parameter ("origen_form");
 	$prioridad = get_parameter ("prioridad_form", 0);
@ -99,7 +101,8 @@ elseif ($action == "update") {
 		__('Successfully updated'),
 		__('Could not be updated'));
 	
-} elseif ($action == "insert") {
+}
+elseif ($action == "insert") {
 	//Create incident
 	$grupo = get_parameter ("grupo_form", 1);
 	
@ -110,7 +113,8 @@ elseif ($action == "update") {
 	}

 	// Read input variables
-	$titulo = get_parameter ("titulo"); 
+	$titulo = get_parameter ("titulo");
+	$titulo = io_safe_input(strip_tags(io_safe_output($titulo)));
 	$descripcion = get_parameter ("descripcion");
 	$origen = get_parameter ("origen_form");
 	$prioridad = get_parameter ("prioridad_form");
@ -170,7 +174,8 @@ $result = db_get_all_rows_sql ($sql);
 if (empty ($result)) {
 	$result = array ();
 	$count = 0;
-} else {
+}
+else {
 	$count = count ($result);
 }

--- a/pandora_console/operation/incidents/incident_detail.php
+++ b/pandora_console/operation/incidents/incident_detail.php
@ -86,14 +86,20 @@ if (isset ($_GET["id"])) {
 	}

 	// Delete file
-	if (((check_acl ($config["id_user"], $id_grupo, "IM")==1) OR ($id_owner == $config["id_user"])) AND isset ($_POST["delete_file"])) {
+	if (((check_acl ($config["id_user"], $id_grupo, "IM")==1) OR
+		($id_owner == $config["id_user"])) AND isset ($_POST["delete_file"])) {
 		$file_id = (int) get_parameter ("delete_file", 0);
 		$filename = db_get_value ("filename", "tattachment", "id_attachment", $file_id);
 		$sql = sprintf ("DELETE FROM tattachment WHERE id_attachment = %d",$file_id);
 		$result = db_process_sql ($sql);
 		
 		if (!empty ($result)) {
-			unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename));
+			if (file_exists($config['homedir'] . '/attachment/pand'.$row["id_attachment"].'_'.$row["filename"]. ".zip"))
+				unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename). ".zip");
+			else
+				unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename));
+			
+			
 			incidents_process_touch ($id_inc);
 		}
 		
@ -123,15 +129,27 @@ if (isset ($_GET["id"])) {
 		}
 		
 		$sql = sprintf ("INSERT INTO tattachment (id_incidencia, id_usuario, filename, description, size) 
-			VALUES (%d, '%s', '%s', '%s', %d)", $id_inc, $config["id_user"],$filename,$description,$filesize);
+			VALUES (%d, '%s', '%s', '%s', %d)", $id_inc, $config["id_user"], $filename, $description, $filesize);

 		$id_attachment = db_process_sql ($sql,"insert_id");

 		// Copy file to directory and change name
 		if ($id_attachment !== false) {
-			$nombre_archivo = $config["attachment_store"]."/pand".$id_attachment."_".$_FILES['userfile']['name'];
-			$result = copy ($_FILES['userfile']['tmp_name'], $nombre_archivo);
-		} else {
+			$nombre_archivo = $config["attachment_store"]
+				. "/pand" . $id_attachment . "_" . $_FILES['userfile']['name'];
+			
+			
+			$zip = new ZipArchive;
+			
+			if ($zip->open($nombre_archivo.".zip", ZIPARCHIVE::CREATE) === true) {
+				$zip->addFile($_FILES['userfile']['tmp_name'], io_safe_output($filename));
+				$zip->close();
+			}
+			
+			
+			//$result = copy ($_FILES['userfile']['tmp_name'], $nombre_archivo);
+		}
+		else {
 			echo '<h3 class="error">'.__('File could not be saved due to database error').'</h3>';
 			$result = false;
 		}
@ -139,7 +157,8 @@ if (isset ($_GET["id"])) {
 		if ($result !== false) {
 			unlink ($_FILES['userfile']['tmp_name']);
 			incidents_process_touch ($id_inc);
-		} else {
+		}
+		else {
 			db_process_sql ("DELETE FROM tattachment WHERE id_attachment = ".$id_attachment);
 		}
 		
@ -169,7 +188,8 @@ elseif (isset ($_GET["insert_form"])) {
 	}
 	$prioridad = 0;
 	$id_grupo = 0;
-} else {
+}
+else {
 	db_pandora_audit("HACK","Trying to get to incident details in an unusual way");
 	require ("general/noaccess.php");
 	exit;
@ -373,12 +393,19 @@ if (isset ($id_inc)) {
 	$table->align[3] = "center";

 	foreach ($result as $row) {
-		$data[0] = html_print_image("images/disk.png", true, array("border" => '0', "align" => "top")) . '&nbsp;&nbsp;<a target="_new" href="attachment/pand'.$row["id_attachment"].'_'.$row["filename"].'"><b>'.$row["filename"].'</b></a>';
+		if (file_exists($config['homedir'] . '/attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]). ".zip"))
+			$url = 'attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]). ".zip";
+		else
+			$url = 'attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]);
+				
+		$data[0] = html_print_image("images/disk.png", true, array("border" => '0', "align" => "top")) .
+			'&nbsp;&nbsp;<a target="_new" href="' . $url . '"><b>'.$row["filename"].'</b></a>';
 		$data[1] = $row["description"];
 		$data[2] = format_for_graph ($row["size"])."B";
 		if ((check_acl ($config["id_user"], $id_grupo, "IM") == 1) OR ($usuario == $config["id_user"])) {
 			$data[3] = html_print_input_image ("delete_file", "images/cross.png", $row["id_attachment"], 'border:0px;" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;', true);
-		} else {
+		}
+		else {
 			$data[3] = '';
 		}
 		array_push ($table->data, $data);