2011-11-02 Miguel de Dios <miguel.dedios@artica.es>

* include/functions.php: added function "check_refererer" for check
	refererers in some places.
	
	* extensions/extension_uploader.php, extensions/dbmanager.php,
	operation/incidents/incident.php, operation/incidents/incident_detail.php,
	godmode/servers/recon_script.php, godmode/users/configure_user.php,
	godmode/tag/edit_tag.php: securized this files to XSS and CSRF attacks. 



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@5107 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
mdtrooper 2011-11-03 17:28:18 +00:00
parent 198b1abc30
commit 1b86946aa5
9 changed files with 107 additions and 14 deletions

View File

@ -1,3 +1,13 @@
2011-11-02 Miguel de Dios <miguel.dedios@artica.es>
* include/functions.php: added function "check_refererer" for check
refererers in some places.
* extensions/extension_uploader.php, extensions/dbmanager.php,
operation/incidents/incident.php, operation/incidents/incident_detail.php,
godmode/servers/recon_script.php, godmode/users/configure_user.php,
godmode/tag/edit_tag.php: securized this files to XSS and CSRF attacks.
2011-11-03 Juan Manuel Ramon <juanmanuel.ramon@artica.es>
* include/functions_reporting.php

View File

@ -89,6 +89,12 @@ function dbmgr_extension_main () {
return;
}
if (!check_refererer()) {
require ("general/noaccess.php");
return;
}
$sql = (string) get_parameter ('sql');
ui_print_page_header (__('Database interface'), "", false, false, true);

View File

@ -17,6 +17,14 @@
function extension_uploader_extensions() {
global $config;
if (!check_acl($config['id_user'], 0, "PM")) {
db_pandora_audit("ACL Violation",
"Trying to access Group Management");
require ("general/noaccess.php");
return;
}
ui_print_page_header (__("Uploader extension"), "images/extensions.png", false, "", true, "");
$upload = (bool)get_parameter('upload', 0);

View File

@ -36,6 +36,12 @@ if (! check_acl ($config['id_user'], 0, "LM")) {
return;
}
if (!check_refererer()) {
require ("general/noaccess.php");
return;
}
$view = get_parameter ("view", "");
$create = get_parameter ("create", "");

View File

@ -21,6 +21,7 @@ require_once ($config['homedir'].'/include/functions_tags.php');
if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
db_pandora_audit("ACL Violation", "Trying to access Edit Tag");
require ("general/noaccess.php");
return;
}
@ -31,6 +32,7 @@ $update_tag = (int) get_parameter ("update_tag", 0);
$create_tag = (int) get_parameter ("create_tag", 0);
$name_tag = (string) get_parameter ("name_tag", "");
$description_tag = (string) get_parameter ("description_tag", "");
$description_tag = io_safe_input(strip_tags(io_safe_output($description_tag)));
$url_tag = (string) get_parameter ("url_tag", "");
$tab = (string) get_parameter ("tab", "list");

View File

@ -41,6 +41,13 @@ if (! check_acl ($config['id_user'], 0, "UM")) {
db_pandora_audit("ACL Violation",
"Trying to access User Management");
require ("general/noaccess.php");
return;
}
if (!check_refererer()) {
require ("general/noaccess.php");
return;
}

View File

@ -42,6 +42,28 @@ define("MIN_WIDTH",300);
define("MIN_HEIGHT",120);
define("MIN_WIDTH_CAPTION",420);
function check_refererer() {
global $config;
$referer = '';
if (isset($_SERVER['HTTP_REFERER'])) {
$referer = $_SERVER['HTTP_REFERER'];
}
$url = 'http://';
if ($config['https']) {
$url = 'https://';
}
$url .= $_SERVER['SERVER_NAME'] . $config["homeurl"];
if (strpos($referer, $url) === 0) {
return true;
}
else {
return false;
}
}
/**
* Cleans an object or an array and casts all values as integers
*

View File

@ -32,7 +32,8 @@ ui_print_page_header (__('Incident management'), "images/book_edit.png", false,
// Offset adjustment
if (isset($_GET["offset"])) {
$offset = get_parameter ("offset");
} else {
}
else {
$offset = 0;
}
@ -80,6 +81,7 @@ elseif ($action == "update") {
}
$titulo = get_parameter ("titulo");
$titulo = io_safe_input(strip_tags(io_safe_output($titulo)));
$descripcion = get_parameter ("descripcion");
$origen = get_parameter ("origen_form");
$prioridad = get_parameter ("prioridad_form", 0);
@ -99,7 +101,8 @@ elseif ($action == "update") {
__('Successfully updated'),
__('Could not be updated'));
} elseif ($action == "insert") {
}
elseif ($action == "insert") {
//Create incident
$grupo = get_parameter ("grupo_form", 1);
@ -111,6 +114,7 @@ elseif ($action == "update") {
// Read input variables
$titulo = get_parameter ("titulo");
$titulo = io_safe_input(strip_tags(io_safe_output($titulo)));
$descripcion = get_parameter ("descripcion");
$origen = get_parameter ("origen_form");
$prioridad = get_parameter ("prioridad_form");
@ -170,7 +174,8 @@ $result = db_get_all_rows_sql ($sql);
if (empty ($result)) {
$result = array ();
$count = 0;
} else {
}
else {
$count = count ($result);
}

View File

@ -86,14 +86,20 @@ if (isset ($_GET["id"])) {
}
// Delete file
if (((check_acl ($config["id_user"], $id_grupo, "IM")==1) OR ($id_owner == $config["id_user"])) AND isset ($_POST["delete_file"])) {
if (((check_acl ($config["id_user"], $id_grupo, "IM")==1) OR
($id_owner == $config["id_user"])) AND isset ($_POST["delete_file"])) {
$file_id = (int) get_parameter ("delete_file", 0);
$filename = db_get_value ("filename", "tattachment", "id_attachment", $file_id);
$sql = sprintf ("DELETE FROM tattachment WHERE id_attachment = %d",$file_id);
$result = db_process_sql ($sql);
if (!empty ($result)) {
if (file_exists($config['homedir'] . '/attachment/pand'.$row["id_attachment"].'_'.$row["filename"]. ".zip"))
unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename). ".zip");
else
unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename));
incidents_process_touch ($id_inc);
}
@ -123,15 +129,27 @@ if (isset ($_GET["id"])) {
}
$sql = sprintf ("INSERT INTO tattachment (id_incidencia, id_usuario, filename, description, size)
VALUES (%d, '%s', '%s', '%s', %d)", $id_inc, $config["id_user"],$filename,$description,$filesize);
VALUES (%d, '%s', '%s', '%s', %d)", $id_inc, $config["id_user"], $filename, $description, $filesize);
$id_attachment = db_process_sql ($sql,"insert_id");
// Copy file to directory and change name
if ($id_attachment !== false) {
$nombre_archivo = $config["attachment_store"]."/pand".$id_attachment."_".$_FILES['userfile']['name'];
$result = copy ($_FILES['userfile']['tmp_name'], $nombre_archivo);
} else {
$nombre_archivo = $config["attachment_store"]
. "/pand" . $id_attachment . "_" . $_FILES['userfile']['name'];
$zip = new ZipArchive;
if ($zip->open($nombre_archivo.".zip", ZIPARCHIVE::CREATE) === true) {
$zip->addFile($_FILES['userfile']['tmp_name'], io_safe_output($filename));
$zip->close();
}
//$result = copy ($_FILES['userfile']['tmp_name'], $nombre_archivo);
}
else {
echo '<h3 class="error">'.__('File could not be saved due to database error').'</h3>';
$result = false;
}
@ -139,7 +157,8 @@ if (isset ($_GET["id"])) {
if ($result !== false) {
unlink ($_FILES['userfile']['tmp_name']);
incidents_process_touch ($id_inc);
} else {
}
else {
db_process_sql ("DELETE FROM tattachment WHERE id_attachment = ".$id_attachment);
}
@ -169,7 +188,8 @@ elseif (isset ($_GET["insert_form"])) {
}
$prioridad = 0;
$id_grupo = 0;
} else {
}
else {
db_pandora_audit("HACK","Trying to get to incident details in an unusual way");
require ("general/noaccess.php");
exit;
@ -373,12 +393,19 @@ if (isset ($id_inc)) {
$table->align[3] = "center";
foreach ($result as $row) {
$data[0] = html_print_image("images/disk.png", true, array("border" => '0', "align" => "top")) . '&nbsp;&nbsp;<a target="_new" href="attachment/pand'.$row["id_attachment"].'_'.$row["filename"].'"><b>'.$row["filename"].'</b></a>';
if (file_exists($config['homedir'] . '/attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]). ".zip"))
$url = 'attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]). ".zip";
else
$url = 'attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]);
$data[0] = html_print_image("images/disk.png", true, array("border" => '0', "align" => "top")) .
'&nbsp;&nbsp;<a target="_new" href="' . $url . '"><b>'.$row["filename"].'</b></a>';
$data[1] = $row["description"];
$data[2] = format_for_graph ($row["size"])."B";
if ((check_acl ($config["id_user"], $id_grupo, "IM") == 1) OR ($usuario == $config["id_user"])) {
$data[3] = html_print_input_image ("delete_file", "images/cross.png", $row["id_attachment"], 'border:0px;" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;', true);
} else {
}
else {
$data[3] = '';
}
array_push ($table->data, $data);