Merge branch 'ent-5690-Vulnerabilidad-critica-inyeccion-de-comandos-en-llamada-a-event-response' into 'develop'

Ent 5690 vulnerabilidad crítica: inyección de comandos en llamada a event response

See merge request artica/pandorafms!3159
Alejandro Fraguas 2020-04-15 15:50:08 +02:00
commit 407b1b94c1
4 changed files with 42 additions and 27 deletions


@ -917,9 +917,11 @@ if ($get_response) {
if ($perform_event_response) {
global $config;
$command = get_parameter('target', '');
$response_id = get_parameter('response_id');
$event_id = (int) get_parameter('event_id');
$server_id = (int) get_parameter('server_id', 0);
$command = events_get_response_target($event_id, $response_id, $server_id);
$event_response = db_get_row('tevent_response', 'id', $response_id);
@ -1017,6 +1019,7 @@ if ($dialogue_event_response) {
$show_execute_again_btn = get_parameter('show_execute_again_btn');
$out_iterator = get_parameter('out_iterator');
$event_response = db_get_row('tevent_response', 'id', $response_id);
$server_id = get_parameter('server_id');
$event = db_get_row('tevento', 'id_evento', $event_id);
@ -1067,7 +1070,8 @@ if ($dialogue_event_response) {
echo "<br><div id='response_out' style='text-align:left'></div>";
echo "<br><div id='re_exec_command' style='display:none;'>";
html_print_button(__('Execute again'), 'btn_str', false, 'perform_response(\''.$command.'\', '.$response_id.');', "class='sub next'");
html_print_button(__('Execute again'), 'btn_str', false, "perform_response({'target':'".$command."','event_id':".$event_id.",'server_id':".$server_id.'}, '.$response_id.');', "class='sub next'");
echo '</div>';
}
break;
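Review bot: The new `html_print_button` call on the `Execute again` line still splices `$command` raw into a JavaScript object literal inside the button's script string, so a single quote, backslash or `</script>` in the command text breaks the literal, and if `$command` in the `dialogue_event_response` branch is still taken from the `target` request parameter (its assignment is outside this hunk) request-controlled text ends up executing as script. Encode the argument instead of concatenating it: `$args = json_encode(['target' => $command, 'event_id' => $event_id, 'server_id' => $server_id], JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP);` and pass `'perform_response('.$args.', '.(int) $response_id.');'`. In the same branch the added `$server_id = get_parameter('server_id');` is left unvalidated while the `perform_event_response` hunk casts it with `(int)`, and `$response_id` is interpolated into the script without a cast in both branches; applying `(int)` to both keeps the two entry points consistent. Both enclosing `if` blocks extend beyond the hunks shown.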


@ -118,30 +118,26 @@ function execute_response(event_id, server_id) {
}
response["target"] = get_response_target(event_id, response_id, server_id);
response["event_id"] = event_id;
response["server_id"] = server_id;
switch (response["type"]) {
case "command":
show_response_dialog(event_id, response_id, response);
break;
case "url":
if (response["new_window"] == 1) {
window.open(response["target"], "_blank");
} else {
show_response_dialog(event_id, response_id, response);
}
break;
if (response["type"] == "url" && response["new_window"] == 1) {
window.open(response["target"], "_blank");
} else {
show_response_dialog(response_id, response);
}
}
//Show the modal window of an event response
function show_response_dialog(event_id, response_id, response) {
function show_response_dialog(response_id, response) {
var params = [];
params.push("page=include/ajax/events");
params.push("dialogue_event_response=1");
params.push("massive=0");
params.push("event_id=" + event_id);
params.push("event_id=" + response["event_id"]);
params.push("target=" + response["target"]);
params.push("response_id=" + response_id);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({
data: params.join("&"),
@ -159,7 +155,7 @@ function show_response_dialog(event_id, response_id, response) {
draggable: true,
modal: false,
open: function() {
perform_response(response["target"], response_id);
perform_response(response, response_id);
},
width: response["modal_width"],
height: response["modal_height"]
@ -171,7 +167,6 @@ function show_response_dialog(event_id, response_id, response) {
//Show the modal window of event responses when multiple events are selected
function show_massive_response_dialog(
event_id,
response_id,
response,
out_iterator,
@ -183,13 +178,14 @@ function show_massive_response_dialog(
params.push("massive=1");
params.push("end=" + end);
params.push("out_iterator=" + out_iterator);
params.push("event_id=" + event_id);
params.push("event_id=" + response["event_id"]);
params.push("target=" + response["target"]);
params.push("response_id=" + response_id);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({
data: params.join("&"),
response_tg: response["target"],
response_tg: response,
response_id: response_id,
out_iterator: out_iterator,
type: "POST",
@ -384,7 +380,7 @@ function get_response_target(
}
// Perform a response and put the output into a div
function perform_response(target, response_id) {
function perform_response(response, response_id) {
$("#re_exec_command").hide();
$("#response_loading_command").show();
$("#response_out").html("");
@ -392,8 +388,10 @@ function perform_response(target, response_id) {
var params = [];
params.push("page=include/ajax/events");
params.push("perform_event_response=1");
params.push("target=" + target);
params.push("target=" + response["target"]);
params.push("response_id=" + response_id);
params.push("event_id=" + response["event_id"]);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({
data: params.join("&"),
@ -413,7 +411,7 @@ function perform_response(target, response_id) {
}
// Perform a response and put the output into a div
function perform_response_massive(target, response_id, out_iterator) {
function perform_response_massive(response, response_id, out_iterator) {
$("#re_exec_command").hide();
$("#response_loading_command_" + out_iterator).show();
$("#response_out_" + out_iterator).html("");
@ -421,8 +419,10 @@ function perform_response_massive(target, response_id, out_iterator) {
var params = [];
params.push("page=include/ajax/events");
params.push("perform_event_response=1");
params.push("target=" + target);
params.push("target=" + response["target"]);
params.push("response_id=" + response_id);
params.push("event_id=" + response["event_id"]);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({
data: params.join("&"),
@ -916,17 +916,24 @@ function check_massive_response_event(
$(".chk_val:checked").each(function() {
var event_id = $(this).val();
var server_id = $("#hidden-server_id_" + event_id).val();
var meta = $("#hidden-meta").val();
var server_id = 0;
if (meta) {
server_id = $("#hidden-server_id_" + event_id).val();
}
response["target"] = get_response_target(
event_id,
response_id,
server_id,
response_command
);
response["server_id"] = server_id;
response["event_id"] = event_id;
if (total_checked - 1 === counter) end = 1;
show_massive_response_dialog(event_id, response_id, response, counter, end);
show_massive_response_dialog(response_id, response, counter, end);
counter++;
});
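Review bot: The added `params.push("event_id=" + response["event_id"])`, `server_id=` and `target=` lines in `perform_response`, `perform_response_massive`, `show_response_dialog` and `show_massive_response_dialog` are concatenated into the query string without `encodeURIComponent`, so a command text containing `&`, `=` or `#` splits the request and the server sees a truncated value. Wrap each value, e.g. `params.push("target=" + encodeURIComponent(response["target"]));`, and do the same for `event_id` and `server_id`. Since the PHP `perform_event_response` branch now derives the command via `events_get_response_target`, `target` appears to be sent only for display; if no server branch still reads it, dropping the parameter removes one more request-controlled string from the round trip. In `check_massive_response_event` the new `if (meta)` tests the raw value of `#hidden-meta`, and a non-empty string such as `"0"` is truthy in JavaScript, so if that input carries `"0"`/`"1"` the check should be explicit, `if (meta === "1")`.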


@ -1119,12 +1119,13 @@ if ($group_rep == 2) {
server_id,
response_command
);
response["server_id"] = server_id;
response["event_id"] = event_id;
if (total_checked-1 === counter)
end=1;
show_massive_response_dialog(
event_id,
response_id,
response,
counter,


@ -1765,6 +1765,9 @@ function process_datatables_item(item) {
evn += '('+item.event_rep+') ';
}
evn += item.evento+'</a>';
if(item.meta === true) {
evn += '<input id="hidden-server_id_'+item.id_evento+'" type="hidden" value="'+item.server_id+'">';
}
item.mini_severity = '<div class="event flex-row h100p nowrap">';
item.mini_severity += output;
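Review bot: The added hidden input interpolates `item.id_evento` and `item.server_id` straight into an HTML string, so the attribute is only safe if both fields are guaranteed integers; the surrounding condition checks `item.meta` but not the shape of these two values. Coercing them makes that guarantee explicit and keeps the element out of the markup-injection surface: `evn += '<input id="hidden-server_id_'+parseInt(item.id_evento, 10)+'" type="hidden" value="'+parseInt(item.server_id, 10)+'">';`. The id must keep matching the `"#hidden-server_id_" + event_id` selector used by `check_massive_response_event`. `process_datatables_item` continues outside this hunk.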