Merge branch '3228-Vulnerabilidad' into 'develop'

3228 vulnerabilidad

See merge request artica/pandorafms!2062

Former-commit-id: 10c836e36c74c39ce40af8b4cc8547ea81850898

pandora_console/godmode/admin_access_logs.php

@@ -228,11 +228,11 @@ foreach ($result as $row) {
 	$rowPair = !$rowPair;
 	
 	$data = array();
-	$data[0] = $row["id_usuario"];
+	$data[0] = io_safe_output($row["id_usuario"]);
 	$data[1] = ui_print_session_action_icon($row["accion"], true) . $row["accion"];
 	$data[2] = ui_print_help_tip(date($config["date_format"], $row["utimestamp"]), true)
 		. ui_print_timestamp($row["utimestamp"], true);
-	$data[3] = $row["ip_origen"];
+	$data[3] = io_safe_output($row["ip_origen"]);
 	$data[4] = io_safe_output($row["descripcion"]);
 	
 	if ($enterprise_include !== ENTERPRISE_NOT_HOOK) {

pandora_console/godmode/agentes/configurar_agente.php

@@ -924,9 +924,8 @@ if ($update_agent) { // if modified some agent paramenter
 
 			enterprise_hook ('update_agent', array ($id_agente));
 			ui_print_success_message (__('Successfully updated'));
-			$unsafe_alias = io_safe_output($alias);
 			db_pandora_audit("Agent management",
-				"Updated agent $unsafe_alias", false, false, $info);
+				"Updated agent $alias", false, false, $info);
 
 		}
 	}
@@ -1427,7 +1426,7 @@ if ($update_module) {
 		$edit_module = true;
 		
 		db_pandora_audit("Agent management",
-			"Fail to try update module '".io_safe_output($name)."' for agent " . io_safe_output($agent["alias"]));
+			"Fail to try update module '$name' for agent " . $agent["alias"]);
 	}
 	else {
 		if ($prediction_module == 3) {
@@ -1445,7 +1444,7 @@ if ($update_module) {
 		$agent = db_get_row ('tagente', 'id_agente', $id_agente);
 		
 		db_pandora_audit("Agent management",
-			"Updated module '".io_safe_output($name)."' for agent ". io_safe_output($agent["alias"]), false, false, io_json_mb_encode($values));
+			"Updated module '$name' for agent ".$agent["alias"], false, false, io_json_mb_encode($values));
 	}
 }
 
@@ -1586,7 +1585,7 @@ if ($create_module) {
 		$edit_module = true;
 		$moduletype = $id_module;
 		db_pandora_audit("Agent management",
-			"Fail to try added module '".io_safe_output($name)."' for agent ".io_safe_output($agent["alias"]));
+			"Fail to try added module '$name' for agent ".$agent["alias"]);
 	}
 	else {
 		if ($prediction_module == 3) {
@@ -1604,7 +1603,7 @@ if ($create_module) {
 		
 		$agent = db_get_row ('tagente', 'id_agente', $id_agente);
 		db_pandora_audit("Agent management",
-			"Added module '".io_safe_output($name)."' for agent ".io_safe_output($agent["alias"]), false, true, io_json_mb_encode($values));
+			"Added module '$name' for agent ".$agent["alias"], false, true, io_json_mb_encode($values));
 	}
 }
 
@@ -1727,7 +1726,7 @@ if ($delete_module) { // DELETE agent module !
 		
 		$agent = db_get_row ('tagente', 'id_agente', $id_agente);
 		db_pandora_audit("Agent management",
-			"Deleted module '".io_safe_output($module_data["nombre"])."' for agent ".io_safe_output($agent["alias"]));
+			"Deleted module '".$module_data["nombre"]."' for agent ".$agent["alias"]);
 	}
 
 
@@ -1760,11 +1759,11 @@ if (!empty($duplicate_module)) { // DUPLICATE agent module !
 	
 	if ($result) {
 		db_pandora_audit("Agent management",
-			"Duplicate module '".$id_duplicate_module."' for agent " . io_safe_output($agent["alias"]) . " with the new id for clon " . $result);
+			"Duplicate module '".$id_duplicate_module."' for agent " . $agent["alias"] . " with the new id for clon " . $result);
 	}
 	else {
 		db_pandora_audit("Agent management",
-			"Fail to try duplicate module '".$id_duplicate_module."' for agent " . io_safe_output($agent["alias"]));
+			"Fail to try duplicate module '".$id_duplicate_module."' for agent " . $agent["alias"]);
 	}
 }
 

pandora_console/godmode/massive/massive_add_profiles.php

@@ -48,7 +48,7 @@ if ($create_profiles) {
 					// If the profile doesnt exist, we create it
 					if ($profile_data === false) {
 						db_pandora_audit("User management",
-							"Added profile for user ".io_safe_output($user));
+							"Added profile for user ".io_safe_input($user));
 						$return = profile_create_user_profile ($user, $profile, $group);
 						if ($return !== false) {
 							$n_added ++;

pandora_console/godmode/users/configure_user.php

@@ -242,7 +242,7 @@ if ($create_user) {
 		}
 
 		db_pandora_audit("User management",
-			"Created user ".io_safe_output($id), false, false, $info);
+			"Created user ".io_safe_input($id), false, false, $info);
 		
 		ui_print_result_message ($result,
 			__('Successfully created'),
@@ -392,7 +392,7 @@ if ($update_user) {
 			}
 			
 			
-			db_pandora_audit("User management", "Updated user ".io_safe_output($id),
+			db_pandora_audit("User management", "Updated user ".io_safe_input($id),
 				false, false, $info);
 			
 			ui_print_result_message ($res1,
@@ -450,7 +450,7 @@ if ($add_profile) {
 	$tags = implode(',', $tags);
 
 	db_pandora_audit("User management",
-		"Added profile for user ".io_safe_output($id2), false, false, 'Profile: ' . $profile2 . ' Group: ' . $group2 . ' Tags: ' . $tags);
+		"Added profile for user ".io_safe_input($id2), false, false, 'Profile: ' . $profile2 . ' Group: ' . $group2 . ' Tags: ' . $tags);
 	$return = profile_create_user_profile($id2, $profile2, $group2, false, $tags, $no_hierarchy);
 	ui_print_result_message ($return,
 		__('Profile added successfully'),
@@ -466,7 +466,7 @@ if ($delete_profile) {
 	$perfil = db_get_row('tperfil', 'id_perfil', $id_perfil);
 	
 	db_pandora_audit("User management",
-		"Deleted profile for user ".io_safe_output($id2), false, false, 'The profile with id ' . $id_perfil . ' in the group ' . $perfilUser['id_grupo']);
+		"Deleted profile for user ".io_safe_input($id2), false, false, 'The profile with id ' . $id_perfil . ' in the group ' . $perfilUser['id_grupo']);
 	
 	$return = profile_delete_user_profile ($id2, $id_up);
 	ui_print_result_message ($return,

pandora_console/index.php

@@ -360,7 +360,7 @@ if (! isset ($config['id_user'])) {
 				
 				if ($blocked) {
 					require_once ('general/login_page.php');
-					db_pandora_audit("Password expired", "Password expired: ".io_safe_output($nick), io_safe_output($nick));
+					db_pandora_audit("Password expired", "Password expired: ".$nick, $nick);
 					while (@ob_end_flush ());
 					exit ("</html>");
 				}
@@ -383,7 +383,7 @@ if (! isset ($config['id_user'])) {
 			
 			require_once ('general/login_page.php');
 			db_pandora_audit("Password expired",
-				"Password expired: " . io_safe_output($nick), $nick);
+				"Password expired: " . $nick, $nick);
 			while (@ob_end_flush ());
 			exit ("</html>");
 		}
@@ -541,20 +541,20 @@ if (! isset ($config['id_user'])) {
 			if ((!is_user_admin($nick) || $config['enable_pass_policy_admin']) && file_exists (ENTERPRISE_DIR . "/load_enterprise.php")) {
 				$blocked = login_check_blocked($nick);
 			}
-			$nick_usable = io_safe_output($nick);
+			
 			if (!$blocked) {
 				if (file_exists (ENTERPRISE_DIR . "/load_enterprise.php")) {
 					login_check_failed($nick); //Checks failed attempts
 				}
 				$login_failed = true;
 				require_once ('general/login_page.php');
-				db_pandora_audit("Logon Failed", "Invalid login: ".$nick_usable, $nick_usable);
+				db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
 				while (@ob_end_flush ());
 				exit ("</html>");
 			}
 			else {
 				require_once ('general/login_page.php');
-				db_pandora_audit("Logon Failed", "Invalid login: ".$nick_usable, $nick_usable);
+				db_pandora_audit("Logon Failed", "Invalid login: ".$nick, $nick);
 				while (@ob_end_flush ());
 				exit ("</html>");
 			}