diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index d1c1633156..cbd7087f6b 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,145 +1,42 @@ -2010-08-18 Sergio Martin +2010-08-18 Sancho Lerena - * godmode/agentes/module_manager_editor_network.php: changed the - spinning snmp walk image from png to gif + * include/functions_io.php: safe_input() modified to detect SQL injection + attacks using /**/ strings. -2010-08-17 Raúl Mateos + * index.php: Prevent HTTP response splitting attacks. - * extensions/agents_modules.php, extensions/module_groups.php: Use - "status" instead "state". Change the order of colours, to maintain - coherence with other pages. Few cosmetic and gramatical changes. + * pandora_console.spec: Updated some spec variables and description. -2010-08-17 Sergio Martin + * pandoradb.sql, + extras/pandoradb_migrate_v3.1_to_v3.2.sql: Added a new field in trecon_task + to store the snmp_community on detected hosts in a recon task. - * godmode/agentes/massive_operations.php: Fixed the default tab - of the massive operations section + * extras/pandora_diag.php: Fixed security problem in relative path. -2010-08-17 Sergio Martin + * general/pandora_help.php, + general/footer.php: Fixed security problem in relative path/include. - * godmode/agentes/massive_copy_modules.php - godmode/agentes/massive_add_alerts.php - godmode/agentes/massive_delete_agents.php - godmode/agentes/massive_config.php - godmode/agentes/massive_delete_action_alerts.php - godmode/agentes/massive_delete_alerts.php - godmode/agentes/massive_edit_modules.php - godmode/agentes/massive_operations.php - godmode/agentes/massive_delete_modules.php - godmode/agentes/massive_add_action_alerts.php: Restructured the - tabs of masive operations. Now there are only four tabs: module, - agents, alerts and the enterprise policy masive operations. All - the operations are now classified under this hierarchy + * general/login_page.php: Fixed security problem in URL parsing. 
-2010-08-17 Sergio Martin + * godmode/servers/manage_recontask_form.php, + manage_recontask.php: Implemented new feature to use a snmp comunity on all + network modules added to a new detected host. - * extensions/agents_modules.php: Added an agent group filter into - the agents/modules matrix and increased the size of the header to - read more letters from the module names + * config_process.php: Updated build. -2010-08-13 Miguel de Dios - * include/functions.php: erased deprecate function "entrada_limpia" for to - use only the english named "safe_input". - - * godmode/setup/links.php: replaced the deprecate function "entrada_limpia" - for the english named "safe_input". + * functions.php: New version of safe_url_extraclean() function (security fix) + and modified also enterprise_include* functions to have a secure include. -2010-08-13 Sergio Martin + * functions_ui.php: Secured function get_include_contents(). - * include/functions_visual_map.php: Added the alerts fired status - to the visual maps drawing an orange edge around the static graph icon + * operation/agentes/gis_view.php: Secured url extraction/parsing. -2010-08-13 Miguel de Dios - * include/functions_reporting.php: fixed the loop of alerts when Pandora - haven't alerts. - Fixes: #3044246 +2010-08-10 Sancho Lerena -2010-08-13 Sergio Martin + * include/config_process.php: Updated build and development version. - * operation/snmpconsole/snmp_view.php: Fixed the pagination - block filter in the SNMP console + * pandora_console.spec: Updated some texts and version. 
-2010-08-13 Sergio Martin - - * extensions/agents_modules.php: Aligned vertically the modules - paginatiomn arrows in the agents/modules matrix - -2010-08-13 Sergio Martin - - * include/functions.php: Fixed a bug to generate the image - in string2image whenn the string contains a sharp (#) - -2010-08-12 Sergio Martin - - * extensions/agents_modules.php: Change the status of the agents (the first - column colors) to the status of the agent, not the worst module - -2010-08-12 Sergio Martin - - * extensions/agents_modules.php: Improved the agents/modules matrix in - visual way and converting the horizontal module names in vertical images - -2010-08-12 Sergio Martin - - * include/functions.php: Added the function string2image to obtain an image - from a string with parameters like text color, background color, rotation degrees... - -2010-08-12 Sergio Martin - - * include/functions_ui.php: Improved the function print_status_image - to allow an additional parameter for send it image options like - style, width... - -2010-08-12 Ramon Novoa - - * include/functions_alerts.php, - godmode/alerts/configure_alert_template.php: Added support for - unknown status alerts. - - * pandoradb.sql, godmode/menu.php, - extras/pandoradb_migrate_v3.1_to_v3.2.sql: Added support for SNMP - filters. - - * godmode/snmpconsole/snmp_filters.php: Added to repository. SNMP - filter editor. - - * operation/snmpconsole/snmp_view.php: Fixed header placement. 
- -2010-08-12 Sergio Martin - - * include/functions_html.php: Added the function html2rgb for - convert a color string from format #FFFFFF to RGB values - -2010-08-12 Sergio Martin - - * godmode/agentes/massive_operations.php: Added the massive operation - to add snmp modules to an agent - -2010-08-11 Sergio Martin - - * godmode/agentes/module_manager_editor.php: Changed the old way of - get a snmpwalk to use the new function get_snmpwalk - -2010-08-11 Sergio Martin - - * include/functions.php: Changed the newst function added name - -2010-08-11 Sergio Martin - - * include/functions.php: Added a function to call snmpwalk - functions setting the version, ip address, community... - -2010-08-11 Junichi Satoh - - * include/help/ja/help_network_map.php, - include/help/ja/help_autocreate_blacklist.php: Added new help files - in Japanese. - -2010-08-10 Miguel de Dios - * ajax.php: cleaned source code. - - * godmode/agentes/massive_operations.php: cleaned source code, and added - hook to enterprise massive operations tab. - 2010-08-10 Sergio Martin * pandoradb.sql
diff --git a/pandora_console/extras/pandora_diag.php b/pandora_console/extras/pandora_diag.php
index a75f91d5a6..39671fd305 100644
--- a/pandora_console/extras/pandora_diag.php
+++ b/pandora_console/extras/pandora_diag.php
@@ -63,6 +63,10 @@ full path to Pandora FMS 'config.php' file.
 ";
 exit;
 }
+ if (preg_match ('/[^a-zA-Z0-9_\/\.]|(\/\/)|(\.\.)/', $argv[1])) {
+ echo "Invalid path: $argv[1]. Always use absolute paths.";
+ exit;
+ }
 include $argv[1]."/include/config.php";
 }
 else {
diff --git a/pandora_console/extras/pandoradb_migrate_v3.1_to_v3.2.sql b/pandora_console/extras/pandoradb_migrate_v3.1_to_v3.2.sql
index fbd974312e..6bad57ff90 100644
--- a/pandora_console/extras/pandoradb_migrate_v3.1_to_v3.2.sql
+++ b/pandora_console/extras/pandoradb_migrate_v3.1_to_v3.2.sql
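Review bot: The new guard on `$argv[1]` rejects any hyphen, so an install directory such as `/opt/pandora-fms` is refused with the 'Always use absolute paths' message even though it is absolute, while a purely alphanumeric relative path still passes the regex; the check and the message disagree. Canonicalising expresses the intent directly and survives ordinary directory names: `$base = realpath ($argv[1]);` followed by `if ($base === false || substr ($base, 0, 1) != '/') { echo "Invalid path: $argv[1]. Always use absolute paths."; exit; }` and `include $base."/include/config.php";`. The value is a local command-line argument, so exposure is limited to whoever can run the script. The enclosing `if` starts before the hunk.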
@@ -91,3 +91,5 @@ CREATE TABLE IF NOT EXISTS `tsnmp_filter` (
 ALTER TABLE `talert_templates` MODIFY COLUMN `type` ENUM ('regex', 'max_min', 'max', 'min', 'equal', 'not_equal', 'warning', 'critica l', 'onchange', 'unknown');
+ALTER TABLE trecon_task ADD `snmp_community` varchar(64) NOT NULL default 'public';
+
diff --git a/pandora_console/general/footer.php b/pandora_console/general/footer.php
index 147dbf5625..3c6752dd87 100644
--- a/pandora_console/general/footer.php
+++ b/pandora_console/general/footer.php
@@ -20,12 +20,12 @@ if (isset($_SERVER['REQUEST_TIME'])) {
 $time = get_system_time ();
 }
-$license_file = 'general/license/pandora_info_'.$config["language"].'.html';
-if (! file_exists ($license_file)) {
- $license_file = 'general/license/pandora_info_en.html';
+$license_file = '/general/license/pandora_info_'.$config["language"].'.html';
+if (! file_exists ($config["homedir"] . $license_file)) {
+ $license_file = '/general/license/pandora_info_en.html';
 }
-echo '';
+echo '';
 echo 'Pandora FMS '.$pandora_version.' - Build '.$build_version;
 echo '
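Review bot: The added `ALTER TABLE trecon_task ADD ...` cannot be re-run: a second application of the migration stops with a duplicate-column error, whereas the `CREATE TABLE IF NOT EXISTS` above it tolerates repetition, and MySQL offers no `ADD COLUMN IF NOT EXISTS` to lean on, so state it in a comment above the line: `-- Not re-runnable: fails with a duplicate-column error if this migration is applied twice.` It also leaves `trecon_task` unquoted while the neighbouring statements backtick their identifiers; quoting it keeps the file consistent. Because `snmp_community` stores a credential that, per the ChangeLog entry, is applied to the network modules created for discovered hosts, a one-line comment naming it as a credential would help anyone later adding logging or export of this table.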
';
 echo ''. __('Page generated at') . ' '. print_timestamp ($time, true, array ("prominent" => "timestamp")); //Always use timestamp here
diff --git a/pandora_console/general/login_page.php b/pandora_console/general/login_page.php
index 2feeeea6c3..babd549a4f 100644
--- a/pandora_console/general/login_page.php
+++ b/pandora_console/general/login_page.php
@@ -16,7 +16,7 @@ $url = '?login=1';
 //These variables come from index.php
 if (!empty ($page) && !empty ($sec)) {
 foreach ($_GET as $key => $value) {
- $url .= '&'.$key.'='.$value;
+ $url .= '&'.safe_url_extraclean($key).'='.safe_url_extraclean($value);
 }
 }
diff --git a/pandora_console/general/pandora_help.php b/pandora_console/general/pandora_help.php
index 17e3eccd5a..6de35ec4b3 100644
--- a/pandora_console/general/pandora_help.php
+++ b/pandora_console/general/pandora_help.php
@@ -24,10 +24,12 @@ echo '';
 $id = get_parameter ('id');
 /* Possible file locations */
-$files = array ($config["homedir"]."/include/help/".$config["language"]."/help_".$id.".php",
- $config["homedir"].ENTERPRISE_DIR."/include/help/".$config["language"]."/help_".$id.".php",
- $config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$id.".php",
- $config["homedir"]."/include/help/en/help_".$id.".php");
+$safe_language = safe_url_extraclean ($config["language"], "en");
+$safe_id = safe_url_extraclean ($id, "");
+$files = array ($config["homedir"]."/include/help/".$safe_language."/help_".$safe_id.".php",
+ $config["homedir"].ENTERPRISE_DIR."/include/help/".$safe_language."/help_".$safe_id.".php",
+ $config["homedir"].ENTERPRISE_DIR."/include/help/en/help_".$safe_id.".php",
+ $config["homedir"]."/include/help/en/help_".$safe_id.".php");
 $help_file = '';
 foreach ($files as $file) {
 if (file_exists ($file)) {
diff --git a/pandora_console/godmode/servers/manage_recontask.php b/pandora_console/godmode/servers/manage_recontask.php
index 02b7d3f194..c194b9721e 100644
--- a/pandora_console/godmode/servers/manage_recontask.php
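Review bot: `$config["language"]` is still concatenated unfiltered into `$license_file`, whereas this same commit passes it through `safe_url_extraclean()` in general/pandora_help.php before building a path from it; if the language setting is user-controlled, the `file_exists()` probe and whatever the following `echo` builds from `$license_file` see the raw value. Apply the same filter here for consistency: `$safe_language = safe_url_extraclean ($config["language"], "en");` and use `$safe_language` in the path. The markup of the two `echo ''` lines has been stripped from this rendering, so what they emit cannot be reviewed here.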
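Review bot: `safe_url_extraclean()` (as rewritten in include/functions.php in this commit) returns its default — here `''` — as soon as the input contains anything outside `[a-zA-Z0-9_/.]`, so any `$_GET` value holding a hyphen, space, `%` or `+` is silently dropped from `$url` rather than neutralised, and the loop added to operation/agentes/gis_view.php behaves the same way. For a query string the encoding function loses nothing and removes the injection risk at the same time: `$url .= '&'.urlencode($key).'='.urlencode($value);`. If `$url` is later written into HTML, the `&` separators additionally need `htmlspecialchars()` at that point, which is outside this hunk.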
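Review bot: `safe_url_extraclean()` still accepts `/` (only `//` and `..` are refused), so `$safe_id` and `$safe_language` may contain path separators and `id` can pick `help_<name>.php` files out of subdirectories of the help tree; traversal above `$config["homedir"]` is blocked by the `..` rule, but the reachable set is wider than a flat list of help pages. If only top-level help pages are intended, reject the separator too: `if (strpos ($safe_id, '/') !== false) $safe_id = '';`. How the selected `$help_file` is included lies below the hunk and is not visible here.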
+++ b/pandora_console/godmode/servers/manage_recontask.php
@@ -57,6 +57,7 @@ if ((isset ($_GET["update"])) OR ((isset ($_GET["create"])))) {
 $id_network_profile = get_parameter_post ("id_network_profile");
 $recon_ports = get_parameter_post ("recon_ports", "");
 $id_os = get_parameter_post ("id_os", 10);
+ $snmp_community = get_parameter_post ("snmp_community", "public");
 }
 // --------------------------------
@@ -64,9 +65,7 @@ if ((isset ($_GET["update"])) OR ((isset ($_GET["create"])))) {
 // --------------------------------
 if (isset($_GET["update"])) {
 $id = get_parameter_get ("update");
- $sql = sprintf ("UPDATE trecon_task SET id_os = %d, name = '%s', subnet = '%s',
- description = '%s', id_recon_server = %d, create_incident = %b, id_group = %d, interval_sweep = %u,
- id_network_profile = %d, recon_ports = '%s' WHERE id_rt = %u",$id_os,$name,$network,$description,$id_recon_server,$create_incident,$id_group,$interval,$id_network_profile,$recon_ports, $id);
+ $sql = sprintf ("UPDATE trecon_task SET snmp_community = '%s', id_os = %d, name = '%s', subnet = '%s', description = '%s', id_recon_server = %d, create_incident = %b, id_group = %d, interval_sweep = %u, id_network_profile = %d, recon_ports = '%s' WHERE id_rt = %u",$snmp_community, $id_os,$name,$network,$description,$id_recon_server,$create_incident,$id_group,$interval,$id_network_profile,$recon_ports, $id);
 if($name != "" && preg_match("/[0-9]+.+[0-9]+.+[0-9]+.+[0-9]+\/+[0-9]/", $network)) $result = process_sql ($sql);
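Review bot: The new `snmp_community` value is spliced into the `UPDATE` through `sprintf ('%s')` with no SQL escaping, and the `INSERT` in the next hunk (`@@ -85,8 +84,8 @@`) does the same; if `get_parameter_post()` routes through `safe_input()` from include/functions_io.php, the only protection is that function's HTML-entity encoding, which is an output-encoding step and not an SQL one. As a free-text credential typed into a form, the value should be escaped by the database layer where the query is built — for the mysql extension, pass `mysql_real_escape_string ($snmp_community)` to `sprintf` — or bound through a prepared statement. The pre-existing `'%s'` fields in the same statement share the weakness but are not part of this change.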
@@ -85,8 +84,8 @@ if (isset($_GET["update"])) {
 // --------------------------------
 if (isset($_GET["create"])) {
 $sql = sprintf ("INSERT INTO trecon_task
- (name, subnet, description, id_recon_server, create_incident, id_group, id_network_profile, interval_sweep, id_os, recon_ports)
- VALUES ( '%s', '%s', '%s', %u, %b, %d, %d, %u, %d, '%s')",$name,$network,$description,$id_recon_server,$create_incident,$id_group,$id_network_profile,$interval,$id_os, $recon_ports);
+ (name, subnet, description, id_recon_server, create_incident, id_group, id_network_profile, interval_sweep, id_os, recon_ports, snmp_community)
+ VALUES ( '%s', '%s', '%s', %u, %b, %d, %d, %u, %d, '%s', '%s')",$name,$network,$description,$id_recon_server,$create_incident,$id_group,$id_network_profile,$interval,$id_os, $recon_ports, $snmp_community);
 if($name != "" && preg_match("/[0-9]+.+[0-9]+.+[0-9]+.+[0-9]+\/+[0-9]/", $network)) $result = process_sql ($sql);
diff --git a/pandora_console/godmode/servers/manage_recontask_form.php b/pandora_console/godmode/servers/manage_recontask_form.php
index 67e7ab1555..152245ed4f 100644
--- a/pandora_console/godmode/servers/manage_recontask_form.php
+++ b/pandora_console/godmode/servers/manage_recontask_form.php
@@ -39,6 +39,7 @@ if (isset ($_GET["update"])) { // Edit mode
 $id_network_profile = $row["id_network_profile"];
 $id_os = $row["id_os"];
 $recon_ports = $row["recon_ports"];
+ $snmp_community = $row["snmp_community"];
 } elseif (isset ($_GET["create"])) {
 $id_rt = -1;
 $name = "";
@@ -48,6 +49,7 @@ if (isset ($_GET["update"])) { // Edit mode
 $interval = 43200;
 $id_group = 0;
 $create_incident = 1;
+ $snmp_community = "public";
 $id_network_profile = 1;
 $id_os = -1; // Any
 $recon_ports = ""; // Any
@@ -116,9 +118,15 @@ $table->data[8][0] = "".__('Incident');
 $table->data[8][1] = print_select ($values, "create_incident", $create_incident, '','','',true);
+// SNMP default community
+$table->data[9][0] = "".__('SNMP Default community');
+$table->data[9][1] = print_input_text ('snmp_community', $snmp_community, '', 35, 0, true);
+
 // Comments
-$table->data[9][0] = "".__('Comments');
-$table->data[9][1] = print_input_text ('description', $description, '', 45, 0, true);
+$table->data[10][0] = "".__('Comments');
+$table->data[10][1] = print_input_text ('description', $description, '', 45, 0, true);
+
+
 // Different Form url if it's a create or if it's a update form
diff --git a/pandora_console/include/config_process.php b/pandora_console/include/config_process.php
index 6f44de50a5..224f992518 100644
--- a/pandora_console/include/config_process.php
+++ b/pandora_console/include/config_process.php
@@ -22,8 +22,8 @@
 /**
 * Pandora build version and version
 */
-$build_version = 'PC100608';
-$pandora_version = 'v3.1';
+$build_version = 'PC100810';
+$pandora_version = 'v3.2dev';
 /* Help to debug problems. Override global PHP configuration */
 if (!isset($develop_bypass)) $develop_bypass = 0;
diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index e62620061f..41e4b15641 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
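Review bot: The community string is rendered with `print_input_text`, so the stored credential appears in clear in the edit form, in the page source and in browser form history; of the fields on this form it is the only secret, which makes it the one candidate for a password-type control. Whether `print_input_text` HTML-escapes its value argument is outside this hunk; if it does not, the row value loaded in `@@ -39,6 +39,7 @@` is echoed unescaped. At minimum mark the intent above the new rows: `// SNMP community is a credential: it is shown in clear here.`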
@@ -77,22 +77,21 @@ function output_clean_strict ($string) {
 * TODO: Make this multibyte safe (I don't know if there is an attack vector there)
 *
 * @param string String to clean
+ * @param default_string String that will be returned if invalid characters are found.
 *
 * @return string Cleaned string
 */
-function safe_url_extraclean ($string) {
- /* Clean "://" from the strings
- See: http://seclists.org/lists/incidents/2004/Jul/0034.html
- */
- $pos = strpos ($string, "://");
- if ($pos != 0) {
- //Strip the string from (protocol[://] to protocol[://] + 125 chars)
- $string = substr ($string, $pos + 3, $pos + 128);
- } else {
- $string = substr ($string, 0, 125);
- }
+function safe_url_extraclean ($string, $default_string = '') {
+ /* Strip the string to 125 characters */
- return preg_replace ('/[^a-z0-9_\/\.]/i', '', $string);
+ $string = substr ($string, 0, 125);
+
+ /* Search for unwanted characters */
+ if (preg_match ('/[^a-zA-Z0-9_\/\.]|(\/\/)|(\.\.)/', $string)) {
+ return $default_string;
+ }
+
+ return $string;
 }
 /**
@@ -862,6 +861,9 @@ function enterprise_include ($filename) {
 $filepath = realpath ($config["homedir"].'/'.ENTERPRISE_DIR.'/'.$filename);
 if ($filepath === false) return ENTERPRISE_NOT_HOOK;
+ if (strncmp ($config["homedir"], $filepath, strlen ($config["homedir"])) != 0){
+ return ENTERPRISE_NOT_HOOK;
+ }
 if (file_exists ($filepath)) {
 include ($filepath);
 return true;
@@ -875,6 +877,8 @@ function enterprise_include_once ($filename) {
 $filepath = realpath ($config["homedir"].'/'.ENTERPRISE_DIR.'/'.$filename);
 if ($filepath === false) return ENTERPRISE_NOT_HOOK;
+ if (strncmp ($config["homedir"], $filepath, strlen ($config["homedir"])) != 0)
+ return ENTERPRISE_NOT_HOOK;
 if (file_exists ($filepath)) {
 require_once ($filepath);
 return true;
diff --git a/pandora_console/include/functions_io.php b/pandora_console/include/functions_io.php
index fbee69fb33..1148c3e7fc 100755
--- a/pandora_console/include/functions_io.php
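Review bot: The rewrite changes the contract from 'strip unwanted characters' to 'return `$default_string` at the first unwanted character', but the docblock still reads `@return string Cleaned string` and the added `@param` line omits the type and variable name; callers in this commit (general/login_page.php, operation/agentes/gis_view.php) pass no default and therefore receive `''` for any value containing a hyphen or space. Bring the docblock in line: `@param string $default_string Returned when $string contains a character outside [a-zA-Z0-9_/.] or the sequences // or ..` and `@return string $string cut to 125 characters, or $default_string when it was rejected`. The old `://` handling and its seclists reference disappear with this change, which is fine, but the 125-character limit now has no explanation — a short comment saying why that length was chosen would help.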
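Review bot: The containment test `strncmp ($config["homedir"], $filepath, strlen ($config["homedir"]))` compares a `realpath()`-canonicalised path against an uncanonicalised prefix: a trailing slash, a symlinked component or a `..` inside `$config["homedir"]` makes every enterprise include return `ENTERPRISE_NOT_HOOK` (fails closed, but silently), and with no trailing separator a sibling directory whose name merely starts with the homedir string also passes. Compare against the canonical directory plus separator: `$home = realpath ($config["homedir"]).'/';` and `if (strncmp ($home, $filepath, strlen ($home)) != 0)`. The same applies to the `enterprise_include_once` hunk below and to `get_include_contents()` in include/functions_ui.php; the two hunks here also write the identical guard once with braces and once without.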
+++ b/pandora_console/include/functions_io.php
@@ -32,7 +32,12 @@ function safe_input($value) {
 //Replace the character '\' for the equivalent html entitie
 $valueHtmlEncode = str_replace('\\', "\", $valueHtmlEncode);
-
+
+ // First attempt to avoid SQL Injection based on SQL comments
+ // Specific for MySQL.
+ $valueHtmlEncode = str_replace('/*', "/*", $valueHtmlEncode);
+ $valueHtmlEncode = str_replace('*/', "*/", $valueHtmlEncode);
+
 return $valueHtmlEncode;
 }
diff --git a/pandora_console/include/functions_ui.php b/pandora_console/include/functions_ui.php
index 44f3a6627f..0080a827b7 100644
--- a/pandora_console/include/functions_ui.php
+++ b/pandora_console/include/functions_ui.php
@@ -1286,12 +1286,19 @@ function print_ui_agents_list ($options = false, $filter = false, $return = fals
 * could not be included.
 */
 function get_include_contents ($filename, $params = false) {
+ global $config;
+
 ob_start ();
 if (is_array ($params)) {
 extract ($params);
 }
+ $filename = realpath ($filename);
+ if (strncmp ($config["homedir"], $filename, strlen ($config["homedir"])) != 0) {
+ return false;
+ }
+
 $result = include ($filename);
 if ($result === false) {
 ob_end_clean ();
diff --git a/pandora_console/index.php b/pandora_console/index.php
index dd49190038..8dda55a91b 100644
--- a/pandora_console/index.php
+++ b/pandora_console/index.php
@@ -86,6 +86,11 @@ if (!empty ($config["https"]) && empty ($_SERVER['HTTPS'])) {
 foreach ($_POST as $key => $value) {
 $query .= '&'.$key.'='.$value;
 }
+
+ // Prevent HTTP response splitting attacks
+ // http://en.wikipedia.org/wiki/HTTP_response_splitting
+ $query = str_replace ("\n", "", $query);
+
 header ('Location: '.$query);
 exit; //Always exit after sending location headers
 }
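Review bot: Rewriting `/*` and `*/` as HTML entities inside `safe_input()` applies output-layer encoding as an SQL defence, and it covers only one MySQL comment form; the values still reach `sprintf`-built statements such as those in godmode/servers/manage_recontask.php as raw strings, so the durable fix is escaping or binding at the query layer, not here. The comment already calls this a 'First attempt'; make the limitation explicit for the next reader: `// Mitigation only: neutralises one MySQL comment form; values must still be escaped where the SQL is built.` The start of `safe_input()` and the other replacements it performs lie above the hunk.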
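Review bot: `ob_start ()` runs before the new `realpath()`/prefix check, and the early `return false` leaves that buffer open, so every rejected include leaks one output-buffering level to the caller, while the existing failure path a few lines down calls `ob_end_clean ()` first. Move the check above `ob_start ()`, or clean up before returning: `if ($filename === false || strncmp ($config["homedir"], $filename, strlen ($config["homedir"])) != 0) { ob_end_clean (); return false; }`. The `=== false` part matters because `realpath()` returns `false` for a non-existent file, which the current `strncmp` only rejects by the accident of comparing against an empty string. The prefix comparison shares the uncanonicalised-homedir and missing-trailing-separator weakness of the `enterprise_include` hunks in include/functions.php.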
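Review bot: Removing only `"\n"` leaves `"\r"` in `$query`, and both characters terminate header lines, so the guard is incomplete on its own (current PHP refuses newlines in `header()` arguments, but the code should not depend on that). Because `$key` and `$value` come directly from `$_POST`, encoding them when the query string is assembled neutralises every control character at once: `$query .= '&'.urlencode($key).'='.urlencode($value);`, after which the `str_replace` line is redundant. The `if` that begins this redirect starts above the hunk.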
@@ -138,7 +143,7 @@ if (! isset ($config['id_user']) && isset ($_GET["loginhash"])) {
 $loginhash_data = get_parameter("loginhash_data", "");
 $loginhash_user = get_parameter("loginhash_user", "");
- if ($loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
+ if ($config["loginhash_pwd"] != "" && $loginhash_data == md5($loginhash_user.$config["loginhash_pwd"])) {
 logon_db ($loginhash_user, $_SERVER['REMOTE_ADDR']);
 $_SESSION['id_usuario'] = $loginhash_user;
 $config["id_user"] = $loginhash_user;
diff --git a/pandora_console/operation/agentes/gis_view.php b/pandora_console/operation/agentes/gis_view.php
index ad269780c3..5a54fc0d78 100644
--- a/pandora_console/operation/agentes/gis_view.php
+++ b/pandora_console/operation/agentes/gis_view.php
@@ -35,6 +35,12 @@ $agentId = get_parameter('id_agente');
 $agent_name = get_agent_name($agentId);
 $agentData = getDataLastPositionAgent($id_agente);
+$url = '';
+//These variables come from index.php
+foreach ($_GET as $key => $value) {
+ $url .= '&'.safe_url_extraclean($key).'='.safe_url_extraclean($value);
+}
+
 echo "
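Review bot: Both halves of the new condition use loose comparison: `$config["loginhash_pwd"] != ""` still emits a notice if the key can be unset, and `$loginhash_data == md5(...)` compares two strings with `==`, under which strings that parse as numbers are compared numerically instead of byte-wise. Use the strict forms: `if (!empty ($config["loginhash_pwd"]) && $loginhash_data === md5 ($loginhash_user.$config["loginhash_pwd"])) {`. A comment above the block stating that the hash login stays disabled until `loginhash_pwd` is configured, which this change now enforces, would document the intent.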
"; /* Map with the current position */ @@ -72,7 +78,7 @@ if ($dataLastPosition !== false) { $dataLastPosition['stored_longitude'] . ", " . $dataLastPosition['stored_latitude'] . ", " . $dataLastPosition['stored_altitude']; } echo "
"; -echo "
"; +echo ""; echo __("Period to show data as path") . ": "; print_extended_select_for_time ($intervals, 'period', $period, '', '', '0', 10); echo __(" seconds.") . " "; diff --git a/pandora_console/pandora_console.spec b/pandora_console/pandora_console.spec index f714644702..2726065a4d 100755 --- a/pandora_console/pandora_console.spec +++ b/pandora_console/pandora_console.spec @@ -2,7 +2,7 @@ # Pandora FMS Console # %define name pandorafms_console -%define version 3.1 +%define version 3.2 %define release 1 %define httpd_name httpd # User and Group under which Apache is running @@ -22,7 +22,7 @@ Vendor: Artica ST Source0: %{name}-%{version}.tar.gz URL: http://www.pandorafms.com Group: Productivity/Networking/Web/Utilities -Packager: Manuel Arostegui +Packager: Sancho Lerena Prefix: /srv/www/htdocs BuildRoot: %{_tmppath}/%{name} BuildArchitectures: noarch 
@@ -30,13 +30,13 @@ AutoReq: 0
 Requires: apache2
 Requires: php >= 4.3.0
 Requires: php5-gd, php5-snmp, php5-pear, php5-json, php5-gettext
-Requires: php5-mysql, php5-ldap, php5-mbstring, php5
+Requires: php5-mysql, php5-ldap, php5-mbstring, php5
 Requires: graphviz, xorg-x11-fonts-core
 Requires: php5-pear-db, php-pear-xml_rpc
 Provides: %{name}-%{version}
 %description
-The Web Console is a web application that allows to see graphical reports, state of every agent, also to access to the information sent by the agent, to see every monitored parameter and to see its evolution throughout the time, to form the different nodes, groups and users of the system. It is the part that interacts with the final user, and that will allows you to administer the system.
+Pandora FMS Console is a web application to manage Pandora FMS. Console allows to see graphical reports, state of every agent, also to access to the information sent by the agent, to see every monitored parameter and to see its evolution throughout the time, to form the different nodes, groups and users of the system. It is the part that interacts with the final user, and that will allows you to administer the system.
 %prep
 rm -rf $RPM_BUILD_ROOT
diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql
index 15d9ce694a..59a03c844e 100644
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@@ -594,6 +594,7 @@ CREATE TABLE IF NOT EXISTS `trecon_task` (
 `id_recon_server` int(10) unsigned NOT NULL default '0',
 `id_os` tinyint(4) NOT NULL default '0',
 `recon_ports` varchar(250) NOT NULL default '',
+ `snmp_community` varchar(64) NOT NULL default 'public',
 PRIMARY KEY (`id_rt`),
 KEY `recon_task_daemon` (`id_recon_server`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;