From 849eba10d454c6f6a5ab323610c5fd5498414cd8 Mon Sep 17 00:00:00 2001
From: Alejandro Gallardo Escobar
Date: Mon, 30 Oct 2017 18:03:09 +0100
Subject: [PATCH] [Console] Fixed a vulnerability into the 'fgraph.php' script
---
 .../visual_console_builder.editor.js | 27 ++------
 pandora_console/include/functions_graph.php | 10 +--
 pandora_console/include/graphs/fgraph.php | 64 ++++++-------------
 3 files changed, 30 insertions(+), 71 deletions(-)
diff --git a/pandora_console/godmode/reporting/visual_console_builder.editor.js b/pandora_console/godmode/reporting/visual_console_builder.editor.js
index bc69c22351..42fc68d165 100755
--- a/pandora_console/godmode/reporting/visual_console_builder.editor.js
+++ b/pandora_console/godmode/reporting/visual_console_builder.editor.js
@@ -32,8 +32,6 @@ var SIZE_GRID = 16; //Const the size (for width and height) of grid.
 var img_handler_start;
 var img_handler_end;
-var font;
-
 function toggle_advance_options_palette(close) {
 if ($("#advance_options").css('display') == 'none') {
 $("#advance_options").css('display', '');
@@ -58,23 +56,6 @@ function visual_map_main() {
 img_handler_end = data;
 });
- //Get the actual system font.
- parameter = Array();
- parameter.push ({name: "page", value: "include/ajax/visual_console_builder.ajax"});
- parameter.push ({name: "action", value: "get_font"});
- parameter.push ({name: "id_visual_console",
- value: id_visual_console});
- jQuery.ajax({
- url: get_url_ajax(),
- data: parameter,
- type: "POST",
- dataType: 'json',
- success: function (data)
- {
- font = data['font'];
- }
- });
-
 //Get the list of posible parents
 parents = Base64.decode($("input[name='parents_load']").val());
 parents = eval("(" + parents + ")");
@@ -1912,9 +1893,9 @@ function setPercentileBar(id_data, values) {
 value_text = module_value + " " + unit_text;
 }
- var img = url_hack_metaconsole + 'include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar&height=15&' +
+ var img = url_hack_metaconsole + 'include/graphs/fgraph.php?graph_type=progressbar&height=15&' +
 'width=' + width_percentile + '&mode=1&progress=' + percentile +
- '&font=' + font + '&value_text=' + value_text + '&colorRGB=' + colorRGB;
+ '&value_text=' + value_text + '&colorRGB=' + colorRGB;
 $("#"+ id_data).attr('src', img);
@@ -2035,9 +2016,9 @@ function setPercentileBubble(id_data, values) {
 value_text = module_value + " " + unit_text;
 }
- var img = url_hack_metaconsole + 'include/graphs/fgraph.php?homeurl=../../&graph_type=progressbubble&height=' + width_percentile + '&' +
+ var img = url_hack_metaconsole + 'include/graphs/fgraph.php?graph_type=progressbubble&height=' + width_percentile + '&' +
 'width=' + width_percentile + '&mode=1&progress=' + percentile +
- '&font=' + font + '&value_text=' + value_text + '&colorRGB=' + colorRGB;
+ '&value_text=' + value_text + '&colorRGB=' + colorRGB;
 $("#image_" + id_data).attr('src', img);
diff --git a/pandora_console/include/functions_graph.php b/pandora_console/include/functions_graph.php
index c97867733b..754e1b684c 100644
--- a/pandora_console/include/functions_graph.php
+++ b/pandora_console/include/functions_graph.php
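Review bot: On the new `'&value_text=' + value_text + '&colorRGB=' + colorRGB;` line the values are still spliced into the fgraph.php query string without encoding, so a unit text containing `&`, `#`, `%` or `+` truncates or corrupts the parameters fgraph.php later reads with get_parameter(). Encode each value, `'&value_text=' + encodeURIComponent(value_text) + '&colorRGB=' + encodeURIComponent(colorRGB);`, and do the same for `width_percentile` and `percentile` on the preceding context line if they are not guaranteed numeric. The setPercentileBubble hunk below builds the same line and needs the same change. Both setPercentileBar and setPercentileBubble start before and end after their hunks.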
@@ -2457,10 +2457,10 @@ function progress_bar($progress, $width, $height, $title = '', $mode = 1, $value
 require_once("include_graph_dependencies.php");
 include_graphs_dependencies($config['homedir'].'/');
 $src = ui_get_full_url(
- "/include/graphs/fgraph.php?homeurl=../../&graph_type=progressbar" .
- "&width=".$width."&homedir=".$config['homedir']."&height=".$height."&progress=".$progress.
+ "/include/graphs/fgraph.php?graph_type=progressbar" .
+ "&width=".$width."&height=".$height."&progress=".$progress.
 "&mode=" . $mode . "&out_of_lim_str=".$out_of_lim_str .
- "&title=".$title."&font=".$config['fontpath']."&value_text=". $value_text .
+ "&title=".$title."&value_text=". $value_text .
 "&colorRGB=". $colorRGB, false, false, false
 );
@@ -2492,10 +2492,10 @@ function progress_bubble($progress, $width, $height, $title = '', $mode = 1, $va
 include_graphs_dependencies($config['homedir'].'/');
 return "" . $title . "";
 }
diff --git a/pandora_console/include/graphs/fgraph.php b/pandora_console/include/graphs/fgraph.php
index c36529b7f7..15cf6eeeb7 100644
--- a/pandora_console/include/graphs/fgraph.php
+++ b/pandora_console/include/graphs/fgraph.php
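Review bot: The rebuilt query string on the `+` lines still concatenates `$width`, `$height`, `$progress`, `$title` and `$value_text` raw, so a title or unit text containing `&`, `=` or `#` is split into extra parameters when fgraph.php parses the URL. Apply `urlencode()` to each value, `"&width=".urlencode($width)."&height=".urlencode($height)."&progress=".urlencode($progress).` and `"&title=".urlencode($title)."&value_text=". urlencode($value_text) .`, and treat `$mode`, `$out_of_lim_str` and `$colorRGB` on the context lines the same way. The progress_bubble hunk below appears to build the same URL inline, but its lines are not fully visible here. progress_bar's body continues outside the hunk.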
@@ -10,48 +10,29 @@
 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 // GNU General Public License for more details.
-$ttl = 1;
-$homeurl = '';
-
-if (isset($_GET['homeurl'])) {
- $homeurl = $_GET['homeurl'];
-}
-else $homeurl = '';
-
-$homeurl = ((bool)filter_var($homeurl, FILTER_VALIDATE_URL) == 1) ? '' : $homeurl;
-
-if (isset($_GET['ttl'])) {
- $ttl = $_GET['ttl'];
-}
-else $ttl_param = 1;
-
-if (isset($_GET['graph_type'])) {
- $graph_type = $_GET['graph_type'];
-}
-else $graph_type = '';
-
-//$graph_type = get_parameter('graph_type', '');
-//$ttl_param = get_parameter('ttl', 1);
-//$homeurl_param = get_parameter('homeurl', '');
-
 // Turn on output buffering.
 // The entire buffer will be discarded later so that any accidental output
 // does not corrupt images generated by fgraph.
-ob_start ();
+ob_start();
+
+global $config;
+
+if (empty($config['homedir'])) {
+ require_once ('../../include/config.php');
+ global $config;
+}
+
+include_once($config['homedir'] . '/include/functions.php');
+
+$ttl = get_parameter('ttl', 1);
+$graph_type = get_parameter('graph_type', '');
 if (!empty($graph_type)) {
- $homedir = $_GET['homedir'];
- if ($homedir != null) {
- $config['homedir'] = $homedir;
- }
-
- include_once($homeurl . 'include/functions.php');
- include_once($homeurl . 'include/functions_html.php');
-
- include_once($homeurl . 'include/graphs/functions_gd.php');
- include_once($homeurl . 'include/graphs/functions_utils.php');
- include_once($homeurl . 'include/graphs/functions_d3.php');
- include_once($homeurl . 'include/graphs/functions_flot.php');
+ include_once($config['homedir'] . '/include/functions_html.php');
+ include_once($config['homedir'] . '/include/graphs/functions_gd.php');
+ include_once($config['homedir'] . '/include/graphs/functions_utils.php');
+ include_once($config['homedir'] . '/include/graphs/functions_d3.php');
+ include_once($config['homedir'] . 
'/include/graphs/functions_flot.php');
 }
 // Clean the output buffer and turn off output buffering
@@ -61,13 +42,12 @@ switch($graph_type) {
 case 'histogram':
 $width = get_parameter('width');
 $height = get_parameter('height');
- $font = get_parameter('font');
 $data = json_decode(io_safe_output(get_parameter('data')), true);
 $max = get_parameter('max');
 $title = get_parameter('title');
 $mode = get_parameter ('mode', 1);
- gd_histogram ($width, $height, $mode, $data, $max, $font, $title);
+ gd_histogram ($width, $height, $mode, $data, $max, $config['fontpath'], $title);
 break;
 case 'progressbar':
 $width = get_parameter('width');
@@ -77,7 +57,6 @@ switch($graph_type) {
 $out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 $out_of_lim_image = get_parameter('out_of_lim_image', false);
- $font = get_parameter('font');
 $title = get_parameter('title');
 $mode = get_parameter('mode', 1);
@@ -87,7 +66,7 @@ switch($graph_type) {
 $value_text = get_parameter('value_text', '');
 $colorRGB = get_parameter('colorRGB', '');
- gd_progress_bar ($width, $height, $progress, $title, $font,
+ gd_progress_bar ($width, $height, $progress, $title, $config['fontpath'],
 $out_of_lim_str, $out_of_lim_image, $mode, $fontsize, $value_text, $colorRGB);
 break;
@@ -99,7 +78,6 @@ switch($graph_type) {
 $out_of_lim_str = io_safe_output(get_parameter('out_of_lim_str', false));
 $out_of_lim_image = get_parameter('out_of_lim_image', false);
- $font = get_parameter('font');
 $title = get_parameter('title');
 $mode = get_parameter('mode', 1);
@@ -109,7 +87,7 @@ switch($graph_type) {
 $value_text = get_parameter('value_text', '');
 $colorRGB = get_parameter('colorRGB', '');
- gd_progress_bubble ($width, $height, $progress, $title, $font,
+ gd_progress_bubble ($width, $height, $progress, $title, $config['fontpath'],
 $out_of_lim_str, $out_of_lim_image, $mode, $fontsize, $value_text, $colorRGB);
 break;
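Review bot: `$ttl = get_parameter('ttl', 1);` takes the value straight from the request without an integer check; where `$ttl` is consumed lies outside this hunk, but as a request-controlled value it should be cast, `$ttl = (int) get_parameter('ttl', 1);`, and bounded if it scales an image. The two `global $config;` statements are no-ops at file scope (this appears to be a plain script rather than a function body) and can be dropped; the `if (empty($config['homedir']))` bootstrap is what actually matters. A comment on that `if`, such as `// Requested directly: load config.php so every include path comes from $config['homedir'], never from the request`, would record why the former homeurl/homedir parameters are gone. This hunk starts on the previous line of the listing and the file continues after it.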
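Review bot: In the histogram case `$width` and `$height` go from get_parameter() into gd_histogram() with no cast or bound, so whoever can reach fgraph.php chooses the GD canvas size and with it the memory the request consumes; cast and clamp before the call, `$width = (int) get_parameter('width');` and `$height = (int) get_parameter('height');`, with an upper limit of your choosing. `$data` is null when json_decode() fails and nothing checks it before gd_histogram() is called. The progressbar `$width` on the last context line and the dimensions read in the following hunks have the same exposure; the switch body continues outside the hunks.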