tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-29 08:45:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ent 5690 vulnerabilidad critica inyeccion de comandos en llamada a event response

Browse Source
This commit is contained in:
Daniel Maya 2020-04-15 15:50:08 +02:00 committed by Alejandro Fraguas
parent a4bd4a4c5d
commit 8ae8ac45f5
4 changed files with 42 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pandora_console/include/ajax/events.php
View File

@ -917,9 +917,11 @@ if ($get_response) {
if ($perform_event_response) { if ($perform_event_response) {
global $config; global $config;
$command = get_parameter('target', '');
$response_id = get_parameter('response_id'); $response_id = get_parameter('response_id');
$event_id = (int) get_parameter('event_id');
$server_id = (int) get_parameter('server_id', 0);
$command = events_get_response_target($event_id, $response_id, $server_id);
$event_response = db_get_row('tevent_response', 'id', $response_id); $event_response = db_get_row('tevent_response', 'id', $response_id);
@ -1017,6 +1019,7 @@ if ($dialogue_event_response) {
$show_execute_again_btn = get_parameter('show_execute_again_btn'); $show_execute_again_btn = get_parameter('show_execute_again_btn');
$out_iterator = get_parameter('out_iterator'); $out_iterator = get_parameter('out_iterator');
$event_response = db_get_row('tevent_response', 'id', $response_id); $event_response = db_get_row('tevent_response', 'id', $response_id);
$server_id = get_parameter('server_id');
$event = db_get_row('tevento', 'id_evento', $event_id); $event = db_get_row('tevento', 'id_evento', $event_id);
@ -1067,7 +1070,8 @@ if ($dialogue_event_response) {
echo "<br><div id='response_out' style='text-align:left'></div>"; echo "<br><div id='response_out' style='text-align:left'></div>";
echo "<br><div id='re_exec_command' style='display:none;'>"; echo "<br><div id='re_exec_command' style='display:none;'>";
html_print_button(__('Execute again'), 'btn_str', false, 'perform_response(\''.$command.'\', '.$response_id.');', "class='sub next'"); html_print_button(__('Execute again'), 'btn_str', false, "perform_response({'target':'".$command."','event_id':".$event_id.",'server_id':".$server_id.'}, '.$response_id.');', "class='sub next'");
echo '</div>'; echo '</div>';
} }
break; break;

49
pandora_console/include/javascript/pandora_events.js
View File

@ -118,30 +118,26 @@ function execute_response(event_id, server_id) {
} }
response["target"] = get_response_target(event_id, response_id, server_id); response["target"] = get_response_target(event_id, response_id, server_id);
response["event_id"] = event_id;
response["server_id"] = server_id;
switch (response["type"]) { if (response["type"] == "url" && response["new_window"] == 1) {
case "command":
show_response_dialog(event_id, response_id, response);
break;
case "url":
if (response["new_window"] == 1) {
window.open(response["target"], "_blank"); window.open(response["target"], "_blank");
} else { } else {
show_response_dialog(event_id, response_id, response); show_response_dialog(response_id, response);
}
break;
} }
} }
//Show the modal window of an event response //Show the modal window of an event response
function show_response_dialog(event_id, response_id, response) { function show_response_dialog(response_id, response) {
var params = []; var params = [];
params.push("page=include/ajax/events"); params.push("page=include/ajax/events");
params.push("dialogue_event_response=1"); params.push("dialogue_event_response=1");
params.push("massive=0"); params.push("massive=0");
params.push("event_id=" + event_id); params.push("event_id=" + response["event_id"]);
params.push("target=" + response["target"]); params.push("target=" + response["target"]);
params.push("response_id=" + response_id); params.push("response_id=" + response_id);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({ jQuery.ajax({
data: params.join("&"), data: params.join("&"),
@ -159,7 +155,7 @@ function show_response_dialog(event_id, response_id, response) {
draggable: true, draggable: true,
modal: false, modal: false,
open: function() { open: function() {
perform_response(response["target"], response_id); perform_response(response, response_id);
}, },
width: response["modal_width"], width: response["modal_width"],
height: response["modal_height"] height: response["modal_height"]
@ -171,7 +167,6 @@ function show_response_dialog(event_id, response_id, response) {
//Show the modal window of event responses when multiple events are selected //Show the modal window of event responses when multiple events are selected
function show_massive_response_dialog( function show_massive_response_dialog(
event_id,
response_id, response_id,
response, response,
out_iterator, out_iterator,
@ -183,13 +178,14 @@ function show_massive_response_dialog(
params.push("massive=1"); params.push("massive=1");
params.push("end=" + end); params.push("end=" + end);
params.push("out_iterator=" + out_iterator); params.push("out_iterator=" + out_iterator);
params.push("event_id=" + event_id); params.push("event_id=" + response["event_id"]);
params.push("target=" + response["target"]); params.push("target=" + response["target"]);
params.push("response_id=" + response_id); params.push("response_id=" + response_id);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({ jQuery.ajax({
data: params.join("&"), data: params.join("&"),
response_tg: response["target"], response_tg: response,
response_id: response_id, response_id: response_id,
out_iterator: out_iterator, out_iterator: out_iterator,
type: "POST", type: "POST",
@ -384,7 +380,7 @@ function get_response_target(
} }
// Perform a response and put the output into a div // Perform a response and put the output into a div
function perform_response(target, response_id) { function perform_response(response, response_id) {
$("#re_exec_command").hide(); $("#re_exec_command").hide();
$("#response_loading_command").show(); $("#response_loading_command").show();
$("#response_out").html(""); $("#response_out").html("");
@ -392,8 +388,10 @@ function perform_response(target, response_id) {
var params = []; var params = [];
params.push("page=include/ajax/events"); params.push("page=include/ajax/events");
params.push("perform_event_response=1"); params.push("perform_event_response=1");
params.push("target=" + target); params.push("target=" + response["target"]);
params.push("response_id=" + response_id); params.push("response_id=" + response_id);
params.push("event_id=" + response["event_id"]);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({ jQuery.ajax({
data: params.join("&"), data: params.join("&"),
@ -413,7 +411,7 @@ function perform_response(target, response_id) {
} }
// Perform a response and put the output into a div // Perform a response and put the output into a div
function perform_response_massive(target, response_id, out_iterator) { function perform_response_massive(response, response_id, out_iterator) {
$("#re_exec_command").hide(); $("#re_exec_command").hide();
$("#response_loading_command_" + out_iterator).show(); $("#response_loading_command_" + out_iterator).show();
$("#response_out_" + out_iterator).html(""); $("#response_out_" + out_iterator).html("");
@ -421,8 +419,10 @@ function perform_response_massive(target, response_id, out_iterator) {
var params = []; var params = [];
params.push("page=include/ajax/events"); params.push("page=include/ajax/events");
params.push("perform_event_response=1"); params.push("perform_event_response=1");
params.push("target=" + target); params.push("target=" + response["target"]);
params.push("response_id=" + response_id); params.push("response_id=" + response_id);
params.push("event_id=" + response["event_id"]);
params.push("server_id=" + response["server_id"]);
jQuery.ajax({ jQuery.ajax({
data: params.join("&"), data: params.join("&"),
@ -916,17 +916,24 @@ function check_massive_response_event(
$(".chk_val:checked").each(function() { $(".chk_val:checked").each(function() {
var event_id = $(this).val(); var event_id = $(this).val();
var server_id = $("#hidden-server_id_" + event_id).val(); var meta = $("#hidden-meta").val();
var server_id = 0;
if (meta) {
server_id = $("#hidden-server_id_" + event_id).val();
}
response["target"] = get_response_target( response["target"] = get_response_target(
event_id, event_id,
response_id, response_id,
server_id, server_id,
response_command response_command
); );
response["server_id"] = server_id;
response["event_id"] = event_id;
if (total_checked - 1 === counter) end = 1; if (total_checked - 1 === counter) end = 1;
show_massive_response_dialog(event_id, response_id, response, counter, end); show_massive_response_dialog(response_id, response, counter, end);
counter++; counter++;
}); });

3
pandora_console/operation/events/events.build_table.php
View File

@ -1119,12 +1119,13 @@ if ($group_rep == 2) {
server_id, server_id,
response_command response_command
); );
response["server_id"] = server_id;
response["event_id"] = event_id;
if (total_checked-1 === counter) if (total_checked-1 === counter)
end=1; end=1;
show_massive_response_dialog( show_massive_response_dialog(
event_id,
response_id, response_id,
response, response,
counter, counter,

3
pandora_console/operation/events/events.php
View File

@ -1765,6 +1765,9 @@ function process_datatables_item(item) {
evn += '('+item.event_rep+') '; evn += '('+item.event_rep+') ';
} }
evn += item.evento+'</a>'; evn += item.evento+'</a>';
if(item.meta === true) {
evn += '<input id="hidden-server_id_'+item.id_evento+'" type="hidden" value="'+item.server_id+'">';
}
item.mini_severity = '<div class="event flex-row h100p nowrap">'; item.mini_severity = '<div class="event flex-row h100p nowrap">';
item.mini_severity += output; item.mini_severity += output;