Merge branch '2249-Vulnerabilidad-grave---Ejecución-remota-de-código-dev' into 'develop'

Fixed check login in ajax.php

See merge request artica/pandorafms!1474

pandora_console/ajax.php

@@ -46,8 +46,19 @@ if (isset ($_GET["loginhash"])) {
 	}
 }
 
+$public_hash = get_parameter('hash', false);
+
 // Check user
-//check_login ();
+if ($public_hash === false) {
+	check_login();
+} else {
+	enterprise_include_once('include/functions_dashboard.php');
+	if (dashboard_check_public_hash($public_hash) === false) {
+		db_pandora_audit("Invalid public hash",	"Trying to access public dashboard");
+		require ("general/noaccess.php");
+		exit;
+	}
+}
 
 define ('AJAX', true);
 

pandora_console/include/ajax/update_manager.ajax.php

@@ -15,6 +15,14 @@
 
 global $config;
 
+check_login ();
+
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access update Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 require_once($config['homedir'] . "/include/functions_update_manager.php");
 require_once($config['homedir'] . "/include/functions_graph.php");
 enterprise_include_once("include/functions_update_manager.php");