tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-28 00:04:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

#12286 fix dashboard vulnerability login admin

Browse Source
This commit is contained in:
Jonathan 2023-10-19 17:06:01 +02:00
parent 42aa751d29
commit 98388bb7d2
5 changed files with 19 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
pandora_console/include/ajax/module.php
View File

@ -1627,7 +1627,6 @@ if (check_login()) {
// Uncompress. // Uncompress.
try { try {
ob_start();
$dateNow = get_system_time(); $dateNow = get_system_time();
$final = ($dateNow - $period); $final = ($dateNow - $period);
$date = ($dateNow - ($time_all_box * $start)); $date = ($dateNow - ($time_all_box * $start));
@ -1751,31 +1750,11 @@ if (check_login()) {
'recordsFiltered' => $total_box, 'recordsFiltered' => $total_box,
] ]
); );
$response = ob_get_clean();
// Clean output buffer.
while (ob_get_level() !== 0) {
ob_end_clean();
}
} catch (Exception $e) { } catch (Exception $e) {
echo json_encode( echo json_encode(
['error' => $e->getMessage()] ['error' => $e->getMessage()]
); );
} }
// If not valid it will throw an exception.
json_decode($response);
if (json_last_error() === JSON_ERROR_NONE) {
// If valid dump.
echo $response;
} else {
echo json_encode(
['error' => $response]
);
}
return;
} }
if ($get_cluster_module_detail === true) { if ($get_cluster_module_detail === true) {

7
pandora_console/include/lib/Dashboard/Widgets/DataMatrix.php
View File

@ -518,6 +518,10 @@ class DataMatrix extends Widget
$column_names = $info_columns['column_names']; $column_names = $info_columns['column_names'];
$columns_sort = $info_columns['columns_sort']; $columns_sort = $info_columns['columns_sort'];
// Public dashboard.
$hash = get_parameter('auth_hash', '');
$id_user = get_parameter('id_user', '');
$tableId = 'dataMatrix_'.$this->dashboardId.'_'.$this->cellId; $tableId = 'dataMatrix_'.$this->dashboardId.'_'.$this->cellId;
// Load datatables user interface. // Load datatables user interface.
ui_print_datatable( ui_print_datatable(
@ -535,6 +539,9 @@ class DataMatrix extends Widget
'slice' => $this->values['slice'], 'slice' => $this->values['slice'],
'formatData' => $this->values['formatData'], 'formatData' => $this->values['formatData'],
'modules' => json_encode($modules), 'modules' => json_encode($modules),
'auth_hash' => $hash,
'auth_class' => 'PandoraFMS\Dashboard\Manager',
'id_user' => $id_user,
], ],
'default_pagination' => $this->values['limit'], 'default_pagination' => $this->values['limit'],
'no_sortable_columns' => $columns_sort, 'no_sortable_columns' => $columns_sort,

6
pandora_console/include/lib/Dashboard/Widgets/ITSMIncidences.php
View File

@ -383,6 +383,9 @@ class ITSMIncidences extends Widget
$column_names[] = $fields[$field]; $column_names[] = $fields[$field];
} }
$hash = get_parameter('auth_hash', '');
$id_user = get_parameter('id_user', '');
$tableId = 'ITSMIncidence_'.$this->dashboardId.'_'.$this->cellId; $tableId = 'ITSMIncidence_'.$this->dashboardId.'_'.$this->cellId;
try { try {
ui_print_datatable( ui_print_datatable(
@ -396,6 +399,9 @@ class ITSMIncidences extends Widget
'ajax_data' => [ 'ajax_data' => [
'method' => 'getListTickets', 'method' => 'getListTickets',
'customSearch' => $this->values['customSearch'], 'customSearch' => $this->values['customSearch'],
'auth_hash' => $hash,
'auth_class' => 'PandoraFMS\Dashboard\Manager',
'id_user' => $id_user,
], ],
'order' => [ 'order' => [
'field' => 'updateDate', 'field' => 'updateDate',

5
pandora_console/include/lib/Dashboard/Widgets/ModulesByStatus.php
View File

@ -431,6 +431,8 @@ class ModulesByStatus extends Widget
$info_columns = $this->columns(); $info_columns = $this->columns();
$column_names = $info_columns['column_names']; $column_names = $info_columns['column_names'];
$columns = $info_columns['columns']; $columns = $info_columns['columns'];
$hash = get_parameter('auth_hash', '');
$id_user = get_parameter('id_user', '');
$tableId = 'ModuleByStatus_'.$this->dashboardId.'_'.$this->cellId; $tableId = 'ModuleByStatus_'.$this->dashboardId.'_'.$this->cellId;
// Load datatables user interface. // Load datatables user interface.
@ -449,6 +451,9 @@ class ModulesByStatus extends Widget
'status' => $this->values['status'], 'status' => $this->values['status'],
'nodes' => $this->values['nodes'], 'nodes' => $this->values['nodes'],
'disabled_modules' => $this->values['disabled_modules'], 'disabled_modules' => $this->values['disabled_modules'],
'auth_hash' => $hash,
'auth_class' => 'PandoraFMS\Dashboard\Manager',
'id_user' => $id_user,
], ],
'default_pagination' => $this->values['limit'], 'default_pagination' => $this->values['limit'],
'order' => [ 'order' => [

21
pandora_console/operation/events/events.php
View File

@ -354,8 +354,6 @@ if (is_ajax() === true) {
if ($get_events !== 0) { if ($get_events !== 0) {
try { try {
ob_start();
$fields = [ $fields = [
'te.id_evento', 'te.id_evento',
'te.id_agente', 'te.id_agente',
@ -1223,32 +1221,15 @@ if (is_ajax() === true) {
'recordsFiltered' => $count, 'recordsFiltered' => $count,
] ]
); );
$response = ob_get_clean();
// Clean output buffer.
while (ob_get_level() !== 0) {
ob_end_clean();
}
} catch (Exception $e) { } catch (Exception $e) {
echo json_encode( echo json_encode(
['error' => $e->getMessage()] ['error' => $e->getMessage()]
); );
} }
// If not valid it will throw an exception.
json_decode($response);
if (json_last_error() == JSON_ERROR_NONE) {
// If valid dump.
echo $response;
} else {
echo json_encode(
['error' => $response]
);
}
} }
// AJAX section ends. // AJAX section ends.
exit; return;
} }
/* /*