tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-28 00:04:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fixed xss event comments vulnerabiluty and some acls on event ajax

Browse Source
This commit is contained in:
Luis Calvo 2020-06-26 15:36:51 +02:00
parent 898d29060a
commit 9a8c42f4ac
4 changed files with 67 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
pandora_console/include/ajax/events.php
View File

@ -871,6 +871,11 @@ if ($get_response_description) {
} }
if ($get_response_params) { if ($get_response_params) {
if (! check_acl($config['id_user'], 0, 'EW')) {
echo 'unauthorized';
return;
}
$response_id = get_parameter('response_id'); $response_id = get_parameter('response_id');
$params = db_get_value('params', 'tevent_response', 'id', $response_id); $params = db_get_value('params', 'tevent_response', 'id', $response_id);
@ -885,6 +890,11 @@ if ($get_response_params) {
} }
if ($get_response_target) { if ($get_response_target) {
if (! check_acl($config['id_user'], 0, 'EW')) {
echo 'unauthorized';
return;
}
$response_id = (int) get_parameter('response_id'); $response_id = (int) get_parameter('response_id');
$event_id = (int) get_parameter('event_id'); $event_id = (int) get_parameter('event_id');
$server_id = (int) get_parameter('server_id'); $server_id = (int) get_parameter('server_id');
@ -901,6 +911,11 @@ if ($get_response_target) {
} }
if ($get_response) { if ($get_response) {
if (! check_acl($config['id_user'], 0, 'EW')) {
echo 'unauthorized';
return;
}
$response_id = get_parameter('response_id'); $response_id = get_parameter('response_id');
$event_response = db_get_row('tevent_response', 'id', $response_id); $event_response = db_get_row('tevent_response', 'id', $response_id);
@ -917,6 +932,11 @@ if ($get_response) {
if ($perform_event_response) { if ($perform_event_response) {
global $config; global $config;
if (! check_acl($config['id_user'], 0, 'EW')) {
echo 'unauthorized';
return;
}
$response_id = get_parameter('response_id'); $response_id = get_parameter('response_id');
$event_id = (int) get_parameter('event_id'); $event_id = (int) get_parameter('event_id');
$server_id = (int) get_parameter('server_id', 0); $server_id = (int) get_parameter('server_id', 0);
@ -1011,6 +1031,11 @@ if ($perform_event_response) {
if ($dialogue_event_response) { if ($dialogue_event_response) {
global $config; global $config;
if (! check_acl($config['id_user'], 0, 'EW')) {
echo 'unauthorized';
return;
}
$event_id = get_parameter('event_id'); $event_id = get_parameter('event_id');
$response_id = get_parameter('response_id'); $response_id = get_parameter('response_id');
$command = get_parameter('target'); $command = get_parameter('target');

4
pandora_console/include/functions_events.php
View File

@ -2118,7 +2118,7 @@ function events_comment(
switch ($comments_format) { switch ($comments_format) {
case 'new': case 'new':
$comment_for_json['comment'] = $comment; $comment_for_json['comment'] = io_safe_input($comment);
$comment_for_json['action'] = $action; $comment_for_json['action'] = $action;
$comment_for_json['id_user'] = $config['id_user']; $comment_for_json['id_user'] = $config['id_user'];
$comment_for_json['utimestamp'] = time(); $comment_for_json['utimestamp'] = time();
@ -2141,7 +2141,7 @@ function events_comment(
$comment = str_replace(["\r\n", "\r", "\n"], '<br>', $comment); $comment = str_replace(["\r\n", "\r", "\n"], '<br>', $comment);
if ($comment != '') { if ($comment != '') {
$commentbox = '<div style="border:1px dotted #CCC; min-height: 10px;">'.$comment.'</div>'; $commentbox = '<div style="border:1px dotted #CCC; min-height: 10px;">'.io_safe_input($comment).'</div>';
} else { } else {
$commentbox = ''; $commentbox = '';
} }

2
pandora_console/operation/events/events.build_table.php
View File

@ -982,6 +982,7 @@ if ($group_rep == 2) {
$array_events_actions[$val['id']] = $val['name']; $array_events_actions[$val['id']] = $val['name'];
} }
if (check_acl($config['id_user'], 0, 'EW')) {
if ($config['event_replication'] != 1) { if ($config['event_replication'] != 1) {
echo '<div style="width:100%;text-align:right;">'; echo '<div style="width:100%;text-align:right;">';
echo '<form method="post" id="form_event_response">'; echo '<form method="post" id="form_event_response">';
@ -1002,6 +1003,7 @@ if ($group_rep == 2) {
echo '</div>'; echo '</div>';
} }
} }
}
?> ?>
<script type="text/javascript"> <script type="text/javascript">

4
pandora_console/operation/events/events.php
View File

@ -1530,7 +1530,7 @@ foreach ($event_responses as $val) {
$array_events_actions[$val['id']] = $val['name']; $array_events_actions[$val['id']] = $val['name'];
} }
if (check_acl($config['id_user'], 0, 'EW')) {
echo '<div class="multi-response-buttons">'; echo '<div class="multi-response-buttons">';
echo '<form method="post" id="form_event_response">'; echo '<form method="post" id="form_event_response">';
echo '<input type="hidden" id="max_execution_event_response" value="'.$config['max_execution_event_response'].'" />'; echo '<input type="hidden" id="max_execution_event_response" value="'.$config['max_execution_event_response'].'" />';
@ -1549,7 +1549,7 @@ echo __(
'Please, select an event' 'Please, select an event'
).'</span>'; ).'</span>';
echo '</div>'; echo '</div>';
}
// Close viewer. // Close viewer.
enterprise_hook('close_meta_frame'); enterprise_hook('close_meta_frame');