From 05cbc2fb0e5e8f04d6cf633c1ba5503df74b966e Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Tue, 4 Oct 2022 18:00:47 +0200
Subject: [PATCH 1/4] fixed vulnerability

---
 pandora_console/extras/mr/58.sql | 5 +++++
 pandora_console/include/lib/User.php | 8 ++++++++
 pandora_console/include/rest-api/index.php | 14 +++++++++++++-
 pandora_console/pandoradb.sql | 1 +
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 pandora_console/extras/mr/58.sql

diff --git a/pandora_console/extras/mr/58.sql b/pandora_console/extras/mr/58.sql
new file mode 100644
index 0000000000..9ddcadb607
--- /dev/null
+++ b/pandora_console/extras/mr/58.sql
@@ -0,0 +1,5 @@
+START TRANSACTION;
+
+ALTER TABLE `tusuario` ADD COLUMN `auth_token_secret` VARCHAR(45) DEFAULT NULL;
+
+COMMIT;
\ No newline at end of file
diff --git a/pandora_console/include/lib/User.php b/pandora_console/include/lib/User.php
index ce03e31a03..45605e9abe 100644
--- a/pandora_console/include/lib/User.php
+++ b/pandora_console/include/lib/User.php
@@ -188,6 +188,14 @@ class User implements PublicLogin
 $config['public_access'] = false;
 }
+ if (empty($other_secret) === true) {
+ $auth_token_secret = db_get_value('auth_token_secret', 'tusuario', 'id_user', $config['id_user']);
+
+ if (empty($auth_token_secret) === false) {
+ $other_secret = $auth_token_secret;
+ }
+ }
+
 // Build a hash to check.
 $hashCheck = self::generatePublicHash($other_secret);
 if ($hashCheck === $hash) {
diff --git a/pandora_console/include/rest-api/index.php b/pandora_console/include/rest-api/index.php
index 8db1b40c2f..dee51a9bc7 100644
--- a/pandora_console/include/rest-api/index.php
+++ b/pandora_console/include/rest-api/index.php
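Review bot: When neither `$other_secret` nor a stored `auth_token_secret` is available, the new block in the User.php hunk leaves the secret empty and the existing check below still derives `$hashCheck` from that empty value, so a hash built without any per-user secret keeps validating exactly as it did before this change. Rejecting that case closes the gap: after the `if (empty($auth_token_secret) === false)` block add `if (empty($other_secret) === true) { return false; }`, assuming the enclosing method (which starts outside the hunk) signals failure with `false` the way the method at line 128 of the same file does; otherwise use its existing failure path. While here, the comparison on the last visible line is a plain `===` on the hash; `if (hash_equals($hashCheck, $hash)) {` avoids the timing side channel. `$config['id_user']` is used as the lookup key without a visible guarantee that it names the user the hash was issued for — worth confirming against the caller.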
@@ -66,7 +66,19 @@ if ($doLogin === true) {
 ]
 ) === true
 ) {
- echo json_encode(['auth_hash' => User::generatePublicHash()]);
+ $newGeneratedSecret = bin2hex(openssl_random_pseudo_bytes(15));
+
+ $res_update = update_user(
+ $id_user,
+ ['auth_token_secret' => $newGeneratedSecret]
+ );
+
+ if ($res_update === false) {
+ http_response_code(404);
+ return;
+ }
+
+ echo json_encode(['auth_hash' => User::generatePublicHash($newGeneratedSecret)]);
 } else {
 db_pandora_audit(
 AUDIT_LOG_ACL_VIOLATION,
diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql
index f3c3e61472..1ae2807317 100644
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@@ -1308,6 +1308,7 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
 `integria_user_level_pass` VARCHAR(45),
 `allowed_ip_active` TINYINT UNSIGNED DEFAULT 0,
 `allowed_ip_list` TEXT,
+ `auth_token_secret` VARCHAR(45) DEFAULT NULL,
 CONSTRAINT `fk_filter_id` FOREIGN KEY (`id_filter`) REFERENCES tevent_filter (`id_filter`) ON DELETE SET NULL,
 UNIQUE KEY `id_user` (`id_user`)
 ) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
From 2ea3c3038cf7b66c35ed45499693aeca6d59922f Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Tue, 4 Oct 2022 18:13:50 +0200
Subject: [PATCH 2/4] fixed vulnerabilities

---
 pandora_console/ajax.php | 1 +
 pandora_console/extras/delete_files/delete_files.txt | 1 +
 2 files changed, 2 insertions(+)

diff --git a/pandora_console/ajax.php b/pandora_console/ajax.php
index 8b98d1c34a..4139117364 100644
--- a/pandora_console/ajax.php
+++ b/pandora_console/ajax.php
@@ -110,6 +110,7 @@ $auth_class = io_safe_output(
 $page = (string) get_parameter('page');
 $page = safe_url_extraclean($page);
 $page .= '.php';
+$page = realpath($page);
 $public_hash = get_parameter('auth_hash', false);
 $public_login = false;
diff --git a/pandora_console/extras/delete_files/delete_files.txt b/pandora_console/extras/delete_files/delete_files.txt
index f9acc8ade4..96223ccd69 100644
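Review bot: `openssl_random_pseudo_bytes(15)` on the first added line of the rest-api hunk is the weaker of the two CSPRNG entry points — on older PHP releases it can return non-cryptographic bytes unless its `$strong_result` argument is checked, whereas `random_bytes()` throws on failure — so the line should read `$newGeneratedSecret = bin2hex(random_bytes(15));`. The failure branch answers `404` when `update_user` returns false, which is a persistence error rather than a missing resource; `http_response_code(500);` describes it accurately and keeps the `return`. Each successful login overwrites `auth_token_secret`, so any hash issued earlier for the same user stops validating; if that rotation is intended it deserves a comment such as `// Rotate the per-user secret on every login; previously issued auth_hash values become invalid.`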
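Review bot: `realpath($page)` on the added line of the ajax.php hunk canonicalises the path but does not confine it, so if `safe_url_extraclean` lets a `..` segment or an absolute path through, a page that resolves outside the console directory is still accepted, and a non-existent page turns `$page` into `false`, which the later code (outside this hunk) has to cope with. Anchor the resolution and check containment: `$base = realpath(__DIR__) . DIRECTORY_SEPARATOR;` then `$page = realpath(__DIR__ . DIRECTORY_SEPARATOR . $page);` then `if ($page === false || strncmp($page, $base, strlen($base)) !== 0) { /* reject as the file does for an unauthorised request */ }`. What `safe_url_extraclean` strips is not visible here; the containment check is cheap insurance either way, and it also makes the later equality against the rest-api path independent of the working directory.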
--- a/pandora_console/extras/delete_files/delete_files.txt
+++ b/pandora_console/extras/delete_files/delete_files.txt
@@ -1666,3 +1666,4 @@ godmode/um_client/vendor/sebastian/object-enumerator
 godmode/um_client/vendor/sebastian
 godmode/um_client/vendor
 update_manager_client/resources/styles/pandora.css
+enterprise/meta/general/upload_head_image.php
From d707c29110ca13fec7aa1f8c2119a0dd90a6de17 Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Wed, 19 Oct 2022 16:46:07 +0200
Subject: [PATCH 3/4] minor fix

---
 pandora_console/ajax.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pandora_console/ajax.php b/pandora_console/ajax.php
index 4139117364..bea9dfc771 100644
--- a/pandora_console/ajax.php
+++ b/pandora_console/ajax.php
@@ -116,7 +116,7 @@ $public_login = false;
 if (false === ((bool) get_parameter('doLogin', false) === true
- && $page === 'include/rest-api/index.php')
+ && $page === realpath('include/rest-api/index.php'))
 ) {
 // Check user.
 if (class_exists($auth_class) === false || $public_hash === false) {
From f87737a0933feb0b16f12a93d004cbdfb0df75bb Mon Sep 17 00:00:00 2001
From: "alejandro.campos@artica.es"
Date: Wed, 19 Oct 2022 17:07:22 +0200
Subject: [PATCH 4/4] minor fix

---
 pandora_console/include/lib/User.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pandora_console/include/lib/User.php b/pandora_console/include/lib/User.php
index 45605e9abe..227bb77c91 100644
--- a/pandora_console/include/lib/User.php
+++ b/pandora_console/include/lib/User.php
@@ -128,7 +128,7 @@ class User implements PublicLogin
 {
 $user = new self($data);
- if ($user === null) {
+ if ($user->idUser === null) {
 return false;
 }
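Review bot: Both sides of the comparison on the added line of the ajax.php hunk in PATCH 3 depend on the process working directory, since `realpath('include/rest-api/index.php')` and the earlier `realpath($page)` from PATCH 2 resolve relative paths against it; if the front controller is ever invoked with a different cwd the equality silently fails and the login request drops into the generic user check. Anchoring the reference to the file removes that dependency: `&& $page === realpath(__DIR__ . '/include/rest-api/index.php'))`, with `$page` resolved against `__DIR__` the same way. The `if` statement's body continues past the hunk.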