tyler.durden/pandorafms
1
0
Fork 0
mirror of https://github.com/pandorafms/pandorafms.git synced 2025-07-29 16:55:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ent-8611-vulnerabilidad-en-bulk-operations' into 'develop'

Browse Source 
Fix permission vulnerabilities on profile massive operations

See merge request artica/pandorafms!4717
This commit is contained in:
Daniel Rodriguez 2022-03-10 13:54:10 +00:00
commit ef98f5bdef
1 changed files with 68 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
pandora_console/godmode/massive/massive_add_profiles.php
View File

@ -64,6 +64,40 @@ require_once $config['homedir'].'/include/functions_users.php';
$create_profiles = (int) get_parameter('create_profiles'); $create_profiles = (int) get_parameter('create_profiles');
// Get users and groups user can manage to check and for selectors.
$group_um = users_get_groups_UM($config['id_user']);
$users_profiles = '';
$users_order = [
'field' => 'id_user',
'order' => 'ASC',
];
$info_users = [];
// Is admin.
if (users_is_admin()) {
$info_users = users_get_info($users_order, 'id_user');
// has PM permission.
} else if (check_acl($config['id_user'], 0, 'PM')) {
$info_users = users_get_info($users_order, 'id_user');
foreach ($info_users as $id_user => $value) {
if (users_is_admin($id_user)) {
unset($info_users[$value]);
}
}
} else {
$info = [];
foreach ($group_um as $group => $value) {
$info = array_merge($info, users_get_users_by_group($group, $value));
}
foreach ($info as $key => $value) {
if (!$value['is_admin']) {
$info_users[$key] = $value['id_user'];
}
}
}
if ($create_profiles) { if ($create_profiles) {
$profiles_id = get_parameter('profiles_id', -1); $profiles_id = get_parameter('profiles_id', -1);
$groups_id = get_parameter('groups_id', -1); $groups_id = get_parameter('groups_id', -1);
@ -74,8 +108,42 @@ if ($create_profiles) {
$result = false; $result = false;
} else { } else {
foreach ($profiles_id as $profile) { foreach ($profiles_id as $profile) {
// Check profiles permissions for non admin user.
if (is_user_admin($config['user_id']) === false) {
$user_profiles = profile_get_profiles(
[
'pandora_management' => '<> 1',
'db_management' => '<> 1',
]
);
if (array_search((int) $profile, array_keys($user_profiles)) === false) {
db_pandora_audit(
AUDIT_LOG_ACL_VIOLATION,
'Trying to add administrator profile whith standar user for user '.io_safe_input($user)
);
exit;
}
}
foreach ($groups_id as $group) { foreach ($groups_id as $group) {
if (check_acl($config['id_user'], $group, 'UM') === false) {
db_pandora_audit(
AUDIT_LOG_ACL_VIOLATION,
'Trying to add profile group without permission for user '.io_safe_input($user)
);
exit;
}
foreach ($users_id as $user) { foreach ($users_id as $user) {
if (array_search($user, $info_users) === false) {
db_pandora_audit(
AUDIT_LOG_ACL_VIOLATION,
'Trying to edit user without permission for user '.io_safe_input($user)
);
exit;
}
$profile_data = db_get_row_filter('tusuario_perfil', ['id_usuario' => $user, 'id_perfil' => $profile, 'id_grupo' => $group]); $profile_data = db_get_row_filter('tusuario_perfil', ['id_usuario' => $user, 'id_perfil' => $profile, 'id_grupo' => $group]);
// If the profile doesnt exist, we create it // If the profile doesnt exist, we create it
if ($profile_data === false) { if ($profile_data === false) {
@ -142,7 +210,6 @@ $table->size[2] = '33%';
$data = []; $data = [];
$data[0] = '<form method="post" id="form_profiles" action="index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles">'; $data[0] = '<form method="post" id="form_profiles" action="index.php?sec=gmassive&sec2=godmode/massive/massive_operations&tab=massive_users&option=add_profiles">';
$group_um = users_get_groups_UM($config['id_user']);
$display_all_group = true; $display_all_group = true;
if (check_acl($config['id_user'], 0, 'PM')) { if (check_acl($config['id_user'], 0, 'PM')) {
@ -205,36 +272,6 @@ $data[1] = html_print_select_groups(
$data[2] = '<span id="alerts_loading" class="invisible">'; $data[2] = '<span id="alerts_loading" class="invisible">';
$data[2] .= html_print_image('images/spinner.png', true); $data[2] .= html_print_image('images/spinner.png', true);
$data[2] .= '</span>'; $data[2] .= '</span>';
$users_profiles = '';
$users_order = [
'field' => 'id_user',
'order' => 'ASC',
];
$info_users = [];
// Is admin.
if (users_is_admin()) {
$info_users = users_get_info($users_order, 'id_user');
// has PM permission.
} else if (check_acl($config['id_user'], 0, 'PM')) {
$info_users = users_get_info($users_order, 'id_user');
foreach ($info_users as $id_user => $value) {
if (users_is_admin($id_user)) {
unset($info_users[$value]);
}
}
} else {
$info = [];
foreach ($group_um as $group => $value) {
$info = array_merge($info, users_get_users_by_group($group, $value));
}
foreach ($info as $key => $value) {
if (!$value['is_admin']) {
$info_users[$key] = $value['id_user'];
}
}
}
$data[2] .= html_print_select( $data[2] .= html_print_select(
$info_users, $info_users,