Merge branch 'ent-13728-vulnerabilidades-sql-injection-y-os-command-injection' into 'develop'

Fix vulnerabilities in events and API, and fix metaconsole responses pandora_enterprise#13728

See merge request artica/pandorafms!7393
Diego Muñoz-Reja 2024-05-20 08:10:56 +00:00
commit f6ec4f8004
4 changed files with 118 additions and 138 deletions


@ -1205,13 +1205,8 @@ if ($get_response === true) {
if (empty($event_id) === false) { if (empty($event_id) === false) {
try { try {
$target_metaconsole = ''; if (is_metaconsole() === true && $server_id > 0) {
if (is_metaconsole() === true
&& $server_id > 0
) {
$target_metaconsole = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id']));
$node = new Node($server_id); $node = new Node($server_id);
$node->connect();
} }
$event_response['target'] = events_get_response_target( $event_response['target'] = events_get_response_target(
@ -1220,28 +1215,13 @@ if ($get_response === true) {
$response_parameters, $response_parameters,
$server_id, $server_id,
($server_id !== 0) ? $node->server_name() : 'Metaconsole', ($server_id !== 0) ? $node->server_name() : 'Metaconsole',
$target_metaconsole
); );
} catch (\Exception $e) { } catch (\Exception $e) {
// Unexistent agent.
if (is_metaconsole() === true
&& $server_id > 0
) {
$node->disconnect();
}
return; return;
} finally {
if (is_metaconsole() === true
&& $server_id > 0
) {
$node->disconnect();
}
} }
} }
echo json_encode($event_response); echo json_encode($event_response);
return; return;
} }
@ -1313,23 +1293,29 @@ if ($get_response_massive === true) {
if ($get_row_response_action === true) { if ($get_row_response_action === true) {
$response_id = get_parameter('response_id'); $response_id = get_parameter('response_id');
$response = json_decode( $server_id = get_parameter('server_id');
io_safe_output( $event_id = get_parameter('event_id');
get_parameter('response', '') $response_parameters = (array) json_decode(
), io_safe_output(get_parameter('response_parameters', '')),
true true
); );
$end = (bool) get_parameter('end', false); $event_response = db_get_row(
$index = $response['event_id']; 'tevent_response',
'id',
$response_id
);
$index = $event_id;
if (is_metaconsole() === true) { if (is_metaconsole() === true) {
$index .= '-'.$response['server_id']; $index .= '-'.$server_id;
} }
echo get_row_response_action( echo get_row_response_action(
$response, $event_response,
$response_id, $event_id,
$end, $server_id,
$response_parameters,
$index $index
); );
@ -1344,34 +1330,31 @@ if ($perform_event_response === true) {
return; return;
} }
$target = get_parameter('target', ''); $response_id = (int) get_parameter('response_id', 0);
$response_id = get_parameter('response_id');
$event_id = (int) get_parameter('event_id'); $event_id = (int) get_parameter('event_id');
$server_id = (int) get_parameter('server_id', 0); $server_id = (int) get_parameter('server_id', 0);
$response = json_decode( $response_parameters = (array) json_decode(
io_safe_output( io_safe_output(get_parameter('response_parameters', '')),
get_parameter('response', '')
),
true true
); );
$event_response = $response; $event_response = db_get_row(
'tevent_response',
'id',
$response_id
);
if (empty($event_response) === true) { if (empty($event_response) === true) {
echo __('No data'); echo __('No data');
return; return;
} }
$command = $event_response['target']; $command = get_events_get_response_target(
$event_id,
// Prevent OS command injection. $event_response,
$prev_command = get_events_get_response_target($event_id, $event_response, $server_id); $server_id,
$response_parameters
if ($command !== $prev_command) { );
echo __('unauthorized'); $command_timeout = (empty($event_response['command_timeout']) === false) ? $event_response['command_timeout'] : 90;
return;
}
$command_timeout = ($event_response !== false) ? $event_response['command_timeout'] : 90;
if (enterprise_installed() === true) { if (enterprise_installed() === true) {
if ($event_response !== false if ($event_response !== false
&& (int) $event_response['server_to_exec'] !== 0 && (int) $event_response['server_to_exec'] !== 0
@ -1470,21 +1453,33 @@ if ($dialogue_event_response) {
return; return;
} }
$event_id = get_parameter('event_id'); $event_id = (int) get_parameter('event_id', 0);
$response_id = get_parameter('response_id'); $response_id = (int) get_parameter('response_id', 0);
$command = get_parameter('target'); $server_id = (int) get_parameter('server_id', 0);
$event_response = json_decode( $response_parameters = (array) json_decode(
io_safe_output( io_safe_output(get_parameter('response_parameters', '')),
get_parameter('response', '')
),
true true
); );
$event_response = db_get_row(
'tevent_response',
'id',
$response_id
);
$command = get_events_get_response_target(
$event_id,
$event_response,
$server_id,
$response_parameters
);
switch ($event_response['type']) { switch ($event_response['type']) {
case 'command': case 'command':
echo get_row_response_action( echo get_row_response_action(
$event_response, $event_response,
$response_id $event_id,
$server_id,
$response_parameters
); );
break; break;
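Review bot: In the get_row_response_action hunk the row fetched by `db_get_row('tevent_response', 'id', $response_id)` is passed straight to `get_row_response_action(array $event_response, ...)`, so an unknown or tampered response_id yields `false` and a TypeError instead of the `__('No data')` exit the perform_event_response hunk has; the same unchecked lookup precedes `switch ($event_response['type'])` in the dialogue_event_response hunk. Add the same guard after each of those lookups: `if (empty($event_response) === true) { echo __('No data'); return; }`. Also, `$response_id`, `$server_id` and `$event_id` in the get_row_response_action hunk are the only ones left uncast, and `$event_id`/`$server_id` feed `$index`, which get_row_response_action() concatenates into an id attribute and an onclick string, so casting them to `(int)` as the other two hunks do is both consistent and a cheap defence. In the perform_event_response hunk, get_events_get_response_target() returns `''` on its catch path and nothing in the hunk stops the execution that follows (outside the hunk) from proceeding with an empty command; a `if ($command === '') { echo __('No data'); return; }` check right after the call would close that gap.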


@ -83,7 +83,7 @@ $apiPassword = io_output_password(
$apiTokenValid = false; $apiTokenValid = false;
// Try getting bearer token from header. // Try getting bearer token from header.
// TODO. Getting token from url will be removed. // TODO. Getting token from url will be removed.
$apiToken = (string) getBearerToken(); $apiToken = (string) io_safe_input(getBearerToken());
if (empty($apiToken) === true) { if (empty($apiToken) === true) {
// Legacy user/pass token. // Legacy user/pass token.
// TODO. Revome in future. // TODO. Revome in future.
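Review bot: Passing the bearer token through `io_safe_input()` on the new line changes the value for any token containing a character that function rewrites (as far as I can tell it is the console's HTML-entity escaper, so quotes, angle brackets and ampersands), and the validation that follows — outside the hunk — will then reject such tokens unless the stored token was encoded the same way. If the escaping is meant to neutralise the token before it reaches a query, the safer fix is to keep the raw value and bind it as a parameter at the comparison, and that comparison should use `hash_equals()` so the check is constant-time. A one-line comment stating which of the two the escaping is for, e.g. `// Token is HTML-escaped here because stored tokens are saved through io_safe_input() as well.` (if that is the case), would prevent a future regression.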


@ -636,7 +636,10 @@ function events_update_status($id_evento, $status, $filter=null)
break; break;
} }
$result = db_process_sql($update_sql); $result = false;
if (empty($update_sql) === false) {
$result = db_process_sql($update_sql);
}
if ($result !== false) { if ($result !== false) {
switch ($status) { switch ($status) {
@ -3832,8 +3835,7 @@ function events_get_response_target(
array $event_response, array $event_response,
?array $response_parameters=null, ?array $response_parameters=null,
?int $server_id=0, ?int $server_id=0,
?string $server_name='', ?string $server_name=''
?string $target_metaconsole=''
) { ) {
global $config; global $config;
@ -3847,9 +3849,6 @@ function events_get_response_target(
$event = db_get_row('tevento', 'id_evento', $event_id); $event = db_get_row('tevento', 'id_evento', $event_id);
$target = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id'])); $target = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id']));
if (empty($target) === true && $target_metaconsole !== '') {
$target = io_safe_output($target_metaconsole);
}
// Replace parameters response. // Replace parameters response.
if (isset($response_parameters) === true if (isset($response_parameters) === true
@ -6008,9 +6007,10 @@ function events_get_criticity_class($criticity)
*/ */
function get_row_response_action( function get_row_response_action(
array $event_response, array $event_response,
?int $response_id, ?int $id_event,
$end=false, ?int $server_id,
$index=null ?array $response_parameters=[],
?string $index=null
) { ) {
$output = '<div class="container-massive-events-response-cell">'; $output = '<div class="container-massive-events-response-cell">';
$display_command = (bool) $event_response['display_command']; $display_command = (bool) $event_response['display_command'];
@ -6019,7 +6019,7 @@ function get_row_response_action(
// String command. // String command.
$output .= '<div class="container-massive-events-response-command">'; $output .= '<div class="container-massive-events-response-command">';
$output .= '<b>'; $output .= '<b>';
$output .= __('Event # %d', $event_response['event_id']); $output .= __('Event # %d', $id_event);
if (empty($command_str) === false) { if (empty($command_str) === false) {
$output .= ' '; $output .= ' ';
$output .= __('Executing command: '); $output .= __('Executing command: ');
@ -6042,11 +6042,18 @@ function get_row_response_action(
// Butom. // Butom.
$output .= '<div id="re_exec_command'.$index.'" style="display:none" class="container-massive-events-response-execute">'; $output .= '<div id="re_exec_command'.$index.'" style="display:none" class="container-massive-events-response-execute">';
$info = [
'response_id' => $event_response['id'],
'server_id' => $server_id,
'event_id' => $id_event,
'response_parameters' => $response_parameters,
];
$output .= html_print_button( $output .= html_print_button(
__('Execute again'), __('Execute again'),
'btn_str', 'btn_str',
false, false,
'perform_response("'.base64_encode(json_encode($event_response)).'",'.$response_id.',"'.trim($index).'")', 'perform_response("'.base64_encode(json_encode($info)).'","'.trim($index).'")',
[ [
'icon' => 'next', 'icon' => 'next',
'mode' => 'mini secondary', 'mode' => 'mini secondary',
@ -6077,13 +6084,8 @@ function get_events_get_response_target(
$response_parameters=[] $response_parameters=[]
) { ) {
try { try {
$target_metaconsole = ''; if (is_metaconsole() === true && $server_id > 0) {
if (is_metaconsole() === true
&& $server_id > 0
) {
$target_metaconsole = io_safe_output(db_get_value('target', 'tevent_response', 'id', $event_response['id']));
$node = new Node($server_id); $node = new Node($server_id);
$node->connect();
} }
return events_get_response_target( return events_get_response_target(
@ -6091,24 +6093,10 @@ function get_events_get_response_target(
$event_response, $event_response,
$response_parameters, $response_parameters,
$server_id, $server_id,
($server_id !== 0) ? $node->server_name() : 'Metaconsole', ($server_id !== 0) ? $node->server_name() : 'Metaconsole'
$target_metaconsole
); );
} catch (\Exception $e) { } catch (\Exception $e) {
// Unexistent agent.
if (is_metaconsole() === true
&& $server_id > 0
) {
$node->disconnect();
}
return ''; return '';
} finally {
if (is_metaconsole() === true
&& $server_id > 0
) {
$node->disconnect();
}
} }
} }
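Review bot: In get_row_response_action(), `$index` is still concatenated unescaped into the `id="re_exec_command'.$index.'"` attribute and into the `perform_response("…","'.trim($index).'")` onclick string, and the ajax callers build `$index` from request parameters; either document that callers must pass an integer-derived value or escape it here, e.g. `$safe_index = htmlspecialchars(trim((string) $index), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and use it in both places. The new `$info` array sends only `$event_response['id']` to the client, which is the right direction — the server re-reads tevent_response by id instead of trusting a client-supplied target — and that intent deserves a one-line comment above `$info = [`, e.g. `// Only the response id travels to the client; the target is re-read from tevent_response server-side.`. In get_events_get_response_target() the Node is now constructed without connect()/disconnect(); if `server_name()` needs no connection that is fine, but a short comment saying so would stop someone re-adding the calls later.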


@ -143,7 +143,14 @@ function execute_response(event_id, server_id) {
if (response["type"] == "url" && response["new_window"] == 1) { if (response["type"] == "url" && response["new_window"] == 1) {
window.open(response["target"], "_blank"); window.open(response["target"], "_blank");
} else { } else {
show_response_dialog(response_id, response); var data = {};
data.response_id = response_id;
data.server_id = server_id;
data.event_id = event_id;
data.response_parameters = response_parameters;
data.modal_width = response["modal_width"];
data.modal_height = response["modal_height"];
show_response_dialog(data);
} }
} }
}); });
@ -173,12 +180,10 @@ function execute_response_massive(events, response_id, response_parameters) {
// Convert to array. // Convert to array.
var array_data = Object.entries(data.event_response_targets); var array_data = Object.entries(data.event_response_targets);
var total_count = array_data.length;
// Each input checkeds. // Each input checkeds.
array_data.forEach(function(element, index) { array_data.forEach(function(element, index) {
var id = element[0]; var id = element[0];
var target = element[1].target;
var meta = $("#hidden-meta").val(); var meta = $("#hidden-meta").val();
var event_id = id; var event_id = id;
var server_id = 0; var server_id = 0;
@ -188,25 +193,22 @@ function execute_response_massive(events, response_id, response_parameters) {
server_id = split_id[1]; server_id = split_id[1];
} }
var end = 0; if (
if (total_count - 1 === index) { data.event_response["type"] == "url" &&
end = 1; data.event_response["new_window"] == 1
} ) {
window.open(data.event_response["target"], "_blank");
var response = data.event_response;
response["event_id"] = event_id;
response["server_id"] = server_id;
response["target"] = target;
if (response["type"] == "url" && response["new_window"] == 1) {
window.open(response["target"], "_blank");
} else { } else {
var params = []; var params = [];
params.push({ name: "page", value: "include/ajax/events" }); params.push({ name: "page", value: "include/ajax/events" });
params.push({ name: "get_row_response_action", value: 1 }); params.push({ name: "get_row_response_action", value: 1 });
params.push({ name: "response_id", value: response_id }); params.push({ name: "response_id", value: response_id });
params.push({ name: "server_id", value: response.server_id }); params.push({ name: "server_id", value: server_id });
params.push({ name: "end", value: end }); params.push({ name: "event_id", value: event_id });
params.push({ name: "response", value: JSON.stringify(response) }); params.push({
name: "response_parameters",
value: response_parameters
});
jQuery.ajax({ jQuery.ajax({
data: params, data: params,
@ -215,20 +217,17 @@ function execute_response_massive(events, response_id, response_parameters) {
dataType: "html", dataType: "html",
success: function(data) { success: function(data) {
$(".container-massive-events-response").append(data); $(".container-massive-events-response").append(data);
response["event_id"] = event_id;
response["server_id"] = server_id;
response["target"] = target;
var indexstr = event_id; var indexstr = event_id;
if (meta != 0) { if (meta != 0) {
indexstr += "-" + server_id; indexstr += "-" + server_id;
} }
perform_response( var info = {};
btoa(JSON.stringify(response)), info.response_id = response_id;
response_id, info.server_id = server_id;
indexstr info.event_id = event_id;
); info.response_parameters = JSON.parse(response_parameters);
perform_response(btoa(JSON.stringify(info)), indexstr);
} }
}); });
} }
@ -238,15 +237,17 @@ function execute_response_massive(events, response_id, response_parameters) {
} }
//Show the modal window of an event response //Show the modal window of an event response
function show_response_dialog(response_id, response) { function show_response_dialog(info) {
var params = []; var params = [];
params.push({ name: "page", value: "include/ajax/events" }); params.push({ name: "page", value: "include/ajax/events" });
params.push({ name: "dialogue_event_response", value: 1 }); params.push({ name: "dialogue_event_response", value: 1 });
params.push({ name: "event_id", value: response.event_id }); params.push({ name: "event_id", value: info.event_id });
params.push({ name: "target", value: response.target }); params.push({ name: "response_id", value: info.response_id });
params.push({ name: "response_id", value: response_id }); params.push({ name: "server_id", value: info.server_id });
params.push({ name: "server_id", value: response.server_id }); params.push({
params.push({ name: "response", value: JSON.stringify(response) }); name: "response_parameters",
value: JSON.stringify(info.response_parameters)
});
var view = ``; var view = ``;
@ -272,10 +273,10 @@ function show_response_dialog(response_id, response) {
draggable: true, draggable: true,
modal: false, modal: false,
open: function() { open: function() {
perform_response(btoa(JSON.stringify(response)), response_id, ""); perform_response(btoa(JSON.stringify(info)));
}, },
width: response["modal_width"], width: info.modal_width,
height: response["modal_height"], height: info.modal_height,
buttons: [] buttons: []
}) })
.show(); .show();
@ -284,26 +285,22 @@ function show_response_dialog(response_id, response) {
} }
// Perform a response and put the output into a div // Perform a response and put the output into a div
function perform_response(response, response_id, index = "") { function perform_response(info, index = "") {
info = JSON.parse(atob(info));
$("#re_exec_command" + index).hide(); $("#re_exec_command" + index).hide();
$("#response_loading_command" + index).show(); $("#response_loading_command" + index).show();
$("#response_out" + index).html(""); $("#response_out" + index).html("");
try {
response = JSON.parse(atob(response));
} catch (e) {
console.error(e);
return;
}
var params = []; var params = [];
params.push({ name: "page", value: "include/ajax/events" }); params.push({ name: "page", value: "include/ajax/events" });
params.push({ name: "perform_event_response", value: 1 }); params.push({ name: "perform_event_response", value: 1 });
params.push({ name: "target", value: response["target"] }); params.push({ name: "response_id", value: info.response_id });
params.push({ name: "response_id", value: response_id }); params.push({ name: "event_id", value: info.event_id });
params.push({ name: "event_id", value: response["event_id"] }); params.push({ name: "server_id", value: info.server_id });
params.push({ name: "server_id", value: response["server_id"] }); params.push({
params.push({ name: "response", value: JSON.stringify(response) }); name: "response_parameters",
value: JSON.stringify(info.response_parameters)
});
jQuery.ajax({ jQuery.ajax({
data: params, data: params,