fix(sec): add SQL and XSS protection of Administration Logs page (#7038)
vhr authored and kduret committed Dec 28, 2018
1 parent 312b460 commit c67c1a2
Showing 2 changed files with 40 additions and 25 deletions.
18 changes: 9 additions & 9 deletions www/include/Administration/configChangelog/viewLogs.ihtml
Expand Up @@ -11,16 +11,16 @@
<td></td>
</tr>
<tr>
<td><input type='text' name='searchO' value="{$searchO}" /></td>
<td><input type='text' name='searchU' value="{$searchU}" /></td>
<td><input type='text' name='searchO' value="{$searchO|escape}" /></td>
<td><input type='text' name='searchU' value="{$searchU|escape}" /></td>
<td><select name='otype'>{$obj_type}</select></td>
<td><input type='submit' class="btc bt_success" name='SearchB' value='{$Search}' /></td>
<td><input type='submit' class="btc bt_success" name='SearchB' value='{$Search|escape}' /></td>
</tr>
</tbody>
</table>
<table class="ToolbarTable table">
<tr class="ToolbarTR">
<td style='width:30%;'><input name="p" value="{$p}" type="hidden">&nbsp;</td>
<td style='width:30%;'><input name="p" value="{$p|escape}" type="hidden">&nbsp;</td>
{php}
include('./include/common/pagination.php');
{/php}
Expand All @@ -47,11 +47,11 @@
<td class='ListColCenter'>{$elem.type}</td>
<td class='ListColLeft'>
{if $elem.host != ''}
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU}&searchO={$searchO}&otype={$type_id}">{$elem.host} / {$elem.object_name}</a>
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU|urlencode}&searchO={$searchO|urlencode}&otype={$type_id}">{$elem.host} / {$elem.object_name}</a>
{elseif $elem.hostgroup != ''}
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU}&searchO={$searchO}&otype={$type_id}">{$elem.hostgroup} / {$elem.object_name}</a>
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU|urlencode}&searchO={$searchO|urlencode}&otype={$type_id}">{$elem.hostgroup} / {$elem.object_name}</a>
{elseif $elem.hosts}
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU}&searchO={$searchO}&otype={$type_id}">
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU|urlencode}&searchO={$searchO|urlencode}&otype={$type_id}">
(
{assign var=flag value=0}
{foreach key=key2 item=item2 from=$elem.hosts}
Expand All @@ -61,7 +61,7 @@
{/foreach}
) {$elem.object_name}</a>
{elseif $elem.hostgroups}
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU}&searchO={$searchO}&otype={$type_id}">
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU|urlencode}&searchO={$searchO|urlencode}&otype={$type_id}">
(
{assign var=flag value=0}
{foreach key=key2 item=item2 from=$elem.hostgroups}
Expand All @@ -71,7 +71,7 @@
{/foreach}
) {$elem.object_name}</a>
{else}
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU}&searchO={$searchO}&otype={$type_id}">{$elem.object_name}</a>
<a href="./main.php?p={$p}&object_type={$elem.type}&object_id={$elem.object_id}&searchU={$searchU|urlencode}&searchO={$searchO|urlencode}&otype={$type_id|urlencode}">{$elem.object_name}</a>
{/if}
</td>
<td class='ListColCenter'>{$elem.author}</td>
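Review bot: `otype={$type_id|urlencode}` on the last link in the `{else}` branch encodes a value twice: the PHP side of this same commit assigns `type_id` as `urlencode($otype)`, so any non-alphanumeric character reaches the URL as `%25..`/`%2B`, while the four sibling links above (`{elseif $elem.host != ''}` through `{elseif $elem.hostgroups}`) still interpolate `{$type_id}` bare. Encode at one layer only: either drop the modifier here (`otype={$type_id}`) or apply `|urlencode` on all five links and assign the raw `$otype` in viewLogs.php. This is harmless if `otype` is always an integer index, which the hunk does not show. `{$p}`, `{$elem.type}` and `{$elem.object_id}` are also placed in the query string without `|urlencode`; they look numeric or pre-escaped on the PHP side, but the template should not rely on that. The enclosing `{if}` chain and the loop it sits in start and end outside the hunk.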
47 changes: 31 additions & 16 deletions www/include/Administration/configChangelog/viewLogs.php
Expand Up @@ -52,7 +52,7 @@ function searchUserName($user_name)
if ($str != "") {
$str .= ", ";
}
$str .= "'" . $row['contact_id'] . "'";
$str .= "'" . (int) $row['contact_id'] . "'";
}
if ($str == "") {
$str = "''";
Expand Down Expand Up @@ -85,7 +85,9 @@ function searchUserName($user_name)
$contactList = array();
$DBRES = $pearDB->query("SELECT contact_id, contact_name, contact_alias FROM contact");
while ($row = $DBRES->fetchRow()) {
$contactList[$row["contact_id"]] = $row["contact_name"] . " (".$row["contact_alias"].")";
$contactList[$row["contact_id"]] = CentreonUtils::escapeSecure(
$row["contact_name"] . " (" . $row["contact_alias"] . ")"
);
}

if (isset($_POST["searchO"])) {
Expand Down Expand Up @@ -188,10 +190,13 @@ function searchUserName($user_name)
} else {
$query .= " AND ";
}
$query .= " object_type = '".$objects_type_tab[$otype]."' ";
$query .= " object_type = '" . $pearDB->escape($objects_type_tab[$otype]) . "' ";
}
}
$query .= " ORDER BY action_log_date DESC LIMIT ".$num * $limit.", ".$limit;

$query .= " ORDER BY action_log_date DESC LIMIT "
. (int) ($num * $limit) . ", " . (int) $limit;

$DBRESULT = $pearDBO->query($query);

/* Get rows number */
Expand All @@ -201,7 +206,9 @@ function searchUserName($user_name)
$elemArray = array();
while ($res = $DBRESULT->fetchRow()) {
if ($res['object_id']) {
$objectName = str_replace(array('#S#', '#BS#'), array("/", "\\"), $res["object_name"]);
$objectName = CentreonUtils::escapeSecure(
str_replace(array('#S#', '#BS#'), array("/", "\\"), $res["object_name"])
);

if ($res['object_type'] == "service") {
$tmp = $centreon->CentreonLogAction->getHostId($res['object_id']);
Expand All @@ -210,22 +217,30 @@ function searchUserName($user_name)
$tmp2 = $centreon->CentreonLogAction->getHostId($res['object_id']);
$tabHost = split(',', $tmp2["h"]);
if (count($tabHost) == 1) {
$host_name = $centreon->CentreonLogAction->getHostName($tmp2["h"]);
$host_name = CentreonUtils::escapeSecure(
$centreon->CentreonLogAction->getHostName($tmp2["h"])
);
} elseif (count($tabHost) > 1) {
$hosts = array();
foreach ($tabHost as $key => $value) {
$hosts[] = $centreon->CentreonLogAction->getHostName($value);
$hosts[] = CentreonUtils::escapeSecure(
$centreon->CentreonLogAction->getHostName($value)
);
}
}
} elseif (isset($tmp['hg'])) {
$tmp2 = $centreon->CentreonLogAction->getHostId($res['object_id']);
$tabHost = split(',', $tmp2["hg"]);
if (count($tabHost) == 1) {
$hg_name = $centreon->CentreonLogAction->getHostGroupName($tmp2["hg"]);
$hg_name = CentreonUtils::escapeSecure(
$centreon->CentreonLogAction->getHostGroupName($tmp2["hg"])
);
} elseif (count($tabHost) > 1) {
$hostgroups = array();
foreach ($tabHost as $key => $value) {
$hostgroups[] = $centreon->CentreonLogAction->getHostGroupName($value);
$hostgroups[] = CentreonUtils::escapeSecure(
$centreon->CentreonLogAction->getHostGroupName($value)
);
}
}
}
Expand All @@ -236,7 +251,7 @@ function searchUserName($user_name)
if (isset($host_name) && $host_name != '') {
$elemArray[] = array(
"date" => date('Y/m/d H:i:s', $res['action_log_date']),
"type" => $res['object_type'],
"type" => CentreonUtils::escapeSecure($res['object_type']),
"object_name" => $objectName,
"action_log_id" => $res['action_log_id'],
"object_id" => $res['object_id'],
Expand All @@ -249,7 +264,7 @@ function searchUserName($user_name)
} elseif (isset($hosts) && count($hosts) != 1) {
$elemArray[] = array(
"date" => date('Y/m/d H:i:s', $res['action_log_date']),
"type" => $res['object_type'],
"type" => CentreonUtils::escapeSecure($res['object_type']),
"object_name" => $objectName,
"action_log_id" => $res['action_log_id'],
"object_id" => $res['object_id'],
Expand All @@ -262,7 +277,7 @@ function searchUserName($user_name)
} elseif (isset($hg_name) && $hg_name != '') {
$elemArray[] = array(
"date" => date('Y/m/d H:i:s', $res['action_log_date']),
"type" => $res['object_type'],
"type" => CentreonUtils::escapeSecure($res['object_type']),
"object_name" => $objectName,
"action_log_id" => $res['action_log_id'],
"object_id" => $res['object_id'],
Expand All @@ -275,7 +290,7 @@ function searchUserName($user_name)
} elseif (isset($hostgroups) && count($hostgroups) != 1) {
$elemArray[] = array(
"date" => date('Y/m/d H:i:s', $res['action_log_date']),
"type" => $res['object_type'],
"type" => CentreonUtils::escapeSecure($res['object_type']),
"object_name" => $objectName,
"action_log_id" => $res['action_log_id'],
"object_id" => $res['object_id'],
Expand Down Expand Up @@ -316,10 +331,10 @@ function searchUserName($user_name)
$tpl->assign('search_object_str', _("Object"));
$tpl->assign('search_user_str', _("User"));
$tpl->assign('Search', _('Search'));
$tpl->assign('searchO', htmlentities($searchO));
$tpl->assign('searchU', htmlentities($searchU));
$tpl->assign('searchO', CentreonUtils::escapeSecure($searchO));
$tpl->assign('searchU', CentreonUtils::escapeSecure($searchU));
$tpl->assign('obj_str', _("Object Type"));
$tpl->assign('type_id', $otype);
$tpl->assign('type_id', urlencode($otype));

$tpl->assign('event_type', _("Event Type"));
$tpl->assign('time', _("Time"));
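Review bot: The `object_type` predicate on the `$query .= " object_type = '" . $pearDB->escape($objects_type_tab[$otype]) . "' ";` line is still built by string concatenation, and `$objects_type_tab` is indexed by the request-controlled `$otype` without a membership check, so an unknown `otype` produces an undefined-index notice and a silent `object_type = ''` filter instead of a rejected parameter; guard the lookup first, `if (!isset($objects_type_tab[$otype])) { $otype = null; }` or equivalent, before the branch that appends the predicate. The escaping is also done through `$pearDB` while the statement is executed on `$pearDBO` at `$DBRESULT = $pearDBO->query($query);`; if the two connections do not share a charset the escape may not match the executing connection, so a prepared statement on `$pearDBO` would be the durable fix rather than per-value escaping. The `split(',', $tmp2["h"])` and `split(',', $tmp2["hg"])` calls on the context lines are a PHP 7 removal and would need `explode` if this page runs on PHP 7 or later. The enclosing code starts before the first hunk and continues after the last one.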
