From da19665504220c20e3f7514d9d14176046e1dd86 Mon Sep 17 00:00:00 2001
From: jeremyjaouen <61694165+jeremyjaouen@users.noreply.github.com>
Date: Wed, 29 Jul 2020 22:21:59 +0200
Subject: [PATCH] fix(security): use user id instead of session id in session
page (#8876)
---
www/api/class/centreon_ldap_synchro.class.php | 31 +++++--------------
.../options/session/connected_user.php | 20 ++++++------
2 files changed, 18 insertions(+), 33 deletions(-)
diff --git a/www/api/class/centreon_ldap_synchro.class.php b/www/api/class/centreon_ldap_synchro.class.php
index d54a41e1794..aa4ecb11763 100644
--- a/www/api/class/centreon_ldap_synchro.class.php
+++ b/www/api/class/centreon_ldap_synchro.class.php
@@ -75,44 +75,29 @@ public function postRequestLdapSynchro(): bool
$result = false;
$contactId = filter_var(
- $_POST['contactId'] ?? null,
+ $_POST['contactId'] ?? false,
FILTER_VALIDATE_INT
);
- $sessionId = filter_var(
- $_POST['sessionId'] ?? null,
- FILTER_SANITIZE_STRING
- );
if (!$this->isLdapEnabled()) {
return $result;
}
- if (empty($contactId) && empty($sessionId)) {
+ if ($contactId === false) {
$this->centreonLog->insertLog(
3, //ldap.log
- "LDAP MANUAL SYNC : Error - Chosen contact data are missing."
+ "LDAP MANUAL SYNC : Error - Chosen contact id is not consistent."
);
return $result;
}
$this->pearDB->beginTransaction();
try {
- // getting the contact name and ID for the logs
- if ($contactId) {
- // (getting the contactId to homogenize the next request's bindValue variable name)
- $resUser = $this->pearDB->prepare(
- 'SELECT `contact_id`, `contact_name` FROM `contact`
- WHERE `contact_id` = :contactId'
- );
- $resUser->bindValue(':contactId', $contactId, PDO::PARAM_INT);
- } elseif ($sessionId) {
- $resUser = $this->pearDB->prepare(
- 'SELECT `contact_id`, `contact_name` FROM contact
- LEFT JOIN session ON session.user_id = contact.contact_id
- WHERE session.session_id = :userSessionId'
- );
- $resUser->bindValue(':userSessionId', $sessionId, PDO::PARAM_STR);
- }
+ $resUser = $this->pearDB->prepare(
+ 'SELECT `contact_id`, `contact_name` FROM `contact`
+ WHERE `contact_id` = :contactId'
+ );
+ $resUser->bindValue(':contactId', $contactId, PDO::PARAM_INT);
$resUser->execute();
$contact = $resUser->fetch();
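Review bot: The new code only checks that `contactId` is an integer (lines 16-20, 29); nothing in this hunk checks that the caller may request a synchronization for that contact, and the removed session-id path at least required a value that only the session owner or an admin viewing the session page knows, whereas a contact id is guessable. Unless the internal API layer already restricts this action to administrators, an explicit authorization check belonging to this method should precede the `$contactId === false` guard, with a comment such as `// only an administrator may force a resync of another contact`. `fetch()` on the last line returns `false` when no contact row matches the id, so the code that follows (outside this hunk) must treat `$contact === false` as a "contact not found" error before reading any field from it. postRequestLdapSynchro starts before this hunk and its body continues past it.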
diff --git a/www/include/options/session/connected_user.php b/www/include/options/session/connected_user.php
index adf4fa44477..e7a3f5c24dd 100644
--- a/www/include/options/session/connected_user.php
+++ b/www/include/options/session/connected_user.php
@@ -51,9 +51,9 @@
FILTER_SANITIZE_STRING
);
-$selectedUserSid = filter_var(
- $_GET['session'] ?? null, // the sessionId of the chosen user
- FILTER_SANITIZE_STRING
+$selectedUserId = filter_var(
+ $_GET['user'] ?? null,
+ FILTER_VALIDATE_INT
);
$currentPage = filter_var(
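Review bot: The removed line 70 carried the only explanation of what the query parameter selects and the replacement at lines 72-75 has none; restore it as `$_GET['user'] ?? null, // the contact_id of the chosen user`. Note also that `filter_var(null, FILTER_VALIDATE_INT)` yields `false`, so a missing or non-numeric `user` parameter and an absent one are indistinguishable downstream; that is acceptable here but worth stating in the comment.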
@@ -61,7 +61,7 @@
FILTER_VALIDATE_INT
);
-if ($selectedUserSid) {
+if ($selectedUserId) {
$msg = new CentreonMsg();
$msg->setTextStyle("bold");
$msg->setTimeOut("3");
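Review bot: `if ($selectedUserId)` at line 81 relies on truthiness while the sibling API change in centreon_ldap_synchro.class.php checks `=== false` explicitly; `if ($selectedUserId !== false) {` keeps the two consistent and makes it clear that the rejected case is a failed `FILTER_VALIDATE_INT`, not a zero id. The block this `if` opens continues past the hunk.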
@@ -69,8 +69,8 @@
switch ($action) {
// logout action
case KICK_USER:
- $stmt = $pearDB->prepare("DELETE FROM session WHERE session_id = :userSessionId");
- $stmt->bindValue(':userSessionId', $selectedUserSid, \PDO::PARAM_STR);
+ $stmt = $pearDB->prepare("DELETE FROM session WHERE user_id = :userId");
+ $stmt->bindValue(':userId', $selectedUserId, \PDO::PARAM_INT);
$stmt->execute();
$msg->setText(_("User kicked"));
break;
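Review bot: The `KICK_USER` branch at lines 91-93 deletes every session row for `$selectedUserId` with no admin check visible in this hunk; the kick link is only rendered when `$centreon->user->admin` is set (line 97), but the handler itself runs for any request that carries `action` and a numeric `user`. Unless the page is already admin-only above line 51, the `switch ($action)` should be guarded by the same admin condition as the link, with a comment such as `// server-side check: rendering the link admin-only is not enough`. Switching the selector from `session_id` to `user_id` also means the DELETE now terminates all of that user's sessions rather than one, which matches the confirmation text at lines 117-118 but deserves a one-line comment above the prepare call. The enclosing `if ($selectedUserId)` block starts in the previous hunk and continues past this one.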
@@ -122,7 +122,7 @@
if ($centreon->user->admin) {
// adding the link to be able to kick the user
$session_data[$cpt]["actions"] =
- "" .
+ "" .
"" .
"";
@@ -139,7 +139,7 @@
"" .
"" .
+ "onclick='submitSync(" . $currentPage . ", \"" . $r['user_id'] . "\")'>" .
"";
} else {
// hiding the synchronization option and details
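Review bot: Line 107 concatenates `$r['user_id']` straight into an inline `onclick` attribute; `user_id` is presumably an integer column, but casting it, `\"" . (int) $r['user_id'] . "\")'>" .`, makes that assumption explicit and removes the only unescaped value in the attribute. Since the value is numeric the surrounding JavaScript string quotes are no longer needed either, and dropping them would match how `$currentPage` is passed on the same line. The markup this hunk belongs to starts and ends outside it.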
@@ -171,7 +171,7 @@
formatDateMoment();
// ask for confirmation when requesting to resynchronize contact data from the LDAP
- function submitSync(p, sessionId) {
+ function submitSync(p, contactId) {
// msg = localized message to be displayed in the confirmation popup
let msg = "= _('All this contact sessions will be closed. Are you sure you want to request a ' .
'synchronization at the next login of this Contact ?'); ?>";
@@ -181,7 +181,7 @@ function submitSync(p, sessionId) {
url: './api/internal.php?object=centreon_ldap_synchro&action=requestLdapSynchro',
type: 'POST',
async: false,
- data: {sessionId: sessionId},
+ data: {contactId: contactId},
success: function(data) {
if (data === true) {
window.location.href = "?p=" + p;
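Review bot: The POST at lines 120-124 now carries only `contactId`, a value any logged-in user can guess for any other contact, so protection against the request being triggered from another page or by another user rests entirely on the server side; if `internal.php` does not already verify a session-bound token for this action, one should be sent in `data` alongside `contactId` and checked in postRequestLdapSynchro. `async: false` is pre-existing but blocks the UI thread while the synchronous XHR runs and is deprecated in browsers; worth a follow-up rather than part of this fix. submitSync starts in the previous hunk and continues past this one.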