
Commit 196729c

Fix vulnerabilities
1 parent 517589e commit 196729c


9 files changed

+243
-132
lines changed


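--- a/include/arrays.php
+++ b/include/arrays.php
@@ -37,6 +37,8 @@
 10 => "EON - Name Error",
 11 => "EON - GED");
 
+$array_modules = array ("glpi","ocsinventory-reports");
+
 $array_tools = array (
 "snmpwalk" => "tools/snmpwalk.php",
 "show interface" => "tools/interface.php",
@@ -60,6 +62,8 @@
 "duplicate" => "duplicate",
 "back-up file" => "backup");
 
+$array_ged_queues = array("active","sync","history");
+
 $array_ged_types = array(
 0 => "label.all",
 1 => "services",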
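--- a/include/function.php
+++ b/include/function.php
@@ -63,7 +63,7 @@ function message($id, $text, $type){
 }
 
 // Connect to Database
-function sqlrequest($database,$sql,$id=false){
+function sqlrequest($database,$sql,$id=false,$prepare=false){
 
 // Get the global value
 global $database_host;
@@ -83,8 +83,22 @@ function sqlrequest($database,$sql,$id=false){
 // Force UTF-8
 mysqli_query($connexion, "SET NAMES 'utf8'");
 }
-$result=mysqli_query($connexion, "$sql");
-
+
+if(is_array($prepare)) {
+$stmt = mysqli_prepare($connexion,$sql);
+
+if(isset($prepare[0]) && isset($prepare[1])) {
+$ref = new ReflectionClass('mysqli_stmt');
+$method = $ref->getMethod("bind_param");
+$method->invokeArgs($stmt,$prepare);
+}
+
+mysqli_stmt_execute($stmt);
+$result = mysqli_stmt_get_result($stmt);
+} else {
+$result=mysqli_query($connexion, "$sql");
+}
+
 if($id==true)
 $result=mysqli_insert_id($connexion);
 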
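Review bot: `$stmt = mysqli_prepare($connexion,$sql);` in the second hunk is never checked, yet `mysqli_prepare()` returns `false` when the SQL is malformed or the placeholder count does not match, and the new branch then hands that `false` to `invokeArgs()` and `mysqli_stmt_execute()`; a guard such as `if($stmt === false) { return false; }` placed right after the prepare keeps callers from reaching `mysqli_fetch_array()` with an undefined `$result`. `mysqli_stmt::bind_param` takes its variables by reference, and callers in this commit build `$prepare` from literal values, so on some PHP versions the `invokeArgs` call may emit an "expected to be a reference" warning and bind nothing — this path deserves a test with a real placeholder query rather than an assumption that the reflection trick works. `mysqli_stmt_get_result()` also exists only with the mysqlnd driver; a one-line comment stating that deployment assumption next to it would save the next reader a search. The body of sqlrequest starts before and continues after this hunk.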
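--- a/module/admin_bp/php/auto_completion.php
+++ b/module/admin_bp/php/auto_completion.php
@@ -1,20 +1,24 @@
 <?php
-// Mot tapé par l'utilisateur
-$q = $_GET['query'];
-$table_name = $_GET['table_name'];
 
-try {
-$bdd = new PDO('mysql:host=localhost;dbname=lilac', 'root', 'root66');
-} catch(Exception $e) {
-echo "Connection failed: " . $e->getMessage();
-exit('Impossible de se connecter à la base de données.');
-}
+include("../../../include/config.php");
 
-// Requête SQL
-$requete = "SELECT name FROM " . $table_name . " WHERE name LIKE '". $q ."%' LIMIT 0, 10";
+// Mot tapé par l'utilisateur
+$q = $_GET['query'];
+$table_name = $_GET['table_name'];
+
+try {
+$bdd = new PDO('mysql:host=localhost;dbname='.$database_lilac, $database_username, $database_password);
+} catch(Exception $e) {
+echo "Connection failed: " . $e->getMessage();
+exit('Impossible de se connecter à la base de données.');
+}
+
+// Requête SQL
+$requete = "SELECT name FROM " . $table_name . " WHERE name LIKE '". $q ."%' LIMIT 0, 10";
+
+foreach ($bdd->query($requete) as $row) {
+$suggestions['suggestions'][] = $row['name'];
+}
+echo json_encode($suggestions);
 
-foreach ($bdd->query($requete) as $row) {
-$suggestions['suggestions'][] = $row['name'];
-}
-echo json_encode($suggestions);
 ?>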
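Review bot: The query on the new side, `$requete = "SELECT name FROM " . $table_name . " WHERE name LIKE '". $q ."%' LIMIT 0, 10";`, still concatenates both `$_GET['table_name']` and `$_GET['query']` into SQL, so this file only moved the lines and swapped the credentials for config values; the injection the commit title refers to is untouched here, and the connection error path still echoes `$e->getMessage()` to the client. A table identifier cannot be bound, so it has to be checked against a fixed list, while the search term can be bound with `LIKE ?`. The rewrite below also initialises `$suggestions` so an empty result set encodes as an empty list instead of `null`.
```php
// Table identifiers cannot be bound, so only names from a fixed list are accepted
$allowed_tables = array(/* TODO: list the lilac tables this endpoint may query */);
if (!in_array($table_name, $allowed_tables, true)) {
    exit(json_encode(array('suggestions' => array())));
}

// Requête SQL
$req = $bdd->prepare("SELECT name FROM " . $table_name . " WHERE name LIKE ? LIMIT 0, 10");
$req->execute(array($q . "%"));

$suggestions = array('suggestions' => array());
foreach ($req as $row) {
    $suggestions['suggestions'][] = $row['name'];
}
echo json_encode($suggestions);
```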
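--- a/module/admin_bp/php/function_bp.php
+++ b/module/admin_bp/php/function_bp.php
@@ -1,5 +1,7 @@
 <?php
 
+include("../../../include/config.php");
+
 $action = isset($_GET['action']) ? $_GET['action'] : false;
 $bp_name = isset($_GET['bp_name']) ? $_GET['bp_name'] : false;
 $host_name = isset($_GET['host_name']) ? $_GET['host_name'] : false;
@@ -16,7 +18,7 @@
 $min_value = isset($_GET['min_value']) ? $_GET['min_value'] : false;
 
 try {
-$bdd = new PDO('mysql:host=localhost;dbname=nagiosbp', 'root', 'root66');
+$bdd = new PDO('mysql:host=localhost;dbname='.$database_nagios, $database_username, $database_password);
 } catch(Exception $e) {
 echo "Connection failed: " . $e->getMessage();
 exit('Impossible de se connecter à la base de données.');
@@ -73,17 +75,21 @@ function verify_services($bp,$host,$bdd){
 }
 
 function delete_bp($bp,$bdd){
-$sql = "delete from bp where name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "delete from bp where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 
-$sql = "delete from bp_services where bp_name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "delete from bp_services where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 
-$sql = "delete from bp_links where bp_name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "delete from bp_links where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 
-$sql = "delete from bp_links where bp_link = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "delete from bp_links where bp_link = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 }
 
 function list_services($host_name){
@@ -112,8 +118,9 @@ function list_services($host_name){
 }
 
 function list_process($bp,$display,$bdd){
-$sql = "select name from bp where is_define = 1 and name!='".$bp."' and priority = '" . $display . "'";
-$req = $bdd->query($sql);
+$sql = "select name from bp where is_define = 1 and name!=? and priority = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp,$display));
 $process = $req->fetchall();
 
 echo json_encode($process);
@@ -130,20 +137,20 @@ function add_services($bp,$services,$bdd){
 $list_services[] = $service;
 }
 }
-$sql = "select service,host from bp_services where bp_name = '" . $bp . "'";
-$req = $bdd->query($sql);
 
-$sql = "delete from bp_services where bp_name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "delete from bp_services where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 
 if(count($services) > 0){
-$sql = "update bp set is_define = 1 where name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "update bp set is_define = 1 where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 }
-
 else{
-$sql = "update bp set is_define = 0 where name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "update bp set is_define = 0 where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 }
 
 if(is_array($services)) {
@@ -152,37 +159,43 @@ function add_services($bp,$services,$bdd){
 $host = $value[0];
 $service = $value[1];
 echo $service;
-$sql = "insert into bp_services (bp_name,host,service) values('" . trim($bp) . "','" . $host . "','" . $service . "')";
-$bdd->exec($sql);
+$sql = "insert into bp_services (bp_name,host,service) values(?,?,?)";
+$req = $bdd->prepare($sql);
+$req->execute(array(trim($bp),$host,$service));
 }
 }
 }
 
 function add_process($bp,$process,$bdd){
-$sql = "delete from bp_links where bp_name = '" . $bp . "'";
-$bdd->exec($sql);
-$sql = "update bp set is_define = 0 where name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "delete from bp_links where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
+$sql = "update bp set is_define = 0 where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 
 if(count($process) > 0 and is_array($process)){
-$sql = "update bp set is_define = 1 where name = '" . $bp . "'";
-$bdd->exec($sql);
+$sql = "update bp set is_define = 1 where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp));
 
 foreach($process as $values){
 $value = explode("::", $values);
 $bp_link = $value[1];
 
-$sql = "insert into bp_links (bp_name,bp_link) values('" . $bp . "','" . $bp_link . "')";
+$sql = "insert into bp_links (bp_name,bp_link) values(?,?)";
 
-$bdd->exec($sql);
+$req = $bdd->prepare($sql);
+$req->execute(array($bp,$bp_link));
 }
 }
 }
 
 function check_app_exists($uniq_name, $bdd)
 {
-$sql = "select count(*) from bp where name = '" . $uniq_name . "';";
-$req = $bdd->query($sql);
+$sql = "select count(*) from bp where name = ?;";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name));
 $bp_exist = $req->fetch(PDO::FETCH_NUM);
 
 if($bp_exist[0] == 1){
@@ -196,34 +209,41 @@ function add_application($uniq_name_orig,$uniq_name,$process_name,$display,$url,
 if($type != 'MIN'){
 $min_value = "";
 }
-$sql = "select count(*) from bp where name = '" . $uniq_name . "';";
-$req = $bdd->query($sql);
+$sql = "select count(*) from bp where name = ?;";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name));
 $bp_exist = $req->fetch();
 
 // add
 if($bp_exist[0] == 0 and empty($uniq_name_orig)){
-$sql = "insert into bp (name,description,priority,type,command,url,min_value) values('" . $uniq_name ."','" . $process_name ."','" . $display . "','" . $type . "','" . $command . "','" . $url . "','" . $min_value . "')";
-$bdd->exec($sql);
+$sql = "insert into bp (name,description,priority,type,command,url,min_value) values(?,?,?,?,?,?,?)";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name,$process_name,$display,$type,$command,$url,$min_value));
 }
 // uniq name modification
 elseif($uniq_name_orig != $uniq_name) {
 if($bp_exist[0] != 0){
 // TODO QUENTIN
 } else {
-$sql = "update bp set name = '" . $uniq_name . "',description = '" . $process_name . "',priority = '" . $display . "',type = '" . $type . "',command = '" . $command . "',url = '" . $url . "',min_value = '" . $min_value . "' where name = '" . $uniq_name_orig . "'";
-$bdd->exec($sql);
-$sql = "update bp_links set bp_name = '" . $uniq_name . "' where bp_name = '" . $uniq_name_orig . "'";
-$bdd->exec($sql);
-$sql = "update bp_links set bp_link = '" . $uniq_name . "' where bp_link = '" . $uniq_name_orig . "'";
-$bdd->exec($sql);
-$sql = "update bp_services set bp_name = '" . $uniq_name . "' where bp_name = '" . $uniq_name_orig . "'";
-$bdd->exec($sql);
+$sql = "update bp set name = ?,description = ?,priority = ?,type = ?,command = ?,url = ?,min_value = ? where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name,$process_name,$display,$type,$command,$url,$min_value,$uniq_name_orig));
+$sql = "update bp_links set bp_name = ? where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name,$uniq_name_orig));
+$sql = "update bp_links set bp_link = ? where bp_link = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name,$uniq_name_orig));
+$sql = "update bp_services set bp_name = ? where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name,$uniq_name_orig));
 }
 }
 // modification
 else{
-$sql = "update bp set name = '" . $uniq_name . "',description = '" . $process_name . "',priority = '" . $display . "',type = '" . $type . "',command = '" . $command . "',url = '" . $url . "',min_value = '" . $min_value . "' where name = '" . $uniq_name . "'";
-$bdd->exec($sql);
+$sql = "update bp set name = ?,description = ?,priority = ?,type = ?,command = ?,url = ?,min_value = ? where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($uniq_name,$process_name,$display,$type,$command,$url,$min_value,$uniq_name));
 }
 }
 
@@ -252,16 +272,18 @@ function build_file($bdd){
 
 function build_file_recursive($bdd,$bp_file,$bp_informations,$bp_sons){
 
-$sql = "SELECT bp_link FROM bp_links where bp_name='".$bp_informations['name']."'";
-$req = $bdd->query($sql);
+$sql = "SELECT bp_link FROM bp_links where bp_name=?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp_informations['name']));
 if($req->rowCount() == 0) {
 $bp_sons[]=$bp_informations['name'];
 build_file_bp($bdd,$bp_file, $bp_informations);
 } else {
 $bp_links = $req->fetchall();
 foreach($bp_links as $bp_link){
-$sql = "SELECT * FROM bp where is_define ='1' and name='".$bp_link["bp_link"]."'";
-$req = $bdd->query($sql);
+$sql = "SELECT * FROM bp where is_define ='1' and name=?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp_link["bp_link"]));
 $bps_sons_informations = $req->fetchall();
 foreach($bps_sons_informations as $bp_sons_informations){
 if(!in_array($bp_sons_informations['name'],$bp_sons,true)) {
@@ -287,8 +309,9 @@ function build_file_bp($bdd,$bp_file, $bp_informations){
 $type = "+";
 fputs($bp_file, $bp_informations['min_value'] . " of: ");
 }
-$sql = "select host,service from bp_services where bp_name = '" . $bp_informations['name'] . "'";
-$req = $bdd->query($sql);
+$sql = "select host,service from bp_services where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp_informations['name']));
 $host_services = $req->fetchall();
 
 $counter1 = count($host_services);
@@ -303,8 +326,9 @@ function build_file_bp($bdd,$bp_file, $bp_informations){
 }
 }
 
-$sql = "select bp_link from bp_links where bp_name = '" .$bp_informations['name'] . "'";
-$req = $bdd->query($sql);
+$sql = "select bp_link from bp_links where bp_name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp_informations['name']));
 $link_informations = $req->fetchall();
 
 $counter1 = count($link_informations);
@@ -333,8 +357,9 @@ function build_file_bp($bdd,$bp_file, $bp_informations){
 }
 
 function info_application($bp_name, $bdd){
-$sql = "select * from bp where name = '" . $bp_name . "'";
-$req = $bdd->query($sql);
+$sql = "select * from bp where name = ?";
+$req = $bdd->prepare($sql);
+$req->execute(array($bp_name));
 $info = $req->fetch();
 echo json_encode($info);
 }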
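Review bot: The connection in the second hunk, `$bdd = new PDO('mysql:host=localhost;dbname='.$database_nagios, $database_username, $database_password);`, sets no error mode and no charset, so every `$req = $bdd->prepare($sql);` added in the later hunks returns `false` on a failed prepare and the `$req->execute(...)` that follows each one becomes a fatal call on a non-object, with the try/catch around the constructor never seeing it; with the default emulated prepares the binding is also done client-side using the connection charset, which the DSN leaves unset. Passing options at the one place the handle is built covers all of those sites: `$bdd = new PDO('mysql:host=localhost;dbname='.$database_nagios.';charset=utf8', $database_username, $database_password, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false));`. The `catch(Exception $e)` right below it still echoes `$e->getMessage()`, which on a connection failure includes host and database details, so a generic message for the client and the detail in the server log would fit the stricter error mode. The surrounding functions (add_services, add_application, build_file_bp) begin or end outside their hunks.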
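--- a/module/admin_user/search.php
+++ b/module/admin_user/search.php
@@ -25,7 +25,8 @@
 
 // Search function for Jquery an exit
 if(isset($_GET['term']) && isset($_GET['request']) && $_GET['request'] == "search_user") {
-$result=sqlrequest($database_eonweb,"select * from ldap_users_extended where (user LIKE '%".$_GET['term']."%') OR (login LIKE '%".$_GET['term']."%') order by user");
+$sql="select * from ldap_users_extended where (user LIKE ?) OR (login LIKE ?) order by user";
+$result=sqlrequest($database_eonweb,$sql,false,array("ss","%".$_GET['term']."%","%".$_GET['term']."%"));
 
 $array = array();
 while ($line = mysqli_fetch_array($result)){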
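Review bot: `"%".$_GET['term']."%"` binds the raw term, and the `"ss"` type string assumes it is a scalar, but `isset($_GET['term'])` is also true for `term[]=...`, in which case the concatenation yields `%Array%` with a notice; a `%` or `_` inside the term is likewise still a LIKE wildcard, so a term of `%` lists every user if that is not intended. Building the pattern once, `$term = is_string($_GET['term']) ? "%".addcslashes($_GET['term'], '%_\\')."%" : "";` and passing `array("ss",$term,$term)`, fixes both. If sqlrequest returns `false` when its prepare fails (its new `$prepare` branch in this commit does not appear to check for that), the `while ($line = mysqli_fetch_array($result))` loop below would error on a non-result, so a `$result === false` check before the loop is worth adding here too.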
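--- a/module/index.php
+++ b/module/index.php
@@ -23,10 +23,14 @@
 # Check optionnal module to load
 if(isset($_GET["module"]) && isset($_GET["link"])) {
 
-$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
+include("../include/config.php");
+include("../include/arrays.php");
 
-# Redirect to module page if rpm installed
-if($module!=0) { header('Location: '.$_GET["link"].''); }
+if(in_array($_GET["module"],$array_modules)) {
+$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");
+# Redirect to module page if rpm installed
+if($module!=0) { header('Location: '.$_GET["link"].''); }
+}
 
 }
 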
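Review bot: `header('Location: '.$_GET["link"].'');` on the new side still redirects to whatever the caller supplies; the `in_array($_GET["module"],$array_modules)` allowlist constrains the shell argument but says nothing about the link, so an attacker-chosen absolute URL is still honoured (open redirect), and the script keeps running after the header because there is no `exit`. The module check should also be strict and the value escaped before it reaches `exec()` even though it is allowlisted, so the two defences do not depend on each other. The rewrite below accepts only a local path for the link, on the assumption that module links are site-relative (the page does not show what values are passed, so confirm against the callers); a per-module link map in arrays.php that ignores `$_GET["link"]` entirely would be the stronger option.
```php
if(in_array($_GET["module"],$array_modules,true)) {
$module=exec("rpm -q ".escapeshellarg($_GET["module"])." |grep '.eon' |wc -l");
# Redirect to module page if rpm installed; only a site-relative path is accepted as target
$link = $_GET["link"];
if($module!=0 && is_string($link) && preg_match('#^/[^/\\\\]#', $link)) {
header('Location: '.$link);
exit;
}
}
```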