fix #5895 : security issues
julienmathis committed Oct 20, 2014
1 parent 46437ec commit cc21098
Showing 16 changed files with 65 additions and 60 deletions.
2 changes: 1 addition & 1 deletion www/include/Administration/corePerformance/getStats.php
Expand Up @@ -97,7 +97,7 @@ function escape_command($command) {
/*
* Check Session activity
*/
$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$_GET["session_id"]."'");
$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
if (!$session->numRows()){
;
} else {
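Review bot: The escape closes the quoting hole, but `$_GET["session_id"]` is still read with no isset() check, so a request without it raises an undefined-index notice and the lookup runs with an empty id. Add `if (!isset($_GET["session_id"])) { exit(); }` ahead of the query; the same unguarded read appears in reloadACL.php, connected_user.php and displayServiceStatus.php. CentreonDB::escape() is not visible here, so it is assumed to be a quote-escaping wrapper that is only safe inside a quoted literal; a prepared statement, if the class offers one, would remove that dependency. The enclosing code continues outside the hunk.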
2 changes: 1 addition & 1 deletion www/include/common/XmlTree/GetXmlTree.php
Expand Up @@ -88,7 +88,7 @@ function getServiceGroupCount() {

$is_admin = isUserAdmin($_GET["sid"]);
if (isset($_GET["sid"]) && $_GET["sid"]){
$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$_GET["sid"]."'");
$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$pearDB->escape($_GET["sid"])."'");
$session = $DBRESULT->fetchRow();
$access = new CentreonAcl($session["user_id"], $is_admin);
$lca = array("LcaHost" => $access->getHostServices($pearDBndo), "LcaHostGroup" => $access->getHostGroups(), "LcaSG" => $access->getServiceGroups());
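Review bot: `$is_admin = isUserAdmin($_GET["sid"])` on the line above the isset() check still hands the raw sid to isUserAdmin(), whose body is not visible; if it interpolates the value into its own session query it needs the same escape, and it is evaluated before the parameter is known to exist. Moving that call inside the `if (isset($_GET["sid"]) && $_GET["sid"])` block keeps the two lookups consistent and avoids the notice on a missing parameter. The same pattern is in eventLogs/XmlTree/GetXmlTree.php and views/graphs/GetXmlTree.php. The enclosing code starts outside the hunk.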
2 changes: 1 addition & 1 deletion www/include/common/getHiddenImage.php
Expand Up @@ -51,7 +51,7 @@
$logos_path = "../../img/media/";

if (isset($_GET["id"]) && $_GET["id"] && is_numeric($_GET["id"])) {
$result = $pearDB->query("SELECT dir_name, img_path FROM view_img_dir, view_img, view_img_dir_relation vidr WHERE view_img_dir.dir_id = vidr.dir_dir_parent_id AND vidr.img_img_id = img_id AND img_id = '".$_GET["id"]."'");
$result = $pearDB->query("SELECT dir_name, img_path FROM view_img_dir, view_img, view_img_dir_relation vidr WHERE view_img_dir.dir_id = vidr.dir_dir_parent_id AND vidr.img_img_id = img_id AND img_id = '".$pearDB->escape($_GET["id"])."'");
while ($img = $result->fetchRow() ) {
$imgpath = $logos_path . $img["dir_name"] ."/". $img["img_path"];
if (!is_file($imgpath)) {
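Review bot: The new escape on `$_GET["id"]` is redundant with the `is_numeric()` gate on the line above but harmless; the stronger form is a cast, since is_numeric() also accepts values such as `1e3`, leading whitespace and signed floats that the column comparison then coerces. Writing the id as an unquoted integer, `img_id = " . (int) $_GET["id"]`, states the intent directly. The enclosing code continues outside the hunk.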
Expand Up @@ -46,7 +46,7 @@ function testCommandCategorieExistence ($name = NULL) {
if (isset($form))
$id = $form->getSubmitValue('cmd_category_id');

$DBRESULT = $pearDB->query("SELECT `category_name`, `cmd_category_id` FROM `command_categories` WHERE `category_name` = '".htmlentities($name, ENT_QUOTES, "UTF-8")."'");
$DBRESULT = $pearDB->query("SELECT `category_name`, `cmd_category_id` FROM `command_categories` WHERE `category_name` = '".$pearDB->escape($name)."'");
$cat = $DBRESULT->fetchRow();

if ($DBRESULT->numRows() >= 1 && $cat["cmd_category_id"] == $id)
Expand Down Expand Up @@ -88,14 +88,14 @@ function insertCommandCategorieInDB(){
global $pearDB;

if (testCommandCategorieExistence($_POST["category_name"])){
$DBRESULT = $pearDB->query("INSERT INTO `command_categories` (`category_name` , `category_alias`, `category_order`) VALUES ('".$_POST["category_name"]."', '".$_POST["category_alias"]."', '1')");
$DBRESULT = $pearDB->query("INSERT INTO `command_categories` (`category_name` , `category_alias`, `category_order`) VALUES ('".$pearDB->escape($_POST["category_name"])."', '".$pearDB->escape($_POST["category_alias"])."', '1')");
}
}

function updateCommandCategorieInDB(){
global $pearDB;

$DBRESULT = $pearDB->query("UPDATE `command_categories` SET `category_name` = '".$_POST["category_name"]."' , `category_alias` = '".$_POST["category_alias"]."' , `category_order` = '".$_POST["category_order"]."' WHERE `cmd_category_id` = '".$_POST["cmd_category_id"]."'");
$DBRESULT = $pearDB->query("UPDATE `command_categories` SET `category_name` = '".$pearDB->escape($_POST["category_name"])."' , `category_alias` = '".$pearDB->escape($_POST["category_alias"])."' , `category_order` = '".$pearDB->escape($_POST["category_order"])."' WHERE `cmd_category_id` = '".$pearDB->escape($_POST["cmd_category_id"])."'");
}

function deleteCommandCategorieInDB($sc_id = NULL){
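Review bot: In updateCommandCategorieInDB() the WHERE key `cmd_category_id` and `category_order` are integer columns but are escaped and quoted as strings; casting them, `(int) $_POST["cmd_category_id"]` and `(int) $_POST["category_order"]`, rejects non-numeric input outright instead of relying on MySQL coercion, and none of the four `$_POST` reads in that function are guarded by isset(). In the first hunk, swapping htmlentities() for escape() in testCommandCategorieExistence() also changes what is compared: a name containing `&`, `<` or a quote was previously matched against its HTML-encoded form and is now matched raw, so rows written before this change may start or stop matching — worth checking against how category_name is actually stored. testCommandCategorieExistence() starts outside the first hunk.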
Expand Up @@ -152,7 +152,7 @@
*/
$host_tmplt_who_use_me = array();
if (isset($_GET["host_id"]) && $_GET["host_id"]){
$DBRESULT = $pearDB->query("SELECT host_id, host_name FROM host WHERE host_template_model_htm_id = '".$_GET["host_id"]."'");
$DBRESULT = $pearDB->query("SELECT host_id, host_name FROM host WHERE host_template_model_htm_id = '".$pearDB->escape($_GET["host_id"])."'");
while($host_tmpl_father = $DBRESULT->fetchRow())
$host_tmplt_who_use_me[$host_tmpl_father["host_id"]] = $host_tmpl_father["host_name"];
$DBRESULT->free();
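Review bot: host_template_model_htm_id is an id column, so the value is better cast than escaped: `WHERE host_template_model_htm_id = " . (int) $_GET["host_id"]` fails closed on any non-numeric input rather than passing it through quoted, and documents that the parameter is numeric. The truthiness test on the line above already rejects `0` and the empty string, so the cast does not change which requests run the query. The enclosing code continues outside the hunk.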
Expand Up @@ -134,11 +134,11 @@ function insertServiceCategorieInDB(){

if (testServiceCategorieExistence($_POST["sc_name"])){
$DBRESULT = $pearDB->query("INSERT INTO `service_categories` (`sc_name`, `sc_description`, `level`, `icon_id`, `sc_activate` )
VALUES ('".$_POST["sc_name"]."', '".$_POST["sc_description"]."', ".
VALUES ('".$pearDB->escape($_POST["sc_name"])."', '".$pearDB->escape($_POST["sc_description"])."', ".
(isset($_POST['sc_severity_level']) && $_POST['sc_type'] ? $pearDB->escape($_POST['sc_severity_level']):"NULL").", ".
(isset($_POST['sc_severity_icon']) && $_POST['sc_type'] ? $pearDB->escape($_POST['sc_severity_icon']) : "NULL").", ".
"'".$_POST["sc_activate"]["sc_activate"]."')");
$DBRESULT = $pearDB->query("SELECT MAX(sc_id) FROM `service_categories` WHERE sc_name LIKE '".$_POST["sc_name"]."'");
$DBRESULT = $pearDB->query("SELECT MAX(sc_id) FROM `service_categories` WHERE sc_name LIKE '".$pearDB->escape($_POST["sc_name"])."'");
$data = $DBRESULT->fetchRow();
}
updateServiceCategoriesServices($data["MAX(sc_id)"]);
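Review bot: Two values in this INSERT are still interpolated without protection after the change: `$_POST["sc_activate"]["sc_activate"]` on the last VALUES line is raw, and `sc_severity_level` / `sc_severity_icon` are escaped but placed unquoted, a context where a quote-escaping function gives no protection — those two want a `(int)` cast, and sc_activate wants `'".$pearDB->escape($_POST["sc_activate"]["sc_activate"])."'`. The follow-up `SELECT MAX(sc_id)` uses `LIKE` with the escaped name; escape() does not neutralise `%` and `_`, so a name containing them can match other rows and return the wrong id — use `sc_name = '...'` since an exact match is what is wanted, or read the inserted id from the driver if CentreonDB exposes it. insertServiceCategorieInDB() starts outside the hunk.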
Expand Up @@ -186,7 +186,7 @@ function myDecodeSvTP($arg) {
*/
$svc_tmplt_who_use_me = array();
if (isset($_GET["service_id"]) && $_GET["service_id"]) {
$DBRESULT = $pearDB->query("SELECT service_description, service_id FROM service WHERE service_template_model_stm_id = '".$_GET["service_id"]."'");
$DBRESULT = $pearDB->query("SELECT service_description, service_id FROM service WHERE service_template_model_stm_id = '".$pearDB->escape($_GET["service_id"])."'");
while ($service_tmpl_father = $DBRESULT->fetchRow()) {
$svc_tmplt_who_use_me[$service_tmpl_father["service_id"]] = $service_tmpl_father["service_description"];
}
Expand All @@ -196,7 +196,7 @@ function myDecodeSvTP($arg) {
/*
* Service Templates comes from DB -> Store in $svTpls Array
*/
$svTpls = array(NULL=>NULL);
$svTpls = array(NULL => NULL);
$DBRESULT = $pearDB->query("SELECT service_id, service_description, service_template_model_stm_id FROM service WHERE service_register = '0' AND service_id != '".$service_id."' ORDER BY service_description");
while ($svTpl = $DBRESULT->fetchRow()) {
if (!$svTpl["service_description"]) {
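Review bot: The query on the line after `$svTpls`, `service_id != '".$service_id."'`, concatenates `$service_id` unescaped and the commit leaves it that way; where `$service_id` is assigned is outside the hunk, so if it derives from the request it needs the same treatment as `$_GET["service_id"]` in the first hunk, `service_id != '".$pearDB->escape($service_id)."'`, or a `(int)` cast since it is an id column. The same cast would suit `service_template_model_stm_id` in the first hunk. The enclosing code starts and ends outside the hunk.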
Expand Up @@ -36,46 +36,48 @@
*
*/

include_once("@CENTREON_ETC@/centreon.conf.php");
include_once("@CENTREON_ETC@/centreon.conf.php");

require_once $centreon_path . "/www/class/centreonDB.class.php";
require_once $centreon_path . "/www/class/centreonXML.class.php";
require_once $centreon_path . "/www/class/centreonDB.class.php";
require_once $centreon_path . "/www/class/centreonXML.class.php";

/** ************************************
* start init db
*/
$pearDB = new CentreonDB();
/** ************************************
* start init db
*/
$pearDB = new CentreonDB();

/** ************************************
* start XML Flow
*/
$buffer = new CentreonXML();
$buffer->startElement("traps");

$mnftr_id = $pearDB->escape($_POST["mnftr_id"]);

/** ************************************
* start XML Flow
*/
$buffer = new CentreonXML();
$buffer->startElement("traps");
$empty = 0;
if (isset($_POST["mnftr_id"])){
$traps = array();
if ($_POST["mnftr_id"] == -1) {
$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps ORDER BY traps_name");
} else if ($_POST["mnftr_id"] == -2) {
$empty = 1;
} else if ($_POST["mnftr_id"] != 0) {
$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps WHERE manufacturer_id = " . $mnftr_id . " ORDER BY traps_name");
}

$empty = 0;
if (isset($_POST["mnftr_id"])){
$traps = array();
if ($_POST["mnftr_id"] == -1) {
$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps ORDER BY traps_name");
} else if ($_POST["mnftr_id"] == -2) {
$empty = 1;
} else if ($_POST["mnftr_id"] != 0) {
$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps WHERE manufacturer_id = " . $_POST["mnftr_id"]. " ORDER BY traps_name");
}
if ($empty != 1) {
while ($trap = $DBRESULT->fetchRow()){
$buffer->startElement("trap");
$buffer->writeElement("id", $trap["traps_id"]);
$buffer->writeElement("name", $trap["traps_name"]);
$buffer->endElement();
}
$DBRESULT->free();
}
} else {
$buffer->writeElement("error", "mnftr_id not found");
}
$buffer->endElement();

if ($empty != 1) {
while ($trap = $DBRESULT->fetchRow()){
$buffer->startElement("trap");
$buffer->writeElement("id", $trap["traps_id"]);
$buffer->writeElement("name", $trap["traps_name"]);
$buffer->endElement();
}
$DBRESULT->free();
}
} else {
$buffer->writeElement("error", "mnftr_id not found");
}
$buffer->endElement();
header('Content-Type: text/xml');
$buffer->output();
?>
header('Content-Type: text/xml');
$buffer->output();
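Review bot: `$mnftr_id = $pearDB->escape($_POST["mnftr_id"])` is now evaluated before the `isset($_POST["mnftr_id"])` check, so a POST without the field raises an undefined-index notice, and the value is then interpolated unquoted into `manufacturer_id = " . $mnftr_id`, a context where a quote-escaping function gives no protection. Since the field is an integer id, cast it inside the `if` instead, `$mnftr_id = (int) $_POST["mnftr_id"];`, and run the `-1`/`-2`/`!= 0` comparisons on that integer. Also, when the value is exactly 0 no branch assigns `$DBRESULT` while `$empty` stays 0, so the loop below calls fetchRow() on an undefined variable; setting `$empty = 1` in a final `else` closes that.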
Expand Up @@ -52,7 +52,7 @@
*/
require_once ($centreon_path . "www/class/centreonSession.class.php");
require_once ($centreon_path . "www/class/centreon.class.php");
if(!isset($_SESSION['centreon'])) {
if (!isset($_SESSION['centreon'])) {
CentreonSession::start();
}

2 changes: 1 addition & 1 deletion www/include/eventLogs/XmlTree/GetXmlTree.php
Expand Up @@ -171,7 +171,7 @@ function getServiceGroupSearch($search = NULL) {

$is_admin = isUserAdmin($_GET["sid"]);
if (isset($_GET["sid"]) && $_GET["sid"]) {
$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$_GET["sid"]."'");
$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$pearDB->escape($_GET["sid"])."'");
$session = $DBRESULT->fetchRow();
$access = new CentreonAcl($session["user_id"], $is_admin);
$lca = array("LcaHost" => $access->getHostServices(($oreon->broker->getBroker() == "ndo" ? $pearDBndo : $pearDBO)), "LcaHostGroup" => $access->getHostGroups(), "LcaSG" => $access->getServiceGroups());
2 changes: 1 addition & 1 deletion www/include/options/accessLists/reloadACL/reloadACL.php
Expand Up @@ -48,7 +48,7 @@
require_once 'HTML/QuickForm/Renderer/ArraySmarty.php';

if (isset($_GET["o"]) && $_GET["o"] == "r"){
$pearDB->query("UPDATE session SET update_acl = '1' WHERE session_id = '".$_GET["session_id"]."'");
$pearDB->query("UPDATE session SET update_acl = '1' WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
$pearDB->query("UPDATE acl_resources SET changed = '1'");
$msg = new CentreonMsg();
$msg->setTextStyle("bold");
2 changes: 1 addition & 1 deletion www/include/options/media/images/syncDir.php
Expand Up @@ -55,7 +55,7 @@
exit ;

if (isset($_GET["session_id"])) {
$DBRESULT = $pearDB->query("SELECT * FROM session WHERE session_id = '".$_GET["session_id"]."'");
$DBRESULT = $pearDB->query("SELECT * FROM session WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
if ($DBRESULT->numRows() == 0)
exit();
}
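Review bot: The session check only runs when `$_GET["session_id"]` is present; because the `exit()` sits inside the `isset` block, a request that omits the parameter skips the lookup entirely unless something above the hunk (the `exit ;` at the top is cut off from its condition) already handles that case. Inverting it, `if (!isset($_GET["session_id"])) { exit(); }` followed by the unconditional query and `numRows()` test, makes the gate fail closed regardless. The enclosing code starts outside the hunk.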
2 changes: 1 addition & 1 deletion www/include/options/session/connected_user.php
Expand Up @@ -46,7 +46,7 @@
require_once "./class/centreonMsg.class.php";

if (isset($_GET["o"]) && $_GET["o"] == "k"){
$pearDB->query("DELETE FROM session WHERE session_id = '".$_GET["session_id"]."'");
$pearDB->query("DELETE FROM session WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
$msg = new CentreonMsg();
$msg->setTextStyle("bold");
$msg->setText(_("User kicked"));
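Review bot: The escape fixes the quoting, but this is a state-changing action (deleting a session) driven entirely by the GET parameters `o=k` and `session_id`, which is the classic cross-site request forgery exposure. Beyond this commit, the action belongs on a POST carrying a CSRF token, and `$_GET["session_id"]` should be isset()-checked before use. The enclosing code continues outside the hunk.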
2 changes: 1 addition & 1 deletion www/include/views/graphs/GetXmlTree.php
Expand Up @@ -97,7 +97,7 @@

$is_admin = isUserAdmin($_GET["sid"]);
if (isset($_GET["sid"]) && $_GET["sid"]){
$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$_GET["sid"]."'");
$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$pearDB->escape($_GET["sid"])."'");
$session = $DBRESULT->fetchRow();
$access = new CentreonAcl($session["user_id"], $is_admin);
$lca = array("LcaHost" => $access->getHostServices($pearDBndo), "LcaHostGroup" => $access->getHostGroups(), "LcaSG" => $access->getServiceGroups());
4 changes: 2 additions & 2 deletions www/include/views/graphs/common/makeXML_ListMetrics.php
Expand Up @@ -90,7 +90,7 @@ function compare($a, $b) {
$where = " AND def_type='".$_GET["vdef"]."'";

if (isset($_GET["index_id"]) && $_GET["index_id"] != 0) {
$pq_sql = $pearDBO->query("SELECT metric_id, metric_name FROM metrics as ms, index_data as ixd WHERE ms.index_id = ixd.id and ms.index_id='".$_GET["index_id"]."';");
$pq_sql = $pearDBO->query("SELECT metric_id, metric_name FROM metrics as ms, index_data as ixd WHERE ms.index_id = ixd.id and ms.index_id='".$pearDB->escape($_GET["index_id"])."';");
while($fw_sql = $pq_sql->fetchRow()) {
$sd_l = strlen($fw_sql["metric_name"]);
$fw_sql["metric_name"] = $fw_sql["metric_name"]."   ";
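Review bot: `$where = " AND def_type='".$_GET["vdef"]."'"` at the top of the hunk is still built from raw input and is appended to the virtual_metrics query in the next hunk, so that query remains injectable after this commit; `$where = " AND def_type='".$pearDB->escape($_GET["vdef"])."'";` fixes it, or restrict vdef to the known def_type values. Separately, the first query runs on `$pearDBO` but its value is escaped with `$pearDB->escape()`; if the two connections differ in charset or escaping rules the result may not match, so use `$pearDBO->escape()` for that statement. The enclosing code starts outside the hunk.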
Expand All @@ -99,7 +99,7 @@ function compare($a, $b) {
$mx_l = $sd_l;
}
$pq_sql->free();
$pq_sql = $pearDB->query("SELECT vmetric_id, vmetric_name, def_type FROM virtual_metrics WHERE index_id='".$_GET["index_id"]."'".$where.";");
$pq_sql = $pearDB->query("SELECT vmetric_id, vmetric_name, def_type FROM virtual_metrics WHERE index_id='".$pearDB->escape($_GET["index_id"])."'".$where.";");

while($fw_sql = $pq_sql->fetchRow()) {
$sd_l = strlen($fw_sql["vmetric_name"]." [CDEF]");
9 changes: 6 additions & 3 deletions www/include/views/graphs/graphStatus/displayServiceStatus.php
Expand Up @@ -36,7 +36,7 @@
*
*/
function escape_command($command) {
return preg_replace("/(\\\$|`)/", "", $command);
return preg_replace("/(\\\$|;`)/", "", $command);
}

require_once "@CENTREON_ETC@/centreon.conf.php";
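Review bot: The new pattern `/(\\\$|;`)/` does not do what the change suggests: inside the alternation, `;`` is a single two-character branch, so the function now strips `$` and the sequence `;`` but no longer removes a lone backtick, which the previous pattern did. To strip all three characters the branches must be separate: `return preg_replace("/(\\\$|;|`)/", "", $command);`. A blacklist of shell metacharacters is fragile in any case; if the result ends up as a command argument, `escapeshellarg()` is the robust replacement. The copy of escape_command() in getStats.php was not updated, so the two now differ.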
Expand Down Expand Up @@ -71,7 +71,7 @@ function getStatusDBDir($pearDBO){
* Verify if session is active
*/

$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$_GET["session_id"]."'");
$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
if (!$session->numRows()){

$image = imagecreate(250,100);
Expand Down Expand Up @@ -142,8 +142,11 @@ function getStatusDBDir($pearDBO){
/*
* get all template infos
*/
if (!is_numeric($template_id)) {
exit();
}

$DBRESULT = $pearDB->query("SELECT * FROM giv_graphs_template WHERE graph_id = '".$template_id."' LIMIT 1");
$DBRESULT = $pearDB->query("SELECT * FROM giv_graphs_template WHERE graph_id = '".$pearDB->escape($template_id)."' LIMIT 1");
$GraphTemplate = $DBRESULT->fetchRow();
if (is_null($GraphTemplate))
{