
Commit cc21098

committed
fix #5895 : security issues
1 parent 46437ec commit cc21098


16 files changed

+65
-60
lines changed


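--- a/www/include/Administration/corePerformance/getStats.php
+++ b/www/include/Administration/corePerformance/getStats.php
@@ -97,7 +97,7 @@ function escape_command($command) {
 /*
 * Check Session activity
 */
-$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$_GET["session_id"]."'");
+$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
 if (!$session->numRows()){
 ;
 } else {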
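Review bot: `$_GET["session_id"]` is read without an `isset()` guard, so a request that lacks the parameter raises a notice and the lookup runs against an empty id; the same unguarded read appears in displayServiceStatus.php, reloadACL.php and connected_user.php. Computing the value once, `$sessionId = isset($_GET["session_id"]) ? $pearDB->escape($_GET["session_id"]) : '';`, and exiting early when it is empty avoids the query altogether. Escaping inside a quoted literal does close the injection here; if the CentreonDB wrapper offers bound parameters, that would be the more robust form.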

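--- a/www/include/common/XmlTree/GetXmlTree.php
+++ b/www/include/common/XmlTree/GetXmlTree.php
@@ -88,7 +88,7 @@ function getServiceGroupCount() {
 
 $is_admin = isUserAdmin($_GET["sid"]);
 if (isset($_GET["sid"]) && $_GET["sid"]){
-$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$_GET["sid"]."'");
+$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$pearDB->escape($_GET["sid"])."'");
 $session = $DBRESULT->fetchRow();
 $access = new CentreonAcl($session["user_id"], $is_admin);
 $lca = array("LcaHost" => $access->getHostServices($pearDBndo), "LcaHostGroup" => $access->getHostGroups(), "LcaSG" => $access->getServiceGroups());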
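Review bot: `isUserAdmin($_GET["sid"])` on the line above the guard still receives the raw query-string value and runs before `isset($_GET["sid"])` is checked; if that helper, defined outside this hunk, builds its own session query, it needs the same escaping as the statement fixed here. The same ordering is present in eventLogs/XmlTree/GetXmlTree.php and views/graphs/GetXmlTree.php. Moving the call inside the `if` as its first statement also avoids the notice on a missing parameter. When `fetchRow()` returns no row, `$session["user_id"]` is null and `CentreonAcl` is constructed anyway; an `if (!$session) { exit(); }` after the fetch is the safer path.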

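--- a/www/include/common/getHiddenImage.php
+++ b/www/include/common/getHiddenImage.php
@@ -51,7 +51,7 @@
 $logos_path = "../../img/media/";
 
 if (isset($_GET["id"]) && $_GET["id"] && is_numeric($_GET["id"])) {
-$result = $pearDB->query("SELECT dir_name, img_path FROM view_img_dir, view_img, view_img_dir_relation vidr WHERE view_img_dir.dir_id = vidr.dir_dir_parent_id AND vidr.img_img_id = img_id AND img_id = '".$_GET["id"]."'");
+$result = $pearDB->query("SELECT dir_name, img_path FROM view_img_dir, view_img, view_img_dir_relation vidr WHERE view_img_dir.dir_id = vidr.dir_dir_parent_id AND vidr.img_img_id = img_id AND img_id = '".$pearDB->escape($_GET["id"])."'");
 while ($img = $result->fetchRow() ) {
 $imgpath = $logos_path . $img["dir_name"] ."/". $img["img_path"];
 if (!is_file($imgpath)) {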
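Review bot: `id` is already guarded by `is_numeric()`, and that predicate also accepts forms such as `"1e3"`, leading whitespace and signed decimals, so the escaped string is still not guaranteed to be an integer. For a key that is compared as a number, `$imgId = (int) $_GET["id"];` followed by `img_id = ` . $imgId is both simpler and stricter than escaping a quoted string. The same `(int)` cast would suit `host_id` in formHostTemplateModel.php and `service_id` in formServiceTemplateModel.php, which look like numeric keys as well.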

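--- a/www/include/configuration/configObject/command_categories/DB-Func.php
+++ b/www/include/configuration/configObject/command_categories/DB-Func.php
@@ -46,7 +46,7 @@ function testCommandCategorieExistence ($name = NULL) {
 if (isset($form))
 $id = $form->getSubmitValue('cmd_category_id');
 
-$DBRESULT = $pearDB->query("SELECT `category_name`, `cmd_category_id` FROM `command_categories` WHERE `category_name` = '".htmlentities($name, ENT_QUOTES, "UTF-8")."'");
+$DBRESULT = $pearDB->query("SELECT `category_name`, `cmd_category_id` FROM `command_categories` WHERE `category_name` = '".$pearDB->escape($name)."'");
 $cat = $DBRESULT->fetchRow();
 
 if ($DBRESULT->numRows() >= 1 && $cat["cmd_category_id"] == $id)
@@ -88,14 +88,14 @@ function insertCommandCategorieInDB(){
 global $pearDB;
 
 if (testCommandCategorieExistence($_POST["category_name"])){
-$DBRESULT = $pearDB->query("INSERT INTO `command_categories` (`category_name` , `category_alias`, `category_order`) VALUES ('".$_POST["category_name"]."', '".$_POST["category_alias"]."', '1')");
+$DBRESULT = $pearDB->query("INSERT INTO `command_categories` (`category_name` , `category_alias`, `category_order`) VALUES ('".$pearDB->escape($_POST["category_name"])."', '".$pearDB->escape($_POST["category_alias"])."', '1')");
 }
 }
 
 function updateCommandCategorieInDB(){
 global $pearDB;
 
-$DBRESULT = $pearDB->query("UPDATE `command_categories` SET `category_name` = '".$_POST["category_name"]."' , `category_alias` = '".$_POST["category_alias"]."' , `category_order` = '".$_POST["category_order"]."' WHERE `cmd_category_id` = '".$_POST["cmd_category_id"]."'");
+$DBRESULT = $pearDB->query("UPDATE `command_categories` SET `category_name` = '".$pearDB->escape($_POST["category_name"])."' , `category_alias` = '".$pearDB->escape($_POST["category_alias"])."' , `category_order` = '".$pearDB->escape($_POST["category_order"])."' WHERE `cmd_category_id` = '".$pearDB->escape($_POST["cmd_category_id"])."'");
 }
 
 function deleteCommandCategorieInDB($sc_id = NULL){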
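Review bot: In the `updateCommandCategorieInDB` hunk, `category_order` and `cmd_category_id` are written as quoted strings; escaping makes that safe, but casting the two numeric fields, e.g. `$catId = (int) $_POST["cmd_category_id"];`, would reject non-numeric input outright instead of leaving the coercion to MySQL. All four `$_POST` keys are read without `isset()`, so a partial form submission produces notices and writes empty strings. Replacing `htmlentities()` with `$pearDB->escape()` in `testCommandCategorieExistence` also changes which names compare equal: the name is now matched verbatim, which is consistent with the raw value the insert stores and looks intended, but it is worth stating in the commit description.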

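--- a/www/include/configuration/configObject/host_template_model/formHostTemplateModel.php
+++ b/www/include/configuration/configObject/host_template_model/formHostTemplateModel.php
@@ -152,7 +152,7 @@
 */
 $host_tmplt_who_use_me = array();
 if (isset($_GET["host_id"]) && $_GET["host_id"]){
-$DBRESULT = $pearDB->query("SELECT host_id, host_name FROM host WHERE host_template_model_htm_id = '".$_GET["host_id"]."'");
+$DBRESULT = $pearDB->query("SELECT host_id, host_name FROM host WHERE host_template_model_htm_id = '".$pearDB->escape($_GET["host_id"])."'");
 while($host_tmpl_father = $DBRESULT->fetchRow())
 $host_tmplt_who_use_me[$host_tmpl_father["host_id"]] = $host_tmpl_father["host_name"];
 $DBRESULT->free();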

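--- a/www/include/configuration/configObject/service_categories/DB-Func.php
+++ b/www/include/configuration/configObject/service_categories/DB-Func.php
@@ -134,11 +134,11 @@ function insertServiceCategorieInDB(){
 
 if (testServiceCategorieExistence($_POST["sc_name"])){
 $DBRESULT = $pearDB->query("INSERT INTO `service_categories` (`sc_name`, `sc_description`, `level`, `icon_id`, `sc_activate` )
-VALUES ('".$_POST["sc_name"]."', '".$_POST["sc_description"]."', ".
+VALUES ('".$pearDB->escape($_POST["sc_name"])."', '".$pearDB->escape($_POST["sc_description"])."', ".
 (isset($_POST['sc_severity_level']) && $_POST['sc_type'] ? $pearDB->escape($_POST['sc_severity_level']):"NULL").", ".
 (isset($_POST['sc_severity_icon']) && $_POST['sc_type'] ? $pearDB->escape($_POST['sc_severity_icon']) : "NULL").", ".
 "'".$_POST["sc_activate"]["sc_activate"]."')");
-$DBRESULT = $pearDB->query("SELECT MAX(sc_id) FROM `service_categories` WHERE sc_name LIKE '".$_POST["sc_name"]."'");
+$DBRESULT = $pearDB->query("SELECT MAX(sc_id) FROM `service_categories` WHERE sc_name LIKE '".$pearDB->escape($_POST["sc_name"])."'");
 $data = $DBRESULT->fetchRow();
 }
 updateServiceCategoriesServices($data["MAX(sc_id)"]);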
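Review bot: `$_POST["sc_activate"]["sc_activate"]` on the last line of the INSERT is still interpolated unescaped, so this statement is only partly fixed; it should go through `$pearDB->escape()` like the other fields or, since it is a flag, be reduced to a fixed set of values first (`$activate = $_POST["sc_activate"]["sc_activate"] == "1" ? "1" : "0";`). The `level` and `icon_id` values on the two context lines above it are inserted without surrounding quotes, and `escape()` only neutralises quote and backslash characters, so in that unquoted position it does not constrain the value — a `(int)` cast is the appropriate guard there. Separately, the `SELECT MAX(sc_id) ... LIKE` lookup is wildcard-sensitive (`%` and `_` are not touched by `escape()`), so a name containing them can return another category's id; `=` is the intended comparison.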

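--- a/www/include/configuration/configObject/service_template_model/formServiceTemplateModel.php
+++ b/www/include/configuration/configObject/service_template_model/formServiceTemplateModel.php
@@ -186,7 +186,7 @@ function myDecodeSvTP($arg) {
 */
 $svc_tmplt_who_use_me = array();
 if (isset($_GET["service_id"]) && $_GET["service_id"]) {
-$DBRESULT = $pearDB->query("SELECT service_description, service_id FROM service WHERE service_template_model_stm_id = '".$_GET["service_id"]."'");
+$DBRESULT = $pearDB->query("SELECT service_description, service_id FROM service WHERE service_template_model_stm_id = '".$pearDB->escape($_GET["service_id"])."'");
 while ($service_tmpl_father = $DBRESULT->fetchRow()) {
 $svc_tmplt_who_use_me[$service_tmpl_father["service_id"]] = $service_tmpl_father["service_description"];
 }
@@ -196,7 +196,7 @@ function myDecodeSvTP($arg) {
 /*
 * Service Templates comes from DB -> Store in $svTpls Array
 */
-$svTpls = array(NULL=>NULL);
+$svTpls = array(NULL => NULL);
 $DBRESULT = $pearDB->query("SELECT service_id, service_description, service_template_model_stm_id FROM service WHERE service_register = '0' AND service_id != '".$service_id."' ORDER BY service_description");
 while ($svTpl = $DBRESULT->fetchRow()) {
 if (!$svTpl["service_description"]) {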
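Review bot: In the second hunk, `$service_id` is still concatenated unescaped into `service_id != '".$service_id."'` while the `$_GET["service_id"]` lookup in the first hunk was escaped; where `$service_id` is assigned is outside this hunk, so if it originates from the request it needs the same treatment, e.g. `$svcId = (int) $service_id;` before the query. The `array(NULL => NULL)` change is whitespace only.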

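--- a/www/include/configuration/configObject/traps/GetXMLTrapsForVendor.php
+++ b/www/include/configuration/configObject/traps/GetXMLTrapsForVendor.php
@@ -36,46 +36,48 @@
 *
 */
 
-include_once("@CENTREON_ETC@/centreon.conf.php");
+include_once("@CENTREON_ETC@/centreon.conf.php");
 
-require_once $centreon_path . "/www/class/centreonDB.class.php";
-require_once $centreon_path . "/www/class/centreonXML.class.php";
+require_once $centreon_path . "/www/class/centreonDB.class.php";
+require_once $centreon_path . "/www/class/centreonXML.class.php";
 
-/** ************************************
-* start init db
-*/
-$pearDB = new CentreonDB();
+/** ************************************
+* start init db
+*/
+$pearDB = new CentreonDB();
+
+/** ************************************
+* start XML Flow
+*/
+$buffer = new CentreonXML();
+$buffer->startElement("traps");
+
+$mnftr_id = $pearDB->escape($_POST["mnftr_id"]);
 
-/** ************************************
-* start XML Flow
-*/
-$buffer = new CentreonXML();
-$buffer->startElement("traps");
+$empty = 0;
+if (isset($_POST["mnftr_id"])){
+$traps = array();
+if ($_POST["mnftr_id"] == -1) {
+$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps ORDER BY traps_name");
+} else if ($_POST["mnftr_id"] == -2) {
+$empty = 1;
+} else if ($_POST["mnftr_id"] != 0) {
+$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps WHERE manufacturer_id = " . $mnftr_id . " ORDER BY traps_name");
+}
 
-$empty = 0;
-if (isset($_POST["mnftr_id"])){
-$traps = array();
-if ($_POST["mnftr_id"] == -1) {
-$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps ORDER BY traps_name");
-} else if ($_POST["mnftr_id"] == -2) {
-$empty = 1;
-} else if ($_POST["mnftr_id"] != 0) {
-$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps WHERE manufacturer_id = " . $_POST["mnftr_id"]. " ORDER BY traps_name");
-}
+if ($empty != 1) {
+while ($trap = $DBRESULT->fetchRow()){
+$buffer->startElement("trap");
+$buffer->writeElement("id", $trap["traps_id"]);
+$buffer->writeElement("name", $trap["traps_name"]);
+$buffer->endElement();
+}
+$DBRESULT->free();
+}
+} else {
+$buffer->writeElement("error", "mnftr_id not found");
+}
+$buffer->endElement();
 
-if ($empty != 1) {
-while ($trap = $DBRESULT->fetchRow()){
-$buffer->startElement("trap");
-$buffer->writeElement("id", $trap["traps_id"]);
-$buffer->writeElement("name", $trap["traps_name"]);
-$buffer->endElement();
-}
-$DBRESULT->free();
-}
-} else {
-$buffer->writeElement("error", "mnftr_id not found");
-}
-$buffer->endElement();
-header('Content-Type: text/xml');
-$buffer->output();
-?>
+header('Content-Type: text/xml');
+$buffer->output();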
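Review bot: `$mnftr_id = $pearDB->escape($_POST["mnftr_id"]);` at new line 55 is evaluated before the `isset($_POST["mnftr_id"])` check and is then concatenated unquoted into `manufacturer_id = " . $mnftr_id`; in an unquoted numeric position `escape()` only neutralises quote and backslash characters, so it does not constrain the value. Casting is the right guard for an integer column: drop line 55 and write the last branch as `$DBRESULT = $pearDB->query("SELECT traps_id, traps_name FROM traps WHERE manufacturer_id = " . (int) $_POST["mnftr_id"] . " ORDER BY traps_name");`. Also, when `mnftr_id` is `0` none of the branches assigns `$DBRESULT`, yet `$empty` stays `0` and the following `while ($trap = $DBRESULT->fetchRow())` dereferences an undefined variable; setting `$empty = 1;` in that case, or initialising `$DBRESULT = null;` and testing it before the loop, closes that path. Removing the trailing `?>` is a good change on its own.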

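--- a/www/include/configuration/configObject/traps/xml/additionalRowXml.php
+++ b/www/include/configuration/configObject/traps/xml/additionalRowXml.php
@@ -52,7 +52,7 @@
 */
 require_once ($centreon_path . "www/class/centreonSession.class.php");
 require_once ($centreon_path . "www/class/centreon.class.php");
-if(!isset($_SESSION['centreon'])) {
+if (!isset($_SESSION['centreon'])) {
 CentreonSession::start();
 }
 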
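--- a/www/include/eventLogs/XmlTree/GetXmlTree.php
+++ b/www/include/eventLogs/XmlTree/GetXmlTree.php
@@ -171,7 +171,7 @@ function getServiceGroupSearch($search = NULL) {
 
 $is_admin = isUserAdmin($_GET["sid"]);
 if (isset($_GET["sid"]) && $_GET["sid"]) {
-$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$_GET["sid"]."'");
+$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$pearDB->escape($_GET["sid"])."'");
 $session = $DBRESULT->fetchRow();
 $access = new CentreonAcl($session["user_id"], $is_admin);
 $lca = array("LcaHost" => $access->getHostServices(($oreon->broker->getBroker() == "ndo" ? $pearDBndo : $pearDBO)), "LcaHostGroup" => $access->getHostGroups(), "LcaSG" => $access->getServiceGroups());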

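--- a/www/include/options/accessLists/reloadACL/reloadACL.php
+++ b/www/include/options/accessLists/reloadACL/reloadACL.php
@@ -48,7 +48,7 @@
 require_once 'HTML/QuickForm/Renderer/ArraySmarty.php';
 
 if (isset($_GET["o"]) && $_GET["o"] == "r"){
-$pearDB->query("UPDATE session SET update_acl = '1' WHERE session_id = '".$_GET["session_id"]."'");
+$pearDB->query("UPDATE session SET update_acl = '1' WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
 $pearDB->query("UPDATE acl_resources SET changed = '1'");
 $msg = new CentreonMsg();
 $msg->setTextStyle("bold");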
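Review bot: The ACL-refresh write is triggered by a GET request whose target row is chosen by the caller-supplied `session_id`; the escaping closes the injection, but any authorisation that restricts who may trigger it lies outside the hunk and should be confirmed, and a state-changing action on GET without a request token remains exposed to cross-site request forgery. The same shape appears in connected_user.php (`DELETE FROM session`) and syncDir.php. If the intent is to act on the caller's own session, `session_id()` from the cookie-backed session is a safer source than the query string.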

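--- a/www/include/options/media/images/syncDir.php
+++ b/www/include/options/media/images/syncDir.php
@@ -55,7 +55,7 @@
 exit ;
 
 if (isset($_GET["session_id"])) {
-$DBRESULT = $pearDB->query("SELECT * FROM session WHERE session_id = '".$_GET["session_id"]."'");
+$DBRESULT = $pearDB->query("SELECT * FROM session WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
 if ($DBRESULT->numRows() == 0)
 exit();
 }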

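--- a/www/include/options/session/connected_user.php
+++ b/www/include/options/session/connected_user.php
@@ -46,7 +46,7 @@
 require_once "./class/centreonMsg.class.php";
 
 if (isset($_GET["o"]) && $_GET["o"] == "k"){
-$pearDB->query("DELETE FROM session WHERE session_id = '".$_GET["session_id"]."'");
+$pearDB->query("DELETE FROM session WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
 $msg = new CentreonMsg();
 $msg->setTextStyle("bold");
 $msg->setText(_("User kicked"));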

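--- a/www/include/views/graphs/GetXmlTree.php
+++ b/www/include/views/graphs/GetXmlTree.php
@@ -97,7 +97,7 @@
 
 $is_admin = isUserAdmin($_GET["sid"]);
 if (isset($_GET["sid"]) && $_GET["sid"]){
-$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$_GET["sid"]."'");
+$DBRESULT = $pearDB->query("SELECT user_id FROM session where session_id = '".$pearDB->escape($_GET["sid"])."'");
 $session = $DBRESULT->fetchRow();
 $access = new CentreonAcl($session["user_id"], $is_admin);
 $lca = array("LcaHost" => $access->getHostServices($pearDBndo), "LcaHostGroup" => $access->getHostGroups(), "LcaSG" => $access->getServiceGroups());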

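--- a/www/include/views/graphs/common/makeXML_ListMetrics.php
+++ b/www/include/views/graphs/common/makeXML_ListMetrics.php
@@ -90,7 +90,7 @@ function compare($a, $b) {
 $where = " AND def_type='".$_GET["vdef"]."'";
 
 if (isset($_GET["index_id"]) && $_GET["index_id"] != 0) {
-$pq_sql = $pearDBO->query("SELECT metric_id, metric_name FROM metrics as ms, index_data as ixd WHERE ms.index_id = ixd.id and ms.index_id='".$_GET["index_id"]."';");
+$pq_sql = $pearDBO->query("SELECT metric_id, metric_name FROM metrics as ms, index_data as ixd WHERE ms.index_id = ixd.id and ms.index_id='".$pearDB->escape($_GET["index_id"])."';");
 while($fw_sql = $pq_sql->fetchRow()) {
 $sd_l = strlen($fw_sql["metric_name"]);
 $fw_sql["metric_name"] = $fw_sql["metric_name"]."   ";
@@ -99,7 +99,7 @@ function compare($a, $b) {
 $mx_l = $sd_l;
 }
 $pq_sql->free();
-$pq_sql = $pearDB->query("SELECT vmetric_id, vmetric_name, def_type FROM virtual_metrics WHERE index_id='".$_GET["index_id"]."'".$where.";");
+$pq_sql = $pearDB->query("SELECT vmetric_id, vmetric_name, def_type FROM virtual_metrics WHERE index_id='".$pearDB->escape($_GET["index_id"])."'".$where.";");
 
 while($fw_sql = $pq_sql->fetchRow()) {
 $sd_l = strlen($fw_sql["vmetric_name"]." [CDEF]");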
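Review bot: `$_GET["vdef"]` is still interpolated unescaped into `$where` on the first context line of the first hunk, and `$where` is appended to the `virtual_metrics` query fixed in the second hunk, so that statement remains injectable through a different parameter; `$where = " AND def_type='".$pearDB->escape($_GET["vdef"])."'";` closes it. Note also that the `metrics` query runs on `$pearDBO` but is escaped with `$pearDB->escape()`; whether the two wrappers escape identically depends on CentreonDB, which is outside this page. Since `index_id` is compared as a number in both queries, `(int) $_GET["index_id"]` would serve them regardless of which connection they use.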

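--- a/www/include/views/graphs/graphStatus/displayServiceStatus.php
+++ b/www/include/views/graphs/graphStatus/displayServiceStatus.php
@@ -36,7 +36,7 @@
 *
 */
 function escape_command($command) {
-return preg_replace("/(\\\$|`)/", "", $command);
+return preg_replace("/(\\\$|;`)/", "", $command);
 }
 
 require_once "@CENTREON_ETC@/centreon.conf.php";
@@ -71,7 +71,7 @@ function getStatusDBDir($pearDBO){
 * Verify if session is active
 */
 
-$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$_GET["session_id"]."'");
+$session = $pearDB->query("SELECT * FROM `session` WHERE session_id = '".$pearDB->escape($_GET["session_id"])."'");
 if (!$session->numRows()){
 
 $image = imagecreate(250,100);
@@ -142,8 +142,11 @@ function getStatusDBDir($pearDBO){
 /*
 * get all template infos
 */
+if (!is_numeric($template_id)) {
+exit();
+}
 
-$DBRESULT = $pearDB->query("SELECT * FROM giv_graphs_template WHERE graph_id = '".$template_id."' LIMIT 1");
+$DBRESULT = $pearDB->query("SELECT * FROM giv_graphs_template WHERE graph_id = '".$pearDB->escape($template_id)."' LIMIT 1");
 $GraphTemplate = $DBRESULT->fetchRow();
 if (is_null($GraphTemplate))
 {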
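Review bot: The new `escape_command` pattern in the first hunk is, after PHP string unescaping, the regex `(\$|;` followed by a backtick and `)`, whose second alternative matches the two-character sequence semicolon-then-backtick rather than either character on its own; a lone backtick is therefore no longer stripped, which is a regression from the old pattern. The intended form is the three-way alternation `` return preg_replace("/(\\\$|;|`)/", "", $command); ``. If `$command` is ultimately handed to a shell (the call site is outside the hunk), removing a short list of metacharacters is still weaker than `escapeshellarg()` applied to each argument. The getStats.php hunk header names its own `escape_command`, which this commit leaves untouched; the two copies should be kept consistent.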
