Fix some xss injection for sysLocation and some other fields (#15183)
Reported by [Zluudg](https://huntr.dev/users/zluudg/)
murrant committed Aug 2, 2023
1 parent d810c7a commit 3252ea3
Showing 6 changed files with 22 additions and 22 deletions.
6 changes: 3 additions & 3 deletions app/Http/Controllers/Table/DeviceController.php
Expand Up @@ -153,10 +153,10 @@ public function formatItem($device)
'icon' => '<img src="' . asset($device->icon) . '" title="' . pathinfo($device->icon, PATHINFO_FILENAME) . '">',
'hostname' => $this->getHostname($device),
'metrics' => $this->getMetrics($device),
'hardware' => Rewrite::ciscoHardware($device),
'os' => $this->getOsText($device),
'hardware' => htmlspecialchars(Rewrite::ciscoHardware($device)),
'os' => htmlspecialchars($this->getOsText($device)),
'uptime' => (! $device->status && ! $device->last_polled) ? __('Never polled') : Time::formatInterval($device->status ? $device->uptime : $device->last_polled->diffInSeconds(), true),
'location' => $this->getLocation($device),
'location' => htmlspecialchars($this->getLocation($device)),
'actions' => view('device.actions', ['actions' => $this->getActions($device)])->__toString(),
'device_id' => $device->device_id,
];
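Review bot: The new `htmlspecialchars()` calls on the `hardware`, `os` and `location` entries rely on PHP's default flags, and ENT_QUOTES only became part of that default in PHP 8.1; on an older runtime a single quote in sysLocation passes through and can still close a single-quoted attribute in whatever renders this row. Passing the flags explicitly makes the escaping independent of the interpreter version, e.g. `'location' => htmlspecialchars($this->getLocation($device), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),` and likewise for the two lines above it. The `title` attribute on the `icon` line is still built from `$device->icon` without escaping; if that value can be set by a user it is the same class of issue. formatItem's body continues outside the hunk.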
2 changes: 1 addition & 1 deletion app/Http/Controllers/Table/LocationController.php
Expand Up @@ -79,7 +79,7 @@ public function formatItem($location)
{
return [
'id' => $location->id,
'location' => $location->location,
'location' => htmlspecialchars($location->location),
'lat' => $location->lat,
'lng' => $location->lng,
'down' => $location->devices()->isDown()->count(),
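Review bot: `$location->lat` and `$location->lng` on the two lines after the newly escaped `location` still go out raw; if those attributes are numeric columns that is fine, but if they are stored or editable as strings they need the same treatment as `location`. A cheap way to pin that down is to force the type at the formatter, e.g. `'lat' => $location->lat === null ? null : (float) $location->lat,` (and the same for `lng`), which cannot carry markup regardless of what the model holds — confirm against the schema before relying on it. As with the other escapes in this commit, passing `ENT_QUOTES | ENT_SUBSTITUTE` explicitly avoids depending on the PHP 8.1 default. The rest of formatItem's return array continues outside the hunk.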
2 changes: 1 addition & 1 deletion includes/html/forms/get-host-dependencies.inc.php
Expand Up @@ -73,7 +73,7 @@
}

$hostname = format_hostname($myrow);
$sysname = ($hostname == $myrow['sysName']) ? $myrow['hostname'] : $myrow['sysName'];
$sysname = htmlspecialchars(($hostname == $myrow['sysName']) ? $myrow['hostname'] : $myrow['sysName']);
array_push($res_arr, ['deviceid' => $myrow['id'], 'hostname' => $hostname, 'sysname' => $sysname, 'parent' => $parent, 'parentid' => $myrow['parentid']]);
}
$status = ['current' => $_POST['current'], 'rowCount' => $_POST['rowCount'], 'rows' => $res_arr, 'total' => $rec_count];
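Review bot: `$hostname` from `format_hostname($myrow)` on the line above the change is pushed into the same row unescaped; format_hostname is not visible here, but if it can return the device's sysName (a display-name helper often does when configured to prefer it) the value this commit escapes still reaches the client through the `hostname` key. Unless that helper escapes its result, escape it where it enters the row so the `==` comparison keeps operating on raw values: `array_push($res_arr, ['deviceid' => $myrow['id'], 'hostname' => htmlspecialchars($hostname), 'sysname' => $sysname, 'parent' => $parent, 'parentid' => $myrow['parentid']]);`. Separately, `$_POST['current']` and `$_POST['rowCount']` are reflected into `$status` untouched; casting them with `(int)` keeps the response shape fixed. The enclosing loop starts outside the hunk.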
30 changes: 15 additions & 15 deletions includes/html/pages/devices.inc.php
Expand Up @@ -344,21 +344,21 @@
},
post: function () {
return {
format: '<?php echo $vars['format']; ?>',
format: '<?php echo htmlspecialchars($vars['format']); ?>',
searchPhrase: '<?php echo htmlspecialchars($vars['searchquery'] ?? ''); ?>',
os: '<?php echo $vars['os'] ?? ''; ?>',
version: '<?php echo $vars['version'] ?? ''; ?>',
hardware: '<?php echo $vars['hardware'] ?? ''; ?>',
features: '<?php echo $vars['features'] ?? ''; ?>',
location: '<?php echo $vars['location'] ?? ''; ?>',
type: '<?php echo $vars['type'] ?? ''; ?>',
state: '<?php echo $vars['state'] ?? ''; ?>',
disabled: '<?php echo $vars['disabled'] ?? ''; ?>',
ignore: '<?php echo $vars['ignore'] ?? ''; ?>',
disable_notify: '<?php echo $vars['disable_notify'] ?? ''; ?>',
group: '<?php echo $vars['group'] ?? ''; ?>',
poller_group: '<?php echo $vars['poller_group'] ?? ''; ?>',
device_id: '<?php echo $vars['device_id'] ?? ''; ?>',
os: '<?php echo htmlspecialchars($vars['os'] ?? ''); ?>',
version: '<?php echo htmlspecialchars($vars['version'] ?? ''); ?>',
hardware: '<?php echo htmlspecialchars($vars['hardware'] ?? ''); ?>',
features: '<?php echo htmlspecialchars($vars['features'] ?? ''); ?>',
location: '<?php echo htmlspecialchars($vars['location'] ?? ''); ?>',
type: '<?php echo htmlspecialchars($vars['type'] ?? ''); ?>',
state: '<?php echo htmlspecialchars($vars['state'] ?? ''); ?>',
disabled: '<?php echo htmlspecialchars($vars['disabled'] ?? ''); ?>',
ignore: '<?php echo htmlspecialchars($vars['ignore'] ?? ''); ?>',
disable_notify: '<?php echo htmlspecialchars($vars['disable_notify'] ?? ''); ?>',
group: '<?php echo htmlspecialchars($vars['group'] ?? ''); ?>',
poller_group: '<?php echo htmlspecialchars($vars['poller_group'] ?? ''); ?>',
device_id: '<?php echo htmlspecialchars($vars['device_id'] ?? ''); ?>',
};
},
url: "<?php echo url('/ajax/table/device') ?>"
Expand All @@ -372,7 +372,7 @@
"<form method='post' action='' class='form-inline devices-search-header' role='form'>" +
"<?php echo addslashes(csrf_field()) ?>"+
"<div class='form-group'>" +
"<input type='text' name='searchquery' id='searchquery' value='<?php echo $vars['searchquery'] ?? ''; ?>' class='form-control' placeholder='Search'>" +
"<input type='text' name='searchquery' id='searchquery' value='<?php echo htmlspecialchars($vars['searchquery'] ?? ''); ?>' class='form-control' placeholder='Search'>" +
"</div>" +
"<div class='form-group'><?php echo $state_selection ?></div>" +
"<div class='form-group'><select name='os' id='os' class='form-control'></select></div>" +
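Review bot: The values on the `format:` through `device_id:` lines are emitted inside single-quoted JavaScript string literals, and `htmlspecialchars()` is an HTML-context escaper: a trailing backslash passes through and escapes the closing quote, breaking the script, and on PHP before 8.1 (where ENT_QUOTES is not the default) a single quote closes the literal outright. Because `<script>` content is not entity-decoded, a filter value containing `&` is also now posted back as `&amp;`, so the server-side filter no longer matches what the user typed. Encoding each value as a JSON string is the right tool for this context, e.g. `format: <?php echo json_encode($vars['format'] ?? '', JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP); ?>,` applied to every line of the object literal; that also gives `format` the `?? ''` default the other keys have. The `value='…'` attribute in the search form further down is an HTML attribute inside a JS string, so it at least needs `ENT_QUOTES` passed explicitly to hold on older runtimes. The surrounding script block starts and ends outside the hunk.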
2 changes: 1 addition & 1 deletion includes/html/pages/services.inc.php
Expand Up @@ -134,7 +134,7 @@
foreach (dbFetchRows($host_sql, $host_par) as $device) {
$device_id = $device['device_id'];
$device_hostname = $device['hostname'];
$device_sysName = $device['sysName'];
$device_sysName = htmlspecialchars($device['sysName']);
$devlink = generate_device_link($device, null, ['tab' => 'services']);
if ($shift == 1) {
array_unshift($sql_param, $device_id);
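Review bot: `$device_sysName` is now escaped at the point it is read while `$device_hostname` on the line above is not, and both are used further down outside the hunk; unless the hostname is only ever rendered through a helper that escapes it, it needs the same treatment. Escaping at the read also means any later non-HTML use of `$device_sysName` (a URL parameter, a log line, a comparison) receives entity-encoded text, so escaping at the output site is the safer long-term shape — if both values only ever land in HTML, the minimal consistent change is `$device_hostname = htmlspecialchars($device['hostname']);`. The foreach body continues outside the hunk.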
2 changes: 1 addition & 1 deletion includes/html/table/alerts.inc.php
Expand Up @@ -194,7 +194,7 @@
'details' => '<a class="fa-solid fa-plus incident-toggle" style="display:none" data-toggle="collapse" data-target="#incident' . $alert['id'] . '" data-parent="#alerts"></a>',
'verbose_details' => "<button type='button' class='btn btn-alert-details command-alert-details' aria-label='Details' id='alert-details' data-alert_log_id='{$alert_log_id}'><i class='fa-solid fa-circle-info'></i></button>",
'hostname' => $hostname,
'location' => generate_link($alert['location'], ['page' => 'devices', 'location' => $alert['location']]),
'location' => generate_link(htmlspecialchars($alert['location']), ['page' => 'devices', 'location' => $alert['location']]),
'timestamp' => ($alert['timestamp_display'] ? $alert['timestamp_display'] : 'N/A'),
'severity' => $severity_ico,
'state' => $alert['state'],
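Review bot: On the `location` line the link text is now escaped but the raw `$alert['location']` is still passed to `generate_link` as the `location` query value; that is only safe if generate_link URL-encodes the parameters it builds into the `href`, which is not visible here and is worth confirming, since a `"` in sysLocation would otherwise close the attribute. If it does not encode, pass `'location' => rawurlencode($alert['location'])` or add the encoding inside the helper so every caller benefits. The `hostname` entry on the line above is emitted raw too; where it is built is outside the hunk. The enclosing array construction starts outside the hunk.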
