Fixed Security issues regarding SQL Injection under special circumsta…

…nces.

This was only possible for logged in users.
This was reported @ http://www.exploit-db.com/exploits/24269/

detail.php

@@ -45,9 +45,10 @@
 if ( empty($_GET["id"]) ){
     NConf_DEBUG::set("No id", 'ERROR');
 }else{
-    $item_id = $_GET["id"];
-    $item_class = db_templates("class_name", $_GET["id"]);
-    $item_name = db_templates("naming_attr", $_GET["id"]);
+    // Be sure ID it is an integer - fixes injecting issues
+    $item_id = (int) $_GET["id"];
+    $item_class = db_templates("class_name", $item_id);
+    $item_name = db_templates("naming_attr", $item_id);
 }
 // end / exit page if error
 if ( NConf_DEBUG::status('ERROR') ) {
@@ -76,17 +77,17 @@
 			$output = '';
 
 			// Edit
-			$output .= ( !isset($_GET["xmode"]) ) ?  '<a href="handle_item.php?item='.$item_class.'&amp;id='.$_GET["id"].'">'.ICON_EDIT.'</a>' : '';
+			$output .= ( !isset($_GET["xmode"]) ) ?  '<a href="handle_item.php?item='.$item_class.'&amp;id='.$item_id.'">'.ICON_EDIT.'</a>' : '';
 			// Clone
-			$output .= ( $item_class == "host" ) ? '<a href="clone_host.php?class='.$item_class.'&amp;id='.$_GET["id"].'">'.ICON_CLONE.'</a>' : '';
+			$output .= ( $item_class == "host" ) ? '<a href="clone_host.php?class='.$item_class.'&amp;id='.$item_id.'">'.ICON_CLONE.'</a>' : '';
 			// Delete
-			$output .= ( !isset($_GET["xmode"]) ) ?  '<a href="delete_item.php?item='.$item_class.'&amp;ids='.$_GET["id"].'&amp;from='.$from_url.'">'.ICON_DELETE.'</a>' : '';
+			$output .= ( !isset($_GET["xmode"]) ) ?  '<a href="delete_item.php?item='.$item_class.'&amp;ids='.$item_id.'&amp;from='.$from_url.'">'.ICON_DELETE.'</a>' : '';
 			// Services
-			$output .= ( $item_class == "host" ) ? '<a href="modify_item_service.php?id='.$_GET["id"].'">'.ICON_SERVICES.'</a>' : '';
+			$output .= ( $item_class == "host" ) ? '<a href="modify_item_service.php?id='.$item_id.'">'.ICON_SERVICES.'</a>' : '';
 			// History
-			$output .= '<a href="history.php?item='.$item_class.'&amp;id='.$_GET["id"].'&amp;from='.$from_url.'">'.ICON_HISTORY.'</a>';
+			$output .= '<a href="history.php?item='.$item_class.'&amp;id='.$item_id.'&amp;from='.$from_url.'">'.ICON_HISTORY.'</a>';
 			// Parent child
-			$output .= ( $item_class == "host" ) ? '<a href="dependency.php?id='.$_GET["id"].'">'.ICON_PARENT_CHILD.'</a>' : '';
+			$output .= ( $item_class == "host" ) ? '<a href="dependency.php?id='.$item_id.'">'.ICON_PARENT_CHILD.'</a>' : '';
 
 			echo $output;
 
@@ -112,7 +113,7 @@
                             WHERE id_attr=fk_id_attr
                             AND id_item=fk_id_item
                             AND ConfigAttrs.visible="yes" 
-                            AND id_item='.$_GET["id"].'
+                            AND id_item='.$item_id.'
                             ORDER BY ConfigAttrs.ordering';
 
     $result = db_handler($query, "array", "get basic entries");
@@ -145,7 +146,7 @@
                                 AND ConfigAttrs.visible="yes"
                                 AND fk_id_class=id_class
                                 AND (SELECT naming_attr FROM ConfigAttrs WHERE id_attr=ConfigValues.fk_id_attr)="yes"
-                                AND ItemLinks.fk_id_item='.$_GET["id"].'
+                                AND ItemLinks.fk_id_item='.$item_id.'
                             ORDER BY
                                 ConfigAttrs.friendly_name DESC,
                                 ItemLinks.cust_order,
@@ -156,7 +157,7 @@
 
 
     # get entries
-    $result = db_templates("linked_as_child", $_GET["id"], '', '', 'array');
+    $result = db_templates("linked_as_child", $item_id, '', '', 'array');
     echo table_output($result, $item_class, "Child items linked");
 
 
@@ -291,11 +292,11 @@
 if we want to change that, we have to get all normal types, and then group the child or bidirectionals as follows:
 
 # get entries linked as child
-$result = db_templates("linked_as_child", $_GET["id"], "link_as_child");
+$result = db_templates("linked_as_child", $item_id, "link_as_child");
 table_output($result, $item_class, "Child items linked");
 
 # get bidirectional entries
-$result = db_templates("linked_as_child", $_GET["id"], "link_bidirectional");
+$result = db_templates("linked_as_child", $item_id, "link_bidirectional");
 table_output($result, $item_class, "Bidirectional items");
 
 */

detail_admin_items.php

@@ -5,7 +5,8 @@
 
 # Get ID
 if ( !empty($_REQUEST["id"]) ){
-    $id = $_REQUEST["id"];
+    // Be sure ID it is an integer - fixes injecting issues
+    $id = (int) $_REQUEST["id"];
 }else{
     NConf_DEBUG::set("No id", 'ERROR');
 }
@@ -125,11 +126,11 @@
 
             if(!isset($_GET["xmode"])){
                 if ($type == "attr"){
-                    echo '<a href="modify_attr.php?id='.$_GET["id"].'">'.ICON_EDIT.'</a>';
-                    echo '<a href="delete_attr.php?id='.$_GET["id"].'">'.ICON_DELETE.'</a>';
+                    echo '<a href="modify_attr.php?id='.$id.'">'.ICON_EDIT.'</a>';
+                    echo '<a href="delete_attr.php?id='.$id.'">'.ICON_DELETE.'</a>';
                 }elseif($type == "class"){
-                    echo '<a href="modify_class.php?id='.$_GET["id"].'">'.ICON_EDIT.'</a>';
-                    echo '<a href="delete_class.php?id='.$_GET["id"].'">'.ICON_DELETE.'</a>';
+                    echo '<a href="modify_class.php?id='.$id.'">'.ICON_EDIT.'</a>';
+                    echo '<a href="delete_class.php?id='.$id.'">'.ICON_DELETE.'</a>';
                 }
             }
         echo '</div>';

include/tabs/history.php

@@ -30,10 +30,10 @@
         echo '<div>';
 
 
-if ( !empty($_GET["id"]) ){
+if ( !empty($item_id) ){
     # Normal query
     $query = 'SELECT timestamp, action, attr_name FROM History
-            WHERE fk_id_item='.$_GET["id"].'
+            WHERE fk_id_item='.$item_id.'
             AND action <> "edited"
             ORDER BY timestamp DESC, id_hist DESC
             LIMIT '.HISTORY_TAB_LIMIT.';';
@@ -52,7 +52,7 @@
                 <td colspan=2>Last '.HISTORY_TAB_LIMIT.' changes:</td>
                 <td>
                     <div align="right">
-                        <a href="history.php?id='.$_GET["id"].'">show all changes</a>
+                        <a href="history.php?id='.$item_id.'">show all changes</a>
                     </div>
                 </td>
               </tr>';
@@ -84,8 +84,8 @@
                 echo '<td>'.$timestamp.'</td>';
                 echo '<td>'.$entry["action"].'</td>';
                 echo '<td>';
-                    if ( !empty($_GET["id"]) ){
-                        echo '&nbsp<a href="history.php?id='.$_GET["id"].'&amp;filter='.$entry["attr_name"].'">'.$entry["attr_name"].'</a>';
+                    if ( !empty($item_id) ){
+                        echo '&nbsp<a href="history.php?id='.$item_id.'&amp;filter='.$entry["attr_name"].'">'.$entry["attr_name"].'</a>';
                     }else{
                         echo $entry["attr_name"];
                     }