
Commit 6c1f728

Bugfix: Security fix
- XSS (reflected) in 'find subnets'; Reported by Celso Bezerra <celso.bezerra@tempest.com.br>
1 parent 4b764b9 commit 6c1f728

4 files changed

+13
-3
lines changed


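--- a/app/admin/subnets/find_free_section_subnets.php
+++ b/app/admin/subnets/find_free_section_subnets.php
@@ -20,6 +20,9 @@
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$User->Crypto->csrf_cookie ("validate", "find_free_section_subnets", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";
+
 # verify that user has permissions to add subnet
 if($Sections->check_permission ($User->user, $_POST['sectionid']) != 3) { $Result->show("danger", _('You do not have permissions to add new subnet in this section')."!", true, true); }
 
@@ -92,7 +95,7 @@
 <td>
 <div class="input-group">
 <input type="text" class="form-control input-sm input-w-auto" name="results" value='50'>
-<input type="hidden" name="sectionid" value='<?php print $_POST['sectionid']; ?>'>
+<input type="hidden" name="sectionid" value='<?php print escape_input($_POST['sectionid']); ?>'>
 </div>
 
 </td>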
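Review bot: Escaping the hidden input fixes the reflection, but `$_POST['sectionid']` is still accepted as an arbitrary string: it reaches `check_permission` and the reflected value unvalidated, while subnets-menu.php already rejects a non-numeric `$_GET['section']` with `Invalid ID`. Adding the same guard before the permission check, `if(!isset($_POST['sectionid']) || !is_numeric($_POST['sectionid'])) { $Result->show("danger", _('Invalid ID'), true); }`, makes the reflected value numeric by construction and turns the `escape_input` call into a second layer rather than the only one. The new CSRF line also reads `$_POST['csrf_cookie']` with no `isset` check, so a request that omits the field presumably raises an undefined-index notice before the token is rejected, unless `csrf_cookie` guards that itself; `isset($_POST['csrf_cookie']) ? $_POST['csrf_cookie'] : ""` avoids it. The script continues outside both hunks.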

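--- a/app/subnets/subnets-menu.php
+++ b/app/subnets/subnets-menu.php
@@ -9,6 +9,9 @@
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf_ffss = $User->Crypto->csrf_cookie ("create-if-not-exists", "find_free_section_subnets");
+
 # ID must be numeric
 if(!is_numeric($_GET['section'])) { $Result->show("danger",_('Invalid ID'), true); }
 
@@ -133,7 +136,7 @@
 print " <span>";
 print " <div class='btn-group'>";
 print " <button id='add_subnet' class='btn btn-xs btn-default btn-success' rel='tooltip' data-container='body' data-placement='top' title='"._('Add new subnet to')." $section[name]' data-subnetId='' data-sectionId='$section[id]' data-action='add'><i class='fa fa-sm fa-plus'></i></button>";
-print " <button class='btn btn-xs btn-default btn-success open_popup' data-script='app/admin/subnets/find_free_section_subnets.php' data-class='700' rel='tooltip' data-container='body' data-placement='top' title='"._('Search for free subnets in section ')." $section[name]' data-sectionId='$section[id]'><i class='fa fa-sm fa-search'></i></button>";
+print " <button class='btn btn-xs btn-default btn-success open_popup' data-script='app/admin/subnets/find_free_section_subnets.php' data-csrf_cookie='$csrf_ffss' data-class='700' rel='tooltip' data-container='body' data-placement='top' title='"._('Search for free subnets in section ')." $section[name]' data-sectionId='$section[id]'><i class='fa fa-sm fa-search'></i></button>";
 # snmp
 if($User->settings->enableSNMP==1) {
 $csrf = $User->Crypto->csrf_cookie ("create", "scan");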
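Review bot: The rewritten button line still drops `$section[name]` straight into the single-quoted `title` attribute, and `$csrf_ffss` into `data-csrf_cookie`, without escaping, even though this same commit now routes reflected input through `escape_input`. Whether section names are sanitised on save is not visible here; if they are not, a name containing a quote breaks out of the attribute on a page every section member sees, and `title='"._('Search for free subnets in section ')." ".escape_input($section[name])."'` closes that, while the token interpolation is only safe if `csrf_cookie` returns characters that can never include a quote. The token is also created before the `is_numeric($_GET['section'])` check, which is harmless on its own but presumably issues a token for a request that is then rejected; moving the new lines below that check keeps the ordering tidy. The print statements belong to a block that starts outside the hunk.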

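--- a/functions/classes/class.Sections.php
+++ b/functions/classes/class.Sections.php
@@ -537,6 +537,9 @@ public function get_group_section_permissions ($gid, $name = true) {
 public function print_section_subnets_table($User, $sectionId, $showSupernetOnly = false) {
 $html = array();
 
+# create csrf token
+$csrf_ffss = $User->Crypto->csrf_cookie ("create-if-not-exists", "find_free_section_subnets");
+
 # set custom fields
 $Tools = new Tools ($this->Database);
 $custom = $Tools->fetch_custom_fields ("subnets");
@@ -556,7 +559,7 @@ public function print_section_subnets_table($User, $sectionId, $showSupernetOnly
 if ($permission>1) {
 $html[] = "<div class='btn-group'>";
 $html[] = '<button class="btn btn-sm btn-default btn-success editSubnet" data-action="add" data-sectionid="'.$sectionId.'" data-subnetId="" rel="tooltip" data-placement="left" title="'._('Add new subnet to section').'"><i class="fa fa-plus"></i> '._('Add subnet').'</button>';
-$html[] = "<button class='btn btn-sm btn-default btn-success open_popup' data-script='app/admin/subnets/find_free_section_subnets.php' data-class='700' rel='tooltip' data-container='body' data-placement='top' title='"._('Search for free subnets in section ')."' data-sectionId='$sectionId'><i class='fa fa-sm fa-search'></i> "._("Find subnet")."</button>";
+$html[] = "<button class='btn btn-sm btn-default btn-success open_popup' data-script='app/admin/subnets/find_free_section_subnets.php' data-csrf_cookie='$csrf_ffss' data-class='700' rel='tooltip' data-container='body' data-placement='top' title='"._('Search for free subnets in section ')."' data-sectionId='$sectionId'><i class='fa fa-sm fa-search'></i> "._("Find subnet")."</button>";
 $html[] = "</div>";
 }
 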
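Review bot: The token name `"find_free_section_subnets"` is now a silent contract between three files — this `create-if-not-exists` call, the identical one in app/subnets/subnets-menu.php, and the `validate` call in app/admin/subnets/find_free_section_subnets.php — and nothing records it; a comment on the new line, `# token name must match the "validate" call in app/admin/subnets/find_free_section_subnets.php`, would keep the next rename from silently breaking the check. The rewritten button also still interpolates `$sectionId` unescaped into `data-sectionId='$sectionId'`; this method takes it from the caller, so if any caller passes request input it deserves the same `escape_input` treatment the commit applies in find_free_section_subnets.php. `print_section_subnets_table` opens in the first hunk and its body runs past the second.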

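--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -87,6 +87,7 @@
 + SQL injection in edit-bgp-mapping-search.php;
 + Stored XSS in the "Site title" parameter;
 + XSS while uploading CVS files;
++ XSS (reflected) in 'find subnets';
 
 Translations:
 ----------------------------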
