From 6c1f72816d6ac634e9c174057e008717d959f351 Mon Sep 17 00:00:00 2001
From: Gary Allan
Date: Mon, 17 Jan 2022 22:14:10 +0000
Subject: [PATCH] Bugfix: Security fix - XSS (reflected) in 'find subnets'; Reported by Celso Bezerra
---
 app/admin/subnets/find_free_section_subnets.php | 5 ++++-
 app/subnets/subnets-menu.php | 5 ++++-
 functions/classes/class.Sections.php | 5 ++++-
 misc/CHANGELOG | 1 +
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/app/admin/subnets/find_free_section_subnets.php b/app/admin/subnets/find_free_section_subnets.php
index 5455eb706..86a90b8f9 100644
--- a/app/admin/subnets/find_free_section_subnets.php
+++ b/app/admin/subnets/find_free_section_subnets.php
@@ -20,6 +20,9 @@
 # verify that user is logged in
 $User->check_user_session();
+# validate csrf cookie
+$User->Crypto->csrf_cookie ("validate", "find_free_section_subnets", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";
+
 # verify that user has permissions to add subnet
 if($Sections->check_permission ($User->user, $_POST['sectionid']) != 3) { $Result->show("danger", _('You do not have permissions to add new subnet in this section')."!", true, true); }
@@ -92,7 +95,7 @@
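Review bot: The new CSRF check reads `$_POST['csrf_cookie']` directly, so a request that simply omits the field raises an undefined-index warning before `csrf_cookie()` gets to reject it, and the ternary-as-statement form hides that the `false` branch is the only effect. Prefer the same `if` shape as the permission check that follows it: `if ($User->Crypto->csrf_cookie("validate", "find_free_section_subnets", isset($_POST['csrf_cookie']) ? $_POST['csrf_cookie'] : '') === false) { $Result->show("danger", _("Invalid CSRF cookie"), true); }`, assuming the third `show()` argument terminates the request as the permission check already relies on. Separately, `$_POST['sectionid']` still reaches `check_permission()` unvalidated; subnets-menu.php guards its section id with `is_numeric()`, and the same guard here, `if (!is_numeric($_POST['sectionid'])) { $Result->show("danger", _('Invalid ID'), true); }`, rejects non-numeric input at the boundary independently of whatever output escaping the @@ -92 hunk applies, which is not legible in this rendering.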
- '> + '>
diff --git a/app/subnets/subnets-menu.php b/app/subnets/subnets-menu.php
index bf53330ee..115196003 100755
--- a/app/subnets/subnets-menu.php
+++ b/app/subnets/subnets-menu.php
@@ -9,6 +9,9 @@
 # verify that user is logged in
 $User->check_user_session();
+# create csrf token
+$csrf_ffss = $User->Crypto->csrf_cookie ("create-if-not-exists", "find_free_section_subnets");
+
 # ID must be numeric
 if(!is_numeric($_GET['section'])) { $Result->show("danger",_('Invalid ID'), true); }
@@ -133,7 +136,7 @@ print " "; print "
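Review bot: The token name `"find_free_section_subnets"` in the new `csrf_cookie()` call is a bare string literal that must match byte-for-byte the `"validate"` call in find_free_section_subnets.php and the identical `"create-if-not-exists"` line added to class.Sections.php, so a typo in any one copy fails only at request time. A shared constant, e.g. `const CSRF_FFSS = 'find_free_section_subnets';` on the class that owns `csrf_cookie()` (its definition is not on this page), referenced from all three sites, would make the coupling explicit. The choice of `"create-if-not-exists"` here, versus the `"create"` used for the scan token visible in the second hunk's context, presumably means one token is meant to be shared between the two places that render this form; a one-line comment such as `# shared with Sections::print_section_subnets_table - do not regenerate per render` would stop a later reader from "fixing" it to `"create"`.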
"; print " "; - print " "; + print " "; # snmp if($User->settings->enableSNMP==1) { $csrf = $User->Crypto->csrf_cookie ("create", "scan");
diff --git a/functions/classes/class.Sections.php b/functions/classes/class.Sections.php
index bfdb42f4b..ed38de459 100644
--- a/functions/classes/class.Sections.php
+++ b/functions/classes/class.Sections.php
@@ -537,6 +537,9 @@ public function get_group_section_permissions ($gid, $name = true) {
 public function print_section_subnets_table($User, $sectionId, $showSupernetOnly = false) {
 $html = array();
+ # create csrf token
+ $csrf_ffss = $User->Crypto->csrf_cookie ("create-if-not-exists", "find_free_section_subnets");
+
 # set custom fields
 $Tools = new Tools ($this->Database);
 $custom = $Tools->fetch_custom_fields ("subnets");
@@ -556,7 +559,7 @@ public function print_section_subnets_table($User, $sectionId, $showSupernetOnly if ($permission>1) { $html[] = "
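Review bot: `$csrf_ffss` is created unconditionally at the top of `print_section_subnets_table()`, while the second hunk's context shows the form it feeds is only emitted inside `if ($permission>1)`, so for read-only viewers the token call runs for nothing; if `"create-if-not-exists"` writes a cookie (its implementation is not on this page), that side effect happens for them as well. Moving the line into that branch, immediately before the `$html[]` line that embeds the token, keeps creation next to its single use. The method's body continues past the end of both hunks.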
"; $html[] = ''; - $html[] = ""; + $html[] = ""; $html[] = "
"; }
diff --git a/misc/CHANGELOG b/misc/CHANGELOG
index 4ecbecf64..a576281cd 100755
--- a/misc/CHANGELOG
+++ b/misc/CHANGELOG
@@ -87,6 +87,7 @@
 + SQL injection in edit-bgp-mapping-search.php;
 + Stored XSS in the "Site title" parameter;
 + XSS while uploading CVS files;
+ + XSS (reflected) in 'find subnets';
 Translations:
 ----------------------------