
Bugfix: XSS in subnet-scan-telnet.php, CSRF in subnet-scan-execute.php.

Fixes #2327
GaryAllan committed Dec 8, 2018
1 parent 89feb5a commit fd37bd8fb2b9c306079db505e0e3fe79a096c31c
@@ -4,11 +4,8 @@
* Discover new hosts with ping
*******************************/
# verify that user is logged in
$User->check_user_session();
# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }
# validate subnetId and type
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", "Invalid subnet Id", true); die(); }
@@ -4,17 +4,17 @@
* Discover new hosts with telnet scan
*******************************/
# verify that user is logged in
$User->check_user_session();
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }
# get ports
if(strlen($_POST['port'])==0) { $Result->show("danger", _('Please enter ports to scan').'!', true); }
if(empty($_POST['port'])) { $Result->show("danger", _('Please enter ports to scan').'!', true); }
//verify ports
$pcheck = explode(";", str_replace(",",";",$_POST['port']));
foreach($pcheck as $p) {
if(!is_numeric($p)) {
$Result->show("danger", _("Invalid port")." ($p)", true);
$Result->show("danger", _("Invalid port").' ('.escape_input($p).')', true);
}
}
$_POST['port'] = str_replace(";",",",$_POST['port']);
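Review bot: The per-port check at `if(!is_numeric($p))` still accepts values that are not TCP ports: `is_numeric` allows leading whitespace, a sign, decimals and exponents, so `1e3`, `-1` or `80.5` pass and are folded back into `$_POST['port']` on the last line of the hunk, whose consumer is outside this view. Ports are digits only, so a stricter test closes that gap, e.g. `if(!ctype_digit($p) || (int)$p < 1 || (int)$p > 65535) {`. The XSS part is right as far as the hunk shows: `escape_input($p)` is what stops the reflected value from being rendered as markup, assuming the `true` argument to `$Result->show` ends the request as the rest of the file appears to rely on. The switch to `empty($_POST['port'])` also rejects the string `"0"`, which is fine for ports but worth a comment such as `// empty() also rejects "0", which is not a usable port`.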
@@ -4,11 +4,8 @@
* Discover new hosts with snmp
*******************************/
# verify that user is logged in
$User->check_user_session();
# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }
//title
print "<h5>"._('Scan results').":</h5><hr>";
@@ -4,11 +4,8 @@
* Discover new hosts with snmp
*******************************/
# verify that user is logged in
$User->check_user_session();
# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }
//title
print "<h5>"._('Scan results').":</h5><hr>";
@@ -4,6 +4,9 @@
* Update alive status of all hosts in subnet
***************************/
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }
# validate subnetId and type
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", "Invalid subnet Id", true); die(); }
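Review bot: The new `$subnet_scan_execute_included` guard calls `$Result->show("danger", _("Invalid request"), true)` without a following `die()`, while the `subnetId` check on the very next line does add one; if the third argument does not itself terminate the request, a direct call to this script would print the message and continue into the scan. Either rely on `show()` ending the request consistently or make the guard explicit: `if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); die(); }`. The same guard is added to the other scan scripts in this commit, so whichever convention is chosen should be applied to all of them. The guard only means something because subnet-scan-execute.php sets `$subnet_scan_execute_included = true` before the `require`; a comment here pointing at that caller would help the next maintainer.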
@@ -4,8 +4,8 @@
* Discover new hosts with snmp
*******************************/
# verify that user is logged in
$User->check_user_session();
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }
# scan disabled
if ($User->settings->enableSNMP!="1") { $Result->show("danger", "SNMP module disbled", true); }
@@ -24,6 +24,9 @@
# check maintaneance mode
$User->check_maintaneance_mode ();
# validate csrf cookie
$User->Crypto->csrf_cookie ("validate", "scan", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";
# subnet Id must be a integer
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", _("Invalid ID"), true); }
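Review bot: The validation line reads `$_POST['csrf_cookie']` without checking it is set, so a request that omits the field raises an undefined-index notice before the comparison even runs; it also depends on `csrf_cookie()` returning exactly `false` on mismatch, which nothing in the hunk shows. A plain conditional with a default avoids the notice and reads as the check it is: `if ($User->Crypto->csrf_cookie("validate", "scan", isset($_POST['csrf_cookie']) ? $_POST['csrf_cookie'] : "") === false) { $Result->show("danger", _("Invalid CSRF cookie"), true); }`. As with the other `show()` calls in this commit, confirm that the `true` argument ends the request; otherwise a failed token check falls through to the scan dispatch below.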
@@ -43,29 +46,21 @@
# verify php path
if(!file_exists($Scan->php_exec)) { $Result->show("danger", _("Invalid php path"), true, true); }
# scan
switch ($_POST['type']) {
$type = $_POST['type'];
switch ($type) {
#scan
case "scan-icmp":
include("subnet-scan-execute-scan-icmp.php");
break;
case "scan-telnet":
include("subnet-scan-execute-scan-telnet.php");
break;
case "snmp-arp":
include("subnet-scan-execute-snmp-arp.php");
break;
case "snmp-mac":
include("subnet-scan-execute-snmp-mac.php");
break;
case "snmp-route-all":
include("subnet-scan-execute-snmp-route-all.php");
break;
# discovery
case "update-icmp":
include("subnet-scan-execute-update-icmp.php");
break;
case "update-snmp-arp":
include("subnet-scan-execute-update-snmp-arp.php");
$csrf = $_POST['csrf_cookie'];
$subnet_scan_execute_included = true;
require("subnet-scan-execute-$type.php");
break;
default:
$Result->show("danger", _("Invalid scan type"), true);
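Review bot: `require("subnet-scan-execute-$type.php")` builds an include path from `$_POST['type']`, and the only thing confining it to the seven scan scripts is that the `case` labels above fall through to the shared `require`; that holds as long as nobody later adds a `case` with its own body or a `default` that also requires, so it deserves a comment on the require line: `// $type is allow-listed by the case labels above; never require() it outside this switch`. PHP `switch` compares loosely, which is harmless for these non-numeric labels, but an explicit strict allow-list survives refactoring better: `$types = ["scan-icmp", "scan-telnet", "snmp-arp", "snmp-mac", "snmp-route-all", "update-icmp", "update-snmp-arp"]; if (!in_array($type, $types, true)) { $Result->show("danger", _("Invalid scan type"), true); } require("subnet-scan-execute-$type.php");`. `$csrf = $_POST['csrf_cookie']` hands the raw submitted token to the included script; if any of those scripts echo it back into HTML it must be escaped there, which this hunk cannot show. The `switch` statement closes after the end of the hunk.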
@@ -29,7 +29,7 @@
case "snmp-mac":
case "snmp-route-all":
$subnet_scan_result_included = true;
include("subnet-scan-result-$type.php");
require("subnet-scan-result-$type.php");
break;
default:
$Result->show("danger", _("Invalid scan type"), true);
@@ -17,6 +17,8 @@
# verify that user is logged in
$User->check_user_session();
# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# ID must be numeric
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", _("Invalid ID"), true, true); }
@@ -104,7 +106,7 @@
<div class="pFooter">
<div class="btn-group">
<button class="btn btn-sm btn-default hidePopups"><?php print _('Cancel'); ?></button>
<button class="btn btn-sm btn-default btn-success" id="subnetScanSubmit" data-subnetId='<?php print $_POST['subnetId']; ?>'><i class="fa fa-gears"></i> <?php print _('Scan subnet'); ?></button>
<button class="btn btn-sm btn-default btn-success" id="subnetScanSubmit" data-subnetId='<?php print $_POST['subnetId']; ?>' data-csrf-cookie='<?php print $csrf; ?>'><i class="fa fa-gears"></i> <?php print _('Scan subnet'); ?></button>
</div>

<div class="subnetTruncateResult"></div>
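Review bot: `data-csrf-cookie='<?php print $csrf; ?>'` and the neighbouring `data-subnetId='<?php print $_POST['subnetId']; ?>'` print values into single-quoted attributes without escaping. The subnet id is `is_numeric`-checked earlier in the file and the token comes from `csrf_cookie("create", ...)`, so neither is exploitable as shown, but a single quote in either would break out of the attribute, and wrapping both in the same `escape_input()` the telnet fix uses costs nothing: `data-subnetId='<?php print escape_input($_POST['subnetId']); ?>' data-csrf-cookie='<?php print escape_input($csrf); ?>'`. That `escape_input` is available in this template is inferred from its use in the telnet script, not shown here.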
@@ -4,7 +4,7 @@
/* set latest version */
define("VERSION_VISIBLE", "1.4"); //visible version in footer e.g 1.3.2
/* set latest revision */
define("REVISION", "030"); //increment on static content changes (js/css) or point releases to avoid caching issues
define("REVISION", "031"); //increment on static content changes (js/css) or point releases to avoid caching issues
/* set last possible upgrade */
define("LAST_POSSIBLE", "1.1"); //minimum required version to be able to upgrade
@@ -732,12 +732,13 @@ $(document).on('click','#subnetScanSubmit', function() {
showSpinner();
$('#subnetScanResult').slideUp('fast');
var subnetId = $(this).attr('data-subnetId');
var csrf = $(this).attr('data-csrf-cookie');
var type = $('select[name=type]').find(":selected").val();
if($('input[name=debug]').is(':checked')) { var debug = 1; }
else { var debug = 0; }
var port = $('input[name=telnetports]').val();
$('#alert-scan').slideUp('fast');
$.post('app/subnets/scan/subnet-scan-execute.php', {subnetId:subnetId, type:type, debug:debug, port:port}, function(data) {
$.post('app/subnets/scan/subnet-scan-execute.php', {subnetId:subnetId, type:type, debug:debug, port:port, csrf_cookie:csrf}, function(data) {
$('#subnetScanResult').html(data).slideDown('fast');
hideSpinner();
}).fail(function(jqxhr, textStatus, errorThrown) { showError(jqxhr.statusText + "<br>Status: " + textStatus + "<br>Error: "+errorThrown); }); return false;
@@ -53,6 +53,7 @@
+ XSS in print-user.php, CSRF in user-edit.php (#2326);
+ Possible SQL injection in nat/item-add-submit.php (#2344);
+ Fixed possible file inclusion in editing authenticaiton methods;
+ XSS in subnet-scan-telnet.php, CSRF in subnet-scan-execute.php (#2327);

== 1.3.2
