Bugfix: XSS in subnet-scan-telnet.php, CSRF in subnet-scan-execute.php.
Fixes #2327
GaryAllan committed Dec 8, 2018
1 parent 89feb5a commit fd37bd8
Showing 12 changed files with 33 additions and 40 deletions.
7 changes: 2 additions & 5 deletions app/subnets/scan/subnet-scan-execute-scan-icmp.php
Expand Up @@ -4,11 +4,8 @@
* Discover new hosts with ping
*******************************/

# verify that user is logged in
$User->check_user_session();

# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }

# validate subnetId and type
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", "Invalid subnet Id", true); die(); }
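Review bot: The `if (!isset($subnet_scan_execute_included))` guard replaces the per-file `$User->check_user_session()` call, so this file's authorization now rests on subnet-scan-execute.php having already run the session, maintenance-mode and CSRF checks before its `require`; only the latter two are visible in that dispatcher's hunk, so the session check is inferred. The comment should record that invariant so nobody sets the flag from another entry point: `# Only reachable via subnet-scan-execute.php, which has already verified the session, maintenance mode and CSRF token before requiring this file; never set $subnet_scan_execute_included elsewhere`. The guard also relies on the third argument of `$Result->show()` terminating the request; if that is not guaranteed in every configuration, an explicit `exit;` after the call closes the gap. The same guard and comment apply to the scan-telnet, snmp-arp, snmp-mac, update-icmp and update-snmp-arp files in this commit. The rest of this file continues outside the hunk.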
8 changes: 4 additions & 4 deletions app/subnets/scan/subnet-scan-execute-scan-telnet.php
Expand Up @@ -4,17 +4,17 @@
* Discover new hosts with telnet scan
*******************************/

# verify that user is logged in
$User->check_user_session();
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }

# get ports
if(strlen($_POST['port'])==0) { $Result->show("danger", _('Please enter ports to scan').'!', true); }
if(empty($_POST['port'])) { $Result->show("danger", _('Please enter ports to scan').'!', true); }

//verify ports
$pcheck = explode(";", str_replace(",",";",$_POST['port']));
foreach($pcheck as $p) {
if(!is_numeric($p)) {
$Result->show("danger", _("Invalid port")." ($p)", true);
$Result->show("danger", _("Invalid port").' ('.escape_input($p).')', true);
}
}
$_POST['port'] = str_replace(";",",",$_POST['port']);
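Review bot: The port check on the `if(!is_numeric($p))` line still accepts values such as `1e3`, `8.5` or ` 80`, because is_numeric() allows exponents, decimals, signs and leading whitespace, and the cleaned `$_POST['port']` is then passed on to the scan (outside this hunk) rather than rebuilt from validated values. Since a port must be an integer in 1–65535, I would tighten the loop body to `if(!ctype_digit($p) || (int)$p < 1 || (int)$p > 65535) {` and keep the escaped error output exactly as added. The switch to `empty()` is reasonable here: a port of `0` is invalid anyway, and it no longer raises a notice when the parameter is absent. The foreach is complete within the hunk; the code that consumes the port list continues below it.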
7 changes: 2 additions & 5 deletions app/subnets/scan/subnet-scan-execute-snmp-arp.php
Expand Up @@ -4,11 +4,8 @@
* Discover new hosts with snmp
*******************************/

# verify that user is logged in
$User->check_user_session();

# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }

//title
print "<h5>"._('Scan results').":</h5><hr>";
7 changes: 2 additions & 5 deletions app/subnets/scan/subnet-scan-execute-snmp-mac.php
Expand Up @@ -4,11 +4,8 @@
* Discover new hosts with snmp
*******************************/

# verify that user is logged in
$User->check_user_session();

# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }

//title
print "<h5>"._('Scan results').":</h5><hr>";
3 changes: 3 additions & 0 deletions app/subnets/scan/subnet-scan-execute-update-icmp.php
Expand Up @@ -4,6 +4,9 @@
* Update alive status of all hosts in subnet
***************************/

# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }

# validate subnetId and type
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", "Invalid subnet Id", true); die(); }

4 changes: 2 additions & 2 deletions app/subnets/scan/subnet-scan-execute-update-snmp-arp.php
Expand Up @@ -4,8 +4,8 @@
* Discover new hosts with snmp
*******************************/

# verify that user is logged in
$User->check_user_session();
# Check we have been included and not called directly
if (!isset($subnet_scan_execute_included)) { $Result->show("danger", _("Invalid request"), true); }

# scan disabled
if ($User->settings->enableSNMP!="1") { $Result->show("danger", "SNMP module disbled", true); }
25 changes: 10 additions & 15 deletions app/subnets/scan/subnet-scan-execute.php
Expand Up @@ -24,6 +24,9 @@
# check maintaneance mode
$User->check_maintaneance_mode ();

# validate csrf cookie
$User->Crypto->csrf_cookie ("validate", "scan", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";

# subnet Id must be a integer
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", _("Invalid ID"), true); }

Expand All @@ -43,29 +46,21 @@
# verify php path
if(!file_exists($Scan->php_exec)) { $Result->show("danger", _("Invalid php path"), true, true); }

# scan
switch ($_POST['type']) {
$type = $_POST['type'];

switch ($type) {
#scan
case "scan-icmp":
include("subnet-scan-execute-scan-icmp.php");
break;
case "scan-telnet":
include("subnet-scan-execute-scan-telnet.php");
break;
case "snmp-arp":
include("subnet-scan-execute-snmp-arp.php");
break;
case "snmp-mac":
include("subnet-scan-execute-snmp-mac.php");
break;
case "snmp-route-all":
include("subnet-scan-execute-snmp-route-all.php");
break;
# discovery
case "update-icmp":
include("subnet-scan-execute-update-icmp.php");
break;
case "update-snmp-arp":
include("subnet-scan-execute-update-snmp-arp.php");
$csrf = $_POST['csrf_cookie'];
$subnet_scan_execute_included = true;
require("subnet-scan-execute-$type.php");
break;
default:
$Result->show("danger", _("Invalid scan type"), true);
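Review bot: The CSRF validation line `$User->Crypto->csrf_cookie ("validate", "scan", $_POST['csrf_cookie']) === false ? ... : "";` reads `$_POST['csrf_cookie']` without checking that it exists, so a request without the field raises an undefined-index notice and hands null to the validator, whose behaviour on null is not visible here; `if (!isset($_POST['csrf_cookie']) || $User->Crypto->csrf_cookie("validate", "scan", $_POST['csrf_cookie']) === false) { $Result->show("danger", _("Invalid CSRF cookie"), true); }` rejects the request explicitly and drops the ternary-as-statement. Further down, `$csrf = $_POST['csrf_cookie'];` hands the client-supplied token to the required scan files where a server-generated value used to be, so any of them that echo `$csrf` into markup must escape it (their later lines are outside this diff). The `require("subnet-scan-execute-$type.php")` is constrained by the `case` labels, which is sound, but resolving it against the script directory (`require(__DIR__ . "/subnet-scan-execute-$type.php");`) removes the dependence on include_path and the working directory; the same applies to the `require("subnet-scan-result-$type.php")` in subnet-scan-result.php. The switch and its default case continue outside the hunk.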
2 changes: 1 addition & 1 deletion app/subnets/scan/subnet-scan-result.php
Expand Up @@ -29,7 +29,7 @@
case "snmp-mac":
case "snmp-route-all":
$subnet_scan_result_included = true;
include("subnet-scan-result-$type.php");
require("subnet-scan-result-$type.php");
break;
default:
$Result->show("danger", _("Invalid scan type"), true);
4 changes: 3 additions & 1 deletion app/subnets/scan/subnet-scan.php
Expand Up @@ -17,6 +17,8 @@
# verify that user is logged in
$User->check_user_session();

# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "scan");

# ID must be numeric
if(!is_numeric($_POST['subnetId'])) { $Result->show("danger", _("Invalid ID"), true, true); }
Expand Down Expand Up @@ -104,7 +106,7 @@
<div class="pFooter">
<div class="btn-group">
<button class="btn btn-sm btn-default hidePopups"><?php print _('Cancel'); ?></button>
<button class="btn btn-sm btn-default btn-success" id="subnetScanSubmit" data-subnetId='<?php print $_POST['subnetId']; ?>'><i class="fa fa-gears"></i> <?php print _('Scan subnet'); ?></button>
<button class="btn btn-sm btn-default btn-success" id="subnetScanSubmit" data-subnetId='<?php print $_POST['subnetId']; ?>' data-csrf-cookie='<?php print $csrf; ?>'><i class="fa fa-gears"></i> <?php print _('Scan subnet'); ?></button>
</div>

<div class="subnetTruncateResult"></div>
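Review bot: The new `data-csrf-cookie='<?php print $csrf; ?>'` attribute prints the token without escaping; the value comes from `csrf_cookie("create", "scan")` and is presumably opaque, but this commit already uses the project's escape_input() helper for output in the telnet scan file, so `data-csrf-cookie='<?php print escape_input($csrf); ?>'` keeps the attribute well-formed regardless of what Crypto produces. A short comment next to the token creation, such as `# token is validated by subnet-scan-execute.php on submit`, would tie the two halves of the CSRF check together for readers of this file. The surrounding popup markup continues outside the second hunk.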
2 changes: 1 addition & 1 deletion functions/version.php
Expand Up @@ -4,7 +4,7 @@
/* set latest version */
define("VERSION_VISIBLE", "1.4"); //visible version in footer e.g 1.3.2
/* set latest revision */
define("REVISION", "030"); //increment on static content changes (js/css) or point releases to avoid caching issues
define("REVISION", "031"); //increment on static content changes (js/css) or point releases to avoid caching issues
/* set last possible upgrade */
define("LAST_POSSIBLE", "1.1"); //minimum required version to be able to upgrade

3 changes: 2 additions & 1 deletion js/magic.js
Expand Up @@ -732,12 +732,13 @@ $(document).on('click','#subnetScanSubmit', function() {
showSpinner();
$('#subnetScanResult').slideUp('fast');
var subnetId = $(this).attr('data-subnetId');
var csrf = $(this).attr('data-csrf-cookie');
var type = $('select[name=type]').find(":selected").val();
if($('input[name=debug]').is(':checked')) { var debug = 1; }
else { var debug = 0; }
var port = $('input[name=telnetports]').val();
$('#alert-scan').slideUp('fast');
$.post('app/subnets/scan/subnet-scan-execute.php', {subnetId:subnetId, type:type, debug:debug, port:port}, function(data) {
$.post('app/subnets/scan/subnet-scan-execute.php', {subnetId:subnetId, type:type, debug:debug, port:port, csrf_cookie:csrf}, function(data) {
$('#subnetScanResult').html(data).slideDown('fast');
hideSpinner();
}).fail(function(jqxhr, textStatus, errorThrown) { showError(jqxhr.statusText + "<br>Status: " + textStatus + "<br>Error: "+errorThrown); }); return false;
1 change: 1 addition & 0 deletions misc/CHANGELOG
Expand Up @@ -53,6 +53,7 @@
+ XSS in print-user.php, CSRF in user-edit.php (#2326);
+ Possible SQL injection in nat/item-add-submit.php (#2344);
+ Fixed possible file inclusion in editing authenticaiton methods;
+ XSS in subnet-scan-telnet.php, CSRF in subnet-scan-execute.php (#2327);

== 1.3.2

