Merge pull request #1609 from OCSInventory-NG/security

Security fixes
OCSInventory-NG · Jul 8, 2024 · 50564a7 · 50564a7
2 parents 7dfcb4d + af2da8d
commit 50564a7
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 12 deletions.
diff --git a/backend/AUTH/methode/local.php b/backend/AUTH/methode/local.php
@@ -68,7 +68,7 @@
         }
     }
 
-    if ($login_status == true || (isset($rowOp->PASSWD) && hash(PASSWORD_CRYPT, $mdp) == $rowOp->PASSWD)) {
+    if ($login_status == true || (isset($rowOp->PASSWD) && hash(PASSWORD_CRYPT, $mdp) === $rowOp->PASSWD)) {
         $login_successful = "OK";
         $user_group = $rowOp->USER_GROUP;
         $type_log = 'CONNEXION';

diff --git a/plugins/main_sections/ms_computer/ms_computer_views.php b/plugins/main_sections/ms_computer/ms_computer_views.php
@@ -52,7 +52,7 @@ function show_computer_title($computer) {
     global $l;
 
     echo '<h3>';
-    echo $computer->NAME;
+    echo preg_replace("/[^A-Za-z0-9-_\.]/", "", $computer->NAME);
     echo '</h3>';
 }
 

diff --git a/plugins/main_sections/ms_export/ms_export_snmp_conf.php b/plugins/main_sections/ms_export/ms_export_snmp_conf.php
@@ -35,31 +35,34 @@
 function SnmpConfToXml($conf_choice) {
     $plural = $conf_choice[0];
     $singular = $conf_choice[1];
+    $id = null;
+
+    if(isset($_GET['id']) && $_GET['id'] != "") {
+        $id = preg_replace('/[^0-9]/', '', $_GET['id']); 
+    }
 
     if ($plural == "TYPES") {
         $sql = "SELECT t.TYPE_NAME, tc.CONDITION_OID, tc.CONDITION_VALUE, t.TABLE_TYPE_NAME, l.LABEL_NAME, c.OID, c.RECONCILIATION FROM snmp_types t LEFT JOIN snmp_configs c ON t.ID = c.TYPE_ID LEFT JOIN snmp_labels l ON l.ID = c.LABEL_ID LEFT JOIN snmp_types_conditions tc ON tc.TYPE_ID = t.ID";
     } else if ($plural == "COMMUNITIES") {
         $sql = "SELECT VERSION,NAME,USERNAME,AUTHPASSWD,LEVEL,AUTHPROTO,PRIVPASSWD,PRIVPROTO FROM snmp_communities";
-    } else if ($plural == "CONFS" && isset($_GET['id']) && $_GET['id'] != "") {
+    } else if ($plural == "CONFS" && !is_null($id)) {
         // special treatment if we are retrieving the scan configuration for a specific device or group
         // if the value of conf has been customized, we retrieve it but if not, we use the default value
-        $sql = "SELECT NAME, IVALUE, TVALUE FROM devices WHERE NAME LIKE 'SCAN_%' AND HARDWARE_ID=".$_GET['id'];
+        $sql = "SELECT NAME, IVALUE, TVALUE FROM devices WHERE NAME LIKE 'SCAN_%' AND HARDWARE_ID=".$id;
 
         $sql_default = "SELECT NAME, IVALUE, TVALUE FROM config WHERE NAME LIKE 'SCAN_%'";
 
     } else if ($plural == "CONFS") { 
         $sql = "SELECT NAME, IVALUE, TVALUE FROM config WHERE NAME LIKE 'SCAN_%'";
     } else if ($plural == "SUBNETS") {
-        $sql = "SELECT TVALUE FROM devices WHERE HARDWARE_ID=".$_GET['id']." AND NAME='SNMP_NETWORK'";
+        $sql = "SELECT TVALUE FROM devices WHERE HARDWARE_ID=".$id." AND NAME='SNMP_NETWORK'";
     }
 
     if (isset($sql) && $sql != "" && !isset($sql_default)) {
         $result = mysql2_query_secure($sql, $_SESSION['OCS']["readServer"]);
         $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n";
         $xml .= "<".$plural.">\n";
         while ($row = mysqli_fetch_array($result)) {
-
-
             // the subnets are stored in a single field separated by a comma so we need to split them into different subnet tags
             if ($plural == "SUBNETS") {
                 $subnets = explode(",", $row['TVALUE']);
@@ -77,10 +80,6 @@ function SnmpConfToXml($conf_choice) {
                 }
                 $xml .= "TYPE=\"".$singular."\" />\n";
             }
-
-
-
-
         }
         $xml .= "</".$plural.">\n";
 

diff --git a/require/function_table_html.php b/require/function_table_html.php
@@ -1462,7 +1462,7 @@ function ajaxfiltre($queryDetails,$tab_options){
 		$queryDetails .= " HAVING ";
 		$index =0;
 		foreach($tab_options['visible_col'] as $column){
-			$cname = $tab_options['columns'][$column]['name'];
+			$cname = preg_replace("/[^A-Za-z0-9\._]/", "", $tab_options['columns'][$column]['name']);
 			$account_select = null;
 
 			// Special treatment if accountinfo select type
@@ -1561,6 +1561,11 @@ function ajaxsort(&$tab_options) {
 			if (!empty($tab_options["replace_query_arg"][$name]) && (preg_match('/([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|^[A-Za-z0-9_-]+$)/', $tab_options["replace_query_arg"][$name], $cleanreplace) || preg_match('/(?<!\([^()])(?![^()]*\))(?<=\bas\s)(\w+)/i', $tab_options["replace_query_arg"][$name], $cleanreplace))) {
 				$cleanname = $cleanreplace[0];
 			}
+
+			if(isset($v['dir'])) {
+				$v['dir'] = preg_replace("/([^A-Za-z])/", "", $v['dir']);
+			}
+
 			// field name is IP format alike
 			if (in_array(mb_strtoupper($cleanname),$tab_iplike)) {
 				$tri .= " INET_ATON(".$cleanname.") ".$v['dir'].", ";
@@ -1581,6 +1586,7 @@ function ajaxsort(&$tab_options) {
 				}
 			}
 		}
+
 		$tri = rtrim($tri, ", ");
 	}
 

diff --git a/require/softwares/SoftwareCategory.php b/require/softwares/SoftwareCategory.php
@@ -56,6 +56,8 @@ public function onglet_cat(){
      * @return boolean
      */
     public function add_category($catName, $osVersion){
+        $catName = preg_replace("/[^A-zA-Z0-9\.-_]/", "", $catName);
+
         $sql_verif = "SELECT `CATEGORY_NAME` FROM `software_categories` WHERE `CATEGORY_NAME` = '%s'";
         $arg_verif = array($catName);
         $result_verif = mysql2_query_secure($sql_verif, $_SESSION['OCS']["readServer"], $arg_verif);