From db0b54369dda5abc8393db7f6fe96b54a471fa04 Mon Sep 17 00:00:00 2001
From: Charlene Auger
Date: Tue, 11 Jun 2024 08:10:47 +0000
Subject: [PATCH 1/6] fix(softwarescategories): security fix in software category name
---
 require/softwares/SoftwareCategory.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/require/softwares/SoftwareCategory.php b/require/softwares/SoftwareCategory.php
index 0b8565c51..cd7242ae4 100644
--- a/require/softwares/SoftwareCategory.php
+++ b/require/softwares/SoftwareCategory.php
@@ -56,6 +56,8 @@ public function onglet_cat(){
 * @return boolean
 */
 public function add_category($catName, $osVersion){
+ $catName = preg_replace("/[^A-zA-Z0-9\.-_]/", "", $catName);
+
 $sql_verif = "SELECT `CATEGORY_NAME` FROM `software_categories` WHERE `CATEGORY_NAME` = '%s'";
 $arg_verif = array($catName);
 $result_verif = mysql2_query_secure($sql_verif, $_SESSION['OCS']["readServer"], $arg_verif);
From 567ed42f86b4b139e3bc2aeae345ab5d8c3ac2b1 Mon Sep 17 00:00:00 2001
From: Charlene Auger
Date: Tue, 11 Jun 2024 08:32:22 +0000
Subject: [PATCH 2/6] fix(exportsnmpconf): security fix in snmp conf export
---
 .../ms_export/ms_export_snmp_conf.php | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/plugins/main_sections/ms_export/ms_export_snmp_conf.php b/plugins/main_sections/ms_export/ms_export_snmp_conf.php
index 949c01fca..83095cdc9 100644
--- a/plugins/main_sections/ms_export/ms_export_snmp_conf.php
+++ b/plugins/main_sections/ms_export/ms_export_snmp_conf.php
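Review bot: The character class added in `add_category` admits more than the letters, digits, dot, hyphen and underscore it appears to target: `A-z` also spans the ASCII punctuation between `Z` and `a` (including backslash and backtick), and `\.-_` is parsed as a range from `.` to `_`, which lets `/`, `:`, `;`, `<`, `=`, `>`, `?` and `@` through. Put the hyphen last so it is literal: `$catName = preg_replace('/[^A-Za-z0-9._-]/', '', $catName);`. Silent stripping can also leave an empty or colliding name, so rejecting the input when `preg_match('/^[A-Za-z0-9._-]+$/', $catName)` fails would be safer than rewriting it. The body of `add_category` continues past the end of this hunk.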
@@ -35,22 +35,27 @@ function SnmpConfToXml($conf_choice) { $plural = $conf_choice[0]; $singular = $conf_choice[1]; + $id = null; + + if(isset($_GET['id']) && $_GET['id'] != "") { + $id = preg_replace('/[^0-9]/', '', $_GET['id']); + } if ($plural == "TYPES") { $sql = "SELECT t.TYPE_NAME, tc.CONDITION_OID, tc.CONDITION_VALUE, t.TABLE_TYPE_NAME, l.LABEL_NAME, c.OID, c.RECONCILIATION FROM snmp_types t LEFT JOIN snmp_configs c ON t.ID = c.TYPE_ID LEFT JOIN snmp_labels l ON l.ID = c.LABEL_ID LEFT JOIN snmp_types_conditions tc ON tc.TYPE_ID = t.ID"; } else if ($plural == "COMMUNITIES") { $sql = "SELECT VERSION,NAME,USERNAME,AUTHPASSWD,LEVEL,AUTHPROTO,PRIVPASSWD,PRIVPROTO FROM snmp_communities"; - } else if ($plural == "CONFS" && isset($_GET['id']) && $_GET['id'] != "") { + } else if ($plural == "CONFS" && !is_null($id)) { // special treatment if we are retrieving the scan configuration for a specific device or group // if the value of conf has been customized, we retrieve it but if not, we use the default value - $sql = "SELECT NAME, IVALUE, TVALUE FROM devices WHERE NAME LIKE 'SCAN_%' AND HARDWARE_ID=".$_GET['id']; + $sql = "SELECT NAME, IVALUE, TVALUE FROM devices WHERE NAME LIKE 'SCAN_%' AND HARDWARE_ID=".$id; $sql_default = "SELECT NAME, IVALUE, TVALUE FROM config WHERE NAME LIKE 'SCAN_%'"; } else if ($plural == "CONFS") { $sql = "SELECT NAME, IVALUE, TVALUE FROM config WHERE NAME LIKE 'SCAN_%'"; } else if ($plural == "SUBNETS") { - $sql = "SELECT TVALUE FROM devices WHERE HARDWARE_ID=".$_GET['id']." AND NAME='SNMP_NETWORK'"; + $sql = "SELECT TVALUE FROM devices WHERE HARDWARE_ID=".$id." AND NAME='SNMP_NETWORK'"; } if (isset($sql) && $sql != "" && !isset($sql_default)) { 
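Review bot: Stripping non-digits in `SnmpConfToXml` leaves three inputs that still yield a malformed query: an `id` with no digits becomes an empty string that passes `!is_null($id)`, an array-valued `id` makes `preg_replace` return an array, and the SUBNETS branch concatenates `$id` even when it is still null. Validate instead of rewriting, e.g. `if (isset($_GET['id']) && is_string($_GET['id']) && ctype_digit($_GET['id'])) { $id = (int) $_GET['id']; }`, and add `&& !is_null($id)` to the SUBNETS condition as the CONFS branch now has. Passing the value as an argument to a `%s` placeholder through `mysql2_query_secure`, as `add_category` does earlier in this series, would remove the dependence on this filter; the call that executes `$sql` is outside the hunk, so confirm which helper it uses.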
@@ -58,8 +63,6 @@ function SnmpConfToXml($conf_choice) { $xml = "\n"; $xml .= "<".$plural.">\n"; while ($row = mysqli_fetch_array($result)) { - - // the subnets are stored in a single field separated by a comma so we need to split them into different subnet tags if ($plural == "SUBNETS") { $subnets = explode(",", $row['TVALUE']); @@ -77,10 +80,6 @@ function SnmpConfToXml($conf_choice) { } $xml .= "TYPE=\"".$singular."\" />\n"; } - - - - } $xml .= "\n"; From edfb54341634ba1e0694d03f8928f500aceaa0f2 Mon Sep 17 00:00:00 2001 From: Charlene Auger Date: Tue, 11 Jun 2024 08:45:52 +0000 Subject: [PATCH 3/6] fix(computerview): fix security in computer details --- plugins/main_sections/ms_computer/ms_computer_views.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/main_sections/ms_computer/ms_computer_views.php b/plugins/main_sections/ms_computer/ms_computer_views.php index 97bd45c2b..fdf102588 100644 --- a/plugins/main_sections/ms_computer/ms_computer_views.php +++ b/plugins/main_sections/ms_computer/ms_computer_views.php @@ -52,7 +52,7 @@ function show_computer_title($computer) { global $l; echo '

'; - echo $computer->NAME; + echo preg_replace("/[^A-Za-z0-9-_\.]/", "", $computer->NAME); echo '

'; } From fe82745fb2a45f6e8c64223568c6f496a037e136 Mon Sep 17 00:00:00 2001 From: Charlene Auger Date: Thu, 13 Jun 2024 09:03:08 +0000 Subject: [PATCH 4/6] fix(visu_repart_tag): security fix on order by direction --- require/function_table_html.php | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/require/function_table_html.php b/require/function_table_html.php index e326eb303..255d0fcb6 100644 --- a/require/function_table_html.php +++ b/require/function_table_html.php @@ -1561,6 +1561,11 @@ function ajaxsort(&$tab_options) { if (!empty($tab_options["replace_query_arg"][$name]) && (preg_match('/([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+|^[A-Za-z0-9_-]+$)/', $tab_options["replace_query_arg"][$name], $cleanreplace) || preg_match('/(? Date: Thu, 13 Jun 2024 09:47:17 +0000 Subject: [PATCH 5/6] fix(search_filter): security fix on column name --- require/function_table_html.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/require/function_table_html.php b/require/function_table_html.php index 255d0fcb6..5239f68cd 100644 --- a/require/function_table_html.php +++ b/require/function_table_html.php @@ -1462,7 +1462,7 @@ function ajaxfiltre($queryDetails,$tab_options){ $queryDetails .= " HAVING "; $index =0; foreach($tab_options['visible_col'] as $column){ - $cname = $tab_options['columns'][$column]['name']; + $cname = preg_replace("/[^A-Za-z0-9\._]/", "", $tab_options['columns'][$column]['name']); $account_select = null; // Special treatment if accountinfo select type From af2da8d0902a276cb7f45b6d8c40176676629062 Mon Sep 17 00:00:00 2001 From: Charlene Auger Date: Thu, 13 Jun 2024 12:07:07 +0000 Subject: [PATCH 6/6] fix(authentication): security fix on password comparision --- backend/AUTH/methode/local.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/AUTH/methode/local.php b/backend/AUTH/methode/local.php index 9b49edb26..e0853d33d 100755 --- a/backend/AUTH/methode/local.php +++ b/backend/AUTH/methode/local.php 
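Review bot: In `show_computer_title` the new `preg_replace` deletes characters from `$computer->NAME` rather than encoding them, so a name containing spaces or non-ASCII letters is displayed altered; the output is safe only because data is discarded. Output encoding fits this sink better: `echo htmlspecialchars($computer->NAME, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The markup inside the surrounding `echo` strings is not visible on this page, so whether the name lands in element content or in an attribute should be checked against the file.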
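Review bot: In `ajaxfiltre` the filtered `$cname` is whatever identifier remains after stripping, so a malformed column name is rewritten into a different one and still used in the HAVING clause instead of being refused. Matching and skipping is stricter and closer to the `preg_match` check visible in `ajaxsort` in the same file: `if (!preg_match('/^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)?$/', $tab_options['columns'][$column]['name'])) { continue; }`. If the set of legitimate column names is known where `$tab_options` is built, comparing against that list would be stronger still. The rest of the loop is outside the hunk, so confirm that `continue` does not skip bookkeeping such as `$index`.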
@@ -68,7 +68,7 @@
 }
 }
- if ($login_status == true || (isset($rowOp->PASSWD) && hash(PASSWORD_CRYPT, $mdp) == $rowOp->PASSWD)) {
+ if ($login_status == true || (isset($rowOp->PASSWD) && hash(PASSWORD_CRYPT, $mdp) === $rowOp->PASSWD)) {
 $login_successful = "OK";
 $user_group = $rowOp->USER_GROUP;
 $type_log = 'CONNEXION';
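Review bot: The strict comparison still operates on `hash(PASSWORD_CRYPT, $mdp)`, and `PASSWORD_CRYPT` is an algorithm identifier for `password_hash()`, not an algorithm name accepted by `hash()`, so this branch looks unable to produce a digest to compare. If the stored values come from `password_hash()`, the check should be `password_verify($mdp, $rowOp->PASSWD)`; if a legacy digest must still be supported, name the algorithm explicitly and compare with `hash_equals()`, since `===` is not constant-time. How `$login_status` and `$rowOp->PASSWD` are populated is outside the hunk, so the stored format needs confirming before this line is changed.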