From aba8af3bc0c711d366fc2734561a7ecb2b0d63cc Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 11 May 2017 21:14:15 -0700
Subject: [PATCH] admin web: fix a bug and security vulnerability
In the "ops" web page showing results, the credit link was wrong. The page for grepping logs allowed people to run arbitrary shell commands. Use escapeshellcmd() to prevent this.
However: the Ops interface lets you type in arbitrary SQL, which lets bad guys do all sorts of things. So you need to protect access to Ops very strongly.
TODO: fix all vulnerabilities in ops/. Get rid of the DB browsing features; use phpmysqladmin.
---
 html/inc/db_ops.inc | 2 +-
 html/ops/show_log.php | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/html/inc/db_ops.inc b/html/inc/db_ops.inc
index 2e9ff8238d..35053aa3eb 100644
--- a/html/inc/db_ops.inc
+++ b/html/inc/db_ops.inc
@@ -1162,7 +1162,7 @@ function show_result_short($result) {
 $validate_color = validate_color($result->validate_state);
 $host_user = host_user_link($result->hostid);
 $cpu_hours = sprintf("%.1f",$result->cpu_time / 3600);
- $granted_credit = "id>".credit_str($result->granted_credit)."";
+ $granted_credit = "workunitid>".credit_str($result->granted_credit)."";
 $delete_state = file_delete_state_str($result->file_delete_state);
 echo "
diff --git a/html/ops/show_log.php b/html/ops/show_log.php
index d893bf1605..f2502513c8 100644
--- a/html/ops/show_log.php
+++ b/html/ops/show_log.php
@@ -28,12 +28,14 @@ if (!$log_dir) {
 }
 if( isset($_GET["f"]) ){
- $f = $_GET["f"];
+ $f = $_GET["f"];
+ $f = escapeshellcmd($f);
 } else {
- $f = "";
+ $f = "";
 }
 if( isset($_GET["s"]) ){
 $s = $_GET["s"];
+ $s = escapeshellcmd($s);
 } else {
 $s = "";
 }
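Review bot: In the show_log.php hunk, `escapeshellcmd()` on `$f` and `$s` is the wrong primitive for values that become individual command arguments: it neutralises shell metacharacters but leaves whitespace alone, so one request parameter can still expand into several arguments of whatever command the script assembles further down (that command line is outside the hunk; the commit message suggests it is a grep over `$log_dir`). Quote each value as exactly one argument with `escapeshellarg()` instead, and because `escapeshellarg('')` yields a non-empty `''` that would defeat any later "is `$f` empty" test on the `else` branches, do the quoting where the command string is built rather than at the top of the script. Since `$f` appears to name a file under `$log_dir`, also constrain it with `basename()` and a check that the resolved path stays inside `$log_dir`, rather than relying on shell escaping alone. Stylistically the two-statement `$f = $_GET["f"]; $f = escapeshellcmd($f);` can be a single assignment. The remaining arbitrary-SQL exposure the commit message describes is not addressed by either hunk.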