* Add general_restrict_badusers_access directive. If set to yes we only allow each administrator
access to their own entries in the badusers table
* Add a username.mappings table. We are able to map each administrator username to additional queries
on the accounting and user settings tables.
* Add an sql_accounting_extra_query directive. If set this query is included in all
queries to the accounting tables.
Combined with admin username mappings we are able to easily restrict access on specific accounting data
to each administrator.
* Escape bad characters in the $login variable
* Add a da_sql_escape_string function. We use that for every element we pass to sql queries in order to
protect ourselves from sql injection.
* Use the ldap_userdn directive where applicable in the functions.php3 file
* Add an sql_xlat function
TODO: Check out the sql queries in lin/sql for sql injection.
* Add ldap_userdn as a configuration directive. If set we use that for
user DN's (variables supported) instead of performing and ldap search for
each user. That can be somewhat faster.
+* Add a check_user_passwd() and a get_user_dn() functions in lib/ldap/functions.php3
+* Add general_restrict_badusers_access directive. If set to yes we only allow each administrator
+ access to their own entries in the badusers table
+* Add a username.mappings table. We are able to map each administrator username to additional queries
+ on te accounting and user settings tables.
+* Add an sql_extra_query directive. If set this query is included in all queries to the accounting tables.
+ Combined with admin username mappings we are able to easily restrict access on specific accounting data
+ to each administrator.
+* Escape bad characters in the $login variable
+* Add a da_sql_escape_string function. We use that for every element we pass to sql queries in order to
+ protect ourselves from sql injection.
+* Use the ldap_userdn directive where applicable in the functions.php3 file
+* Add an sql_xlat function
+
+TODO: Check out the sql queries in lin/sql for sql injection.
+
Ver 1.68:
* Huge PostgreSQL compatibility patch by Guy Fraser <guy@incentre.net>
* Also support the Crypt-Password attribute in lib/sql/password_check.php3. Patch by Guy Fraser <guy@incentre.net>
#
#
-# Determines if the administrator will be able to change the user password through
+# Determines if the administrator will be able to see and change the user password through
# the user edit page
general_show_user_password: yes
# this to work :-)
#
general_stats_use_totacct: no
+#
+# If set to yes then we only allow each administrator to examine it's own entries
+# in the badusers table
+#
+general_restrict_badusers_access: no
INCLUDE: %{general_base_dir}/conf/naslist.conf
# Variables supported:
# %u: username
# %U: username provided though http authentication
+# %mu: mappings for userdb
+# %ma: mappings for accounting
#
# One use of this would be to restrict access to only the user's belonging to
# a specific administrator like this:
# and sql_password. That way multiple admins with different rights
# on the sql database can connect through one dialup_admin interface.
#sql_use_http_credentials: yes
+#
+# If set the query will be added to all of the queries on the accounting
+# table
+#sql_accounting_extra_query: %ma
#
// Start session
@session_start();
}
+//Make sure we are only passed allowed strings in username
+if ($login != '')
+ $login = preg_replace("/[^\w\s\.\/\@\:]\-i\=/",'',$login);
+
if ($login != '' && $config[general_strip_realms] == 'yes'){
$realm_del = ($config[general_realm_delimiter] != '') ? $config[general_realm_delimiter] : '@';
$realm_for = ($config[general_realm_format] != '') ? $config[general_realm_format] : 'suffix';
if (count($new) == 2)
$login = ($realm_for == 'suffix') ? $new[0] : $new[1];
}
+if (!isset($mappings) && $config[general_username_mappings_file] != ''){
+ $ARR = file($config[general_username_mappings_file]);
+ foreach($ARR as $val){
+ $val=chop($val);
+ if (ereg('^[[:space:]]*#',$val) || ereg('^[[:space:]]*$',$val))
+ continue;
+ list($key,$realm,$v)=split(":[[:space:]]*",$val,2);
+ if ($realm == 'accounting' || $realm == 'userdb')
+ $mappings["$key"][$realm] = $v;
+ }
+ if ($config[general_use_session] == 'yes')
+ session_register('mappings');
+}
?>
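Review bot: The sanitising regex on the `$login` line is malformed and does not do what the changelog claims: `/[^\w\s\.\/\@\:]\-i\=/` is a character class followed by the literal text `-i=`, so it only strips four-character sequences such as `'-i=` and leaves quotes and everything else in `$login` intact before it reaches `WHERE username = '$login'` in the accounting pages. The intended pattern is presumably `$login = preg_replace('/[^\w\s\.\/\@\:\-\=]/', '', $login);` with the `i` modifier outside the class (and `\s` in the allowed set is questionable for a username). The mappings loader has a second defect: `split(":[[:space:]]*",$val,2)` returns at most two fields, so `$v` in `list($key,$realm,$v)` is never set and every mapping is stored as an empty string; the limit should be `3`. Since the loop is skipped whenever `$mappings` is already set, and the page evidently relies on register_globals for its other request variables, a request that supplies `mappings[...]` itself would bypass the file unless sessions are enabled — an explicit `unset($mappings);` before the `isset` check when `general_use_session` is not `yes` would close that.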
are welcome.
* Parse the radius dictionary files so that we can show a pull down menu of possible values
for various attributes.
+* Check the sql user code for sql injections
require('../conf/config.php3');
require('../lib/functions.php3');
+require('../lib/sql/functions.php3');
require('../lib/acctshow.php3');
if (is_file("../lib/sql/drivers/$config[sql_type]/functions.php3"))
if ($queryflag == 1){
$i = 1;
while (${"item_of_w$i"}){
+ $op_found = 0;
+ foreach ($operators as $operator){
+ if (${"operator_of_w$i"} == $operator){
+ $op_found = 1;
+ break;
+ }
+ }
+ if (!$op_found)
+ die("Operator passed is not valid. Exiting abnormaly.");
+ ${"item_of_w$i"} = preg_replace('/\s/','',${"item_of_w$i});
+ ${"value_of_w$i"} = da_sql_escape_string(${"value_of_w$i"});
$where .= ($i == 1) ? ' WHERE ' . ${"item_of_w$i"} . ' ' . ${"operator_of_w$i"} . " '" . ${"value_of_w$i"} . "'" :
' AND ' . ${"item_of_w$i"} . ' ' . ${"operator_of_w$i"} . " '" . ${"value_of_w$i"} . "'" ;
$i++;
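Review bot: The new validation only whitelists the operator; the column name in `${"item_of_w$i"}` is merely stripped of whitespace and then concatenated into the `WHERE` clause, and a value such as `(1)OR(1=1)OR(username)` contains no whitespace yet turns the filter into a tautology, so the value escaping added on the next line is bypassed through the attribute field. I would reject anything that is not a bare identifier: `if (!preg_match('/^\w+$/', ${"item_of_w$i"})) die("Attribute passed is not valid. Exiting abnormaly.");`. Also, as printed, the second reference on the `preg_replace('/\s/',...)` line reads `${"item_of_w$i}` with no closing quote; if that is not a transcription artifact the file will not parse. The enclosing `while` loop starts in this hunk but closes after it.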
foreach ($accounting_show_attrs as $val)
$query_view .= $val . ',';
$query_view = ereg_replace(',$','',$query_view);
-$query="SELECT $query_view FROM $config[sql_accounting_table] $where ORDER BY $order LIMIT $maxresults;";
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+$query="SELECT $query_view FROM $config[sql_accounting_table] $where $sql_extra_query ORDER BY $order LIMIT $maxresults;";
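Review bot: When no `item_of_w1` was submitted the loop above never runs and `$where` stays empty, so with `sql_accounting_extra_query` configured the rebuilt query reads `SELECT … FROM table AND … ORDER BY …`, which is invalid SQL that the `@` on the driver call will hide. Guard it before the assignment: `if ($sql_extra_query != '' && $where == '') $where = ' WHERE 1 = 1';`. `$order` and `$maxresults` are also interpolated unvalidated on this line; they are set outside the hunk, but if they arrive from the request like the `*_of_w$i` variables they need the same whitelisting as the attribute and operator fields.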
echo <<<EOM
<html>
$now = time();
$now_str = ($now_str != '') ? "$now_str" : date($config[sql_date_format],$now + 86400);
$prev_str = ($prev_str != '') ? "$prev_str" : "0001-01-01 00:00:00";
+
+$now_str = da_sql_escape_string($now_str);
+$prev_str = da_sql_escape_string($prev_str);
+
$num = 0;
$pagesize = ($pagesize) ? $pagesize : 10;
+if (!is_int($pagesize))
+ $pagesize = 10;
$limit = ($pagesize == 'all') ? '' : "LIMIT $pagesize";
$selected[$pagesize] = 'selected';
$login = ($login != '') ? $login : 'anyone';
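Review bot: `is_int($pagesize)` is false for every value that arrives from the request, because request variables are strings (`is_int('20')` is false), so this check always resets `$pagesize` to 10 and the `all` option tested on the next line can never be selected. It does close the `LIMIT $pagesize` interpolation, but the intended behaviour needs a string test: `if ($pagesize != 'all' && !preg_match('/^\d+$/', $pagesize)) $pagesize = 10;`.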
<?php
$auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+if ($config[general_restrict_badusers_access] == 'yes'){
+ $auth_user = da_sql_escape_string($auth_user);
+ $extra_query = "AND Admin == '$auth_user'";
+}
$link = @da_sql_pconnect($config);
if ($link){
$search = @da_sql_query($link,$config,
"SELECT * FROM $config[sql_badusers_table]
- WHERE UserName $usercheck AND Date <= '$now_str'
+ WHERE UserName $usercheck $extra_query AND Date <= '$now_str'
AND Date >= '$prev_str' ORDER BY Date $order $limit;");
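Review bot: `AND Admin == '$auth_user'` uses `==`, which is not an equality operator in MySQL or PostgreSQL, so when `general_restrict_badusers_access` is on the query fails (silently, given the `@`) and the page shows nothing; it should be `=`. `$extra_query` is also only assigned inside the `if`, so when the option is off it is whatever the request supplied under that name if register_globals is in effect, as the rest of the page appears to assume, and that text lands unescaped in the query. Initialise it unconditionally with `$extra_query = '';` before the `if`, and use `$extra_query = "AND Admin = '$auth_user'";` inside it.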
if ($search){
while( $row = @da_sql_fetch_array($search,$config) ){
$open_sessions = 0;
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+
print <<<EOM
</table>
if ($link){
$res = @da_sql_query($link,$config,
"DELETE FROM $config[sql_accounting_table]
- WHERE username='$login' AND acctstoptime = 0;");
+ WHERE username='$login' AND acctstoptime = 0 $sql_extra_query;");
if ($res)
echo "<b>Deleted open sessions from accounting table</b><br>\n";
else
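Review bot: The rewritten DELETE still selects open sessions with `acctstoptime = 0`, while the COUNT query a few lines further down and the NAS page later in this patch treat open sessions as `acctstoptime IS NULL`; on a nullable column `NULL = 0` is never true, so one of the two cannot match the rows it targets. This predates the commit, but since the line is being rewritten it is the moment to align it: `WHERE username='$login' AND acctstoptime IS NULL $sql_extra_query;`. `$login` is also interpolated here without `da_sql_escape_string()`, relying entirely on the character filtering applied at login time.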
if ($link){
$search = @da_sql_query($link,$config,
"SELECT COUNT(*) AS counter FROM $config[sql_accounting_table]
- WHERE username = '$login' AND acctstoptime IS NULL;");
+ WHERE username = '$login' AND acctstoptime IS NULL $sql_extra_query;");
if ($search){
if ($row = @da_sql_fetch_array($search,$config))
$open_sessions = $row[counter];
$start = $now - ($last*60);
$now_str = date($config[sql_full_date_format],$now);
$prev_str = date($config[sql_full_date_format],$start);
+
+$now_str = da_sql_escape_string($now_str);
+$prev_str = da_sql_escape_string($prev_str);
+
$pagesize = ($pagesize) ? $pagesize : 10;
+if (!is_int($pagesize))
+ $pagesize = 10;
$limit = ($pagesize == 'all') ? '' : "LIMIT $pagesize";
$selected[$pagesize] = 'selected';
$order = ($order != '') ? $order : $config[general_accounting_info_order];
if ($order != 'desc' && $order != 'asc')
$order = 'desc';
$selected[$order] = 'selected';
-if ($callerid != '')
+if ($callerid != ''){
+ $callerid = da_sql_escape_string($callerid);
$callerid_str = "AND callingstationid = '$callerid'";
-if ($server != '' && $server != 'all')
+}
+if ($server != '' && $server != 'all'){
+ $server = da_sql_escape_string($server);
$server_str = "AND nasipaddress = '$server'";
+}
?>
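Review bot: The `is_int($pagesize)` guard resets every request-supplied page size to 10, since request variables are strings and `is_int('20')` is false, which makes the `all` branch on the following line unreachable. Replace it with `if ($pagesize != 'all' && !preg_match('/^\d+$/', $pagesize)) $pagesize = 10;`, which still keeps anything but digits or `all` out of `LIMIT $pagesize`.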
if ($acct_attrs['fl'][7] != '') echo "<th>" . $acct_attrs['fl'][7] . "</th>\n";
if ($acct_attrs['fl'][8] != '') echo "<th>" . $acct_attrs['fl'][8] . "</th>\n";
if ($acct_attrs['fl'][9] != '') echo "<th>" . $acct_attrs['fl'][9] . "</th>\n";
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
?>
</tr>
WHERE acctstoptime <= '$now_str' AND acctstoptime >= '$prev_str'
AND (acctterminatecause LIKE 'Login-Incorrect%' OR
acctterminatecause LIKE 'Invalid-User%' OR
- acctterminatecause LIKE 'Multiple-Logins%') $callerid_str $server_str
+ acctterminatecause LIKE 'Multiple-Logins%') $callerid_str $server_str $sql_extra_query
ORDER BY acctstoptime $order $limit;");
if ($search){
while( $row = @da_sql_fetch_array($search,$config) ){
$i++;
}
ksort($servers);
-if ($server != 'all' && $server != '')
+if ($server != 'all' && $server != ''){
+ $server = da_sql_escape_string($server);
$s = "AND nasipaddress = '$server'";
+}
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
$link = @da_sql_pconnect($config);
if ($link){
if ($config[general_stats_use_totacct] == 'yes')
$search = @da_sql_query($link,$config,
"SELECT $res[1],$res[2],$res[3] FROM $config[sql_total_accounting_table]
- $sql_val[user] AND acctdate = '$day' $s;");
+ $sql_val[user] AND acctdate = '$day' $s $sql_extra_query;");
else
$search = @da_sql_query($link,$config,
"SELECT $res[1],$res[2],$res[3] FROM $config[sql_accounting_table]
$sql_val[user] AND acctstoptime >= '$day 00:00:00'
- AND acctstoptime <= '$day 23:59:59' $s;");
+ AND acctstoptime <= '$day 23:59:59' $s $sql_extra_query;");
if ($search){
$row = @da_sql_fetch_array($search,$config);
$data[$day][1] = $row[res_1];
<html>
<?php
require('../lib/functions.php3');
+require('../lib/sql/functions.php3');
require('../lib/attrshow.php3');
if (is_file("../lib/sql/drivers/$config[sql_type]/functions.php3"))
$prev_str = ($prev_str != '') ? "$prev_str" : date($config[sql_date_format], $now - 604800 );
$num = 0;
$pagesize = ($pagesize) ? $pagesize : 10;
+if (!is_int($pagesize))
+ $pagesize = 10;
$limit = ($pagesize == 'all') ? '' : "LIMIT $pagesize";
$selected[$pagesize] = 'selected';
$order = ($order != '') ? $order : $config[general_accounting_info_order];
if ($order != 'desc' && $order != 'asc')
$order = 'desc';
$selected[$order] = 'selected';
+$now_str = da_sql_escape_string($now_str);
+$prev_str = da_sql_escape_string($prev_str);
echo <<<EOM
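Review bot: The added `is_int($pagesize)` test can never pass for a value posted by the form, because it arrives as a string, so the page size is pinned to 10 and the `all` choice is dead. A digit check preserves both the injection protection and the feature: `if ($pagesize != 'all' && !preg_match('/^\d+$/', $pagesize)) $pagesize = 10;`.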
if ($acct_attrs['ua']["$i"] != '')
echo "<th>" . $acct_attrs['ua']["$i"] . "</th>\n";
}
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
?>
</tr>
$search = @da_sql_query($link,$config,
"SELECT * FROM $config[sql_accounting_table]
WHERE username = '$login' AND acctstarttime <= '$now_str'
- AND acctstarttime >= '$prev_str' ORDER BY acctstarttime $order $limit;");
+ AND acctstarttime >= '$prev_str' $sql_extra_query ORDER BY acctstarttime $order $limit;");
if ($search){
while( $row = @da_sql_fetch_array($search,$config) ){
$tr_color='white';
$date = strftime('%A, %e %B %Y, %T %Z');
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+
$link = @da_sql_pconnect($config);
$link2 = connect2db($config);
$tot_in = $tot_rem = 0;
$search = @da_sql_query($link,$config,
"SELECT DISTINCT username,acctstarttime,framedipaddress,callingstationid
FROM $config[sql_accounting_table] WHERE
- acctstoptime IS NULL AND nasipaddress = '$name_data' $extra
+ acctstoptime IS NULL AND nasipaddress = '$name_data' $extra $sql_extra_query
GROUP BY username ORDER BY acctstarttime;");
if ($search){
$now = time();
$now -= 604800;
$start = date($config[sql_date_format],$now);
}
+$start = da_sql_escape_string($start);
+$stop = da_sql_escape_string($stop);
$pagesize = ($pagesize) ? $pagesize : 10;
+if (!is_int($pagesize))
+ $pagezise = 10;
$limit = ($pagesize == 'all') ? '' : "LIMIT $pagesize";
$selected[$pagesize] = 'selected';
$order = ($order) ? $order : $config[general_accounting_info_order];
$order_attr = ($sortby == 'num') ? 'connnum' : 'conntotduration';
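Review bot: The guard added here assigns to `$pagezise` (typo), so `$pagesize` is never reset and the `LIMIT $pagesize` interpolation on the next line remains open to whatever the request sends; on top of that `is_int()` is false for request strings, so even with the name fixed it would force 10 and make `all` unreachable. Use `if ($pagesize != 'all' && !preg_match('/^\d+$/', $pagesize)) $pagesize = 10;`. `$order` two lines below is likewise only defaulted, not restricted to `asc`/`desc` as the other accounting pages in this patch do, and it ends up in `ORDER BY $order_attr $order`; add `if ($order != 'desc' && $order != 'asc') $order = 'desc';`.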
else
$order_attr = 'connnum';
-if ($server != '' && $server != 'all')
+if ($server != '' && $server != 'all'){
+ $server = da_sql_escape_string($server);
$server_str = "AND nasipaddress = '$server'";
+}
$login_str = ($login) ? "AND username = '$login' " : '';
$selected[$order] = 'selected';
$selected[$sortby] = 'selected';
+$sql_extra_query = '';
+if ($config[sql_accounting_extra_query] != '')
+ $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+
?>
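Review bot: `$server` is now escaped before being interpolated, but `$login` on the `$login_str` line in the same block is not, and it depends entirely on the character filtering done centrally at authentication time. Escape it at the point of use like the neighbouring variable: `$login_str = ($login) ? "AND username = '" . da_sql_escape_string($login) . "' " : '';`.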
<head>
if ($link){
$search = @da_sql_query($link,$config,
"SELECT * FROM $config[sql_total_accounting_table]
- WHERE acctdate >= '$start' AND acctdate <= '$stop' $server_str $login_str
+ WHERE acctdate >= '$start' AND acctdate <= '$stop' $server_str $login_str $sql_extra_query
ORDER BY $order_attr $order $limit;");
if ($search){
<tr><td>
<?php
-if ($server == '')
+if ($server == '' || !preg_match('/^[\w\.]+$/',$server))
$server = $config[general_radius_server];
-if ($port == 0)
+if ($port == 0 || !is_int($port))
$port = $config[general_radius_server_port];
if ($auth_proto == '')
$auth_proto = $config[general_radius_server_auth_proto];
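Review bot: `!is_int($port)` is true for any port submitted through the form, because request values are strings, so the configured default is always used and the port field is dead. A digit check keeps the intent without that side effect: `if ($port == 0 || !preg_match('/^\d+$/', $port))`.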
}
else{
fwrite($fp, "User-Name = \"$login\"\n");
- if ($auth_proto == 'pap')
- fwrite($fp, "User-Password = \"$passwd\"\n");
- else if ($auth_proto == 'chap')
+ if ($auth_proto == 'chap')
fwrite($fp, "CHAP-Password = \"$passwd\"\n");
+ else
+ fwrite($fp, "User-Password = \"$passwd\"\n");
if (strlen($extra))
fwrite($fp,$extra);
pclose($fp);
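Review bot: `$login` and `$passwd` are written between double quotes into what `pclose()` shows is a child process's stdin, and neither is escaped, so a password containing `"` or a newline breaks the record or injects a further attribute line; the commit reorders the PAP/CHAP branches but does not address this. Escape both before the `fwrite` calls, e.g. `$passwd = addcslashes($passwd, "\"\\\n\r");` and the same for `$login`, assuming the reader is radclient, whose quoted strings accept backslash escapes.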
<?php
+function ldap_xlat($filter,$login,$config)
+{
+ $string = $filter;
+ if ($filter != ''){
+ $string = preg_replace('/%u/',$login,$string);
+ $string = preg_replace('/%U/',$HTTP_SERVER_VARS["PHP_AUTH_USER"],$string);
+ $string = preg_replace('/%ma/',$mappings[$http_user][accounting],$string);
+ $string = preg_replace('/%mu/',$mappings[$http_user][userdb],$string);
+ }
+
+ return $string;
+}
+
function da_ldap_bind($ds,$config)
{
if ($ds){
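Review bot: `ldap_xlat()` reads `$HTTP_SERVER_VARS`, `$mappings` and `$http_user` but declares none of them: `$HTTP_SERVER_VARS` is not a superglobal, `$mappings` is a page-level global, and `$http_user` is never assigned in this function, so `%U`, `%ma` and `%mu` all expand to the empty string. Add at the top of the body `global $HTTP_SERVER_VARS, $mappings;` and `$http_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];`. `%u` is also substituted into an LDAP filter or DN without escaping `(`, `)`, `*` and `\`, so it relies entirely on the character filtering applied to `$login` at login time.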
{
if ($ds){
$attrs = array('cn');
- $sr=@ldap_search($ds,"$config[ldap_base]", "uid=" . $user,$attrs);
+ if ($config[ldap_userdn] == ''){
+ if ($config[ldap_filter] != '')
+ $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ else
+ $filter = 'uid=' . $login;
+ }
+ else
+ $filter = ldap_xlat($config[ldap_userdn],$login,$config);
+ if ($config[ldap_debug] == 'true'){
+ if ($config[ldap_userdn] == '')
+ print "<b>DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'</b><br>\n";
+ else
+ print "<b>DEBUG(LDAP): Search Query: BASE='$filter',FILTER='(objectclass=radiusprofile)'</b><br>\n";
+ }
+ if ($config[ldap_userdn] == '')
+ $sr=@ldap_search($ds,"$config[ldap_base]", $filter,$attrs);
+ else
+ $sr=@ldap_read($ds,$filter, '(objectclass=radiusprofile)',$attrs);
$info = @ldap_get_entries($ds, $sr);
$cn = $info[0]["cn"][0];
if ($cn != '' && $decode_normal == 1)
}
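Review bot: The rewritten search builds its filter from `$login`, but the line it replaces used `$user`, which looks like this function's parameter (its signature is above the hunk); unless `$login` is declared `global` or is itself the parameter, the filter becomes `uid=` (or `%u` expands to nothing) and no entry is found. Either keep the parameter, `$filter = 'uid=' . $user;` and `ldap_xlat($config[ldap_filter],$user,$config)`, or rename the parameter to `$login`. The function's body continues past the end of the hunk.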
}
-function closedb($ds,$config)
+function get_user_dn($ds,$user,$config)
{
- if ($ds)
- @ldap_close($ds);
+ if ($ds){
+ $attrs = array('dn');
+ if ($config[ldap_userdn] == ''){
+ if ($config[ldap_filter] != '')
+ $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ else
+ $filter = 'uid=' . $login;
+ }
+ else
+ $filter = ldap_xlat($config[ldap_userdn],$login,$config);
+ if ($config[ldap_debug] == 'true'){
+ if ($config[ldap_userdn] == '')
+ print "<b>DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'</b><br>\n";
+ else
+ print "<b>DEBUG(LDAP): Search Query: BASE='$filter',FILTER='(objectclass=radiusprofile)'</b><br>\n";
+ }
+ if ($config[ldap_userdn] == '')
+ $sr=@ldap_search($ds,"$config[ldap_base]", $filter,$attrs);
+ else
+ $sr=@ldap_read($ds,$filter, '(objectclass=radiusprofile)',$attrs);
+ $entry = ldap_first_entry($ds, $sr);
+ if ($entry)
+ $dn = ldap_get_dn($ds,$entry);
+ return $dn;
+ }
}
-function ldap_xlat($filter,$login,$config)
+
+function check_user_passwd($dn,$passwd,$config)
{
- $string = $filter;
- if ($filter != ''){
- $string = preg_replace('/%u/',$login,$string);
- $string = preg_replace('/%U/',$HTTP_SERVER_VARS["PHP_AUTH_USER"],$string);
+ $ds=@ldap_connect("$config[ldap_server]");
+ if ($ds && $dn != '' && $passwd != ''){
+ $r = @ldap_bind($ds,$dn,$passwd);
+ if ($r)
+ return TRUE;
+ else
+ return FALSE;
}
+ else
+ return FALSE;
- return $string;
+ return FALSE;
+}
+
+function closedb($ds,$config)
+{
+ if ($ds)
+ @ldap_close($ds);
}
?>
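Review bot: `get_user_dn($ds,$user,$config)` never uses its `$user` parameter and instead passes `$login` to `ldap_xlat()` and `'uid=' . $login`, where `$login` is undefined in function scope, so the lookup always searches for an empty uid and `check_user_passwd()` receives no DN. Replace the three `$login` references in its body with `$user`. In `check_user_passwd()` the final `return FALSE;` is unreachable and the handle from `ldap_connect()` is never closed; the empty-password guard before `ldap_bind()` is the right call, since an empty password would otherwise succeed as an anonymous bind.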
return @mysql_close($link);
}
+function da_sql_escape_string($string)
+{
+ return @mysql_escape_string($string);
+}
+
function da_sql_query($link,$config,$query)
{
- @mysql_escape_string($query);
if ($config[sql_debug] == 'true')
print "<b>DEBUG(SQL,MYSQL DRIVER): Query: <i>$query</i></b><br>\n";
return @mysql_db_query($config[sql_database],$query,$link);
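Review bot: `da_sql_escape_string()` wraps `mysql_escape_string()`, which escapes without regard to the connection character set; `mysql_real_escape_string()` (PHP 4.3+) takes the link's charset into account and should be preferred where the installed PHP has it, e.g. `return @mysql_real_escape_string($string);` on the default link. Removing the discarded `@mysql_escape_string($query)` call from `da_sql_query()` is correct — it never altered the query. The helper only protects values the callers actually route through it; identifiers, `ORDER BY` and `LIMIT` fragments still need their own whitelisting.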
@pg_close($link);
}
+function da_sql_escape_string($string)
+{
+ return addslashes($string);
+}
+
function da_sql_query($link,$config,$query)
{
if ($config[sql_debug] == 'true')
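Review bot: The PostgreSQL driver's `da_sql_escape_string()` uses `addslashes()`, which backslash-escapes `'`, `"`, `\` and NUL; PostgreSQL's standard quoting doubles the single quote, and backslash escaping only works while the server treats backslashes as escapes in ordinary string literals. `pg_escape_string()` (PHP 4.2+) produces the server-correct form: `return pg_escape_string($string);`, falling back to `addslashes()` only where that function is unavailable.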
{
return 1;
}
+function sql_xlat($filter,$login,$config)
+{
+ $string = $filter;
+ $http_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+ if ($filter != ''){
+ $string = preg_replace('/%u/',$login,$string);
+ $string = preg_replace('/%U/',$http_user,$string);
+ $string = preg_replace('/%m/',$mappings[$http_user],$string);
+ }
+
+ return $string;
+}
?>
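Review bot: `sql_xlat()` cannot see `$HTTP_SERVER_VARS` or `$mappings` (neither is declared `global`, and `$HTTP_SERVER_VARS` is not a superglobal), so `%U` and `%m` always expand to nothing; and even with scope fixed it substitutes `$mappings[$http_user]`, which the loader fills as an array keyed `accounting`/`userdb`, so the replacement would be the string `Array`. The config example and `ldap_xlat()` use `%ma`/`%mu`, which this function does not recognise. `preg_replace()` also interprets `$1`/`\1` inside the replacement text, so plain `str_replace()` is safer for the user-derived `$login`.
```php
function sql_xlat($filter,$login,$config)
{
	global $HTTP_SERVER_VARS, $mappings;
	$string = $filter;
	$http_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
	if ($filter != ''){
		$string = str_replace('%u', $login, $string);
		$string = str_replace('%U', $http_user, $string);
		$string = str_replace('%ma', $mappings[$http_user]['accounting'], $string);
		$string = str_replace('%mu', $mappings[$http_user]['userdb'], $string);
	}
	return $string;
}
```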