From: kkalev Date: Mon, 26 Jul 2004 20:37:38 +0000 (+0000) Subject: * A LOT of security related fixes. Now dialupadmin should hopefully be secure enough to X-Git-Url: https://git.entuzijast.net/?a=commitdiff_plain;h=03a400b6e44f227b44ff8d56cd2625db9fc2bafc;p=freeradius-dialup-admin.git * A LOT of security related fixes. Now dialupadmin should hopefully be secure enough to be accessed by normal users (not administrators). * Move a few elements in the CSS file from the body tag. Suggestion by Gary McKinney * Update FAQ about using php with no sql support. * Allow the user to select between viewing FAQ,HOWTO or README in the help page. * Use $_SERVER instead of $HTTP_SERVER_VARS --- diff --git a/Changelog b/Changelog index 0020ba9..24bf5bd 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,10 @@ +Ver 1.75: +* A LOT of security related fixes. Now dialupadmin should hopefully be secure enough to + be accessed by normal users (not administrators). +* Move a few elements in the CSS file from the body tag. Suggestion by Gary McKinney +* Update FAQ about using php with no sql support. +* Allow the user to select between viewing FAQ,HOWTO or README in the help page. +* Use $_SERVER instead of $HTTP_SERVER_VARS Ver 1.72: * Move the xlat function to a separate file in lib/xlat.php3 * Add a lib/sql/nas_list.php3 to also get the nas list from sql (naslist.conf still works) @@ -20,6 +27,8 @@ Ver 1.72: * Set general_restrict_nasadmin_access to no by default. It causes confusion. * Set the general_username_mappings_file variable * Fix a small error in lib/sql/find.php3. This closes bug #103 +* Add a small note in the FAQ about checking for sql/ldap driver availability in PHP if the user get's + a blank white page back. Ver 1.70: * Add the /bin postgresql compatibility patch from Guy Fraser * Add ldap_userdn as a configuration directive. If set we use that for diff --git a/conf/config.php3 b/conf/config.php3 index 1001eab..adc99ae 100644 --- a/conf/config.php3 +++ b/conf/config.php3 
@@ -9,12 +9,17 @@ if( $curVer >= $testVer ) # If using sessions set use_session to 1 to also cache the config file # $use_session = 0; +unset($config); +unset($nas_list); if ($use_session){ // Start session @session_start(); + if (isset($_SESSION['config'])) + $config = $_SESSION['config']; + if (isset($_SESSION['nas_list'])) + $nas_list = $_SESSION['nas_list']; } if (!isset($config)){ - unset($nas_list); $ARR=file("../conf/admin.conf"); $EXTRA_ARR = array(); foreach($ARR as $val) { @@ -61,10 +66,12 @@ if (!isset($config)){ if ($use_session == 0 && $config[general_use_session] == 'yes'){ // Start session @session_start(); + if (isset($nas_list)) + session_register('nas_list'); } //Make sure we are only passed allowed strings in username if ($login != '') - $login = preg_replace("/[^\w\s\.\/\@\:]\-i\=/",'',$login); + $login = preg_replace("/[^\w\s\.\/\@\:]/",'',$login); if ($login != '' && $config[general_strip_realms] == 'yes'){ $realm_del = ($config[general_realm_delimiter] != '') ? $config[general_realm_delimiter] : '@'; @@ -73,6 +80,9 @@ if ($login != '' && $config[general_strip_realms] == 'yes'){ if (count($new) == 2) $login = ($realm_for == 'suffix') ? $new[0] : $new[1]; } +unset($mappings); +if (isset($_SESSION['mappings'])) + $mappings = $_SESSION['mappings']; if (!isset($mappings) && $config[general_username_mappings_file] != ''){ $ARR = file($config[general_username_mappings_file]); foreach($ARR as $val){ diff --git a/doc/FAQ b/doc/FAQ index 9c2b211..7c7b13c 100644 --- a/doc/FAQ +++ b/doc/FAQ @@ -81,6 +81,13 @@ Set general_prefered_lang to en If you are using sessions then remember to use the 'Clear Cache' page after making any changes +> +> When i try to access a dynamic web page it only shows a blank white page +> + +You may have not enabled support for the corresponding sql driver in PHP. If you are also using ldap, check for +php ldap support. + > > It is still not working 
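Review bot: The corrected whitelist in `$login = preg_replace("/[^\w\s\.\/\@\:]/",'',$login);` (hunk `@@ -61,10 +66,12 @@`) strips disallowed characters instead of rejecting the request, so a username carrying a quote or any other excluded character is silently reduced to a different, possibly legitimate, username and is then processed as that user. Rejecting is the safer shape and stays a one-liner: `if (preg_match("/[^\w\s\.\/\@\:]/", $login)) { echo "Invalid username"; exit(); }`. Separately, `\s` admits newline and carriage return, which then travel with `$login` into the realm split in `@@ -73,6 +80,9 @@` and into whatever the pages echo or log; unless multi-line usernames are intended, `[ \t]` is tighter. Note that `$login` is later interpolated directly into SQL (see `WHERE $query_key = '$login'` in the lib/attrshow.php3 hunk), so this character class is the only barrier on that path and must never grow to include a quote or backslash.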
> diff --git a/htdocs/about.html b/htdocs/about.html index 8e4201e..65172e8 100644 --- a/htdocs/about.html +++ b/htdocs/about.html @@ -3,7 +3,7 @@ About page - +
diff --git a/htdocs/accounting.php3 b/htdocs/accounting.php3 index db57b45..5f618cb 100644 --- a/htdocs/accounting.php3 +++ b/htdocs/accounting.php3 @@ -15,7 +15,7 @@ else{ - +
Could not include SQL library functions. Aborting @@ -33,6 +33,8 @@ $link = @da_sql_pconnect ($config) or die('cannot connect to sql databse'); $fields = @da_sql_list_fields($config[sql_accounting_table],$link,$config); $no_fields = @da_sql_num_fields($fields,$config); +unset($items); + for($i=0;$i<$no_fields;$i++){ $key = strtolower(@da_sql_field_name($fields,$i,$config)); $val = $sql_attrs[$key][desc]; @@ -109,7 +111,7 @@ EOM; - + - +
diff --git a/htdocs/badusers.php3 b/htdocs/badusers.php3 index fa560a9..c179a8c 100644 --- a/htdocs/badusers.php3 +++ b/htdocs/badusers.php3 @@ -13,7 +13,7 @@ else{ - +
Could not include SQL library functions. Aborting @@ -48,7 +48,7 @@ echo << - +
@@ -79,7 +79,7 @@ if ($link){ $row = @da_sql_fetch_array($search,$config); if ($row[id] == $row_id){ $admin = "$row[Admin]"; - if (($admin != '-' && $HTTP_SERVER_VARS["PHP_AUTH_USER"] == $admin) || $admin == '-'){ + if (($admin != '-' && $_SERVER["PHP_AUTH_USER"] == $admin) || $admin == '-'){ $sql_servers = array(); if ($config[sql_extra_servers] != '') $sql_servers = explode(' ',$config[sql_extra_servers]); @@ -137,7 +137,7 @@ EOM; - +
Could not include SQL library functions. Aborting @@ -25,7 +25,7 @@ echo << - +
@@ -41,8 +41,10 @@ include("../html/user_toolbar.html.php3"); $open_sessions = 0; $sql_extra_query = ''; -if ($config[sql_accounting_extra_query] != '') +if ($config[sql_accounting_extra_query] != ''){ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config); + $sql_extra_query = da_sql_escape_string($sql_extra_query); +} print << diff --git a/htdocs/content.html b/htdocs/content.html index d8fa823..cbc05c4 100644 --- a/htdocs/content.html +++ b/htdocs/content.html @@ -1,5 +1,5 @@ - +
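Review bot: The added `$sql_extra_query = da_sql_escape_string($sql_extra_query);` escapes an assembled SQL clause as if it were a string literal: any quote the administrator wrote in `sql_accounting_extra_query` itself is escaped along with the substituted data, which will break the query for templates that quote their values, while the only untrusted part is what `xlat()` substitutes in. Presumably the escaping belongs on the substituted values (inside lib/xlat.php3, not part of this diff) or on `$login` before the call, leaving the template untouched; whether `xlat()` already does this, or substitutes anything beyond the whitelisted `$login`, cannot be seen from the hunk. The same pattern is added in htdocs/failed_logins.php3 (`@@ -97,9 +103,11 @@`), htdocs/user_finger.php3 (`@@ -41,8 +41,10 @@`) and the user statistics page (`@@ -54,8 +56,14 @@`). The file header of this hunk is not visible in this rendering.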


A web based administration interface for the freeradius radius server diff --git a/htdocs/failed_logins.php3 b/htdocs/failed_logins.php3 index f9dc7b9..d2ee47e 100644 --- a/htdocs/failed_logins.php3 +++ b/htdocs/failed_logins.php3 @@ -15,7 +15,7 @@ else{ - +
Could not include SQL library functions. Aborting @@ -25,8 +25,10 @@ EOM; } $now = time(); -if ($last == 0) +if (!isset($last)) $last = ($config[general_most_recent_fl]) ? $config[general_most_recent_fl] : 5; +if (!is_numeric($last)) + $last = 5; $start = $now - ($last*60); $now_str = date($config[sql_full_date_format],$now); $prev_str = date($config[sql_full_date_format],$start); @@ -52,6 +54,10 @@ if ($server != '' && $server != 'all'){ $server_str = "AND nasipaddress = '$server'"; } +unset($da_name_cache); +if (isset($_SESSION['da_name_cache'])) + $da_name_cache = $_SESSION['da_name_cache']; + ?> @@ -59,7 +65,7 @@ if ($server != '' && $server != 'all'){ - +
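Review bot: In `@@ -25,8 +25,10 @@` the new `is_numeric($last)` guard still admits negative, fractional and exponent forms (and, on the PHP of this era, hex strings), so `$start = $now - ($last*60)` can land in the future or yield a non-integer minute count; an integer cast with a range check pins it: `$last = (int)$last; if ($last < 1) $last = 5;`. The context line `$server_str = "AND nasipaddress = '$server'";` in `@@ -52,6 +54,10 @@` interpolates a request value that is not escaped within the visible lines; if it is not run through `da_sql_escape_string` earlier in the file, it needs the same treatment the other inputs received in this commit. Both guards sit in top-level page code whose surrounding statements are outside the hunks.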
@@ -97,9 +103,11 @@ if ($acct_attrs['fl'][2] != '') echo "\n"; if ($acct_attrs['fl'][7] != '') echo "\n"; if ($acct_attrs['fl'][8] != '') echo "\n"; if ($acct_attrs['fl'][9] != '') echo "\n"; -$sql_extra_query = ''; -if ($config[sql_accounting_extra_query] != '') +unset($sql_extra_query); +if ($config[sql_accounting_extra_query] != ''){ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config); + $sql_extra_query = da_sql_escape_string($sql_extra_query); +} ?> diff --git a/htdocs/find.php3 b/htdocs/find.php3 index 94c6ed6..bde88d5 100644 --- a/htdocs/find.php3 +++ b/htdocs/find.php3 @@ -10,7 +10,7 @@ $max = ($max_results) ? $max_results : 40; - +
" . $acct_attrs['fl'][2] . "" . $acct_attrs['fl'][7] . "" . $acct_attrs['fl'][8] . "" . $acct_attrs['fl'][9] . "
@@ -36,6 +36,7 @@ $max = ($max_results) ? $max_results : 40; - +
This page is only available if you are using sql as general library type @@ -19,6 +19,7 @@ EOM; exit(); } +unset($group_members); if (is_file("../lib/$config[general_lib_type]/group_info.php3")){ include("../lib/$config[general_lib_type]/group_info.php3"); if ($group_exists == 'no'){ @@ -27,7 +28,7 @@ if (is_file("../lib/$config[general_lib_type]/group_info.php3")){ - +
Group Name   @@ -48,7 +49,7 @@ EOM; - +
diff --git a/htdocs/group_new.php3 b/htdocs/group_new.php3 index 8a1fadd..fe0d6e1 100644 --- a/htdocs/group_new.php3 +++ b/htdocs/group_new.php3 @@ -11,7 +11,7 @@ if ($config[general_lib_type] != 'sql'){ - +
This page is only available if you are using sql as general library type @@ -39,7 +39,7 @@ if ($config[general_lib_type] == 'sql' && $config[sql_use_operators] == 'true'){ - +
diff --git a/htdocs/help/help.php3 b/htdocs/help/help.php3 index 54cca94..725797f 100644 --- a/htdocs/help/help.php3 +++ b/htdocs/help/help.php3 @@ -26,14 +26,36 @@
diff --git a/htdocs/login_time_create.php3 b/htdocs/login_time_create.php3 index 39e437a..3c2e1da 100644 --- a/htdocs/login_time_create.php3 +++ b/htdocs/login_time_create.php3 @@ -4,7 +4,7 @@ - + NAS Administration Page - +
Could not include SQL library functions. Aborting @@ -17,13 +17,13 @@ EOM; exit(); } if ($config[general_restrict_nasadmin_access] == 'yes'){ - $auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"]; + $auth_user = $_SERVER["PHP_AUTH_USER"]; if ($auth_user == '' || $mappings[$auth_user][nasadmin] != 'yes'){ echo <<NAS Administration Page - +
Access is not allowed to this username. @@ -64,6 +64,14 @@ if ($link){ if ($nasname == '' || $nassecret == '' || $nasshortname == '') $msg = "Error. Required fields are not set
\n"; else{ + $nasshortname = da_sql_escape_string($nasshortname); + $nastype = da_sql_escape_string($nastype); + $nasportnum = da_sql_escape_string($nasportnum); + $nassecret = da_sql_escape_string($nassecret); + $nascommunity = da_sql_escape_string($nascommunity); + $nasdescription = da_sql_escape_string($nasdescription); + $nasname = da_sql_escape_string($nasname); + $res = @da_sql_query($link,$config, "INSERT INTO $config[sql_nas_table] (nasname,shortname,type,ports,secret,community,description) @@ -81,6 +89,14 @@ if ($link){ if ($nassecret == '' || $nasshortname == '') $msg = "Error. Required fields are not set
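Review bot: The seven `da_sql_escape_string` assignments added here are repeated verbatim in the UPDATE branch of the next hunk (`@@ -81,6 +89,14 @@`); a single loop over the field names keeps the two branches from drifting: `foreach (array('nasname','nasshortname','nastype','nasportnum','nassecret','nascommunity','nasdescription') as $f) $$f = da_sql_escape_string($$f);`. Escaping only protects values the query wraps in quotes; if `ports` is interpolated unquoted in the VALUES list (cut off at the end of this hunk), `$nasportnum` needs an integer cast instead. The UPDATE's WHERE clause, which presumably selects the row by `$nasname`, is also outside the visible lines and should use the escaped value. The file header of these hunks is not visible in this rendering (page title `NAS Administration Page`).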
\n"; else{ + $nasshortname = da_sql_escape_string($nasshortname); + $nastype = da_sql_escape_string($nastype); + $nasportnum = da_sql_escape_string($nasportnum); + $nassecret = da_sql_escape_string($nassecret); + $nascommunity = da_sql_escape_string($nascommunity); + $nasdescription = da_sql_escape_string($nasdescription); + $nasname = da_sql_escape_string($nasname); + $res = @da_sql_query($link,$config, "UPDATE $config[sql_nas_table] SET shortname = '$nasshortname', @@ -131,7 +147,7 @@ else NAS Administration Page - +

-
-
-For now we just include the README file
+Please choose which file you wish to read:

+ + +

+ + +
+
 

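Review bot: The code that opens the file chosen from the new FAQ/HOWTO/README selector is not visible in this rendering of the hunk (header `@@ -26,14 +26,36 @@`, with the heading lines printed above the intervening NAS hunks), so the one check that matters here cannot be confirmed: the request value must select one entry of a fixed table of known paths and never be concatenated into the path itself. A lookup that rejects anything unknown does this in two lines, e.g. `$docs = array('faq' => '../doc/FAQ', /* howto and readme likewise */); if (!isset($docs[$which])) exit();` (variable names are placeholders, `doc/FAQ` is the only documentation path visible in this diff). A one-line comment at the top of the selector, such as `// only the three fixed documents below can be shown; the request value is a key, not a path`, would make the intent clear to the next editor.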
diff --git a/htdocs/session_destroy.php3 b/htdocs/session_destroy.php3 index 589f75b..7934552 100644 --- a/htdocs/session_destroy.php3 +++ b/htdocs/session_destroy.php3 @@ -8,7 +8,7 @@ session_destroy(); Session Cache Destroy Page - +
Session Cache Destroyed diff --git a/htdocs/show_groups.php3 b/htdocs/show_groups.php3 index eba5f5a..b652cab 100644 --- a/htdocs/show_groups.php3 +++ b/htdocs/show_groups.php3 @@ -12,7 +12,7 @@ else{ - +
Could not include SQL library functions. Aborting @@ -26,7 +26,7 @@ EOM; - +
diff --git a/htdocs/stats.php3 b/htdocs/stats.php3 index a933350..7f2c07c 100644 --- a/htdocs/stats.php3 +++ b/htdocs/stats.php3 @@ -9,7 +9,7 @@ require_once('../lib/xlat.php3'); - +
- +
Could not include SQL library functions. Aborting @@ -40,6 +40,10 @@ $selected[$order] = 'selected'; $now_str = da_sql_escape_string($now_str); $prev_str = da_sql_escape_string($prev_str); +unset($da_name_cache); +if (isset($_SESSION['da_name_cache'])) + $da_name_cache = $_SESSION['da_name_cache']; + echo << @@ -47,7 +51,7 @@ echo << - +
diff --git a/htdocs/user_admin.php3 b/htdocs/user_admin.php3 index 8c21348..18b0fa3 100644 --- a/htdocs/user_admin.php3 +++ b/htdocs/user_admin.php3 @@ -16,7 +16,7 @@ if (is_file("../lib/$config[general_lib_type]/user_info.php3")){ - +
User Name   @@ -38,7 +38,7 @@ else{ - +
Could not include SQL library functions. Aborting diff --git a/htdocs/user_delete.php3 b/htdocs/user_delete.php3 index bf63795..6edd647 100644 --- a/htdocs/user_delete.php3 +++ b/htdocs/user_delete.php3 @@ -24,7 +24,7 @@ echo << - +
diff --git a/htdocs/user_edit.php3 b/htdocs/user_edit.php3 index 9f3bde3..2daad56 100644 --- a/htdocs/user_edit.php3 +++ b/htdocs/user_edit.php3 @@ -39,7 +39,7 @@ else - +
diff --git a/htdocs/user_finger.php3 b/htdocs/user_finger.php3 index f9da841..36242f5 100644 --- a/htdocs/user_finger.php3 +++ b/htdocs/user_finger.php3 @@ -29,7 +29,7 @@ if (is_file("../lib/sql/drivers/$config[sql_type]/functions.php3")) include_once("../lib/sql/drivers/$config[sql_type]/functions.php3"); else{ echo << +
Could not include SQL library functions. Aborting @@ -41,8 +41,10 @@ EOM; $date = strftime('%A, %e %B %Y, %T %Z'); $sql_extra_query = ''; -if ($config[sql_accounting_extra_query] != '') +if ($config[sql_accounting_extra_query] != ''){ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config); + $sql_extra_query = da_sql_escape_string($sql_extra_query); +} $link = @da_sql_pconnect($config); $link2 = connect2db($config); @@ -127,7 +129,7 @@ if (isset($usage_summary)){ } ?> - +
diff --git a/htdocs/user_info.php3 b/htdocs/user_info.php3 index 03d8266..f5868cb 100644 --- a/htdocs/user_info.php3 +++ b/htdocs/user_info.php3 @@ -8,7 +8,7 @@ require('../conf/config.php3'); Personal information page - +
diff --git a/htdocs/user_new.php3 b/htdocs/user_new.php3 index ef70d45..71ccb57 100644 --- a/htdocs/user_new.php3 +++ b/htdocs/user_new.php3 @@ -23,7 +23,7 @@ if ($config[general_lib_type] == 'sql' && $config[sql_use_operators] == 'true'){ - + - +
Could not include SQL library functions. Aborting @@ -35,7 +35,9 @@ $stop = da_sql_escape_string($stop); $pagesize = ($pagesize) ? $pagesize : 10; if (!is_numeric($pagesize)) $pagezise = 10; -$limit = ($pagesize == 'all') ? '' : "LIMIT $pagesize"; +if ($pagesize > 100) + $pagesize = 100; +$limit = ($pagesize == 'all') ? 'LIMIT 100' : "LIMIT $pagesize"; $selected[$pagesize] = 'selected'; $order = ($order) ? $order : $config[general_accounting_info_order]; if ($order != 'desc' && $order != 'asc') @@ -54,8 +56,14 @@ $selected[$order] = 'selected'; $selected[$sortby] = 'selected'; $sql_extra_query = ''; -if ($config[sql_accounting_extra_query] != '') +if ($config[sql_accounting_extra_query] != ''){ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config); + $sql_extra_query = da_sql_escape_string($sql_extra_query); +} + +unset($da_name_cache); +if (isset($_SESSION['da_name_cache'])) + $da_name_cache = $_SESSION['da_name_cache']; ?> @@ -63,7 +71,7 @@ if ($config[sql_accounting_extra_query] != '') User Statistics - +
diff --git a/htdocs/user_test.php3 b/htdocs/user_test.php3 index 34ed715..60c3519 100644 --- a/htdocs/user_test.php3 +++ b/htdocs/user_test.php3 @@ -13,7 +13,7 @@ echo << - +
diff --git a/html/buttons/default/buttons.html.php3 b/html/buttons/default/buttons.html.php3 index 7a7b9db..2777723 100644 --- a/html/buttons/default/buttons.html.php3 +++ b/html/buttons/default/buttons.html.php3 @@ -12,15 +12,15 @@ function myout(a) { } - +
\n"; +if ($_SERVER["PHP_AUTH_USER"]) + echo "\n"; ?>
Logged in as " . $HTTP_SERVER_VARS["PHP_AUTH_USER"] . "...

Logged in as " . $_SERVER["PHP_AUTH_USER"] . "...

diff --git a/html/user_admin.html.php3 b/html/user_admin.html.php3 index 2f1f85b..6309eed 100644 --- a/html/user_admin.html.php3 +++ b/html/user_admin.html.php3 @@ -4,7 +4,7 @@ echo <<user information for $cn - + EOM; if ($logged_now) diff --git a/lib/acctshow.php3 b/lib/acctshow.php3 index bb2b0e3..de39327 100644 --- a/lib/acctshow.php3 +++ b/lib/acctshow.php3 @@ -1,5 +1,8 @@ Lock Message should not be empty
\n"; else{ diff --git a/lib/attrshow.php3 b/lib/attrshow.php3 index 945a5fd..98f90e7 100644 --- a/lib/attrshow.php3 +++ b/lib/attrshow.php3 @@ -1,6 +1,9 @@ Invalid operator ($op_val) for attribute $key
\n"; continue; } - $op_val1 = "'$op_val'"; $op_val2 = ",'$op_val'"; } } + $op_val = da_sql_escape_string($op_val); + $sql_attr = da_sql_escape_string($sql_attr); + $val = da_sql_escape_string($val); + $op_val2 = da_sql_escape_string($op_val2); // if we have operators, the operator has changed and the corresponding value exists then update if ($use_ops && isset($item_vals["$key"][operator][$j]) && $op_val != $item_vals["$key"][operator][$j] ){ @@ -81,6 +84,7 @@ if ($link){ else{ if (isset($item_vals["$key"][$j])){ $old_val = $item_vals["$key"][$j]; + $old_val = da_sql_escape_string($old_val); $res = @da_sql_query($link,$config, "UPDATE $table SET value = '$val' WHERE $query_key = '$login' AND attribute = '$sql_attr' AND value = '$old_val';"); diff --git a/lib/sql/change_passwd.php3 b/lib/sql/change_passwd.php3 index 856b17b..5da1f82 100644 --- a/lib/sql/change_passwd.php3 +++ b/lib/sql/change_passwd.php3 @@ -20,6 +20,7 @@ if ($link){ if (is_file("../lib/crypt/$config[general_encryption_method].php3")){ include("../lib/crypt/$config[general_encryption_method].php3"); $passwd = da_encrypt($passwd); + $passwd = da_sql_escape_string($passwd); $res = @da_sql_query($link,$config, "SELECT value FROM $config[sql_check_table] WHERE username = '$login' AND attribute = '$config[sql_password_attribute]';"); diff --git a/lib/sql/create_group.php3 b/lib/sql/create_group.php3 index e37d7bb..22ecf69 100644 --- a/lib/sql/create_group.php3 +++ b/lib/sql/create_group.php3 @@ -12,6 +12,7 @@ if ($config[sql_use_operators] == 'true'){ $passwd_op = ",':='"; } $da_abort=0; +$op_val2 = ''; $link = @da_sql_pconnect($config); if ($link){ $Members = preg_split("/[\n\s]+/",$members,-1,PREG_SPLIT_NO_EMPTY); @@ -49,6 +50,7 @@ if ($link){ $op_name = $attrmap["$key"] . '_op'; $op_val = $$op_name; if ($op_val != ''){ + $op_val = da_sql_escape_string($op_val); if (check_operator($op_val,$type) == -1){ echo "Invalid operator ($op_val) for attribute $key
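Review bot: `$op_val2 = da_sql_escape_string($op_val2);` escapes a value that, from the visible assignment `$op_val2 = ",'$op_val'";`, already carries its own SQL quotes, so when operators are in use the quotes themselves get escaped and the fragment is no longer valid SQL once interpolated; the collapsed rendering makes it unclear whether that assignment is removed or kept, but in either reading the escaped `$op_val` on the line above is what should be quoted. Rebuilding the fragment from the escaped operator keeps the query well-formed: `$op_val = da_sql_escape_string($op_val); $op_val2 = ",'$op_val'";` in place of the added `$op_val2` escape. The header of this hunk is not visible in this rendering, and the enclosing loop starts and ends outside it.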
\n"; coninue; diff --git a/lib/sql/create_user.php3 b/lib/sql/create_user.php3 index ab6131d..1f3e876 100644 --- a/lib/sql/create_user.php3 +++ b/lib/sql/create_user.php3 @@ -12,11 +12,13 @@ if ($config[sql_use_operators] == 'true'){ $passwd_op = ",':='"; } $da_abort=0; +$op_val2 = ''; $link = @da_sql_pconnect($config); if ($link){ if (is_file("../lib/crypt/$config[general_encryption_method].php3")){ include("../lib/crypt/$config[general_encryption_method].php3"); $passwd = da_encrypt($passwd); + $passwd = da_sql_escape_string($passwd); $res = @da_sql_query($link,$config, "INSERT INTO $config[sql_check_table] (attribute,value,username $text) VALUES ('$config[sql_password_attribute]','$passwd','$login' $passwd_op);"); @@ -92,6 +94,7 @@ if ($link){ $op_name = $attrmap["$key"] . '_op'; $op_val = $$op_name; if ($op_val != ''){ + $op_val = da_sql_escape_string($op_val); if (check_operator($op_val,$type) == -1){ echo "Invalid operator ($op_val) for attribute $key
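Review bot: The context line `coninue;` directly under the new `$op_val = da_sql_escape_string($op_val);` is a misspelling of `continue`, so after the `Invalid operator` message the loop does not skip the attribute and proceeds with the rejected operator; the same line appears in the lib/sql/create_user.php3 hunk `@@ -92,6 +94,7 @@` of this commit. Since the escape now runs before `check_operator`, it is also applied to values about to be rejected; validating first and escaping only the accepted operator reads more naturally: `if (check_operator($op_val,$type) == -1) { echo "Invalid operator ($op_val) for attribute $key<br>\n"; continue; } $op_val = da_sql_escape_string($op_val);`. The enclosing loop starts and ends outside the hunk.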
\n"; coninue; diff --git a/lib/sql/find.php3 b/lib/sql/find.php3 index 3eb6893..754fba9 100644 --- a/lib/sql/find.php3 +++ b/lib/sql/find.php3 @@ -6,11 +6,15 @@ else{ exit(); } +unset($found_users); + $link = @da_sql_pconnect($config); if ($link){ $search = da_sql_escape_string($search); if (!is_numeric($max_results)) $max_results = 10; + if ($max_results > 500) + $max_results = 10; if (($search_IN == 'name' || $search_IN == 'department' || $search_IN == 'username') && $config[sql_use_user_info_table] == 'true'){ $res = @da_sql_query($link,$config, @@ -31,6 +35,7 @@ if ($link){ } $table = ($attr_type[$radius_attr] == 'checkItem') ? $config[sql_check_table] : $config[sql_reply_table]; $attr = $attrmap[$radius_attr]; + $attr = da_sql_escape_string($attr); $res = @da_sql_query($link,$config, "SELECT username FROM $table WHERE attribute = '$attr' AND value LIKE '%$search%' LIMIT $max_results;"); if ($res){ diff --git a/lib/sql/nas_list.php3 b/lib/sql/nas_list.php3 index 6ac4ded..c7448d6 100644 --- a/lib/sql/nas_list.php3 +++ b/lib/sql/nas_list.php3 @@ -1,6 +1,9 @@
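Review bot: In the lib/sql/find.php3 hunk `@@ -6,11 +6,15 @@`, `is_numeric($max_results)` followed by `if ($max_results > 500) $max_results = 10;` still lets negative, fractional and exponent forms reach the unquoted `LIMIT $max_results`, and an over-limit request is reset to 10 rather than clamped, which differs from the 100-row clamp added to the statistics page in the same commit. An integer cast with one range check is simpler and consistent: `$max_results = (int)$max_results; if ($max_results < 1 || $max_results > 500) $max_results = 10;`. In `@@ -31,6 +35,7 @@`, `da_sql_escape_string` does not neutralise the LIKE wildcards `%` and `_` in `$search`, so a search term can match every row; that is a functional rather than injection concern, but a comment such as `// LIKE wildcards in $search are not escaped; a '%' term matches everything` would keep it from being mistaken for an oversight.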