Prevent unauthorized access to device graphs

Users could access info for the wrong device by piggybacking on port permissions
This commit is contained in:
Jellyfrog 2020-06-30 13:35:45 +02:00
parent 4da411c839
commit 659325d5d0
2 changed files with 7 additions and 3 deletions


@ -72,6 +72,12 @@ class DeviceController extends Controller
if ($current_tab == 'port') {
$vars = Url::parseLegacyPath($request->path());
$port = Port::findOrFail($vars->get('port'));
// This prevents users from traversal device id's by piggybacking on the auth for the specified port
if ($port->device_id !== $device_id) {
abort(404);
}
$this->authorize('view', $port);
} else {
$this->authorize('view', $device);
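Review bot: The strict `!==` in `if ($port->device_id !== $device_id)` only behaves as intended if `$device_id` has the same scalar type as the Eloquent attribute; where `$device_id` is assigned is outside the hunk, and if it is still a string route segment (or the column comes back as a string under emulated prepares) the guard fails closed and every port tab 404s. Since `$this->authorize('view', $device)` in the else branch suggests `$device` is the resolved model, comparing attribute to attribute, `if ($port->device_id !== $device->device_id) {`, keeps both sides typed by the same driver. It is also worth saying in the comment why a mismatch is a 404 rather than a 403, e.g. `// 404, not 403: a port id from another device must not confirm that device exists`. The enclosing method starts and ends outside the hunk.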


@ -17,9 +17,7 @@ $start = microtime(true);
$init_modules = array('web', 'graphs', 'auth');
require realpath(__DIR__ . '/..') . '/includes/init.php';
$auth = Auth::check() || is_client_authorized($_SERVER['REMOTE_ADDR']);
if (!$auth) {
if (!(Auth::check() || is_client_authorized($_SERVER['REMOTE_ADDR']))) {
die('Unauthorized');
}
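Review bot: `die('Unauthorized')` under the new condition ends the request with that body text but leaves the HTTP status at 200, so an unauthorized graph request is indistinguishable from a successful render to anything that keys on status codes (proxies, monitoring, log-based alerting). Adding `http_response_code(403);` immediately before `die('Unauthorized');` makes the refusal visible without touching the auth decision itself. Folding `$auth` into the condition is behavior-preserving as written. Whether `is_client_authorized($_SERVER['REMOTE_ADDR'])` gives the intended result behind a reverse proxy, where REMOTE_ADDR is the proxy's address, cannot be judged from this hunk.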