
Ignore whitespace Rev 3134 → Rev 3135

/CHANGELOG
9,7 → 9,8
BUGS
- gammu systemd unit : it should wait mysqld to start
- update NTP option in DHCP response in coova conf file (alcasar-conf.sh)
WEB
SECURITY
- fixe a CSRF+RCE vulnerability in activity.php
-------------------- 3.6.0 --------------------
--------------- SVN revision: 3108 ------------
NEWS
/VERSION
1,0 → 0,0
3.6.0
3.6.1b
/alcasar.sh
460,6 → 460,9
secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
echo "secret_radius=$secretradius" >> $PASSWD_FILE
csrfkey=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Key used to create CSRF-tokens in several ACC forms" >> $PASSWD_FILE
echo "csrf_key=$csrfkey" >> $PASSWD_FILE
chmod 640 $PASSWD_FILE
# copy scripts in in /usr/local/bin
cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
796,6 → 799,7
$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
$SED "s?^\$csrf_key = .*?\$csrf_key = \"$csrfkey\"\;?g" $DIR_ACC/manager/htdocs/activity.php
chown -R apache:apache $DIR_WEB/*
# copy & adapt "freeradius-web" files
cp -rf $DIR_CONF/freeradius-web/ /etc/
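Review bot: The key substituted into activity.php at the `$SED` line is never checked to have landed, and activity.php does not read it back from `$PASSWD_FILE` at runtime, so if the pattern does not match (or the web file is later redeployed from a pristine copy) the page silently keeps its `$csrf_key = ""` default and the token becomes computable from REMOTE_ADDR, User-Agent and REQUEST_URI alone. The install step should fail closed rather than continue, e.g. `grep -q "csrf_key = \"$csrfkey\"" $DIR_ACC/manager/htdocs/activity.php || { echo "csrf_key not set in activity.php" >&2; exit 1; }` right after the sed. Note the substitution only works because the key is restricted to `[:alnum:]`; if the character set is ever widened the value becomes part of the sed replacement text and would need escaping, so a comment to that effect next to the generation line would save a future regression. Longer term it would be cleaner for activity.php to read `csrf_key` from the passwd file it already has access to, the way it reads the rest of its configuration, so the secret lives in one 640-mode file instead of also being baked into an apache-owned source file.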
/web/acc/manager/htdocs/activity.php
28,6 → 28,8
}
fclose($file_conf);
 
$csrf_key = "";
$csrf_token = hash('sha256', $_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'].$_SERVER['REQUEST_URI'].$csrf_key);
$tmp = explode("/",$conf["PRIVATE_IP"]);
$private_ip=$tmp[0];
$intif = $conf["INTIF"];
113,8 → 115,8
}
 
if (isset($_POST['action'])){
if (filter_var(trim($_POST['mac_addr']), FILTER_VALIDATE_MAC) !== false){
$mac= trim($_POST['mac_addr']);
$mac= trim($_POST['mac_addr']);
if ((filter_var($mac, FILTER_VALIDATE_MAC) !== false) && (trim($_POST['post_csrf_token']) == $csrf_token)){
switch ($_POST['action']){
case "$l_disconnect" :
exec("sudo /usr/sbin/chilli_query logout ".$mac);
140,6 → 142,7
exec('sudo /usr/local/bin/alcasar-iot_capture.sh -k '.$mac.' &>/dev/null &');
break;
}
 
}
unset($_POST['mac_addr']);
}
223,6 → 226,7
echo "</td><td>";
echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
echo "<input type=\"hidden\" name=\"mac_addr\" value=\"$detail[0]\">";
echo "<input type=\"hidden\" name=\"post_csrf_token\" value=\"$csrf_token\">";
if($IoT_capture == "on"){
if(exec('sudo /usr/local/bin/alcasar-iot_capture.sh -i '.$detail[0]) == "CaptureON"){
echo "<input type=\"submit\" onClick=\"document.getElementById('ldoverlay').style.display='block';\" name=\"action\" value=\"$l_stop_capture_disconnect\">";
247,6 → 251,7
echo "<td>";
echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
echo "<input type=\"hidden\" name=\"mac_addr\" value=\"$detail[0]\">";
echo "<input type=\"hidden\" name=\"post_csrf_token\" value=\"$csrf_token\">";
echo "<input type=\"submit\" onClick=\"document.getElementById('ldoverlay').style.display='block';\" name=\"action\" value=\"$l_disconnect\">";
echo "</form></td>";
}
264,6 → 269,7
echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">";
# Dissociate user (... or other) who is not connected yet
echo "<input type=\"hidden\" name=\"mac_addr\" value=\"$detail[0]\">";
echo "<input type=\"hidden\" name=\"post_csrf_token\" value=\"$csrf_token\">";
exec ("grep $detail[0] /usr/local/etc/alcasar-ethers-info", $mac_in_ether_file);
if (empty($mac_in_ether_file[1])){
echo "<input type=\"submit\" onClick=\"document.getElementById('ldoverlay').style.display='block';\" name=\"action\" value=\"$l_dissociate\">"; // Dissociate only MAC not in ether file (dhcp)
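Review bot: The token check added in the `if` at the mac-validation line compares with loose `==`, reads `$_POST['post_csrf_token']` without `isset`, and accepts an empty `$csrf_key`, in which case the sha256 input is only the client IP, User-Agent and URI — all guessable by a CSRF attacker who already knows the admin's browser and the ACC URL. I would make the check `if ((filter_var($mac, FILTER_VALIDATE_MAC) !== false) && ($csrf_key !== "") && isset($_POST['post_csrf_token']) && hash_equals($csrf_token, trim($_POST['post_csrf_token']))){` so that a missing key fails closed and the comparison is constant-time and strict. Separately, the token is a fixed function of (IP, UA, URI, key) with no session binding and no rotation, so one leak of a rendered form is valid indefinitely; a random per-session value kept in `$_SESSION` would be the more conventional design, though I cannot tell from this hunk whether the ACC already uses PHP sessions. The enclosing `if (isset($_POST['action']))` block and its `switch` continue beyond the first hunk.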