From 1b59cdb7feeffb4f973e9314b11d8ca05267d682 Mon Sep 17 00:00:00 2001
From: Maximilien Bersoult <mbersoult@centreon.com>
Date: Mon, 30 Apr 2018 12:26:26 +0200
Subject: [PATCH] fix(sec): Fix SQL Injection in administration logs

* Fix SQL Injection in Administration logs in search fields
---
 .../configChangelog/viewLogs.ihtml            |  6 +++---
 .../configChangelog/viewLogs.php              | 21 +++++++++++--------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/www/include/Administration/configChangelog/viewLogs.ihtml b/www/include/Administration/configChangelog/viewLogs.ihtml
index 70deff5242..0d76a131fe 100644
--- a/www/include/Administration/configChangelog/viewLogs.ihtml
+++ b/www/include/Administration/configChangelog/viewLogs.ihtml
@@ -11,8 +11,8 @@
             <td></td>
         </tr>
         <tr>
-            <td><input type='text' name='searchO' value='{$searchO}' /></td>
-            <td><input type='text' name='searchU' value='{$searchU}' /></td>
+            <td><input type='text' name='searchO' value="{$searchO}" /></td>
+            <td><input type='text' name='searchU' value="{$searchU}" /></td>
             <td><select name='otype'>{$obj_type}</select></td>
             <td><input type='submit' class="btc bt_success" name='SearchB' value='{$Search}' /></td>
         </tr>
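Review bot: The switch from single to double quotes around `{$searchO}` and `{$searchU}` is what makes the escaping added in the viewLogs.php hunk at `@@ -313` sufficient: `htmlentities()` with its default flags does not convert `'`, so a single-quoted attribute would not be neutralised by it. That coupling is invisible from the template, so make the PHP side explicit instead with `$tpl->assign('searchO', htmlentities($searchO, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));` and the same for `searchU`; the output then stays encoded correctly whichever quote style a later template edit uses. It is also worth a template comment next to these inputs, `{* searchO/searchU are entity-encoded in viewLogs.php; keep attribute quoting in sync *}`, so the dependency is documented where it is most likely to be broken.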
@@ -29,7 +29,7 @@
 <table class="ListTable">
     <tr class="ListHeader">
         <td class="ListColHeaderCenter" style='width:120px'>{t}Date{/t}</td>
-        <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Modificaton type{/t}</td>       
+        <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Modificaton type{/t}</td>
         <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Objects{/t}</td>
         <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Object Name{/t}</td>
         <td class="ListColHeaderCenter" style="white-space:nowrap;">{t}Authors{/t}</td>
diff --git a/www/include/Administration/configChangelog/viewLogs.php b/www/include/Administration/configChangelog/viewLogs.php
index 83312fa182..5df5fec59b 100644
--- a/www/include/Administration/configChangelog/viewLogs.php
+++ b/www/include/Administration/configChangelog/viewLogs.php
@@ -43,8 +43,11 @@ function searchUserName($user_name)
 {
     global $pearDB;
     $str = "";
-  
-    $DBRES = $pearDB->query("SELECT contact_id FROM contact WHERE contact_name LIKE '%".$user_name."%' OR contact_alias LIKE '%".$user_name."%'");
+
+    $DBRES = $pearDB->query("SELECT contact_id
+        FROM contact
+        WHERE contact_name LIKE '%" . $pearDB->escape($user_name) . "%'
+            OR contact_alias LIKE '%" . $pearDB->escape($user_name) . "%'");
     while ($row = $DBRES->fetchRow()) {
         if ($str != "") {
             $str .= ", ";
@@ -166,7 +169,7 @@ if ($searchO) {
     } else {
         $query .= " AND ";
     }
-    $query .= " object_name LIKE '%".$searchO."%' ";
+    $query .= " object_name LIKE '%" . $pearDB->escape($searchO) . "%' ";
 }
 if ($searchU) {
     if ($where_flag) {
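Review bot: The `if ($searchU)` branch that opens on the last lines of this hunk continues outside it, so whether `$searchU` receives the same `$pearDB->escape()` treatment as `$searchO` on the changed line cannot be confirmed here; the commit message says both search fields are fixed, so please check the corresponding `LIKE` line in that branch. The enclosing `if ($searchO)` block begins before the hunk.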
@@ -313,8 +316,8 @@ $tpl->assign('form', $renderer->toArray());
 $tpl->assign('search_object_str', _("Object"));
 $tpl->assign('search_user_str', _("User"));
 $tpl->assign('Search', _('Search'));
-$tpl->assign('searchO', $searchO);
-$tpl->assign('searchU', $searchU);
+$tpl->assign('searchO', htmlentities($searchO));
+$tpl->assign('searchU', htmlentities($searchU));
 $tpl->assign('obj_str', _("Object Type"));
 $tpl->assign('type_id', $otype);
 
@@ -322,8 +325,8 @@ $tpl->assign('event_type', _("Event Type"));
 $tpl->assign('time', _("Time"));
 $tpl->assign('contact', _("Contact"));
 
-/* 
- * Pagination 
+/*
+ * Pagination
  */
 $tpl->assign('limit', $limit);
 $tpl->assign('rows', $rows);
@@ -339,13 +342,13 @@ if (isset($_POST['searchO']) || isset($_POST['searchU']) || isset($_POST['otype'
     $listAction = $centreon->CentreonLogAction->listAction($_GET['object_id'], $_GET['object_type']);
     $listModification = array();
     $listModification = $centreon->CentreonLogAction->listModification($_GET['object_id'], $_GET['object_type']);
-  
+
     if (isset($listAction)) {
         $tpl->assign("action", $listAction);
     }
     if (isset($listModification)) {
         $tpl->assign("modification", $listModification);
     }
-  
+
     $tpl->display("viewLogsDetails.ihtml");
 }
-- 
GitLab