version 1.2

.htaccess

@@ -28,7 +28,7 @@ ErrorDocument 500 /error/500/
 RewriteRule ^login/dashboard/$ dashboard/ [R]
 RewriteRule ^logout/dashboard/$ dashboard/ [R]
 # search override
-RewriteRule ^tools/search/(.*)/(.*)/(.*)/(.*)$ index.php?page=tools&section=search&addresses=$1&subnets=$2&vlans=$3&ip=$4 [L]
+RewriteRule ^tools/search/(.*)/(.*)/(.*)/(.*)/(.*)$ index.php?page=tools&section=search&addresses=$1&subnets=$2&vlans=$3&vrf=$4&ip=$5 [L]
 
 # Rewrites
 RewriteRule ^(.*)/(.*)/(.*)/(.*)/(.*)/$ index.php?page=$1&section=$2&subnetId=$3&sPage=$4&ipaddrid=$5 [L]

INSTALL.txt

+#
+# phpipam update instructions
+#
+please follow this instructions:
+
 http://phpipam.net/documents/installation/
\ No newline at end of file

README

@@ -53,7 +53,7 @@ API guide
 
 Update
 =======
-- see UPDATE file for details
+- http://phpipam.net/documents/upgrade/
 
 Demo page
 ============
@@ -63,6 +63,10 @@ Default user
 ============
 Admin / ipamadmin
 
+Reset admin password
+====================
+php functions/scripts/reset-admin-password.php
+
 Changelog
 =========
 See misc/CHANGELOG

UPDATE

 #
 # phpipam update instructions
 #
+please follow this instructions:
 
-phpIPAM supports upgrading only to 2 older release, for example only version >= 0.9 can be upgraded to 1.1.
-
+http://phpipam.net/documents/upgrade/
\ No newline at end of file
-
-It is recommended that you backup the old phpipam database before you upgrade to new version (change username and pass to ones in config.php):
-	/usr/bin/mysqldump -u ipv6 -pipv6admin phpipam > <my_backup_dir>/phpipam_<version>_migration_backup.db
-
-Backup phpipam files:
-	mv <mywebdir>/phpipam <myphpipamdir>/phpipam-<version>
-
-
-#
-# !!! important !!!
-#
-
-since version 0.7 phpipam uses mod_rewrite to handle url's. Please make sure you meet the following requirements:
-	1.) Apache2 with mod_rewrite support
-	2.) "AllowOverride all" set in vhost config for mod_rewrite to work
-	
-In case your URL for phpipam is not root please set the following variables (example for /phpipam/):
-	3.) Set BASE in config.php to /phpipam/
-	4.) RewriteBase /phpipam/ in .htaccess
-
-
-#
-# a) Automatic upgrade procedure
-#
-
-	1.) Extract files form tar package:
-		tar -xvf phpipam-1.1.tar
-	2.) Set database connection settings in config.php;
-	3.) Open phpipam in browser and update database;
-
- 
-
-#
-# b) Manual upgrade procedure
-#
-	1.) Extract files form tar package:
-		tar -xvf phpipam-1.1.tar
-	2.) Set database connection settings in config.php;
-	3.) Manual database structure update
-		Update database structure by importing database scheme for your version.
-		If you have version 1.0 and want to upgrade to 1.1 use all update files form UPDATE-v1.0.sql on;
-			mysql -u root -p phpipam < db/UPDATE-v1.01.sql
-			mysql -u root -p phpipam < db/UPDATE-v1.02.sql
-			...
\ No newline at end of file

app/admin/api/edit-result.php

@@ -16,6 +16,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$_POST['csrf_cookie']==$_SESSION['csrf_cookie'] ? :                      $Result->show("danger", _("Invalid CSRF cookie"), true);
+
 /* checks */
 $error = array();
 

app/admin/api/edit.php

@@ -16,6 +16,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf = $User->create_csrf_cookie ();
+
 # ID must be numeric
 if($_POST['action']!="add" && !is_numeric($_POST['appid'])) { $Result->show("danger", _("Invalid ID"), true, true); }
 
@@ -53,6 +56,7 @@ if($_POST['action']!="add") {
 	    	<input type="text" name="app_id" class="form-control input-sm" value="<?php print @$api->app_id; ?>" <?php if($_POST['action'] == "delete") print "readonly"; ?>>
 	        <input type="hidden" name="id" value="<?php print $api->id; ?>">
     		<input type="hidden" name="action" value="<?php print $_POST['action']; ?>">
+    		<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 	    </td>
        	<td class="info2"><?php print _('Enter application identifier'); ?></td>
     </tr>

app/admin/authentication-methods/edit-AD.php

@@ -65,6 +65,7 @@ $delete = $_POST['action']=="delete" ? "disabled" : "";
 			<input type="hidden" name="type" value="AD">
 			<input type="hidden" name="id" value="<?php print @$method_settings->id; ?>">
 			<input type="hidden" name="action" value="<?php print @$_POST['action']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 		</td>
 		<td class="info2"><?php print _('Enter domain controllers, separated by ;'); ?>
 		</td>

app/admin/authentication-methods/edit-LDAP.php

@@ -75,6 +75,7 @@ $delete = $_POST['action']=="delete" ? "disabled" : "";
 			<input type="hidden" name="type" value="LDAP">
 			<input type="hidden" name="id" value="<?php print @$method_settings->id; ?>">
 			<input type="hidden" name="action" value="<?php print @$_POST['action']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 		</td>
 		<td class="info2"><?php print _('LDAP hosts, separated by a semicolon (;)'); ?>
 		</td>

app/admin/authentication-methods/edit-NetIQ.php

@@ -65,6 +65,7 @@ $delete = $_POST['action']=="delete" ? "disabled" : "";
 			<input type="hidden" name="type" value="NetIQ">
 			<input type="hidden" name="id" value="<?php print @$method_settings->id; ?>">
 			<input type="hidden" name="action" value="<?php print @$_POST['action']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 		</td>
 		<td class="info2"><?php print _('Enter domain controllers, separated by ;'); ?>
 		</td>

app/admin/authentication-methods/edit-Radius.php

@@ -60,6 +60,7 @@ $delete = $_POST['action']=="delete" ? "disabled" : "";
 			<input type="hidden" name="type" value="Radius">
 			<input type="hidden" name="id" value="<?php print @$method_settings->id; ?>">
 			<input type="hidden" name="action" value="<?php print @$_POST['action']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 		</td>
 		<td class="info2"><?php print _('Enter Radius server'); ?>
 		</td>

app/admin/authentication-methods/edit-result.php

@@ -17,6 +17,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$_POST['csrf_cookie']==$_SESSION['csrf_cookie'] ? :                      $Result->show("danger", _("Invalid CSRF cookie"), true);
+
 # get action
 $action = $_POST['action'];
 

app/admin/authentication-methods/edit.php

 <?php
 
-
 /* functions */
 require( dirname(__FILE__) . '/../../../functions/functions.php');
 
@@ -14,6 +13,9 @@ $Log 		= new Logging ($Database, $User->settings);
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf = $User->create_csrf_cookie ();
+
 # if edit check if protected?
 if($_POST['action']!="add") {
 	$auth_method = $Admin->fetch_object("usersAuthMethod", "id", $_POST['id']);

app/admin/custom-fields/edit-result.php

@@ -16,6 +16,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$_POST['csrf_cookie']==$_SESSION['csrf_cookie'] ? :                         $Result->show("danger", _("Invalid CSRF cookie"), true);
+
 
 /* checks */
 if($_POST['action'] == "delete") {

app/admin/custom-fields/edit.php

@@ -26,6 +26,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf = $User->create_csrf_cookie ();
+
 
 /* reset field name for add! */
 if($_POST['action'] == "add") 	{ $_POST['fieldName'] = ""; }
@@ -53,6 +56,7 @@ $fieldval = (array) $Tools->fetch_full_field_definition($_POST['table'], $_POST[
 			<input type="hidden" name="oldname" value="<?php print $_POST['oldname']; ?>">
 			<input type="hidden" name="action" value="<?php print $_POST['action']; ?>">
 			<input type="hidden" name="table" value="<?php print $_POST['table']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 		</td>
 	</tr>
 

app/admin/device-types/edit-result.php

@@ -16,6 +16,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$_POST['csrf_cookie']==$_SESSION['csrf_cookie'] ? :                             $Result->show("danger", _("Invalid CSRF cookie"), true);
+
 # ID must be numeric
 if($_POST['action']!="add" && !is_numeric($_POST['tid'])) 	{ $Result->show("danger", _("Invalid ID"), true); }
 

app/admin/device-types/edit.php

@@ -16,6 +16,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf = $User->create_csrf_cookie ();
+
 # ID must be numeric
 if($_POST['action']!="add" && !is_numeric($_POST['tid'])) { $Result->show("danger", _("Invalid ID"), true, true); }
 # set delete flag
@@ -46,6 +49,7 @@ if( ($_POST['action'] == "edit") || ($_POST['action'] == "delete") ) {
 		<td>
 			<input type="text" name="tname" class="form-control input-sm" placeholder="<?php print _('Name'); ?>" value="<?php print @$device->tname; ?>" <?php print $readonly; ?>>
 			<input type="hidden" name="action" value="<?php print $_POST['action']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 			<?php
 			if( ($_POST['action'] == "edit") || ($_POST['action'] == "delete") ) {
 				print '<input type="hidden" name="tid" value="'. $_POST['tid'] .'">'. "\n";

app/admin/devices/edit-result.php

@@ -17,6 +17,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$_POST['csrf_cookie']==$_SESSION['csrf_cookie'] ? :                      $Result->show("danger", _("Invalid CSRF cookie"), true);
+
 
 # get modified details
 $device = $_POST;

app/admin/devices/edit.php

@@ -17,6 +17,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf = $User->create_csrf_cookie ();
+
 # fetch custom fields
 $custom = $Tools->fetch_custom_fields('devices');
 
@@ -115,6 +118,7 @@ $(document).ready(function(){
 				print '<input type="hidden" name="switchId" value="'. $_POST['switchId'] .'">'. "\n";
 			} ?>
 			<input type="hidden" name="action" value="<?php print $_POST['action']; ?>">
+			<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 		</td>
 	</tr>
 

app/admin/groups/edit-group-result.php

@@ -17,6 +17,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# validate csrf cookie
+$_POST['csrf_cookie']==$_SESSION['csrf_cookie'] ? :                         $Result->show("danger", _("Invalid CSRF cookie"), true);
+
 
 # remove users from this group if delete and remove group from sections
 if($_POST['action'] == "delete") {

app/admin/groups/edit-group.php

@@ -16,6 +16,9 @@ $Result 	= new Result ();
 # verify that user is logged in
 $User->check_user_session();
 
+# create csrf token
+$csrf = $User->create_csrf_cookie ();
+
 # fetch group and set title
 if($_POST['action']=="add") {
 	$title = _('Add new group');
@@ -55,6 +58,7 @@ if($_POST['action']=="add") {
 
     		<input type="hidden" name="g_id" value="<?php print $_POST['id']; ?>">
     		<input type="hidden" name="action" value="<?php print $_POST['action']; ?>">
+    		<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
     	</td>
     	<td class="info2"><?php print _('Enter description'); ?></td>
     </tr>