GVI-2010-02 : Multiple vulnerabilities in Open-AudIT
====================================================

1 Overview
----------

Excerpt from http://www.open-audit.org :
"Open-AudIT is an application to tell you exactly what is on your network, how
it is configured and when it changes. Open-AudIT will run on Windows and Linux
systems. Essentially, Open-AudIT is a database of information, that can be
queried via a web interface."

2 Description
-------------

Multiple security issues were discovered which can be categorized as :

    - Lack of Authentication
    - SQL Injection
    - Cross-Site Scripting
    - Local File Include

3 Details
---------

Product            : Open-AudIT
Versions           : 20081013, 20091223-RC
Vulnerability Type : authentication, SQLi, XSS, LFI
Discovered by      : Sébastien Duquette (virtualguardian.ca)

Original Advisory :
http://www.gardienvirtuel.ca/wp-content/uploads/2010/05/GVI-2010-02-EN.txt

4 Timeline
----------

Patches were sent to the vendor. The vendor said that they are focussing on
version 2 of the product. Patches are not applied at disclosure date.

Vendor informed       : December 12th, 2009
Vendor Response       : December 13th, 2009
Update request        : January  14th, 2010
Vendor response       : January  14th, 2010
Update request        : February 19th, 2010
Vendor response       : February 21st, 2010
Patches sent          :    March 29th, 2010
Public Disclosure     :      May 20th, 2010

5 Analysis
----------

5.1 Lack of Authentication
--------------------------

When the "Use Passwords" option is activated, Open-AudIT requires a user and
password to be provided to access the web administrative interface. However,
several scripts will not properly verify authentication before accepting
requests.

This allows an attacker to add or remove information in the database
concerning the audited systems, and to obtain or modify system configuration
such as SMTP or LDAP server addresses.

Also, the "backup" folder has user access rights by default, allowing anyone
to grab any backup contained in the folder.

Please note that this problem is not fixed by the patch provided with this
advisory. To perform the inventorying on machines, Open-AudIT uses vbscript on
Windows and bash scripts on Linux and sends the data back via HTTP POST
requests. The scripts currently do not support HTTP authentication.

 ------------------------------
| Affected scripts             |
|------------------------------|
| upgrade.php                  |
| admin_config_data.php        |
| delete_system.php            |
| admin_delete_all_systems.php |
| admin_nmap_input.php         |
| admin_pc_add_2.php           |
| delete_other.php             |
| delete_missed_audit.php      |
| ldap_audit_script.php        |
| ldap_login.php               |
| ldap_logout.php              |
| list.php                     |
| list_export.php              |
| system_post.php              |
| system_export.php            |
| php.php                      |
 ------------------------------


5.1.1 Proof of concept
----------------------

Obtain the address of the LDAP server
admin_config_data.php?sub=f1

Delete a system by its ID
delete_system.php?pc=<ID>

5.2 SQL Injection
-----------------

Most SQL queries in the application do not sanitize the parameters. As an
example, here is an excerpt from the system_post.php file :

$sql  = "UPDATE other SET other_network_name = '" .
        $_REQUEST['other_network_name'] . "',";

Please refer to the provided patch for the complete list of affected
queries.

5.2.1 Proof of concept
----------------------

This request will output the name of the mysql user and current database
admin_config_data.php?sub=f8&ldap_path_id=1%20UNION%20SELECT%20user%28%29,%20database%28%29

This request will return a text file with the list of all audited systems
list_export.php?filename=export&sql=SELECT%2B%252A%2BFROM%2B%2560system
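
The system_post.php UPDATE quoted in 5.2 and the ldap_path_id lookup, written
with bound parameters. This is an added example, not code from the advisory or
from Open-AudIT; it assumes PDO with an in-memory SQLite database standing in
for MySQL, cut-down tables, and hypothetical function names.

```php
<?php
// Added example, not Open-AudIT code. In-memory SQLite (PDO) stands in for
// MySQL, and both tables are cut down to the columns used here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE other (other_id TEXT PRIMARY KEY, other_network_name TEXT)');
$db->exec("INSERT INTO other VALUES ('1', 'printer-1'), ('2', 'switch-2')");
$db->exec('CREATE TABLE ldap_paths (ldap_paths_id INTEGER PRIMARY KEY,
           ldap_paths_dn TEXT, ldap_paths_audit INTEGER)');
$db->exec("INSERT INTO ldap_paths VALUES (1, 'OU=Servers,DC=example,DC=test', 1)");

/** system_post.php's UPDATE with bound values instead of concatenation. */
function update_other_network_name(PDO $db, string $otherId, string $name): int
{
    $stmt = $db->prepare(
        'UPDATE other SET other_network_name = :name WHERE other_id = :id'
    );
    // Values travel separately from the statement text, so quotes in them
    // are data and cannot change the query's structure.
    $stmt->execute([':name' => $name, ':id' => $otherId]);
    return $stmt->rowCount();
}

/** The ldap_path_id lookup: reject non-integers, then bind as an integer. */
function fetch_ldap_path(PDO $db, string $pathId): ?array
{
    // intval() would quietly keep the leading digits of a mixed value;
    // FILTER_VALIDATE_INT refuses the whole value instead.
    $id = filter_var($pathId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT ldap_paths_dn, ldap_paths_audit FROM ldap_paths WHERE ldap_paths_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values: a name containing a quote and a comment marker,
// a valid path id, and a path id with SQL appended to the number.
$changed = update_other_network_name($db, '1', "rack 3' -- core");
printf("rows updated: %d\n", $changed);
foreach ($db->query('SELECT other_id, other_network_name FROM other') as $row) {
    printf("%s => %s\n", $row['other_id'], $row['other_network_name']);
}
var_dump(fetch_ldap_path($db, '1'));
var_dump(fetch_ldap_path($db, '1 UNION SELECT 1, 2'));
```

Binding does not help list_export.php, whose sql parameter carries a whole
statement; that script has to build its query on the server side.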

5.3 Cross-Site Scripting
------------------------

Some instances of Cross-Site scripting were found in Open-AudIT. Below is a
table summarizing the affected variables.

 ------------------------------
| Script           |  Variable |
 ------------------------------
| include_lang.php |  language |
| list.php         |  view     |
 ------------------------------

5.3.1 Proof of concept
----------------------

list.php?view=%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E

5.4 Local File Include
----------------------

The include_lang.php script is vulnerable to local file include. Let's take a
look at the code :

    <?php
    if(!isset($language) or $language=="") $GLOBALS["language"]="en";
    $language_file="./lang/".$GLOBALS["language"].".inc";
    if(is_file($language_file)){
        include($language_file);
    }else{
    ....

If we can somehow manage to modify the language value, a local file include
would be possible by using a directory traversal. It so happens that the
setup.php script is not disabled or deleted once the installation is completed
and allows an unauthenticated user to modify the language value. See the proof
of concept below.

5.4.1 Proof of concept
----------------------

Create a file named /tmp/test containing some php code. Send a POST request to
setup.php with the following parameters :

    - language = %2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2ftest
    - step = 2

The script will then be included on pretty much every page.
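
A language-file lookup for include_lang.php that refuses anything outside
./lang/, shown as an added example that is not code from the advisory or from
Open-AudIT. is_inside() and resolve_language_file() are hypothetical helpers,
and the language-code pattern is an assumption about how language files are
named.

```php
<?php
// Added example, not Open-AudIT code. is_inside() and resolve_language_file()
// are hypothetical helpers; the language-code pattern is an assumption.

/** True only if $path exists and its canonical form lies under $dir. */
function is_inside(string $path, string $dir): bool
{
    $base = realpath($dir);
    $real = realpath($path);
    // realpath() returns false for anything that does not exist. Test for
    // that explicitly instead of letting false be compared as a string.
    if ($base === false || $real === false) {
        return false;
    }
    // The trailing separator stops ".../lang_old" matching base ".../lang".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0;
}

/** Return the language file to include, or null so the caller uses "en". */
function resolve_language_file(string $langDir, string $requested): ?string
{
    // Allowlist first: a language code is a short token, never a path.
    if (!preg_match('/\A[a-z]{2}(?:[_-][a-z]{2})?\z/i', $requested)) {
        return null;
    }
    $file = $langDir . DIRECTORY_SEPARATOR . $requested . '.inc';
    // Defence in depth: the canonical path must still be under $langDir.
    if (!is_inside($file, $langDir) || !is_file($file)) {
        return null;
    }
    return realpath($file);
}

// --- Constructed demo tree in the system temp directory ---
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'oa_lang_demo_' . getmypid();
mkdir($root . '/lang', 0700, true);
mkdir($root . '/lang_old', 0700, true);
file_put_contents($root . '/lang/en.inc', "<?php // constructed\n");
file_put_contents($root . '/lang_old/en.inc', "<?php // constructed\n");

// Constructed request values, including path-shaped ones that must be refused.
foreach (['en', 'fr', '', '/../lang_old/en', '../../tmp/test'] as $code) {
    $hit = resolve_language_file($root . '/lang', $code);
    printf("%-20s -> %s\n", var_export($code, true),
        $hit === null
            ? 'rejected, use en'
            : basename(dirname($hit)) . '/' . basename($hit));
}

// Why the separator matters: a sibling directory shares the string prefix,
// so a bare strncmp() against ".../lang" and is_inside() disagree about it.
$sibling = $root . '/lang_old/en.inc';
var_dump(strncmp($sibling, $root . '/lang', strlen($root . '/lang')) === 0);
var_dump(is_inside($sibling, $root . '/lang'));

// Remove the constructed files.
unlink($root . '/lang/en.inc');
unlink($root . '/lang_old/en.inc');
rmdir($root . '/lang');
rmdir($root . '/lang_old');
rmdir($root);
```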
        
Solution
--------

The flaws disclosed in this advisory are unpatched at the day of the release.
We provide a patch against the latest version of the software. Please note that
this patch was not extensively tested and does not fix all the issues. It is
provided solely as a reference.
diff openaudit-rc/admin_config_data.php openaudit-patched//admin_config_data.php
107c107
<       $sql  = "SELECT * FROM ldap_paths WHERE 
ldap_paths_connection_id='".$ConnectionGuid."'";        
---
>       $sql  = "SELECT * FROM ldap_paths WHERE 
> ldap_paths_connection_id='".mysql_real_escape_string($ConnectionGuid)."'";    
>   
239,240c239,240
<               $sql  = "UPDATE `ldap_connections` SET 
`ldap_connections_nc`='".$domain_nc."',`ldap_connections_fqdn`='".$fqdn."',";
<               $sql .= 
"`ldap_connections_server`='".$_GET["ldap_connection_server"]."',`ldap_connections_user`=AES_ENCRYPT('".$_GET["ldap_connection_user"]."','".$aes_key."'),";
---
>               $sql  = "UPDATE `ldap_connections` SET 
> `ldap_connections_nc`='".mysql_real_escape_string($domain_nc)."',`ldap_connections_fqdn`='".mysql_real_escape_string($fqdn)."',";
>               $sql .= 
> "`ldap_connections_server`='".mysql_real_escape_string($_GET["ldap_connection_server"])."',`ldap_connections_user`=AES_ENCRYPT('".$_GET["ldap_connection_user"]."','".$aes_key."'),";
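Review bot: ldap_connection_user is still concatenated unescaped on the new
line 240, inside AES_ENCRYPT('".$_GET["ldap_connection_user"]."', ...), while
the other three values in this statement are now escaped. Wrap it in
mysql_real_escape_string() as well, and give line 241, which the patch leaves
untouched between this hunk and the next, the same check.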
242c242
<               $sql .= "WHERE 
ldap_connections_id='".$_GET["ldap_connection_id"]."'";  
---
>               $sql .= "WHERE 
> ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
>         
249c249
<               $sql .= "VALUES 
('".$domain_nc."','".$fqdn."','".$_GET["ldap_connection_server"]."',";
---
>               $sql .= "VALUES 
> ('".mysql_real_escape_string($domain_nc)."','".mysql_real_escape_string($fqdn)."','".mysql_real_escape_string($_GET["ldap_connection_server"])."',";
347c347
<       AND 
ldap_connections.ldap_connections_id='".$_GET["ldap_connection_id"]."'";
---
>       AND 
> ldap_connections.ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
355c355
<       AND 
ldap_connections.ldap_connections_id='".$_GET["ldap_connection_id"]."'";
---
>       AND 
> ldap_connections.ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
362c362
<       AND 
ldap_connections.ldap_connections_id='".$_GET["ldap_connection_id"]."'";
---
>       AND 
> ldap_connections.ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
367c367
<       WHERE 
ldap_connections.ldap_connections_id='".$_GET["ldap_connection_id"]."'";
---
>       WHERE 
> ldap_connections.ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
396c396
<       WHERE ldap_connections_id='".$_GET["ldap_connection_id"]."'";
---
>       WHERE 
> ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
434c434
<       $sql  = "SELECT ldap_connections_nc FROM ldap_connections WHERE 
ldap_connections_id='".$_GET["ldap_connection_id"]."'";
---
>       $sql  = "SELECT ldap_connections_nc FROM ldap_connections WHERE 
> ldap_connections_id='".mysql_real_escape_string($_GET["ldap_connection_id"])."'";
493c493
<       $sql  = "SELECT ldap_paths_dn, ldap_paths_audit FROM ldap_paths WHERE 
ldap_paths_id=".$_GET["ldap_path_id"];
---
>       $sql  = "SELECT ldap_paths_dn, ldap_paths_audit FROM ldap_paths WHERE 
> ldap_paths_id=".intval($_GET["ldap_path_id"]);
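Review bot: intval() on ldap_path_id closes the unquoted-integer case here, but
it silently maps a non-numeric value to 0 or to its leading digits instead of
rejecting the request. Validate first (for example with ctype_digit()) and fail
on bad input, and have the 538c538, 545c545 and 549c549 hunks treat the same
parameter the same way rather than quoting and escaping it.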
538c538
<       AND ldap_paths.ldap_paths_id='".$_GET["ldap_path_id"]."'";
---
>       AND 
> ldap_paths.ldap_paths_id='".mysql_real_escape_string($_GET["ldap_path_id"])."'";
545c545
<       AND ldap_paths.ldap_paths_id='".$_GET["ldap_path_id"]."'";
---
>       AND 
> ldap_paths.ldap_paths_id='".mysql_real_escape_string($_GET["ldap_path_id"])."'";
549c549
<       $sql  = "DELETE FROM ldap_paths WHERE 
ldap_paths.ldap_paths_id='".$_GET["ldap_path_id"]."'";
---
>       $sql  = "DELETE FROM ldap_paths WHERE 
> ldap_paths.ldap_paths_id='".mysql_real_escape_string($_GET["ldap_path_id"])."'";
556c556
< ?>
\ No newline at end of file
---
> ?>
Common subdirectories: openaudit-rc/backup and openaudit-patched//backup
diff openaudit-rc/delete_other.php openaudit-patched//delete_other.php
6c6,7
< 
---
>         
>         $other = mysql_real_escape_string($_GET['other']);
10c11
<         $query = "DELETE FROM other WHERE other_id = '" . $_GET['other'] . 
"'";
---
>         $query = "DELETE FROM other WHERE other_id = '" . $other . "'";
diff openaudit-rc/delete_system.php openaudit-patched//delete_system.php
9c9,12
<     $query = "select system_name from system where system_uuid='" . 
$_GET['pc'] . "'";
---
>     
>     $pc = mysql_real_escape_string($_GET['pc']);
> 
>     $query = "select system_name from system where system_uuid='" . $pc . "'";
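Review bot: escaping $_GET['pc'] once into $pc fixes the quoting, but none of
the delete_system.php hunks adds a login check, so the DELETE statements that
follow still run for any caller, which is the condition section 5.1 lists for
this script. If include.php, added to upgrade.php at the end of this patch, is
what enforces the login, require it here before the first query as well.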
14c17
<     $query = "DELETE FROM battery WHERE battery_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM battery WHERE battery_uuid = '" . $pc . "'";
17c20
<     $query = "DELETE FROM bios WHERE bios_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM bios WHERE bios_uuid = '" . $pc . "'";
20c23
<     $query = "DELETE FROM browser_helper_objects WHERE bho_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM browser_helper_objects WHERE bho_uuid = '" . $pc . 
> "'";
23c26
<     $query = "DELETE FROM firewall_auth_app WHERE firewall_app_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM firewall_auth_app WHERE firewall_app_uuid = '" . 
> $pc . "'";
26c29
<     $query = "DELETE FROM firewall_ports WHERE port_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM firewall_ports WHERE port_uuid = '" . $pc . "'";
29c32
<     $query = "DELETE FROM firewire WHERE fw_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM firewire WHERE fw_uuid = '" . $pc . "'";
32c35
<     $query = "DELETE FROM floppy WHERE floppy_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM floppy WHERE floppy_uuid = '" . $pc . "'";
35c38
<     $query = "DELETE FROM graphs_disk WHERE disk_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM graphs_disk WHERE disk_uuid = '" . $pc . "'";
38c41
<     $query = "DELETE FROM groups WHERE groups_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM groups WHERE groups_uuid = '" . $pc . "'";
41c44
<     $query = "DELETE FROM hard_drive WHERE hard_drive_uuid = '" . $_GET['pc'] 
. "'";
---
>     $query = "DELETE FROM hard_drive WHERE hard_drive_uuid = '" . $pc . "'";
44c47
<     $query = "DELETE FROM iis WHERE iis_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM iis WHERE iis_uuid = '" . $pc . "'";
47c50
<     $query = "DELETE FROM iis_ip WHERE iis_ip_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM iis_ip WHERE iis_ip_uuid = '" . $pc . "'";
50c53
<     $query = "DELETE FROM iis_vd WHERE iis_vd_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM iis_vd WHERE iis_vd_uuid = '" . $pc . "'";
53c56
<     $query = "DELETE FROM invoice WHERE invoice_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM invoice WHERE invoice_uuid = '" . $pc . "'";
56c59
<     $query = "DELETE FROM keyboard WHERE keyboard_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM keyboard WHERE keyboard_uuid = '" . $pc . "'";
59c62
<     $query = "DELETE FROM manual_software WHERE man_soft_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM manual_software WHERE man_soft_uuid = '" . $pc . 
> "'";
62c65
<     $query = "DELETE FROM mapped WHERE mapped_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM mapped WHERE mapped_uuid = '" . $pc . "'";
65c68
<     $query = "DELETE FROM media WHERE media_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM media WHERE media_uuid = '" . $pc . "'";
68c71
<     $query = "DELETE FROM memory WHERE memory_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM memory WHERE memory_uuid = '" . $pc . "'";
71c74
<     $query = "DELETE FROM modem WHERE modem_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM modem WHERE modem_uuid = '" . $pc . "'";
74c77
<     $query = "DELETE FROM monitor WHERE monitor_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM monitor WHERE monitor_uuid = '" . $pc . "'";
77c80
<     $query = "DELETE FROM mouse WHERE mouse_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM mouse WHERE mouse_uuid = '" . $pc . "'";
80c83
<     $query = "DELETE FROM ms_keys WHERE ms_keys_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM ms_keys WHERE ms_keys_uuid = '" . $pc . "'";
83c86
<     $query = "DELETE FROM network_card WHERE net_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM network_card WHERE net_uuid = '" . $pc . "'";
86c89
<     $query = "DELETE FROM nmap_ports WHERE nmap_other_id = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM nmap_ports WHERE nmap_other_id = '" . $pc . "'";
89c92
<     $query = "DELETE FROM notes WHERE notes_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM notes WHERE notes_uuid = '" . $pc . "'";
92c95
<     $query = "DELETE FROM optical_drive WHERE optical_drive_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM optical_drive WHERE optical_drive_uuid = '" . $pc . 
> "'";
95c98
<     $query = "DELETE FROM partition WHERE partition_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM partition WHERE partition_uuid = '" . $pc . "'";
98c101
<     $query = "DELETE FROM passwords WHERE passwords_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM passwords WHERE passwords_uuid = '" . $pc . "'";
101c104
<     $query = "DELETE FROM processor WHERE processor_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM processor WHERE processor_uuid = '" . $pc . "'";
104c107
<     $query = "DELETE FROM scsi_controller WHERE scsi_controller_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM scsi_controller WHERE scsi_controller_uuid = '" . 
> $pc . "'";
107c110
<     $query = "DELETE FROM scsi_device WHERE scsi_device_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM scsi_device WHERE scsi_device_uuid = '" . $pc . "'";
110c113
<     $query = "DELETE FROM service WHERE service_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM service WHERE service_uuid = '" . $pc . "'";
113c116
<     $query = "DELETE FROM shares WHERE shares_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM shares WHERE shares_uuid = '" . $pc . "'";
116c119
<     $query = "DELETE FROM software WHERE software_uuid = '" . $_GET['pc'] . 
"'";
---
>     $query = "DELETE FROM software WHERE software_uuid = '" . $pc . "'";
119c122
<     $query = "DELETE FROM sound WHERE sound_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM sound WHERE sound_uuid = '" . $pc . "'";
122c125
<     $query = "DELETE FROM startup WHERE startup_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM startup WHERE startup_uuid = '" . $pc . "'";
125c128
<     $query = "DELETE FROM system WHERE system_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM system WHERE system_uuid = '" . $pc . "'";
128c131
<     $query = "DELETE FROM system_audits WHERE system_audits_uuid = '" . 
$_GET['pc'] . "'";
---
>     $query = "DELETE FROM system_audits WHERE system_audits_uuid = '" . $pc . 
> "'";
131c134
<     $query = "DELETE FROM system_man WHERE system_man_uuid = '" . $_GET['pc'] 
. "'";
---
>     $query = "DELETE FROM system_man WHERE system_man_uuid = '" . $pc . "'";
137c140
<     $query = "DELETE FROM tape_drive WHERE tape_drive_uuid = '" . $_GET['pc'] 
. "'";
---
>     $query = "DELETE FROM tape_drive WHERE tape_drive_uuid = '" . $pc . "'";
140c143
<     $query = "DELETE FROM usb WHERE usb_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM usb WHERE usb_uuid = '" . $pc . "'";
143c146
<     $query = "DELETE FROM users WHERE users_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM users WHERE users_uuid = '" . $pc . "'";
146c149
<     $query = "DELETE FROM video WHERE video_uuid = '" . $_GET['pc'] . "'";
---
>     $query = "DELETE FROM video WHERE video_uuid = '" . $pc . "'";
Common subdirectories: openaudit-rc/images and openaudit-patched//images
Common subdirectories: openaudit-rc/images-systems and 
openaudit-patched//images-systems
diff openaudit-rc/include_lang.php openaudit-patched//include_lang.php
3c3,7
< $language_file="./lang/".$GLOBALS["language"].".inc";
---
> $language_file=realpath("./lang/".$GLOBALS["language"].".inc");
> $language_dir = getcwd() . "/lang/";
> if(strncmp($language_file, $language_dir, strlen($language_dir)) != 0) {
>     die("Directory Traversal attempt Detected!");
> }
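Review bot: realpath() returns false when the requested language file does not
exist, and the strncmp() on the third new line then fails, so an unknown
language dies with "Directory Traversal attempt Detected!" instead of reaching
the "Language-File not found" branch. Test $language_file === false before the
prefix comparison and let that case fall through to the existing error
handling.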
7c11
<     die("Language-File not found: ".$language_file);
---
>     die("Language-File not found: ".htmlentities($language_file));
Common subdirectories: openaudit-rc/javascript and openaudit-patched//javascript
Common subdirectories: openaudit-rc/lang and openaudit-patched//lang
Common subdirectories: openaudit-rc/lib and openaudit-patched//lib
diff openaudit-rc/list.php openaudit-patched//list.php
24c24
<     $include_filename = "list_viewdef_".$_REQUEST["view"].".php";
---
>     $include_filename = realpath(getcwd() . 
> "/list_viewdef_".$_REQUEST["view"].".php");
26c26
<     $include_filename = "list_viewdef_all_systems.php";
---
>     $include_filename = realpath(getcwd() . "/list_viewdef_all_systems.php");
27a28,33
> 
> $view_dir = getcwd();
> if(strncmp($include_filename, $view_dir, strlen($view_dir)) != 0) {
>     die("Directory Traversal attempt Detected!");
> }
> 
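Review bot: $view_dir = getcwd() has no trailing "/", so the strncmp() prefix
test also accepts a path in a sibling directory whose name merely starts with
the application directory's name. Append "/" to $view_dir as the
include_lang.php hunk does for $language_dir, and handle the false that
realpath() returns for a missing view file before comparing.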
Common subdirectories: openaudit-rc/OpenOffice and openaudit-patched//OpenOffice
Common subdirectories: openaudit-rc/scripts and openaudit-patched//scripts
diff openaudit-rc/system_export.php openaudit-patched//system_export.php
86c86
< #$pdf=header_footer($pdf);
---
> $pdf=header_footer($pdf);
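Review bot: re-enabling $pdf=header_footer($pdf); changes the PDF output and
looks unrelated to the issues in this advisory. Drop it from the security patch
or state why it is needed.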
120c120
<         $include_filename = "system_viewdef_".$_REQUEST["view"].".php";
---
>         $include_filename = getcwd() . 
> "system_viewdef_".$_REQUEST["view"].".php";
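Review bot: getcwd() . "system_viewdef_" is missing the "/" separator and,
unlike the list.php hunk, the result is not passed through realpath(). The path
built this way names a file beside the application directory rather than in it,
and any ".." in view stays in the string, so the prefix check added in the next
hunk cannot see it. Use realpath(getcwd() . "/system_viewdef_" ...) as in
list.php.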
123a124,130
>     
>     $include_dir = getcwd();
>     if(strncmp($include_filename, $include_dir, strlen($language_dir)) != 0) {
>         die("Directory Traversal attempt Detected!");
>         }
> 
>     
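Review bot: the strncmp() length is strlen($language_dir), the variable from
the include_lang.php hunk, not strlen($include_dir). If $language_dir is unset
in this scope the length is 0 and the comparison always returns 0, so the die()
never fires; if it is set, the length is wrong for $include_dir. Use
strlen($include_dir), with a trailing "/" appended to $include_dir.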
diff openaudit-rc/system_post.php openaudit-patched//system_post.php
17c17
<         $sql  = "UPDATE other SET other_network_name = '" . 
$_REQUEST['other_network_name'] . "',";
---
>         $sql  = "UPDATE other SET other_network_name = '" . 
> mysql_real_escape_string($_REQUEST['other_network_name']) . "',";
19,30c19,30
<         $sql .= " other_mac_address = '" . $_REQUEST['other_mac_address'] . 
"',";
<         $sql .= " other_p_port_name = '" . $_REQUEST['other_p_port_name'] . 
"',";
<         $sql .= " other_description = '" . $_REQUEST['other_description'] . 
"',";
<         $sql .= " other_serial = '" . $_REQUEST['other_serial'] . "',";
<         $sql .= " other_manufacturer = '" . $_REQUEST['other_manufacturer'] . 
"',";
<         $sql .= " other_model='" . $_REQUEST['other_model'] . "',";
<         $sql .= " other_type='" . $_REQUEST['other_type'] . "',";
<         $sql .= " other_location='" . $_REQUEST['other_location'] . "',";
<         $sql .= " other_date_purchased='" . $_REQUEST['other_date_purchased'] 
. "',";
<         $sql .= " other_value='" . $_REQUEST['other_value'] . "',";
<         $sql .= " other_linked_pc='" . $_REQUEST['other_linked_pc'] . "' ";
<         $sql .= " WHERE other_id='" . $_REQUEST['other'] . "'";
---
>         $sql .= " other_mac_address = '" . 
> mysql_real_escape_string($_REQUEST['other_mac_address']) . "',";
>         $sql .= " other_p_port_name = '" . 
> mysql_real_escape_string($_REQUEST['other_p_port_name']) . "',";
>         $sql .= " other_description = '" . 
> mysql_real_escape_string($_REQUEST['other_description']) . "',";
>         $sql .= " other_serial = '" . 
> mysql_real_escape_string($_REQUEST['other_serial']) . "',";
>         $sql .= " other_manufacturer = '" . 
> mysql_real_escape_string($_REQUEST['other_manufacturer']) . "',";
>         $sql .= " other_model='" . 
> mysql_real_escape_string($_REQUEST['other_model']) . "',";
>         $sql .= " other_type='" . 
> mysql_real_escape_string($_REQUEST['other_type']) . "',";
>         $sql .= " other_location='" . 
> mysql_real_escape_string($_REQUEST['other_location']) . "',";
>         $sql .= " other_date_purchased='" . 
> mysql_real_escape_string($_REQUEST['other_date_purchased']) . "',";
>         $sql .= " other_value='" . 
> mysql_real_escape_string($_REQUEST['other_value']) . "',";
>         $sql .= " other_linked_pc='" . 
> mysql_real_escape_string($_REQUEST['other_linked_pc']) . "' ";
>         $sql .= " WHERE other_id='" . 
> mysql_real_escape_string($_REQUEST['other']) . "'";
38,43c38,43
<         $sql .= " monitor_uuid = '" . $_REQUEST['monitor_uuid'] . "', ";
<         $sql .= " monitor_date_purchased = '" . 
$_REQUEST['monitor_date_purchased'] . "', ";
<         $sql .= " monitor_purchase_order_number = '" . 
$_REQUEST['monitor_purchase_order_number'] . "', ";
<         $sql .= " monitor_value = '" . $_REQUEST['monitor_value'] . "', ";
<         $sql .= " monitor_description = '" . $_REQUEST['monitor_description'] 
. "' ";
<         $sql .= " WHERE monitor_id = '" . $_REQUEST['monitor'] . "' ";
---
>         $sql .= " monitor_uuid = '" . 
> mysql_real_escape_string($_REQUEST['monitor_uuid']) . "', ";
>         $sql .= " monitor_date_purchased = '" . 
> mysql_real_escape_string($_REQUEST['monitor_date_purchased']) . "', ";
>         $sql .= " monitor_purchase_order_number = '" . 
> mysql_real_escape_string($_REQUEST['monitor_purchase_order_number']) . "', ";
>         $sql .= " monitor_value = '" . 
> mysql_real_escape_string($_REQUEST['monitor_value']) . "', ";
>         $sql .= " monitor_description = '" . 
> mysql_real_escape_string($_REQUEST['monitor_description']) . "' ";
>         $sql .= " WHERE monitor_id = '" . 
> mysql_real_escape_string($_REQUEST['monitor']) . "' ";
51,56c51,56
<         $sql .= "`system_man_value` = '" . $_REQUEST['system_man_value'] . 
"', ";
<         $sql .= "`system_man_description` = '" . 
$_REQUEST['system_man_description'] . "', ";
<         $sql .= "`system_man_location` = '" . 
$_REQUEST['system_man_location'] . "', ";
<         $sql .= "`system_man_serial_number` = '" . 
$_REQUEST['system_man_serial_number'] . "', ";
<         $sql .= "`system_man_date_of_purchase` = '" . 
$_REQUEST['system_man_date_of_purchase'] . "'";
<         $sql .= " WHERE `system_man_uuid` = '" . $_REQUEST['pc'] . "' ";
---
>         $sql .= "`system_man_value` = '" . 
> mysql_real_escape_string($_REQUEST['system_man_value']) . "', ";
>         $sql .= "`system_man_description` = '" . 
> mysql_real_escape_string($_REQUEST['system_man_description']) . "', ";
>         $sql .= "`system_man_location` = '" . 
> mysql_real_escape_string($_REQUEST['system_man_location']) . "', ";
>         $sql .= "`system_man_serial_number` = '" . 
> mysql_real_escape_string($_REQUEST['system_man_serial_number']) . "', ";
>         $sql .= "`system_man_date_of_purchase` = '" . 
> mysql_real_escape_string($_REQUEST['system_man_date_of_purchase']) . "'";
>         $sql .= " WHERE `system_man_uuid` = '" . 
> mysql_real_escape_string($_REQUEST['pc']) . "' ";
74c74
<         $sql .= "`auth_username` = '" . $_REQUEST['auth_username'] . "', ";
---
>         $sql .= "`auth_username` = '" . 
> mysql_real_escape_string($_REQUEST['auth_username']) . "', ";
76,79c76,79
<         $sql .= "`auth_realname` = '" . $_REQUEST['auth_realname'] . "', ";
<         $sql .= "`auth_enabled` = '" . $_REQUEST['auth_enabled'] . "', ";
<         $sql .= "`auth_admin` = '" . $_REQUEST['auth_admin'] . "'";
<         $sql .= " WHERE `auth_id` = '" . $_REQUEST['user'] . "' ";
---
>         $sql .= "`auth_realname` = '" . 
> mysql_real_escape_string($_REQUEST['auth_realname']) . "', ";
>         $sql .= "`auth_enabled` = '" . 
> mysql_real_escape_string($_REQUEST['auth_enabled']) . "', ";
>         $sql .= "`auth_admin` = '" . 
> mysql_real_escape_string($_REQUEST['auth_admin']) . "'";
>         $sql .= " WHERE `auth_id` = '" . 
> mysql_real_escape_string($_REQUEST['user']) . "' ";
Common subdirectories: openaudit-rc/Tutorials and openaudit-patched//Tutorials
diff openaudit-rc/upgrade.php openaudit-patched//upgrade.php
26a27
> include "include.php";
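Review bot: include only raises a warning and carries on when include.php
cannot be loaded, so whatever check that file provides is skipped silently in
that case. Use require_once "include.php"; and confirm that nothing in the 26
lines above it acts on request data before the include runs.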
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
