xlxd/dashboard1/changes.txt

2025-10-21 14:13:41 +02:00
xlx db v2.4.3
SECURITY UPDATE - All files updated to fix vulnerabilities
This release addresses multiple security vulnerabilities including XSS (Cross-Site Scripting),
command injection, path traversal, and SSRF (Server-Side Request Forgery) attacks.
Files Changed and Security Fixes:
- "functions.php"
* Added sanitize_output() and sanitize_attribute() helper functions for XSS prevention
* Added validate_callsign(), validate_module(), validate_protocol() input validation functions
* Replaced exec() call in GetSystemUptime() with secure file reading from /proc/uptime
* Added input validation and shell argument escaping to VNStatGetData()
* Added array bounds checking to ParseTime() to prevent errors on malformed input
- "class.interlink.php"
* Added input validation to SetName() - validates reflector name format
* Added input validation to SetAddress() - validates IP addresses and hostnames
* Added input validation to AddModule(), RemoveModule(), and HasModuleEnabled()
- "class.node.php"
* Added input validation in constructor for all parameters
* IP addresses validated with filter_var()
* Protocol validated against whitelist
* Callsign format validated with regex
* LinkedModule validated as single A-Z letter
- "class.parsexml.php"
* Added element name sanitization to prevent XML injection
- "class.peer.php"
* Added input validation in constructor for all parameters
* Same validation as class.node.php for consistency
- "class.reflector.php"
* Added path traversal prevention to SetXMLFile(), SetPIDFile(), and SetFlagFile()
* Added SSRF protection to CallHome() - blocks internal/private IP addresses
* Added validation to ReadInterlinkFile() to prevent path traversal
* Added XML entity encoding to PrepareInterlinkXML() and PrepareReflectorXML()
* Added URL validation to SetCallingHome()
* Added missing InterlinkCount(), GetInterlink(), and IsInterlinked() methods
- "class.station.php"
* Added input validation in constructor for all parameters
* Callsign format validation
* Module validation
- "modules.php"
* All output wrapped with sanitize_output() to prevent XSS
- "peers.php"
* All peer data output sanitized with sanitize_output() and sanitize_attribute()
* URL and callsign outputs properly escaped
- "reflectors.php"
* All XML element data sanitized before output
* Dashboard URLs and reflector names properly escaped
- "repeaters.php"
* Added input validation for filter parameters
* All node/repeater data sanitized before output
* Flag images and URLs properly escaped
* IP addresses sanitized
- "traffic.php"
* Added strict whitelist validation for interface parameter
* Interface names validated against configured list only
- "users.php"
* Added input validation for filter parameters
* All station/user data sanitized before output
* Callsigns, suffixes, and module names properly escaped
- "index.php"
* Added secure session configuration (HttpOnly, SameSite, Secure flags)
* Added security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy)
* Added whitelist validation for 'show' parameter
* Added validation for 'do' and 'callhome' parameters
* All configuration values sanitized before output to HTML
* JavaScript injection prevented in page refresh code
* All meta tags properly escaped
Security Vulnerabilities Fixed:
- XSS (Cross-Site Scripting) - All user input and XML data now properly escaped
- Command Injection - Removed unsafe exec() calls, added shell argument escaping
- Path Traversal - File paths validated and restricted to expected directories
- SSRF (Server-Side Request Forgery) - CallHome validates URLs and blocks internal IPs
- Session Hijacking - Added HttpOnly, SameSite, and Secure cookie flags
- XML Injection - Element names sanitized, content stripped of tags
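Added example (not the dashboard's own code) of hardened PHP helpers matching the fixes listed above: HTML output encoding, module validation, uptime read from /proc/uptime instead of exec(), a base-directory check against path traversal, and an SSRF guard for the CallHome URL. Function names follow the changelog; the bodies, the callsign pattern and is_within_dir/is_safe_callhome_url are assumptions.

```php
<?php
// Added example, not the xlx dashboard's code. Names follow the v2.4.3 changelog; bodies are assumed.

// XSS: encode for HTML text context (attribute values must also be quoted in the markup).
function sanitize_output(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input validation: a linked module is a single A-Z letter (as described for class.node.php).
function validate_module(string $m): bool {
    return (bool) preg_match('/^[A-Z]$/', $m);
}
// Callsign pattern is an assumption: 3 to 8 uppercase alphanumerics.
function validate_callsign(string $c): bool {
    return (bool) preg_match('/^[A-Z0-9]{3,8}$/', $c);
}

// Command injection: read /proc/uptime instead of running an external command via exec().
function GetSystemUptime(): ?int {
    $raw = @file_get_contents('/proc/uptime');           // e.g. "12345.67 98765.43"
    if ($raw === false) return null;
    $parts = explode(' ', trim($raw), 2);
    return is_numeric($parts[0]) ? (int) floatval($parts[0]) : null;
}

// Path traversal: resolve both paths and require the file to stay below the allowed directory.
// realpath() returns false for files that do not exist yet (e.g. a PID file), so callers must
// check the containing directory in that case.
function is_within_dir(string $path, string $baseDir): bool {
    $real = realpath($path);
    $base = realpath($baseDir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// SSRF: accept only http(s) URLs whose host is, or resolves to, a public non-reserved address.
function is_safe_callhome_url(string $url): bool {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) return false;
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) return false;
    $host = trim($p['host'], '[]');                       // strip IPv6 literal brackets
    // Literal IP: check it directly; hostname: resolve and check every A record (IPv4 only).
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) return false;
    foreach ($ips as $ip) {
        // Rejects 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8, ::1, fc00::/7, fe80::/10 ...
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) return false;
    }
    return true;
}
```

Resolving the hostname at check time does not protect against a DNS answer that changes between the check and the actual request; pinning the request to the validated IP closes that gap.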
xlx db v2.4.1
You can now hide the liveircddb menu button if you are running your db over HTTPS.
- "config.inc.php"
- "index.php"
xlx db v2.4.0
- "config.inc.php"
- "index.php"
- "js"
- "layout.css"
xlx db v2.3.9
redesign for the callinghome.php
- "config.inc.php"
- "index.php"
- "functions.php"
xlx db v2.3.8
add support for network traffic statistics via vnstat.
- "config.inc.php"
- "index.php"
- "functions.php"
add traffic.php
xlx db v2.3.7
add background color change on active page.
- "config.inc.php"
- "layout.css"
- "index.php"
xlx db v2.3.6
add xlx reflector version to calling home.
- "config.inc.php"
- "class.reflector.php"
xlx db v2.3.5
The page refresh is now suspended until you leave the filter fields.
- "index.php"
- "users.php"
- "config.inc.php"
xlx db v2.3.4
add filter function to the dashboard. It can be enabled or disabled via config.inc.php
- "index.php"
- "users.php"
- "config.inc.php" $PageOptions['UserPage']['ShowFilter'] added
- "layout.css"
xlx db v2.3.3
now always displays the correct module for the last heard station.
db v2.3.3 requires xlxd v1.4.1
- "class.station.php"
- "class.reflector.php"
- "users.php"
xlx db v2.3.2
add random id for nodes, to show the correct linked module for multiple nodes with
the same call sign linked to different modules.
- "class.node.php"
- "class.reflector.php"
- "users.php"
xlx db v2.3.1
- "config.inc.php" $CallingHome['InterlinkFile'] added
- "index.php" added support for interlink visualization
- "class.reflector.php" callingHome redesigned for interlink visualization
- "class.interlink.php" interlink visualization
xlx db v2.2.3
- "config.inc.php" $CallingHome['HashFile'] and $CallingHome['OverrideIPAddress'] added
- "index.php" supports new variables from config.inc.php
- "class.reflector.php" supports new variables from config.inc.php
- "country.csv" prefixes update
xlx db v2.2.2
This version is a major release with a voluntary self-registration feature built in.
You need to edit config.inc.php to your needs.
On the first run your personal hash to access the database is placed in the server's /tmp folder.
Take care to make a backup of this file because this folder is cleaned up after a server reboot.
xlx db v2.1.6
With this version of the dashboard, several parameters are freely configurable.
Changes are made in "config.inc.php"
- "config.inc.php"
- "index.php"
- "users.php"
- "peers.php"
- "repeaters.php"
xlx db v2.1.5
- "class.node.php" added "get prefix"
- "repeaters.php" check for XRF or REF link
- "country.csv" prefixes update + gate symbol
- "flags" gate.png
xlx db v2.1.4
- "class.reflector.php" improved the flag search
- "country.csv" added several prefixes
- "flags" added Puerto Rico and Åland Islands
xlx db v2.1.3
- "index.php" added support for multiradio repeaters
- "users.php" added support for multiradio repeaters
- "class.reflector.php" added support for multiradio repeaters
- "repeaters.php" added suffix "D" for "dongle"
xlx db v2.1.2
- "index.php" bugfix to correct an error if XLX name is equal to XLX000
xlx db v2.1.1
- "peers.php" added hyperlink to the peers ip address
xlx db v2.1.0
- "index.php"
button "Peers" added
button "Repeaters/Nodes" now shows the number of connected devices
moved XLX name, version and service uptime to improve view on mobile devices
- "class.peer.php" added
- "peers.php" added
- "repeaters.php" limits the nodes shown to 100 nodes
xlx db v2.0.6
- "index.php" now reads out the XLX service uptime and not the server uptime
- "country.csv" prefixes update
- "class.reflector.php" flags showing improvements
- "users.php" limits the users shown to 40 users
- "repeaters.php" limits the nodes shown to 40 nodes
xlx db v2.0.5
- "class.reflector.php" extra callsign checking