XSS Vulnerability Patches and Security Enhancements for Dashboard2

Andy Taylor 2025-10-14 12:25:26 +01:00
parent 129f1257b4
commit 61204c3ed4
11 changed files with 127 additions and 46 deletions


@ -1,4 +1,5 @@
<?php
session_start();
/*
* This dashboard is being developed by the DVBrazil Team as a courtesy to
@ -9,12 +10,12 @@
if (file_exists("./pgs/functions.php")) {
require_once("./pgs/functions.php");
} else {
die("functions.php does not exist.");
die("Required file not found.");
}
if (file_exists("./pgs/config.inc.php")) {
require_once("./pgs/config.inc.php");
} else {
die("config.inc.php does not exist.");
die("Required file not found.");
}
if (!class_exists('ParseXML')) require_once("./pgs/class.parsexml.php");
@ -44,7 +45,7 @@ if ($CallingHome['Active']) {
@fwrite($Ressource, "\n" . '$Hash = "' . $Hash . '";');
@fwrite($Ressource, "\n\n" . '?>');
@fclose($Ressource);
@exec("chmod 777 " . $CallingHome['HashFile']);
@exec("chmod 600 " . $CallingHome['HashFile']);
$CallHomeNow = true;
}
} else {
@ -79,12 +80,11 @@ if ($CallingHome['Active']) {
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="<?php echo $PageOptions['MetaDescription']; ?>"/>
<meta name="keywords" content="<?php echo $PageOptions['MetaKeywords']; ?>"/>
<meta name="author" content="<?php echo $PageOptions['MetaAuthor']; ?>"/>
<meta name="revisit" content="<?php echo $PageOptions['MetaRevisit']; ?>"/>
<meta name="robots" content="<?php echo $PageOptions['MetaAuthor']; ?>"/>
<meta name="description" content="<?php echo SafeOutputAttr($PageOptions['MetaDescription']); ?>"/>
<meta name="keywords" content="<?php echo SafeOutputAttr($PageOptions['MetaKeywords']); ?>"/>
<meta name="author" content="<?php echo SafeOutputAttr($PageOptions['MetaAuthor']); ?>"/>
<meta name="revisit" content="<?php echo SafeOutputAttr($PageOptions['MetaRevisit']); ?>"/>
<meta name="robots" content="<?php echo SafeOutputAttr($PageOptions['MetaAuthor']); ?>"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<title><?php echo $Reflector->GetReflectorName(); ?> Reflector Dashboard</title>
<link rel="icon" href="./favicon.ico" type="image/vnd.microsoft.icon">
@ -113,8 +113,8 @@ if ($CallingHome['Active']) {
if (($_SERVER['REQUEST_METHOD'] === 'POST') || isset($_GET['do'])) {
echo '
document.location.href = "./index.php';
if (isset($_GET['show'])) {
echo '?show=' . $_GET['show'];
if (isset($_GET['show']) && $_GET['show'] !== '') {
echo '?show=' . SafeOutput($_GET['show']);
}
echo '";';
} else {
@ -194,6 +194,15 @@ if ($CallingHome['Active']) {
}
}
// Whitelist allowed values
if (!isset($_GET['show'])) {
$_GET['show'] = '';
}
$allowed_shows = ['users', 'repeaters', 'liveircddb', 'peers', 'reflectors', ''];
if (!in_array($_GET['show'], $allowed_shows, true)) {
$_GET['show'] = '';
}
switch ($_GET['show']) {
case 'users' :
require_once("./pgs/users.php");
@ -222,7 +231,7 @@ if ($CallingHome['Active']) {
<footer class="footer">
<div class="container">
<p><a href="mailto:<?php echo $PageOptions['ContactEmail']; ?>"><?php echo $PageOptions['ContactEmail']; ?></a>
<p><a href="mailto:<?php echo SafeOutputAttr($PageOptions['ContactEmail']); ?>"><?php echo SafeOutput($PageOptions['ContactEmail']); ?></a>
</p>
</div>
</footer>
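Review bot: The redirect in the `document.location.href` block still emits `$_GET['show']` before the allow-list added in the later hunk (`$allowed_shows` is checked just ahead of the `switch`, well after the script tag), so the value written into the page's JavaScript is whatever the client sent, and `SafeOutput` looks like an HTML escaper rather than a JS-string or URL encoder. Hoist the allow-list block above the redirect (for example right after the `require_once` calls) and emit the query fragment with a context-correct encoder, `echo '?show=' . rawurlencode($_GET['show']);`, so only one of the five known values can reach the URL. Whether SafeOutput also neutralises backslashes and quotes for a JS string context cannot be confirmed from this page, since the helper is not shown. Separately, `@exec("chmod 600 " . $CallingHome['HashFile'])` still interpolates a config path unquoted into a shell command; the native `@chmod($CallingHome['HashFile'], 0600);` does the same job without a shell. The `robots` meta tag on the new side still reads `$PageOptions['MetaAuthor']`, which looks like a copy-paste slip carried over from the old line.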