From 7176e44386d634c9285013877c688a48bd7f0bb1 Mon Sep 17 00:00:00 2001 From: LX1IQ Date: Tue, 21 Oct 2025 14:13:41 +0200 Subject: [PATCH] Add files via upload --- dashboard1/changes.txt | 260 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 260 insertions(+) create mode 100644 dashboard1/changes.txt diff --git a/dashboard1/changes.txt b/dashboard1/changes.txt new file mode 100644 index 0000000..78bc117 --- /dev/null +++ b/dashboard1/changes.txt 
@@ -0,0 +1,260 @@ +xlx db v2.4.3 + +SECURITY UPDATE - All files updated to fix vulnerabilities + +This release addresses multiple security vulnerabilities including XSS (Cross-Site Scripting), +command injection, path traversal, and SSRF (Server-Side Request Forgery) attacks. + +Files Changed and Security Fixes: + +- "functions.php" + * Added sanitize_output() and sanitize_attribute() helper functions for XSS prevention + * Added validate_callsign(), validate_module(), validate_protocol() input validation functions + * Replaced exec() call in GetSystemUptime() with secure file reading from /proc/uptime + * Added input validation and shell argument escaping to VNStatGetData() + * Added array bounds checking to ParseTime() to prevent errors on malformed input + +- "class.interlink.php" + * Added input validation to SetName() - validates reflector name format + * Added input validation to SetAddress() - validates IP addresses and hostnames + * Added input validation to AddModule(), RemoveModule(), and HasModuleEnabled() + +- "class.node.php" + * Added input validation in constructor for all parameters + * IP addresses validated with filter_var() + * Protocol validated against whitelist + * Callsign format validated with regex + * LinkedModule validated as single A-Z letter + +- "class.parsexml.php" + * Added element name sanitization to prevent XML injection + +- "class.peer.php" + * Added input validation in constructor for all parameters + * Same validation as class.node.php for consistency + +- "class.reflector.php" + * Added path traversal prevention to SetXMLFile(), SetPIDFile(), and SetFlagFile() + * Added SSRF protection to CallHome() - blocks internal/private IP addresses + * Added validation to ReadInterlinkFile() to prevent path traversal + * Added XML entity encoding to PrepareInterlinkXML() and PrepareReflectorXML() + * Added URL validation to SetCallingHome() + * Added missing InterlinkCount(), GetInterlink(), and IsInterlinked() methods + +- 
"class.station.php" + * Added input validation in constructor for all parameters + * Callsign format validation + * Module validation + +- "modules.php" + * All output wrapped with sanitize_output() to prevent XSS + +- "peers.php" + * All peer data output sanitized with sanitize_output() and sanitize_attribute() + * URL and callsign outputs properly escaped + +- "reflectors.php" + * All XML element data sanitized before output + * Dashboard URLs and reflector names properly escaped + +- "repeaters.php" + * Added input validation for filter parameters + * All node/repeater data sanitized before output + * Flag images and URLs properly escaped + * IP addresses sanitized + +- "traffic.php" + * Added strict whitelist validation for interface parameter + * Interface names validated against configured list only + +- "users.php" + * Added input validation for filter parameters + * All station/user data sanitized before output + * Callsigns, suffixes, and module names properly escaped + +- "index.php" + * Added secure session configuration (HttpOnly, SameSite, Secure flags) + * Added security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy) + * Added whitelist validation for 'show' parameter + * Added validation for 'do' and 'callhome' parameters + * All configuration values sanitized before output to HTML + * JavaScript injection prevented in page refresh code + * All meta tags properly escaped + +Security Vulnerabilities Fixed: +- XSS (Cross-Site Scripting) - All user input and XML data now properly escaped +- Command Injection - Removed unsafe exec() calls, added shell argument escaping +- Path Traversal - File paths validated and restricted to expected directories +- SSRF (Server-Side Request Forgery) - CallHome validates URLs and blocks internal IPs +- Session Hijacking - Added HttpOnly, SameSite, and Secure cookie flags +- XML Injection - Element names sanitized, content stripped of tags + +xlx db v2.4.1 + +you can now hide the 
liveircddb menu button, if you are running your db in https. + +- "config.inc.php +- "index.php" + +xlx db v2.4.0 + +- "config.inc.php" +- "index.php" +- "js" +- "layout.css" + +xlx db v2.3.9 + +redesign for the callinghome.php + +- "config.inc.php" +- "index.php" +- "functions.php" + +xlx db v2.3.8 + +add support for network traffic statistics via vnstat. + +- "config.inc.php" +- "index.php" +- "functions.php" + +add traffic.php + +xlx db v2.3.7 + +add background color change on active page. + +- "config.inc.php" +- "layout.css" +- "index.php" + +xlx db v2.3.6 + +add xlx reflector version to calling home. + +- "config.inc.php" +- "class.reflector.php" + +xlx db v2.3.5 + +now the page refresh is now suspended until you leave the filte fields. + +- "index.php" +- "users.php" +- "config.inc.php" + +xlx db v2.3.4 + +add filter function to the dashboard. It can be enabled or disabled via the config.inc.php + +- "index.php" +- "users.php" +- "config.inc.php" $PageOptions['UserPage']['ShowFilter'] added +- "layout.css" + +xlx db v2.3.3 + +now displays always the correct module for the last heard station. +db v2.3.3 requires xlxd v1.4.1 + +- "class.station.php" +- "class.reflector.php" +- "users.php" + +xlx db v2.3.2 + +add random id for nodes, to show the correct linked module for multiple nodes with +the same call signe linked to different modules. 
+ +- "class.node.php" +- "class.reflector.php" +- "users.php" + +xlx db v2.3.1 + +- "config.inc.php" $CallingHome['InterlinkFile'] added +- "index.php" added support for interlink visualization +- "class.reflector.php" callingHome redisigned for interlink visualization +- "class.interlink.php" interlink visualization + +xlx db v2.2.3 + +- "config.inc.php" $CallingHome['HashFile'] and $CallingHome['OverrideIPAddress'] added +- "index.php" supports new variables from config.inc.php +- "class.reflector.php" supports new variables from config.inc.php +- "country.csv " prefixes update + +xlx db v2.2.2 + +This version is a major release with voluntary self-registration feature build in. +You need to edit the conf.inc.php to your needs. +On the first run your personal hash to access the database is place in the server’s /tmp folder. +Take care to make a backup of this file because this folder is cleaned up after a server reboot. + +This version is a major release + +xlx db v2.1.6 + +With this version of the dashboard, serveral parameters +are free configurable. 
+Changes are made in "config.inc.php" + +- "config.inc.php" +- "index.php" +- "users.php" +- "peers.php +- "repeaters.php" + +xlx db v2.1.5 + +- "class.node.php" added "get prefix +- "repeaters.php" check for XRF or REF link +- "country.csv " prefixes update + gate symbol +- "flags" gate.png + +xlx db v2.1.4 + +- "class.reflector.php" improved the flag search +- "country.csv" added serveral prefixes +- "flags" added Puerto Ricco and Åland Islands + +xlx db v2.1.3 + +- "index.php" added support for multiradio repeaters +- "users.php" added support for multiradio repeaters +- "class.reflector.php" added support for multiradio repeaters +- "repeaters.php" added suffix "D" for "dongle" + +xlx db v2.1.2 + +- "index.php" bugfix to correct an error if XLX name is equal to XLX000 + +xlx db v2.1.1 + +- "peers.php" added hyperlink to the peers ip address + +xlx db v2.1.0 + +- "index.php" + button "Peers" added + button "Repeaters/Nodes" shows now the number of connected devices + moved XLX name, version and service uptime to improve view on mobile devices + + - "class.peer.php" added + + - "peers.php" added + + - "repeaters.php" limits nodes show up to 100 nodes + +xlx db v2.0.6 + +- "index.php" now reads out the XLX service uptime and not the server uptime +- "country.csv" prefixes update +- "class.reflector.php" flags showing improvements +- "users.php" limits user show up to 40 users +- "repeaters.php" limits nodes show up to 40 nodes + +xlx db v2.0.5 + +- "class.reflector.php" extra callsign checking
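Review bot: this patch adds only dashboard1/changes.txt, so none of the fixes the v2.4.3 entry describes (sanitize_output()/sanitize_attribute(), the /proc/uptime change in GetSystemUptime(), the path checks in SetXMLFile()/SetPIDFile()/SetFlagFile(), the SSRF check in CallHome(), the session and header changes in index.php) can be reviewed from this diff; please put the code changes in the same PR or reference the commit that carries them, otherwise the "SECURITY UPDATE" claims are undocumented. Two things to check once the code is visible: the v2.4.3 entry says the session cookie now carries the Secure flag, while the v2.4.1 entry assumes some installations are not on HTTPS ("if you are running your db in https"); an unconditional Secure flag stops the browser from sending the cookie over plain HTTP, so set it only when the request is HTTPS or state that HTTPS is now required. For "Added SSRF protection to CallHome() - blocks internal/private IP addresses", if the hostname is resolved and checked before the request is sent, the later connection can resolve to a different address (DNS rebinding), so the check belongs on the address actually connected to; also X-XSS-Protection is deprecated in current browsers and a Content-Security-Policy header is the replacement. Minor: closing quotes are missing on `- "config.inc.php`, `- "peers.php` and `added "get prefix`; the v2.2.2 entry says conf.inc.php where every other entry says config.inc.php; and typos filte, call signe, redisigned, serveral, Puerto Ricco, build in.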