mirror of
https://github.com/LX3JL/xlxd.git
synced 2025-12-05 23:32:00 +01:00
xlx db v2.4.5
Fix liveircddb page broken by CSP security headers

- "pgs/ircddb_proxy.php" (NEW)
* Added transparent proxy for live.ircddb.net to resolve CSP and mixed-content issues
* Proxies all requests through local server, rewriting URLs to maintain functionality
* Supports both HTTP and HTTPS dashboard deployments
* Defaults to live.ircddb.net:8080, configurable via $PageOptions['IRCDDB']['URL']
* Default page ircddblive5.html, configurable via $PageOptions['IRCDDB']['Page']

- "pgs/liveircddb.php"
* Changed iframe source from direct external URL to local proxy

xlx db v2.4.4
SECURITY UPDATE - Minor upgrade to further improve dashboard security

- "index.php"
* Added additional security headers to improve the security score of the dashboard application.
* Add Content Security Policy
* Add Permissions Policy
* Add Transport Security Policy

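The session cookie flags of v2.4.3 and the headers of v2.4.4 together, as an added PHP example that is not the dashboard's own index.php; the helper names, the $frameHost parameter and the exact policy values are assumptions, and the code assumes PHP 7.3 or newer for the array form of session_set_cookie_params().

```php
<?php
// Added example, not the dashboard's own index.php: the session cookie flags
// of v2.4.3 and the headers of v2.4.4, emitted before any output is sent.
// $frameHost is an assumed parameter: the external ircddb origin if the
// iframe still points there, or null once the v2.4.5 proxy serves it locally.

function dashboard_is_https(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

// HttpOnly keeps the session id away from page scripts, SameSite stops
// cross-site requests from carrying it, and Secure is only honoured on HTTPS.
function configure_session(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => $https,
        'httponly' => true, 'samesite' => 'Strict',
    ]);
    session_start();
}

function security_headers(bool $https, ?string $frameHost): array
{
    // frame-src is what broke the liveircddb page: with default-src 'self' an
    // external iframe is refused unless its origin is listed here, and on an
    // HTTPS dashboard an http:// frame is still blocked as mixed content.
    $frameSrc = "'self'" . ($frameHost !== null ? ' ' . $frameHost : '');
    $headers = [
        "Content-Security-Policy: default-src 'self'; img-src 'self' data:; "
            . "frame-src $frameSrc; frame-ancestors 'self'",
        'Permissions-Policy: camera=(), microphone=(), geolocation=()',
        'X-Content-Type-Options: nosniff',
        'X-Frame-Options: SAMEORIGIN',
        'Referrer-Policy: strict-origin-when-cross-origin',
    ];
    if ($https) {
        // Browsers ignore HSTS received over plain HTTP, so it is only sent on
        // HTTPS; once received, clients insist on HTTPS for max-age seconds.
        $headers[] = 'Strict-Transport-Security: max-age=31536000';
    }
    return $headers;
}

$https = dashboard_is_https();
configure_session($https);
foreach (security_headers($https, null) as $h) {
    header($h);
}
```

If the dashboard's pages rely on inline scripts or styles, those sources have to be added to the policy; the browser console lists every resource the CSP blocks.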
xlx db v2.4.3

SECURITY UPDATE - All files updated to fix vulnerabilities

This release addresses multiple security vulnerabilities including XSS (Cross-Site Scripting),
command injection, path traversal, and SSRF (Server-Side Request Forgery) attacks.

Files Changed and Security Fixes:

- "functions.php"
* Added sanitize_output() and sanitize_attribute() helper functions for XSS prevention
* Added validate_callsign(), validate_module(), validate_protocol() input validation functions
* Replaced exec() call in GetSystemUptime() with secure file reading from /proc/uptime
* Added input validation and shell argument escaping to VNStatGetData()
* Added array bounds checking to ParseTime() to prevent errors on malformed input

- "class.interlink.php"
* Added input validation to SetName() - validates reflector name format
* Added input validation to SetAddress() - validates IP addresses and hostnames
* Added input validation to AddModule(), RemoveModule(), and HasModuleEnabled()

- "class.node.php"
* Added input validation in constructor for all parameters
* IP addresses validated with filter_var()
* Protocol validated against whitelist
* Callsign format validated with regex
* LinkedModule validated as single A-Z letter

- "class.parsexml.php"
* Added element name sanitization to prevent XML injection

- "class.peer.php"
* Added input validation in constructor for all parameters
* Same validation as class.node.php for consistency

- "class.reflector.php"
* Added path traversal prevention to SetXMLFile(), SetPIDFile(), and SetFlagFile()
* Added SSRF protection to CallHome() - blocks internal/private IP addresses
* Added validation to ReadInterlinkFile() to prevent path traversal
* Added XML entity encoding to PrepareInterlinkXML() and PrepareReflectorXML()
* Added URL validation to SetCallingHome()
* Added missing InterlinkCount(), GetInterlink(), and IsInterlinked() methods

- "class.station.php"
* Added input validation in constructor for all parameters
* Callsign format validation
* Module validation

- "modules.php"
* All output wrapped with sanitize_output() to prevent XSS

- "peers.php"
* All peer data output sanitized with sanitize_output() and sanitize_attribute()
* URL and callsign outputs properly escaped

- "reflectors.php"
* All XML element data sanitized before output
* Dashboard URLs and reflector names properly escaped

- "repeaters.php"
* Added input validation for filter parameters
* All node/repeater data sanitized before output
* Flag images and URLs properly escaped
* IP addresses sanitized

- "traffic.php"
* Added strict whitelist validation for interface parameter
* Interface names validated against configured list only

- "users.php"
* Added input validation for filter parameters
* All station/user data sanitized before output
* Callsigns, suffixes, and module names properly escaped

- "index.php"
* Added secure session configuration (HttpOnly, SameSite, Secure flags)
* Added security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy)
* Added whitelist validation for 'show' parameter
* Added validation for 'do' and 'callhome' parameters
* All configuration values sanitized before output to HTML
* JavaScript injection prevented in page refresh code
* All meta tags properly escaped

Security Vulnerabilities Fixed:
- XSS (Cross-Site Scripting) - All user input and XML data now properly escaped
- Command Injection - Removed unsafe exec() calls, added shell argument escaping
- Path Traversal - File paths validated and restricted to expected directories
- SSRF (Server-Side Request Forgery) - CallHome validates URLs and blocks internal IPs
- Session Hijacking - Added HttpOnly, SameSite, and Secure cookie flags
- XML Injection - Element names sanitized, content stripped of tags

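The kind of SSRF check the v2.4.3 entry says CallHome() gained, as an added PHP example that is not xlxd's own class.reflector.php; callhome_url_is_safe(), ip_is_public() and the injectable resolver are assumptions, the constructed checks at the end use an offline resolver, and the code assumes PHP 7.4 or newer for arrow functions.

```php
<?php
// Added example, not xlxd's own class.reflector.php: the kind of check the
// v2.4.3 SSRF fix for CallHome() describes. callhome_url_is_safe() is hypothetical.

function ip_is_public(string $ip): bool
{
    // One filter_var call rejects private (10/8, 172.16/12, 192.168/16, fc00::/7)
    // and reserved (0/8, 127/8, 169.254/16, ::1, ...) ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

function callhome_url_is_safe(string $url, ?callable $resolve = null): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || empty($p['scheme'])) {
        return false;
    }
    // Web schemes only, and no userinfo (a classic parser-confusion trick).
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    $host = trim($p['host'], '[]');   // strip brackets from an IPv6 literal
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return ip_is_public($host);
    }
    if (filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return false;
    }
    // A public-looking name may resolve to loopback or a LAN address, so every
    // address is checked; the lookup at fetch time can still differ (rebinding).
    $resolve = $resolve ?? fn(string $h): array => gethostbynamel($h) ?: [];
    $addrs = $resolve($host);
    if ($addrs === []) {
        return false;
    }
    foreach ($addrs as $ip) {
        if (!ip_is_public($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed checks with an injected resolver so the script runs offline.
$fake = fn(string $h): array => $h === 'xlxapi.example.net' ? ['203.0.113.10'] : ['127.0.0.1'];
var_dump(callhome_url_is_safe('https://xlxapi.example.net/api/', $fake));
var_dump(callhome_url_is_safe('http://localhost/', $fake));
var_dump(callhome_url_is_safe('http://192.168.1.1/', $fake));
var_dump(callhome_url_is_safe('file:///etc/passwd', $fake));
```

Of the four constructed checks only the first passes; the resolver pins the host at check time, so the HTTP client used afterwards should connect to the validated address rather than resolving the name a second time.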
xlx db v2.4.1

You can now hide the liveircddb menu button if you are running your db over HTTPS.

- "config.inc.php"
- "index.php"

xlx db v2.4.0

- "config.inc.php"
- "index.php"
- "js"
- "layout.css"

xlx db v2.3.9

Redesign of callinghome.php.

- "config.inc.php"
- "index.php"
- "functions.php"

xlx db v2.3.8

Add support for network traffic statistics via vnstat.

- "config.inc.php"
- "index.php"
- "functions.php"

Add traffic.php

xlx db v2.3.7

Add background color change on active page.

- "config.inc.php"
- "layout.css"
- "index.php"

xlx db v2.3.6

Add xlx reflector version to calling home.

- "config.inc.php"
- "class.reflector.php"

xlx db v2.3.5

The page refresh is now suspended until you leave the filter fields.

- "index.php"
- "users.php"
- "config.inc.php"

xlx db v2.3.4

Add filter function to the dashboard. It can be enabled or disabled via config.inc.php.

- "index.php"
- "users.php"
- "config.inc.php" $PageOptions['UserPage']['ShowFilter'] added
- "layout.css"

xlx db v2.3.3

Now always displays the correct module for the last heard station.
db v2.3.3 requires xlxd v1.4.1

- "class.station.php"
- "class.reflector.php"
- "users.php"

xlx db v2.3.2

Add random id for nodes, to show the correct linked module for multiple nodes with
the same call sign linked to different modules.

- "class.node.php"
- "class.reflector.php"
- "users.php"

xlx db v2.3.1

- "config.inc.php" $CallingHome['InterlinkFile'] added
- "index.php" added support for interlink visualization
- "class.reflector.php" callingHome redesigned for interlink visualization
- "class.interlink.php" interlink visualization

xlx db v2.2.3

- "config.inc.php" $CallingHome['HashFile'] and $CallingHome['OverrideIPAddress'] added
- "index.php" supports new variables from config.inc.php
- "class.reflector.php" supports new variables from config.inc.php
- "country.csv" prefixes update

xlx db v2.2.2

This version is a major release with the voluntary self-registration feature built in.
You need to edit config.inc.php to your needs.
On the first run your personal hash to access the database is placed in the server's /tmp folder.
Take care to make a backup of this file because this folder is cleaned up after a server reboot.

xlx db v2.1.6

With this version of the dashboard, several parameters
are freely configurable.
Changes are made in "config.inc.php"

- "config.inc.php"
- "index.php"
- "users.php"
- "peers.php"
- "repeaters.php"

xlx db v2.1.5

- "class.node.php" added "get prefix"
- "repeaters.php" check for XRF or REF link
- "country.csv" prefixes update + gate symbol
- "flags" gate.png

xlx db v2.1.4

- "class.reflector.php" improved the flag search
- "country.csv" added several prefixes
- "flags" added Puerto Rico and Åland Islands

xlx db v2.1.3

- "index.php" added support for multiradio repeaters
- "users.php" added support for multiradio repeaters
- "class.reflector.php" added support for multiradio repeaters
- "repeaters.php" added suffix "D" for "dongle"

xlx db v2.1.2

- "index.php" bugfix to correct an error if XLX name is equal to XLX000

xlx db v2.1.1

- "peers.php" added hyperlink to the peer's IP address

xlx db v2.1.0

- "index.php"
button "Peers" added
button "Repeaters/Nodes" now shows the number of connected devices
moved XLX name, version and service uptime to improve view on mobile devices

- "class.peer.php" added

- "peers.php" added

- "repeaters.php" limits the nodes shown to 100 nodes

xlx db v2.0.6

- "index.php" now reads out the XLX service uptime and not the server uptime
- "country.csv" prefixes update
- "class.reflector.php" flags showing improvements
- "users.php" limits the users shown to 40 users
- "repeaters.php" limits the nodes shown to 40 nodes

xlx db v2.0.5

- "class.reflector.php" extra callsign checking