Bugfix: Directory traversal possible in RIPE query
Reported by AL-KASSAR, Feras
GaryAllan committed Mar 6, 2023
1 parent 16e7a94 commit 4f1fb98
Showing 2 changed files with 13 additions and 2 deletions.
14 changes: 12 additions & 2 deletions functions/classes/class.Subnets.php
@@ -3574,7 +3574,7 @@ private function query_ripe ($subnet) {
// not existings
if ($ripe_result['result_code']==404) {
// return array
return array("result"=>"error", "error"=>$ripe_result['result']->errormessages->errormessage[0]->text);
return array("result"=>"error", "error"=>$ripe_result['error_msg']);
}
// fail
if ($ripe_result['result_code']!==200) {
@@ -3657,6 +3657,16 @@ private function query_arin ($subnet) {
* @return array
*/
private function ripe_arin_fetch ($network, $type, $subnet) {
// Validate $subnet
$cidr = array_pad(explode("/", $subnet), 2, null);
if (
(sizeof($cidr) > 2) ||
(filter_var($cidr[0], FILTER_VALIDATE_IP) === false) ||
(!is_null($cidr[1]) && filter_var($cidr[1], FILTER_VALIDATE_INT) === false)
) {
return ["result_code" => 404, "error_msg" => _("Invalid request")];
}

// set url
$url = $network=="ripe" ? "https://rest.db.ripe.net/ripe/$type/$subnet" : "https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2";

@@ -3677,7 +3687,7 @@ private function ripe_arin_fetch ($network, $type, $subnet) {
*/
public function ripe_fetch_subnets ($as) {
// numeric check
if(!is_numeric($as)) {
if(filter_var($as, FILTER_VALIDATE_INT) === false) {
$this->Result->show("danger", _("Invalid AS"), false);
}
//open connection
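Review bot: The URL in ripe_arin_fetch is still built from the raw `$subnet` (and from `$type`, which is not checked) after the new guard, so the guard only protects the request path as far as it is strict. `FILTER_VALIDATE_INT` trims surrounding whitespace and accepts a leading sign, and no range is given, so a mask such as `-1`, `999` or one padded with whitespace passes and is sent in the path as typed. I would bound the mask with `["options" => ["min_range" => 0, "max_range" => 128]]` and rebuild the value from the validated parts before the `// set url` line, e.g. `$subnet = is_null($cidr[1]) ? $cidr[0] : $cidr[0]."/".(int) $cidr[1];`. The rest of ripe_arin_fetch and the callers that supply `$type` are outside these hunks; if `$type` can ever be caller-influenced it should be compared against the expected object types as well. In ripe_fetch_subnets the failed check only calls `$this->Result->show("danger", ..., false)` — if that last argument means "do not stop", an invalid `$as` still reaches the connection code below, and an explicit `return` after it is worth adding.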
1 change: 1 addition & 0 deletions misc/CHANGELOG
@@ -8,6 +8,7 @@
Security Fixes:
----------------------------
+ SQL injection in custom field enum/set types;
+ Directory traversal possible in RIPE query;
+ XSS (reflected) in 'bw-calulator-result.php';
+ XSS (reflected) by invalid email address response;
+ XSS (reflected) by /app/tools/subnet-masks/popup.php (#3738);