HOR-3920 Unauthenticated calling of may Ajax pages with tracker_designer=1 (URL INJECTION)

- Add validation in sysGeneric with session PIN and CASE
2017-10-11 12:56:52 -04:00
parent 0fc897e90a
commit f8300900b5
2 changed files with 21 additions and 14 deletions
--- a/workflow/engine/controllers/admin.php
+++ b/workflow/engine/controllers/admin.php
@@ -196,15 +196,20 @@ class Admin extends Controller
        $this->render('extJs');
    }

-    function getSystemInfo ()
+    public function getSystemInfo()
    {
-        $this->setResponseType( 'json' );
-        $infoList = $this->_getSystemInfo();
-        $data = array ();
+        global $RBAC;
+        $RBAC->requirePermissions('PM_SETUP');

-        foreach ($infoList as $row) {
-            $data[] = array ('label' => $row[0],'value' => $row[1],'section' => $row[2]
-            );
+        $this->setResponseType('json');
+        $data = [];
+
+        foreach ($this->_getSystemInfo() as $row) {
+            $data[] = [
+                'label' => $row[0],
+                'value' => $row[1],
+                'section' => $row[2]
+            ];
        }
        return $data;
    }
--- a/workflow/public_html/sysGeneric.php
+++ b/workflow/public_html/sysGeneric.php
@@ -999,23 +999,25 @@ if (! defined( 'EXECUTE_BY_CRON' )) {
                }
            }

-            if ($bRedirect && !isset($_GET["tracker_designer"])) {
-                if (substr( SYS_SKIN, 0, 2 ) == 'ux' && SYS_SKIN != 'uxs') { // verify if the current skin is a 'ux' variant
+            if ($bRedirect &&
+                (!isset($_GET['tracker_designer']) || (!isset($_SESSION['CASE']) && !isset($_SESSION['PIN']))) &&
+                $_GET['tracker_designer'] !== 1) {
+                if (substr(SYS_SKIN, 0, 2) === 'ux' && SYS_SKIN !== 'uxs') { // verify if the current skin is a 'ux' variant
                    $loginUrl = 'main/login';
-                } else if (strpos( $_SERVER['REQUEST_URI'], '/home' ) !== false) { //verify is it is using the uxs skin for simplified interface
+                } else if (strpos($_SERVER['REQUEST_URI'], '/home') !== false) { //verify is it is using the uxs skin for simplified interface
                    $loginUrl = 'home/login';
                } else {
                    $loginUrl = 'login/login'; // just set up the classic login
                }

-                if (empty( $_POST )) {
-                    header( 'location: ' . SYS_URI . $loginUrl . '?u=' . urlencode( $_SERVER['REQUEST_URI'] ) );
+                if (empty($_POST)) {
+                    header('location: ' . SYS_URI . $loginUrl . '?u=' . urlencode($_SERVER['REQUEST_URI']));

                } else {
                    if ($isControllerCall) {
-                        header( "HTTP/1.0 302 session lost in controller" );
+                        header("HTTP/1.0 302 session lost in controller");
                    } else {
-                        header( 'location: ' . SYS_URI . $loginUrl );
+                        header('location: ' . SYS_URI . $loginUrl);
                    }
                }
                die();