
Reflected cross site scripting in /report #1496

Open
zwxxb opened this issue Feb 1, 2023 · 0 comments

Comments


zwxxb commented Feb 1, 2023

Hello, I noticed in the /report route that the passphrase variable is being reflected to the front page without , and that allows an attacker to execute arbitrary JS:

```php
if (! in_array($_POST['passphrase'], $auth_list)) {
    $this->error('passphrase "'.$_POST['passphrase'].'" not accepted');
}
```

A simple htmlspecialchars($_POST['passphrase']); could do the job, I guess.

Good day.
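The reflection described above, shown beside the escaped form, as an added example that is not MunkiReport's own code. The `error()` method, `$auth_list` and the surrounding controller are not on the page, so the example stands in for them with plain functions (`passphraseErrorUnsafe`, `passphraseErrorSafe`, `checkPassphrase` and `$authList` are all hypothetical names); the only point it demonstrates is where `htmlspecialchars` has to sit and which flags make it cover both quote styles.

```php
<?php
// Added example, not MunkiReport's own code: a minimal stand-in for the /report
// passphrase check from the issue. error(), $auth_list and the controller are
// assumptions; only the placement of htmlspecialchars() is the point.

declare(strict_types=1);

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also encodes single quotes, which matters when the value lands in a
// single-quoted attribute; the explicit charset avoids mis-encoding surprises.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable form (behaviour as reported): the untrusted value is concatenated
// into the error message unchanged, so any markup in it reaches the browser.
function passphraseErrorUnsafe(string $passphrase): string
{
    return 'passphrase "' . $passphrase . '" not accepted';
}

// Hardened form: the same message, with the untrusted value escaped at the point
// where it is inserted into HTML.
function passphraseErrorSafe(string $passphrase): string
{
    return 'passphrase "' . escapeHtml($passphrase) . '" not accepted';
}

// Simplified version of the route's check. $post stands in for $_POST and
// $authList for $auth_list; strict in_array() is a tightening added here,
// not something the issue describes.
function checkPassphrase(array $post, array $authList): ?string
{
    $passphrase = (string) ($post['passphrase'] ?? '');
    if (!in_array($passphrase, $authList, true)) {
        return passphraseErrorSafe($passphrase);
    }
    return null; // accepted
}

// Constructed sample inputs: a legitimate passphrase and one carrying markup
// and both quote styles, so the escaping of each character class is visible.
$authList = ['correct-horse-battery-staple'];
$samples = [
    ['passphrase' => 'correct-horse-battery-staple'],
    ['passphrase' => '<b>bold</b> "quoted" & \'single\''],
];

foreach ($samples as $post) {
    $result = checkPassphrase($post, $authList);
    echo $result === null ? "accepted\n" : $result . "\n";
    // For comparison, the unescaped message the original code would emit:
    echo '  unsafe: ' . passphraseErrorUnsafe((string) $post['passphrase']) . "\n";
}
```

Run it with `php example.php`. For the second sample the safe variant turns `<`, `>`, `&`, `"` and `'` into their HTML entities, so the browser renders the passphrase as literal text, while the unsafe variant hands the `<b>` element straight to the renderer. Escaping is done in `passphraseErrorSafe`, at the output boundary, rather than on `$_POST` itself; that way the raw value is still available for the comparison against `$authList` and nothing else that reads the request sees a pre-encoded string.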

tuxudo added a commit to tuxudo/munkireport-php that referenced this issue Feb 23, 2023
bochoven added a commit that referenced this issue Jun 18, 2023
* Merge 5.6.5 (#1407)

* Update composer.json

* Updated CHANGELOG

* Bump version to 5.6.5

* Release version 5.6.5.

* Bumping to v5.6.6 for development.

* Update third party module repos (#1408)

* Decode subprocess output

* Use munki-python for munki postflight script

* Make munki postflight py3 compatible (#1456)

* Decode subprocess output

* Use munki-python for munki postflight script

* Remove unused shebangs

* Update hashbang to munkireport-python2

* First pass at py3 compatibility

* Bytes vs strings fixes

* Fix logic errors

* Rename await_sym

* Change hashbang to munkireport-python3

* Update CHANGELOG.md

* 5.x-Py3 (#49)

* Fix release script for 5.x

* Add tar to release

* Fix running system_profiler on Apple Silicon Macs (#1477)

Only needed for MR 5.x

* Fix docker compose image (#1466)

* fix docker image

* fix not needed detail

* Update changelog

---------

Co-authored-by: Arjen <[email protected]>
Co-authored-by: Benjamin Reich <[email protected]>
Co-authored-by: Arjen van Bochoven <[email protected]>

* First merge of latest munkilib

* Update prefs.py

* Update reportcommon.py

* Update report_broken_client

* Update munkireport-runner

now with more options! :D

* Add osutils.py

* Add wrappers.py

* Update reportcommon.py

* Clean up logging

* Add removal of python 2 check

* Update install_script.php

* Update composer.json

* Update base autopkg recipe

 and do not set base url in post installs script

* Fix uploading of data

* Update reportcommon.py

* Summary

* Fixing issue #1496

* Cleanup and fix CPU arch checks

* Update composer

* Change error to warning on duplicate runs

* Clean up post install script

* Update CHANGELOG.md

* Update munkireport-runner

* Update reportcommon.py

* Update MR version

* Python 3 support files

* Update reportcommon.py

* Fix issue reading binary files

* Fix for installing via script

* Updated munkilib files to 6.2.1

* Add more config output

* Update munkireport-runner

* Module Marketplace now shows pre-release modules

* Module Marketplace now check module search paths

* Fix Python 2 remover and uninstallation options

* More --show-config results

* Update munkireport-runner

* Update munkireport-runner

* Clean up System Status page

* Add `post_max_size` and `upload_max_filesize`

* Now detects and mitigates low PHP upload size

* PHP 8 Compatibility

* Update for PHP 8

* Update CHANGELOG.md

* Update reportcommon.py

* Update reportcommon.py

* Update Dashboard.php

* Remove default installed 3rd party modules

* PHP 8 compatibility fixes

* Update README.md

* Update munkireport-runner

* Update to use doctrine/dbal

* Update reportcommon.py

* Update SeedCommand.php

* Update processor.stub

---------

Co-authored-by: Arjen van Bochoven <[email protected]>
Co-authored-by: Per Olofsson <[email protected]>
Co-authored-by: Arjen <[email protected]>
Co-authored-by: Benjamin Reich <[email protected]>
Co-authored-by: Arjen van Bochoven <[email protected]>
bochoven added a commit that referenced this issue Jun 20, 2023
* Bumping to v5.7.2 for development.

* Update changelog

* Add <tbody> to detail widget
Fixes #1464

* Add providing js in client detail yaml

* Fix cpu arch misreporting with relocatable python 2 on arm (#1467)

* Fix release script for 5.x

* Add tar to release

* Fix running system_profiler on Apple Silicon Macs (#1477)

Only needed for MR 5.x

* Fix docker compose image (#1466)

* fix docker image

* fix not needed detail

* Update changelog

* Python 3 for MunkiReport v5 (#1498)

* Add tuxudo/nudge and tuxudo/touch_id module repos (#1478)

* Add tuxudo/nudge and tuxudo/touch_id module repos

* Add jc0b/kandji

* Add jc0b/jamf_protect

* Removed mbp15_battery_repair_program and ssd_service_program

modules deprecated and will not be updated to v6 or Python 3

* Add joncrain/nomad

* Update module_repos.yml

* Add tuxudo/firmware

* Remove CristianNic/archiware_p5

* Update build-release-tag.yml

Update php version to 8.2

* Update php version in dockerfile

* Update composer.json to use new warranty module (#1509)

* Update composer.json to use new warranty module

* Update module_marketplace.php

fixes issues with beta/pre-release modules

* Update module_marketplace.php

Increase beta padding to account for unexpected versioning

* Update github-registry.yml

Update docker actions to latest version

* Update build-release-tag.yml

Update docker actions to latest version

* Update github-registry.yml

Update actions/checkout to v3

* Update build-release-tag.yml

Update checkout to v3

* Merge main with 5.x (#1510)

* Merge 5.6.5 (#1407)

* Update composer.json

* Updated CHANGELOG

* Bump version to 5.6.5

* Release version 5.6.5.

* Bumping to v5.6.6 for development.

* Update third party module repos (#1408)

* Make munki postflight py3 compatible (#1456)

* Decode subprocess output

* Use munki-python for munki postflight script

* Update composer.json (#1424)

hautelook/phpass was deleted. linking to fork.

* Fix CHANGELOG

* Fix docker compose image (#1466)

* fix docker image

* fix not needed detail

* Update github-registry.yml

Update docker actions to latest version

* Update github-registry.yml

Update actions/checkout to v3

---------

Co-authored-by: tuxudo <[email protected]>
Co-authored-by: Per Olofsson <[email protected]>
Co-authored-by: Stephen Boyle <[email protected]>
Co-authored-by: Benjamin Reich <[email protected]>

* Update README.md

Remove old build links

* Update install_script.php

Update python symlink to point to the generic python symlink

* Update CHANGELOG.md (#1511)

Adds more v5.8 release notes

* Update make_munkireport_release.py

Add certifi to fix certificate issues

* Release version 5.8.0.

---------

Co-authored-by: Per Olofsson <[email protected]>
Co-authored-by: tuxudo <[email protected]>
Co-authored-by: Benjamin Reich <[email protected]>
Co-authored-by: Stephen Boyle <[email protected]>
mosen added a commit to mosen/munkireport-php that referenced this issue Jan 14, 2024
… ARM support

Dont supply example APP_KEY.
Fix layout glitch on filter modal
Fix hidden button on comment detail widget

Merge MunkiReport v6 (munkireport#1498) into v6 wip branch

Python 3 for MunkiReport v5 (munkireport#1498)