N°8201 - [CVE_Request]_Cross-Site-Script Reflected(XSS Reflected at the name="attr_installed" (Low or Medium)

N°8168 - Stored XSS in portals lnk
N°8313 - edit dashboard (fix broken test)
2026-02-19 18:34:12 +01:00 · 2025-05-23 10:06:01 +02:00 · 2025-05-23 08:42:56 +02:00 · 2025-05-16 14:05:55 +02:00 · 2025-05-16 14:05:55 +02:00 · 2025-05-16 14:05:55 +02:00
9 changed files with 37 additions and 51 deletions
--- a/application/dashboard.class.inc.php
+++ b/application/dashboard.class.inc.php
@@ -529,10 +529,7 @@ EOF
 	 */
 	public function Render($oPage, $bEditMode = false, $aExtraParams = array(), $bCanEdit = true)
 	{
-		if (!array_key_exists('dashboard_div_id', $aExtraParams))
-		{
-			$aExtraParams['dashboard_div_id'] = utils::Sanitize($this->GetId(), '', 'element_identifier');
-		}
+		$aExtraParams['dashboard_div_id'] = utils::Sanitize($aExtraParams['dashboard_div_id'] ?? null, $this->GetId(), utils::ENUM_SANITIZATION_FILTER_ELEMENT_IDENTIFIER);

 		$oPage->add('<div class="dashboard-title-line"><div class="dashboard-title">'.htmlentities(Dict::S($this->sTitle), ENT_QUOTES, 'UTF-8', false).'</div></div>');

@@ -1002,7 +999,7 @@ EOF
 		$sSelectorHtml .= '</div>';
 		$sSelectorHtml = addslashes($sSelectorHtml);
 		$sFile = addslashes($this->GetDefinitionFile());
-		$sReloadURL = $this->GetReloadURL();
+		$sReloadURL = json_encode($this->GetReloadURL());

 		$oPage->add_ready_script(
 <<<EOF
@@ -1059,7 +1056,7 @@ EOF
 		$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/jquery.iframe-transport.js');
 		$oPage->add_linked_script(utils::GetAbsoluteUrlAppRoot().'js/jquery.fileupload.js');
 		$sEditMenu = "<div id=\"DashboardMenu\"><ul><li><i class=\"top-right-icon icon-additional-arrow fas fa-pencil-alt\"></i><ul>";
-	
+
 		$aActions = array();
 		$sFile = addslashes($this->sDefinitionFile);
 		$sJSExtraParams = json_encode($aExtraParams);
@@ -1091,6 +1088,7 @@ EOF
 	
 EOF
 		);
+        $sReloadURL = json_encode($this->GetReloadURL());
 		$oPage->add_script(
 <<<EOF
 function EditDashboard(sId, sDashboardFile, aExtraParams)
@@ -1188,7 +1186,7 @@ EOF
 		$oPage->add('</div>');
 		$oPage->add('<div id="event_bus"/>'); // For exchanging messages between the panes, same as in the designer
 		$oPage->add('</div>');
-		
+
 		$sDialogTitle = Dict::S('UI:DashboardEdit:Title');
 		$sOkButtonLabel = Dict::S('UI:Button:Save');
 		$sCancelButtonLabel = Dict::S('UI:Button:Cancel');
@@ -1200,7 +1198,7 @@ EOF
 		$sTitle = json_encode($this->sTitle);
 		$sFile = json_encode($this->GetDefinitionFile());
 		$sUrl = utils::GetAbsoluteUrlAppRoot().'pages/ajax.render.php';
-		$sReloadURL = $this->GetReloadURL();
+		$sReloadURL = json_encode($this->GetReloadURL());

 		$sExitConfirmationMessage = addslashes(Dict::S('UI:NavigateAwayConfirmationMessage'));
 		$sCancelConfirmationMessage = addslashes(Dict::S('UI:CancelConfirmationMessage'));
--- a/application/utils.inc.php
+++ b/application/utils.inc.php
@@ -432,8 +432,8 @@ class utils

 			// For URL
 			case static::ENUM_SANITIZATION_FILTER_URL:
-                // N°6350 - returns only valid URLs
-				$retValue = filter_var($value, FILTER_VALIDATE_URL);
+				$retValue = filter_var($value, FILTER_SANITIZE_URL);
+				$retValue = filter_var($retValue, FILTER_VALIDATE_URL);
 				break;

 			default:
--- a/datamodels/2.x/itop-backup/dbrestore.class.inc.php
+++ b/datamodels/2.x/itop-backup/dbrestore.class.inc.php
@@ -53,14 +53,7 @@ class DBRestore extends DBBackup
 		$sUser = self::EscapeShellArg($this->sDBUser);
 		$sPwd = self::EscapeShellArg($this->sDBPwd);
 		$sDBName = self::EscapeShellArg($this->sDBName);
-		if (empty($this->sMySQLBinDir))
-		{
-			$sMySQLExe = 'mysql';
-		}
-		else
-		{
-			$sMySQLExe = '"'.$this->sMySQLBinDir.'/mysql"';
-		}
+		$sMySQLExe = DBBackup::MakeSafeMySQLCommand($this->sMySQLBinDir, 'mysql');
 		if (is_null($this->iDBPort))
 		{
 			$sPortOption = '';
--- a/datamodels/2.x/itop-backup/status.php
+++ b/datamodels/2.x/itop-backup/status.php
@@ -56,15 +56,7 @@ try
 	//
 	$sMySQLBinDir = MetaModel::GetConfig()->GetModuleSetting('itop-backup', 'mysql_bindir', '');
 	$sMySQLBinDir = utils::ReadParam('mysql_bindir', $sMySQLBinDir, true);
-	if (empty($sMySQLBinDir))
-	{
-		$sMySQLDump = 'mysqldump';
-	}
-	else
-	{
-		//echo 'Info - Found mysql_bindir: '.$sMySQLBinDir;
-		$sMySQLDump = '"'.$sMySQLBinDir.'/mysqldump"';
-	}
+	$sMySQLDump = DBBackup::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
 	$sCommand = "$sMySQLDump -V 2>&1";

 	$aOutput = array();
--- a/pages/UI.php
+++ b/pages/UI.php
@@ -1989,7 +1989,7 @@ catch(CoreException $e)
 	{
 		$oP->add("<h1>".Dict::S('UI:FatalErrorMessage')."</h1>\n");
 	}	
-	$oP->error(Dict::Format('UI:Error_Details', $e->getHtmlDesc()));	
+	$oP->error(Dict::Format('UI:Error_Details', Str::pure2html($e->getHtmlDesc())));
 	$oP->output();

 	if (MetaModel::IsLogEnabledIssue())
@@ -2025,7 +2025,7 @@ catch(Exception $e)
 	require_once(APPROOT.'/setup/setuppage.class.inc.php');
 	$oP = new ErrorPage(Dict::S('UI:PageTitle:FatalError'));
 	$oP->add("<h1>".Dict::S('UI:FatalErrorMessage')."</h1>\n");	
-	$oP->error(Dict::Format('UI:Error_Details', $e->getMessage()));
+	$oP->error(Dict::Format('UI:Error_Details', Str::pure2html($e->getMessage())));
 	$oP->output();

 	if (MetaModel::IsLogEnabledIssue())
--- a/setup/backup.class.inc.php
+++ b/setup/backup.class.inc.php
@@ -104,6 +104,8 @@ class DBBackup
 	/** @var string */
 	protected $sDBName;
 	/** @var string */
+	protected $sMySQLBinDir = '';
+	/** @var string */
 	protected $sDBSubName;

 	/**
@@ -131,7 +133,6 @@ class DBBackup
 		$this->sDBSubName = $oConfig->get('db_subname');
 	}

-	protected $sMySQLBinDir = '';

 	/**
 	 * Create a normalized backup name, depending on the current date/time and Database
@@ -299,8 +300,9 @@ class DBBackup
 		}

 		$this->LogInfo("Starting backup of $this->sDBHost/$this->sDBName(suffix:'$this->sDBSubName')");
+		$sMySQLBinDir = utils::ReadParam('mysql_bindir', $this->sMySQLBinDir, true);

-		$sMySQLDump = $this->GetMysqldumpCommand();
+		$sMySQLDump = $this->MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');

 		// Store the results in a temporary file
 		$sTmpFileName = self::EscapeShellArg($sBackupFileName);
@@ -557,20 +559,22 @@ EOF;

 	/**
 	 * @return string the command to launch mysqldump (without its params)
+	 * @throws \BackupException
 	 */
-	private function GetMysqldumpCommand()
+	public static function MakeSafeMySQLCommand($sMySQLBinDir, string $sCmd)
 	{
-		$sMySQLBinDir = utils::ReadParam('mysql_bindir', $this->sMySQLBinDir, true);
-		if (empty($sMySQLBinDir))
-		{
-			$sMysqldumpCommand = 'mysqldump';
+		if (empty($sMySQLBinDir)) {
+			$sMySQLCommand = $sCmd;
 		}
-		else
-		{
-			$sMysqldumpCommand = '"'.$sMySQLBinDir.'/mysqldump"';
+		else {
+			$sMySQLBinDir = escapeshellcmd($sMySQLBinDir);
+			$sMySQLCommand = '"'.$sMySQLBinDir.'/$sCmd"';
+			if (!file_exists($sMySQLCommand)) {
+				throw new BackupException("$sCmd not found in $sMySQLBinDir");
+			}
 		}

-		return $sMysqldumpCommand;
+		return $sMySQLCommand;
 	}
 }

--- a/setup/setuputils.class.inc.php
+++ b/setup/setuputils.class.inc.php
@@ -484,16 +484,15 @@ class SetupUtils
 		{
 			$sMySQLBinDir = MetaModel::GetConfig()->GetModuleSetting('itop-backup', 'mysql_bindir', '');
 		}
-
-		if (empty($sMySQLBinDir))
-		{
-			$sMySQLDump = 'mysqldump';
-		}
-		else
-		{
-			SetupPage::log('Info - Found mysql_bindir: '.$sMySQLBinDir);
-			$sMySQLDump = '"'.$sMySQLBinDir.'/mysqldump"';
+		try {
+			$sMySQLDump = DBBackup::MakeSafeMySQLCommand($sMySQLBinDir, 'mysqldump');
+		} catch (Exception $e) {
+			$aResult[] = new CheckResult(CheckResult::ERROR, $e->getMessage());
+			return $aResult;
 		}
+        if (!empty($sMySQLBinDir)) {
+            SetupPage::log('Info - Found mysql_bindir: '.$sMySQLBinDir);
+        }
 		$sCommand = "$sMySQLDump -V 2>&1";

 		$aOutput = array();
--- a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
+++ b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
@@ -611,7 +611,7 @@ JS
 					if ($oAttDef->IsExternalKey())
 					{
 						/** @var \AttributeExternalKey $oAttDef */
-						$aAttProperties['value'] = $oRemoteItem->Get($sAttCode . '_friendlyname');
+						$aAttProperties['value'] = \Str::pure2html($oRemoteItem->Get($sAttCode . '_friendlyname'));

 						// Checking if user can access object's external key
 						$sObjectUrl = ApplicationContext::MakeObjectUrl($oAttDef->GetTargetClass(), $oRemoteItem->Get($sAttCode));
--- a/tests/php-unit-tests/unitary-tests/application/utilsTest.php
+++ b/tests/php-unit-tests/unitary-tests/application/utilsTest.php
@@ -495,7 +495,7 @@ class utilsTest extends ItopTestCase
 			'good element_identifier' => ['element_identifier', 'AD05nb', 'AD05nb'],
 			'bad element_identifier' => ['element_identifier', 'AD05nb+', 'AD05nb'],
 			'good url' => ['url', 'https://www.w3schools.com', 'https://www.w3schools.com'],
-			'bad url' => ['url', 'https://www.w3schoo<EFBFBD><EFBFBD>ls.co<EFBFBD>m', null],
+			'bad url' => ['url', 'https//www.w3schools.com', null],
 			'raw_data' => ['raw_data', '<Test>\s😃😃😃', '<Test>\s😃😃😃'],
 		];
 	}
Author	SHA1	Message	Date
bdalsass	13239c2751	N°8201 - [CVE_Request]_Cross-Site-Script Reflected(XSS Reflected at the name="attr_installed" (Low or Medium)	2025-05-23 10:06:01 +02:00
bdalsass	81b20ee583	N°8168 - Stored XSS in portals lnk	2025-05-23 08:42:56 +02:00
bdalsass	38683c20b1	N°8313 - edit dashboard (fix broken test)	2025-05-16 14:05:55 +02:00
bdalsass	81791dd253	N°8313 - edit dashboard	2025-05-16 14:05:55 +02:00
bdalsass	e77e0eec9f	N°8355 - render_dashboard	2025-05-16 14:05:55 +02:00
jf-cbd	960133c0df	N°8379 - fix backup issue	2025-05-13 16:27:59 +02:00