SECURITY: Avoid simple sql injection when login in openvpn

Chocobozzz 2016-01-20 20:51:07 +01:00
parent 76a7939748
commit be29274e43
5 changed files with 33 additions and 0 deletions


@ -1,5 +1,15 @@
#!/bin/bash #!/bin/bash
. /etc/openvpn/scripts/config.sh . /etc/openvpn/scripts/config.sh
. /etc/openvpn/scripts/functions.sh
common_name=$(echap "$common_name")
trusted_ip=$(echap "$trusted_ip")
trusted_port=$(echap "$trusted_port")
ifconfig_pool_remote_ip=$(echap "$ifconfig_pool_remote_ip")
remote_port_1=$(echap "$remote_port_1")
bytes_received=$(echap "$bytes_received")
bytes_sent=$(echap "$bytes_sent")
# We insert data in the log table # We insert data in the log table
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES(NULL, '$common_name','$trusted_ip', '$trusted_port','$ifconfig_pool_remote_ip', '$remote_port_1', now(),'0000-00-00 00:00:00', '$bytes_received', '$bytes_sent')" mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES(NULL, '$common_name','$trusted_ip', '$trusted_port','$ifconfig_pool_remote_ip', '$remote_port_1', now(),'0000-00-00 00:00:00', '$bytes_received', '$bytes_sent')"
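Review bot: The port and byte-count values (`trusted_port`, `remote_port_1`, `bytes_received`, `bytes_sent`) are run through `echap` like free-form strings, although only digits are expected in them. A digits-only check before the INSERT would not depend on quoting rules at all, e.g. `[[ $trusted_port =~ ^[0-9]+$ ]] || trusted_port=0`. The same applies to the numeric fields escaped in the second file section (the script that marks the user offline). Separately, the result of sourcing `functions.sh` is not checked: if that file is missing, every `$(echap …)` yields an empty string and the script carries on with blank values, so `. /etc/openvpn/scripts/functions.sh || exit 1` would make the failure explicit.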


@ -1,5 +1,12 @@
#!/bin/bash #!/bin/bash
. /etc/openvpn/scripts/config.sh . /etc/openvpn/scripts/config.sh
. /etc/openvpn/scripts/functions.sh
common_name=$(echap "$common_name")
bytes_received=$(echap "$bytes_received")
bytes_sent=$(echap "$bytes_sent")
trusted_ip=$(echap "$trusted_ip")
trusted_port=$(echap "$trusted_port")
# We specify the user is offline # We specify the user is offline
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'" mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"


@ -0,0 +1,6 @@
#!/bin/bash
function echap() {
# echap ' and \
echo "$1" | sed s/\\\\/\\\\\\\\/g | sed s/\'/\\\\\'/g
}
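Review bot: `echap` neutralises a quote only by putting a backslash in front of it, so the protection depends on the server treating backslash as an escape character. Under MySQL's `NO_BACKSLASH_ESCAPES` SQL mode, `\'` no longer escapes the quote and the callers' string-built queries are exposed again. Doubling the quote is valid in both modes, and `printf` avoids `echo` swallowing a value such as `-n`: `printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"`. The comment could also state that the result is safe only inside a single-quoted SQL string literal. Because the mysql command-line client offers no bound parameters, an allow-list check on `common_name` and `username` in the callers would be the stronger control.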


@ -1,5 +1,9 @@
#!/bin/bash #!/bin/bash
. /etc/openvpn/scripts/config.sh . /etc/openvpn/scripts/config.sh
. /etc/openvpn/scripts/functions.sh
username=$(echap "$username")
password=$(echap "$password")
# Authentication # Authentication
user_pass=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "SELECT user_pass FROM user WHERE user_id = '$username' AND user_enable=1 AND (TO_DAYS(now()) >= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')") user_pass=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "SELECT user_pass FROM user WHERE user_id = '$username' AND user_enable=1 AND (TO_DAYS(now()) >= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
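Review bot: `password=$(echap "$password")` rewrites the password, yet the only query visible in this section interpolates `$username` alone. The comparison against `user_pass` lies outside the hunk; if it hashes or compares `$password` there, any password containing `'` or `\` is altered before the check and would presumably stop matching the stored value. I would drop that line, or keep the raw value and escape a copy only where it is actually placed into SQL, with a comment such as `# password is never interpolated into SQL; do not escape it`.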


@ -39,3 +39,9 @@ cd "$www"
bower --allow-root install bower --allow-root install
chown -R "$user:$group" "$www" chown -R "$user:$group" "$www"
rm "/etc/openvpn/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh}
cp "$base_path/installation/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh} "/etc/openvpn/scripts"
chmod +x "/etc/openvpn/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh}
echo "OpenVPN-admin upgraded."
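Review bot: The added `rm` lists `functions.sh`, which does not exist yet on an installation upgraded from before this commit, so it reports an error for that file and returns non-zero (this would abort the upgrade if the script runs under `set -e`, which the hunk does not show). `cp` overwrites existing files anyway, so the `rm` can be dropped or relaxed to `rm -f -- "/etc/openvpn/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh}`. Removing first also means that a failing `cp` leaves the OpenVPN hook scripts missing, and its exit status is not checked before "OpenVPN-admin upgraded." is printed. `functions.sh` is only sourced by the other scripts, so it does not need the execute bit.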