fix(security): comprehensive bug and security cleanup

functions.php

@@ -306,8 +306,8 @@ function syslog_partition_create($table) {
 	try {
 		/* determine the format of the table name */
 		$time    = time();
-		$cformat = 'd' . date('Ymd', $time);
-		$lnow    = date('Y-m-d', $time+86400);
+		$cformat = 'd' . gmdate('Ymd', $time);
+		$lnow    = gmdate('Y-m-d', strtotime('+1 day', $time));
 
 		$exists = syslog_db_fetch_row_prepared("SELECT *
 			FROM `information_schema`.`partitions`
@@ -788,12 +788,12 @@ function syslog_export($tab) {
 
 				print
 					'"' .
-					$host                                          . '","' .
-					ucfirst($facility)                             . '","' .
-					ucfirst($priority)                             . '","' .
-					ucfirst($program)                              . '","' .
-					$message['logtime']                            . '","' .
-					$message[$syslog_incoming_config['textField']] . '"'   . "\r\n";
+					syslog_csv_safe($host)                                          . '","' .
+					syslog_csv_safe(ucfirst($facility))                             . '","' .
+					syslog_csv_safe(ucfirst($priority))                             . '","' .
+					syslog_csv_safe(ucfirst($program))                              . '","' .
+					syslog_csv_safe($message['logtime'])                            . '","' .
+					syslog_csv_safe($message[$syslog_incoming_config['textField']]) . '"'   . "\r\n";
 			}
 		}
 	} else {
@@ -815,14 +815,14 @@ function syslog_export($tab) {
 
 				print
 					'"' .
-					$message['name']                  . '","' .
-					$severity                         . '","' .
-					$message['logtime']               . '","' .
-					$message['logmsg']                . '","' .
-					$message['host']                  . '","' .
-					ucfirst($message['facility'])     . '","' .
-					ucfirst($message['priority'])     . '","' .
-					$message['count']                 . '"'   . "\r\n";
+					syslog_csv_safe($message['name'])                  . '","' .
+					syslog_csv_safe($severity)                         . '","' .
+					syslog_csv_safe($message['logtime'])               . '","' .
+					syslog_csv_safe($message['logmsg'])                . '","' .
+					syslog_csv_safe($message['host'])                  . '","' .
+					syslog_csv_safe(ucfirst($message['facility']))     . '","' .
+					syslog_csv_safe(ucfirst($message['priority']))     . '","' .
+					syslog_csv_safe($message['count'])                 . '"'   . "\r\n";
 			}
 		}
 	}
@@ -2050,6 +2050,32 @@ function syslog_postprocess_tables() {
 	}
 }
 
+/**
+ * syslog_csv_safe - Escapes a value for safe inclusion in a CSV field.
+ *
+ * Prevents formula injection by prefixing cells that start with a trigger
+ * character (=, +, -, @, /, tab, CR, LF), and escapes embedded
+ * double-quotes per RFC 4180.
+ *
+ * @param  (mixed) $value  The value to sanitize
+ *
+ * @return (string) The sanitized string
+ */
+function syslog_csv_safe($value) {
+	if ($value === null || $value === '') {
+		return '';
+	}
+
+	$value = (string) $value;
+	$value = str_replace('"', '""', $value);
+
+	if (preg_match('/^[=+\-@\/\t\r\n]/', $value)) {
+		$value = "'" . $value;
+	}
+
+	return $value;
+}
+
 /**
  * syslog_process_reports - Processes all syslog reports scheduled to run
  *

js/functions.js

@@ -227,7 +227,7 @@ function initSyslogMain(config) {
 
 							$.each(data, function(index, hostData) {
 								if ($('#host option[value="'+index+'"]').length == 0) {
-									$('#host').append('<option class="'+hostData.class+'" value="'+index+'">'+hostData.host+'</option>');
+									$('#host').append('<option class="'+DOMPurify.sanitize(hostData.class)+'" value="'+DOMPurify.sanitize(index)+'">'+DOMPurify.sanitize(hostData.host)+'</option>');
 								}
 							});
 

setup.php

@@ -626,8 +626,8 @@ function syslog_setup_table_new($options) {
 		$newreport = true;
 	}
 
-	if ($truncate || !$newreport) {
-		syslog_db_execute("DROP TABLE IF EXISTS `" . $syslogdb_default . "`.`syslog_reports`");
+	if ($truncate) {
+		syslog_db_execute_prepared("DROP TABLE IF EXISTS `" . $syslogdb_default . "`.`syslog_reports`", array());
 	}
 
 	syslog_db_execute("CREATE TABLE IF NOT EXISTS `" . $syslogdb_default . "`.`syslog_reports` (

syslog.php

@@ -289,6 +289,7 @@ function syslog_statistics() {
 
 	$sql_where   = '';
 	$sql_groupby = '';
+	$sql_params  = array();
 
 	if (get_request_var('rows') == -1) {
 		$rows = read_config_option('num_rows_table');
@@ -298,14 +299,14 @@ function syslog_statistics() {
 		$rows = get_request_var('rows');
 	}
 
-	$records = get_stats_records($sql_where, $sql_groupby, $rows);
+	$records = get_stats_records($sql_where, $sql_groupby, $rows, $sql_params);
 
 	$rows_query_string = "SELECT COUNT(*)
 		FROM `" . $syslogdb_default . "`.`syslog_statistics` AS ss
 		$sql_where
 		$sql_groupby";
 
-	$total_rows = syslog_db_fetch_cell('SELECT COUNT(*) FROM ('. $rows_query_string  . ') as temp');
+	$total_rows = syslog_db_fetch_cell_prepared('SELECT COUNT(*) FROM ('. $rows_query_string  . ') as temp', $sql_params);
 
 	$nav = html_nav_bar('syslog.php?tab=stats', MAX_DISPLAY_PAGES, get_request_var_request('page'), $rows, $total_rows, 4, __('Messages', 'syslog'), 'page', 'main');
 
@@ -387,14 +388,16 @@ function syslog_statistics() {
 	}
 }
 
-function get_stats_records(&$sql_where, &$sql_groupby, $rows) {
+function get_stats_records(&$sql_where, &$sql_groupby, $rows, &$sql_params) {
 	global $syslogdb_default;
 
 	/* form the 'where' clause for our main sql query */
-	if (!isempty_request_var('rfilter')) {
+	if (!isempty_request_var('rfilter') && strlen(get_request_var('rfilter')) <= 255) {
 		$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') .
-			"sh.host RLIKE '"       . get_request_var('rfilter') . "'
-			OR spr.program RLIKE '" . get_request_var('rfilter') . "'";
+			"(sh.host RLIKE ?
+			OR spr.program RLIKE ?)";
+		$sql_params[] = get_request_var('rfilter');
+		$sql_params[] = get_request_var('rfilter');
 	}
 
 	if (get_request_var('host') == '-2') {
@@ -470,7 +473,7 @@ function get_stats_records(&$sql_where, &$sql_groupby, $rows) {
 
 	//cacti_log(str_replace("\n", "", $query_sql));
 
-	return syslog_db_fetch_assoc($query_sql);
+	return syslog_db_fetch_assoc_prepared($query_sql, $sql_params);
 }
 
 function syslog_stats_filter() {
@@ -848,11 +851,12 @@ function set_shift_span($shift_span, $session_prefix) {
 	}
 }
 
-function get_syslog_messages(&$sql_where, $rows, $tab) {
+function get_syslog_messages(&$sql_where, $rows, $tab, &$sql_params = array()) {
 	global $sql_where, $hostfilter, $hostfilter_log, $current_tab, $syslog_incoming_config;
 	global $syslogdb_default;
 
-	$sql_where = '';
+	$sql_where  = '';
+	$sql_params = array();
 
 	if ($tab == 'alerts') {
 		if (get_request_var('host') == 0) {
@@ -908,20 +912,23 @@ function get_syslog_messages(&$sql_where, $rows, $tab) {
 			'sa.id=' . get_request_var('id');
 	}
 
-	if (!isempty_request_var('rfilter')) {
+	if (!isempty_request_var('rfilter') && strlen(get_request_var('rfilter')) <= 255) {
 		if ($tab == 'syslog') {
-			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "message RLIKE '" . get_request_var('rfilter') . "'";
+			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "message RLIKE ?";
 		} else {
-			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "logmsg RLIKE '" . get_request_var('rfilter') . "'";
+			$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . "logmsg RLIKE ?";
 		}
+		$sql_params[] = get_request_var('rfilter');
 	}
 
 	if (get_request_var('eprogram') != '-1') {
-		$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . 'syslog.program_id = ' . db_qstr(get_request_var('eprogram'));
+		$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . 'syslog.program_id = ?';
+		$sql_params[] = get_request_var('eprogram');
 	}
 
 	if (get_request_var('efacility') != '-1') {
-		$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . 'syslog.facility_id = ' . db_qstr(get_request_var('efacility'));
+		$sql_where .= ($sql_where == '' ? 'WHERE ' : ' AND ') . 'syslog.facility_id = ?';
+		$sql_params[] = get_request_var('efacility');
 	}
 
 	if (isset_request_var('epriority') && get_request_var('epriority') != '-1') {

syslog_alerts.php

@@ -321,17 +321,17 @@ function api_syslog_alert_save($id, $name, $method, $level, $num, $type, $messag
 
 function api_syslog_alert_remove($id) {
 	global $syslogdb_default;
-	syslog_db_execute("DELETE FROM `" . $syslogdb_default . "`.`syslog_alert` WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_alert` WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_alert_disable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_alert_enable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='on' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_alert` SET enabled='on' WHERE id = ?", array(intval($id)));
 }
 
 /* ---------------------

syslog_removal.php

@@ -306,17 +306,17 @@ function api_syslog_removal_save($id, $name, $type, $message, $rmethod, $notes,
 
 function api_syslog_removal_remove($id) {
 	global $syslogdb_default;
-	syslog_db_execute("DELETE FROM `" . $syslogdb_default . "`.`syslog_remove` WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("DELETE FROM `" . $syslogdb_default . "`.`syslog_remove` WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_removal_disable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_removal_enable($id) {
 	global $syslogdb_default;
-	syslog_db_execute("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='on' WHERE id='" . $id . "'");
+	syslog_db_execute_prepared("UPDATE `" . $syslogdb_default . "`.`syslog_remove` SET enabled='on' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_removal_reprocess($id) {

syslog_reports.php

@@ -315,17 +315,17 @@ function api_syslog_report_save($id, $name, $type, $message, $timespan, $timepar
 
 function api_syslog_report_remove($id) {
 	global $syslogdb_default;
-	syslog_db_execute('DELETE FROM `' . $syslogdb_default . '`.`syslog_reports` WHERE id=' . $id);
+	syslog_db_execute_prepared('DELETE FROM `' . $syslogdb_default . '`.`syslog_reports` WHERE id = ?', array(intval($id)));
 }
 
 function api_syslog_report_disable($id) {
 	global $syslogdb_default;
-	syslog_db_execute('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='' WHERE id=" . $id);
+	syslog_db_execute_prepared('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='' WHERE id = ?", array(intval($id)));
 }
 
 function api_syslog_report_enable($id) {
 	global $syslogdb_default;
-	syslog_db_execute('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='on' WHERE id=" . $id);
+	syslog_db_execute_prepared('UPDATE `' . $syslogdb_default . "`.`syslog_reports` SET enabled='on' WHERE id = ?", array(intval($id)));
 }
 
 /* ---------------------