From d47cd744ae1d022489f1584dca1717882bb444ff Mon Sep 17 00:00:00 2001
From: Thomas Vincent
Date: Fri, 20 Mar 2026 01:55:22 -0700
Subject: [PATCH] hardening: improve output escaping and secure data exports
- Apply html_escape to filter input values across 11 view pages
- Use sanitize_unserialize_selected_items for form data deserialization
- Remove sensitive SNMP credential fields from guest-accessible CSV export
Signed-off-by: Thomas Vincent
---
lib/mactrack_functions.php | 2 +-
mactrack_device_types.php | 2 +-
mactrack_devices.php | 2 +-
mactrack_macauth.php | 2 +-
mactrack_macwatch.php | 2 +-
mactrack_snmp.php | 2 +-
mactrack_vendormacs.php | 2 +-
mactrack_view_arp.php | 2 +-
mactrack_view_devices.php | 11 +++-------
mactrack_view_interfaces.php | 2 +-
mactrack_view_macs.php | 7 +++++--
11 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/lib/mactrack_functions.php b/lib/mactrack_functions.php
index 9c47f6d..c603308 100644
--- a/lib/mactrack_functions.php
+++ b/lib/mactrack_functions.php
@@ -3582,7 +3582,7 @@ function mactrack_site_filter($page = 'mactrack_sites.php') {
- '>
+ '>
diff --git a/mactrack_device_types.php b/mactrack_device_types.php
index 0ee23f6..bb63556 100644
--- a/mactrack_device_types.php
+++ b/mactrack_device_types.php
@@ -1053,7 +1053,7 @@ function mactrack_device_type_filter() {
- '>
+ '>
diff --git a/mactrack_devices.php b/mactrack_devices.php
index 1435db5..3a3997c 100644
--- a/mactrack_devices.php
+++ b/mactrack_devices.php
@@ -1160,7 +1160,7 @@ function mactrack_device_filter() {
- '>
+ '>
diff --git a/mactrack_macauth.php b/mactrack_macauth.php
index b559f07..19e29ac 100644
--- a/mactrack_macauth.php
+++ b/mactrack_macauth.php
@@ -384,7 +384,7 @@ function mactrack_maca_filter() {
- '>
+ '>
diff --git a/mactrack_macwatch.php b/mactrack_macwatch.php
index 4013854..e64fdf6 100644
--- a/mactrack_macwatch.php
+++ b/mactrack_macwatch.php
@@ -392,7 +392,7 @@ function mactrack_macw_filter() {
- '>
+ '>
diff --git a/mactrack_snmp.php b/mactrack_snmp.php
index 98ade52..ec4a2b7 100644
--- a/mactrack_snmp.php
+++ b/mactrack_snmp.php
@@ -607,7 +607,7 @@ function snmp_options_filter() {
- '>
+ '>
diff --git a/mactrack_vendormacs.php b/mactrack_vendormacs.php
index 6962de2..c6b846e 100644
--- a/mactrack_vendormacs.php
+++ b/mactrack_vendormacs.php
@@ -201,7 +201,7 @@ function mactrack_vmac_filter() {
- '>
+ '>
diff --git a/mactrack_view_arp.php b/mactrack_view_arp.php
index 631e652..d711236 100644
--- a/mactrack_view_arp.php
+++ b/mactrack_view_arp.php
@@ -453,7 +453,7 @@ function mactrack_ip_address_filter() {
- '>
+ '>
diff --git a/mactrack_view_devices.php b/mactrack_view_devices.php
index 548260a..fe5275d 100644
--- a/mactrack_view_devices.php
+++ b/mactrack_view_devices.php
@@ -105,9 +105,7 @@ function mactrack_view_export_devices() {
 $xport_array = [];
 array_push($xport_array, 'site_id, site_name, device_id, device_name, notes, ' .
- 'hostname, snmp_readstring, snmp_readstrings, snmp_version, ' .
- 'snmp_username, snmp_password, snmp_auth_protocol, snmp_priv_passphrase, ' .
- 'snmp_priv_protocol, snmp_context, snmp_engine_id, ' .
+ 'hostname, snmp_version, snmp_context, snmp_engine_id, ' .
 'snmp_port, snmp_timeout, snmp_retries, max_oids, snmp_sysName, snmp_sysLocation, ' .
 'snmp_sysContact, snmp_sysObjectID, snmp_sysDescr, snmp_sysUptime, ' .
 'ignorePorts, scan_type, disabled, ports_total, ports_active, ' .
@@ -119,10 +117,7 @@ function mactrack_view_export_devices() {
 $device['site_id'] . '","' . $device['site_name'] . '","' .
 $device['device_id'] . '","' . $device['device_name'] . '","' .
 $device['notes'] . '","' . $device['hostname'] . '","' .
- $device['snmp_readstring'] . '","' . $device['snmp_readstrings'] . '","' .
- $device['snmp_version'] . '","' . $device['snmp_username'] . '","' .
- $device['snmp_password'] . '","' . $device['snmp_auth_protocol'] . '","' .
- $device['snmp_priv_passphrase'] . '","' . $device['snmp_priv_protocol'] . '","' .
+ $device['snmp_version'] . '","' .
 $device['snmp_context'] . '","' . $device['snmp_engine_id'] . '","' .
 $device['snmp_port'] . '","' . $device['snmp_timeout'] . '","' .
 $device['snmp_retries'] . '","' . $device['max_oids'] . '","' .
@@ -427,7 +422,7 @@ function mactrack_device_filter2() {
- '>
+ '>
diff --git a/mactrack_view_interfaces.php b/mactrack_view_interfaces.php
index 66e4ad5..ef09167 100644
--- a/mactrack_view_interfaces.php
+++ b/mactrack_view_interfaces.php
@@ -648,7 +648,7 @@ function mactrack_filter_table() {
- '>
+ '> >
diff --git a/mactrack_view_macs.php b/mactrack_view_macs.php
index f19f3c0..edbc76f 100644
--- a/mactrack_view_macs.php
+++ b/mactrack_view_macs.php
@@ -88,7 +88,10 @@ function form_actions() {
 // if we are to save this form, instead of display it
 if (isset_request_var('selected_items')) {
- $selected_items = unserialize(get_nfilter_request_var('selected_items'));
+ $selected_items = sanitize_unserialize_selected_items(get_nfilter_request_var('selected_items'));
+ if (!is_array($selected_items)) {
+ $selected_items = [];
+ }
 foreach ($selected_items as $mac=>$ip) {
 if (!filter_var($mac, FILTER_VALIDATE_MAC)) {
@@ -1106,7 +1109,7 @@ function mactrack_mac_filter() {
- '>
+ '>
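Review bot: The export row in this hunk still splices raw field values between `","` separators, so a double quote or newline inside `notes`, `device_name` or `snmp_sysDescr` yields a malformed CSV line, and dropping the credential columns does not change that. Route every field through one quoting helper, e.g. `$q = static fn ($v): string => '"' . str_replace('"', '""', (string) $v) . '"';` and join the row with `implode(',', ...)`, or build the line with `fputcsv()` on a `php://temp` stream, which handles embedded newlines as well. Cells that begin with `=`, `+`, `-` or `@` are evaluated as formulas when the export is opened in a spreadsheet, so a defensive export also prefixes such values with a single quote. The concatenation that builds this row starts and ends outside the hunk, and the header line in the preceding `@@ -105` hunk must stay aligned with whatever column list results; it does here.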
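Review bot: The added `is_array` fallback in `form_actions()` silently turns a malformed or tampered `selected_items` payload into an empty action, with no log entry and no message to the user, so the intent should at least be stated above the check: `// a non-array here means the serialized selection was malformed; treat it as "nothing selected"` (presumably the helper returns false in that case; confirm against `sanitize_unserialize_selected_items`). Consider logging that condition so tampering with the serialized form field stays visible in the audit trail rather than vanishing as a no-op. The visible loop validates only the `$mac` key via `FILTER_VALIDATE_MAC`; whether the `$ip` value is validated cannot be seen here because the loop body and the function continue past the hunk.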