* along with this package; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, * MA 02110-1301 USA * * * On Debian GNU/Linux systems, the complete text of the GNU General * Public License can be found in `/usr/share/common-licenses/GPL-2'. * * Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt * */ require_once 'av_init.php'; include_once 'riskmaps_functions.php'; Session::logcheck('dashboard-menu', 'BusinessProcesses'); $infolog = array('Indicator Risk Maps'); Log_action::log(49, $infolog); if (!Session::menu_perms('dashboard-menu', 'BusinessProcessesEdit')) { echo ossim_error(_("You don't have permissions to edit risk indicators")); exit; } $data = array('status' => 'success', 'data' => ''); $db = new ossim_db(); $conn = $db->connect(); $map = GET('map'); $ri_positions = GET('data'); $name = GET('alarm_name'); $icon = GET('icon'); $url = GET('url'); $ri_id = GET('id'); $type = GET('type'); $type_name = GET('elem');
$runorder++; } if ($_DEBUG) { echo $htmlPdfReport->get(); } else { // Generate pdf report $pdfReport->setHtml($htmlPdfReport->get()); $pdfReport->getPdf('server'); } //Send email $email = $_POST['email']; if (isset($email) && !empty($email)) { ossim_valid($_POST['email'], OSS_MAIL_ADDR, 'illegal:' . _('Email address')); if (ossim_error()) { echo 'error###' . ossim_get_error_clean(); exit; } $status = $pdfReport->sendPdfEmail($report_data['report_name'], $email); $file = $pdfReport->getpath() . $pdfReport->getNamePdf(); @unlink($file); if ($status != TRUE) { $message = _('Please check email configuration in Deployment -> AlienVault Center -> General Configuration and try again'); echo 'error###' . _('Unable to send PDF report.') . '<br/><br/>' . $message; } else { echo 'OK###' . _('PDF Report has been sent successfully'); } } else { echo $pdfReport->getNamePdf(); } Log_action::log(19); }
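/**
 * Delete one recurring scan schedule, record the deletion in the action log
 * and redraw the schedule list.
 *
 * The schedule id is sent to the database as a bound parameter instead of
 * being interpolated into the SQL text, so a crafted id cannot alter the
 * SELECT or the DELETE.
 *
 * @param mixed $schedid Id of the vuln_job_schedule row to delete.
 *
 * @return void
 */
function delete_sched($schedid)
{
    global $viewall, $sortby, $sortdir, $uroles, $username, $dbconn;

    $dbconn->SetFetchMode(ADODB_FETCH_BOTH);

    // Callers without the admin role get an extra ownership filter, so the
    // lookup and the delete below only match rows carrying that username.
    // NOTE(review): the username value is masked in this listing. If the real
    // code builds it from $username, bind it as a second parameter rather
    // than concatenating it into the statement.
    $sql_require = "";
    if (!$uroles['admin']) {
        $sql_require = "AND username='******'";
    }

    $params = array($schedid);

    $query  = "SELECT id, name FROM vuln_job_schedule WHERE id = ? {$sql_require}";
    $result = $dbconn->Execute($query, $params);

    // A failed query or an empty result set leaves no row to unpack; treat
    // both as "nothing to delete" instead of dereferencing a non-result.
    $jid   = 0;
    $nname = '';
    if ($result && is_array($result->fields)) {
        list($jid, $nname) = $result->fields;
    }

    if ($jid > 0) {
        $query  = "DELETE FROM vuln_job_schedule WHERE id = ? {$sql_require}";
        $result = $dbconn->Execute($query, $params);

        // Audit trail: action code 68 with the schedule name as detail.
        $infolog = array($nname);
        Log_action::log(68, $infolog);
    }
    // NOTE(review): when no row matches (unknown id, or a schedule the caller
    // does not own) nothing is written to the action log, so refused delete
    // attempts leave no audit record.

    main_page($viewall, $sortby, $sortdir);
}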
$log_dst = $order_dst . " (" . $policy_dst->get_id() . ")"; } if ($group_src == $group_dst) { // same group => swap Policy::swap_simple_orders($conn, $policy_src, $policy_dst); } else { // different group => especial swap if ($order_src < $order_dst) { // Only change group (do not change order value) if ($order_src == $order_dst - 1) { Policy::change_group($conn, $policy_src->get_id(), $group_dst); } else { for ($i = $order_src; $i < $order_dst - 1; $i++) { Policy::swap_orders($conn, $i, $i + 1, $group_dst, $ctx, "src"); } } } else { if ($order_src == $order_dst) { Policy::change_group($conn, $policy_src->get_id(), $group_dst); } for ($i = $order_src; $i > $order_dst; $i--) { Policy::swap_orders($conn, $i - 1, $i, $group_dst, $ctx, "dst"); } } } $infolog = array($order_src . " (" . $policy_src->get_id() . ")", $log_dst); Log_action::log(98, $infolog); Web_indicator::set_on("Reload_policies"); // ReloadPolicy key deprecated, now using Reload_policies always //Web_indicator::set_on("ReloadPolicy"); $db->close();
//Getting password length $conf = $GLOBALS['CONF']; $pass_length_min = $conf->get_conf('pass_length_min') ? $conf->get_conf('pass_length_min') : 7; $pass_length_max = $conf->get_conf('pass_length_max') ? $conf->get_conf('pass_length_max') : 255; $pass_length_max = $pass_length_max < $pass_length_min || $pass_length_max < 1 ? 255 : $pass_length_max; $pass_expire_min = $conf->get_conf('pass_expire_min') ? $conf->get_conf('pass_expire_min') : 0; if (0 != strcmp($pass1, $pass2)) { $validation_errors['pass'] = _('Authentication failure') . '. ' . _('Passwords mismatch'); } elseif (strlen($pass1) < $pass_length_min) { $validation_errors['pass'] = _('Password is not long enough') . ' [' . _('Minimum password size is') . ' ' . $pass_length_min . ']'; } elseif (strlen($pass1) > $pass_length_max) { $validation_errors['pass'] = _('Password is long enough') . ' [' . _('Maximum password size is') . ' ' . $pass_length_max . ']'; } elseif (!Session::pass_check_complexity($pass1)) { $validation_errors['pass'] = _('Password is not strong enough. Check the password policy configuration for more details'); } elseif ($mode == 'update') { $recent_pass = Log_action::get_last_pass($conn, $login); if ($pass_expire_min > 0 && dateDiff_min($last_pass_change, date('Y-m-d H:i:s')) < $pass_expire_min && !Session::am_i_admin()) { $validation_errors['pass'] = _('Password lifetime is too short to allow change. Wait a few minutes...'); } elseif (count($recent_pass) > 0 && (in_array(md5($pass1), $recent_pass) || in_array(hash('sha256', $pass1), $recent_pass))) { $validation_errors['pass'] = _('This password is recently used. Try another'); } } } } } //Checking entities field requirements if (empty($validation_errors['entities[]'])) { //Check allowed entities if ($pro && !$is_my_profile) { foreach ($entities as $ent_id) { if (!Acl::entityAllowed($ent_id)) {
$pass_length_min = $conf->get_conf('pass_length_min') ? $conf->get_conf('pass_length_min') : 7; if ($first_login == '' || $first_login == 0 || $first_login == 'no') { $accepted = 'yes'; } $failed = FALSE; if ($accepted == 'yes') { $first_login = '******'; $client = new Alienvault_client($user); $client->auth()->login($user, $pass); $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB); //get vector size on ECB mode $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND); //Creating the vector $_SESSION['mdspw'] = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $conf->get_conf('md5_salt'), $pass, MCRYPT_MODE_ECB, $iv); $infolog = array($user); Log_action::log(1, $infolog); if ($first_user_login) { header("Location: first_login.php"); } elseif ($pass_expire_max > 0 && dateDiff($last_pass_change, date('Y-m-d H:i:s')) >= $pass_expire_max) { header("Location: first_login.php?expired=1"); } elseif ($user == AV_DEFAULT_ADMIN && $pass == 'admin') { header("Location: first_login.php?changeadmin=1"); } else { if ($mobile != '') { header("Location: ../statusbar/mobile.php?login="******"&screen={$mobile}"); } else { if (Session::am_i_admin()) { if (Welcome_wizard::show_wizard_status_bar()) { $_SESSION['_welcome_wizard_bar'] = TRUE; } else { unset($_SESSION['_welcome_wizard_bar']);
die(ossim_error(_("User Contributed file not found in") . " " . $directive_editor->engine_path . ". " . _("Please, create it first"))); } // SAVE CURRENT if ($directive_id != "") { $directive_editor = new Directive_editor($engine_id); $filepath = $directive_editor->engine_path . "/" . $file; $dom = $directive_editor->get_xml($filepath, "DOMXML"); $directive = $directive_editor->getDirectiveFromXML($dom, $directive_id); $node = $directive->directive; $node->setAttribute('name', $name); $node->setAttribute('priority', $prio); $directive_editor->save_xml($filepath, $dom, "DOMXML"); $directive_editor->update_directive_pluginsid($directive_id, 2, $prio, $name); $directive_editor->update_directive_taxonomy($directive_id, $intent, $strategy, $method); $infolog = array($directive_id, 'updated'); Log_action::log(86, $infolog); } else { if ($directive_editor->directive_exists($name, $filepath)) { die(ossim_error(_("This directive name already exists"))); } // Get new ID $id = $directive_editor->new_directive_id($file); if ($id < 1) { echo ossim_error(_("Unable to create a new directive in ") . "<b>{$file}</b>"); } // Create a Node (Do not create yet, at rule finish) // ... } // Back to MAIN if (POST('mode') == "saveclose") { Util::memcacheFlush();
$error_string .= $s_error; $flag_status = 2; } } } if ($flag_status != 2) { $api_client = new Alienvault_client(); for ($i = 0; $i < POST('nconfs'); $i++) { if (isset($_POST["conf_{$i}"]) && isset($_POST["value_{$i}"])) { if ($pass_fields[POST("conf_{$i}")] == 1 && Util::is_fake_pass(POST("value_{$i}")) || POST("value_{$i}") == 'skip_this_config_value') { continue; } else { $before_value = $ossim_conf->get_conf(POST("conf_{$i}")); $config->update(POST("conf_{$i}"), POST("value_{$i}")); if (POST("value_{$i}") != $before_value) { Log_action::log(7, array("variable: " . POST("conf_{$i}"))); // Special cases custom_actions($api_client, POST("conf_{$i}"), POST("value_{$i}")); if (in_array(POST("conf_{$i}"), $cert_options)) { $certs = TRUE; } } } } } } // check valid pass length max if (intval($pass_length_max) < intval($pass_length_min) || intval($pass_length_max) < 1 || intval($pass_length_max) > 255) { $config->update('pass_length_max', 255); } else { $config->update('pass_length_max', intval($pass_length_max));
} if ($can_i_delete) { $query = 'DELETE FROM vuln_jobs WHERE id=?'; $params = array($kill_id); $result = $conn->execute($query, $params); $query = 'DELETE FROM vuln_nessus_reports WHERE report_id=?'; $params = array($report_id); $result = $conn->execute($query, $params); $query = 'DELETE FROM vuln_nessus_report_stats WHERE report_id=?'; $params = array($report_id); $result = $conn->execute($query, $params); $query = 'DELETE FROM vuln_nessus_results WHERE report_id=?'; $params = array($report_id); $result = $conn->execute($query, $params); $infolog = array($job_name); Log_action::log(65, $infolog); } } } } } $db->close($conn); if ($action == 'save_scan' && empty($validation_errors) || $action == 'delete_scan') { $url = Menu::get_menu_url(AV_MAIN_PATH . '/vulnmeter/manage_jobs.php', 'environment', 'vulnerabilities', 'scan_jobs'); header("Location: {$url}"); die; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head>
*/ require_once 'av_init.php'; /* connect to db */ $db = new ossim_db(); $conn = $db->connect(); if ($_SESSION['_user']) { $user = $_SESSION['_user']; unset($_SESSION); // destroy session to force password change session_destroy(); session_start(); $_SESSION['_backup_user'] = $user; } else { $user = $_SESSION['_backup_user']; } $recent_pass = Log_action::get_last_pass($conn, $user); $conf = $GLOBALS['CONF']; if (!isset($_SESSION['_user']) && !isset($_SESSION['_backup_user'])) { $ossim_link = $conf->get_conf('ossim_link'); $login_location = $ossim_link . '/session/login.php'; header("Location: {$login_location}"); exit; } $version = $conf->get_conf('ossim_server_version'); $opensource = !preg_match("/.*pro.*/i", $version) && !preg_match("/.*demo.*/i", $version) ? TRUE : FALSE; $pass1 = base64_decode(POST('pass1')); $pass2 = base64_decode(POST('pass2')); $current_pass = base64_decode(POST('current_pass')); $flag = POST('flag'); $changeadmin = POST('changeadmin'); $expired = POST('expired');
echo $user != "" ? "&user={$user}" : ""; echo $code != "" ? "&code={$code}" : ""; ?> "> <?php echo gettext("Action"); ?> </a> </th> </tr> </thead> <tbody> <?php $time_start = time(); if ($log_list = Log_action::get_list($conn, $filter, "ORDER by {$order}", $inf, $sup)) { foreach ($log_list as $log) { ?> <tr> <?php if ($_SESSION['_user'] == "admin") { $tmp = str_replace(" ", "#", $log->get_date()); //echo "<td><input type='checkbox' name='$tmp|".$log->get_info()."' value='yes'></td>"; } ?> <td><?php echo $log->get_date(); ?> </td> <td><?php
ossim_valid($ctx, OSS_HEX, 'illegal:' . _("order")); if (ossim_error()) { die(ossim_error()); } //db connection $db = new ossim_db(); $conn = $db->connect(); $group1 = Policy_group::get_list($conn, $ctx, " AND id=UNHEX('{$group}')"); if ($group1[0]) { $ctx = $group1[0]->get_ctx(); if ($order == "up") { $pg_ord = Policy::get_pg_order($conn, $ctx, $group1[0]->get_order(), 'up'); $group2 = Policy_group::get_list($conn, $ctx, " AND policy_group.order={$pg_ord}"); $pg_src = $group2[0]; $pg_dst = $group1[0]; } elseif ($order == "down") { $pg_ord = Policy::get_pg_order($conn, $ctx, $group1[0]->get_order(), 'down'); $group2 = Policy_group::get_list($conn, $ctx, " AND policy_group.order={$pg_ord}"); $pg_src = $group1[0]; $pg_dst = $group2[0]; } if (is_object($pg_src) && is_object($pg_dst)) { echo "Swapping: id1=" . $pg_dst->get_group_id() . ",order1=" . $pg_src->get_order() . ",id2=" . $pg_dst->get_group_id() . ",order2=" . $pg_dst->get_order() . "<br>\n"; Policy_group::swap_orders($conn, $pg_src->get_ctx(), $pg_src->get_group_id(), $pg_src->get_order(), $pg_dst->get_group_id(), $pg_dst->get_order()); $infolog = array($pg_dst->get_name() . "(" . $pg_dst->get_group_id() . ")", $pg_dst->get_name() . "(" . $pg_dst->get_group_id() . ")"); Log_action::log(99, $infolog); Web_indicator::set_on("Reload_policies"); Web_indicator::set_on("ReloadPolicy"); } } $db->close();
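/**
 * Delete a vulnerability scan job together with its stored report data,
 * log the deletion, and send the browser back to the job list.
 *
 * Only callers whose $uroles['admin'] flag is set may delete; for anyone else
 * the function returns without touching the database or producing output.
 * Every value that reaches SQL is passed as a bound parameter rather than
 * interpolated into the statement text.
 *
 * @param mixed $job_id Id of the vuln_jobs row to delete.
 *
 * @return void
 */
function delete_scan($job_id)
{
    global $uroles, $username, $useremail, $mailfrom, $dbconn;

    if (!$uroles['admin']) {
        // NOTE(review): refused attempts are not written to the action log.
        return;
    }

    $query  = "SELECT name, id, scan_SERVER, report_id, status FROM vuln_jobs WHERE id=? LIMIT 1";
    $result = $dbconn->execute($query, array($job_id));

    // Only continue with the deletes when the job exists. Without this guard
    // an unknown id would run the DELETE statements with empty keys.
    if ($result && is_array($result->fields)) {
        list($job_name, $kill_id, $nserver_id, $report_id, $status) = $result->fields;

        // A job in status "R" still counts against its scan server; give the slot back.
        if ($status == "R") {
            $query  = "UPDATE vuln_nessus_servers SET current_scans=current_scans-1 WHERE id=? and current_scans>0 LIMIT 1";
            $result = $dbconn->execute($query, array($nserver_id));
        }

        $query  = "DELETE FROM vuln_jobs WHERE id=?";
        $result = $dbconn->execute($query, array($kill_id));

        // Remove the report and everything stored under the same report id.
        $report_params = array($report_id);

        $query  = "DELETE FROM vuln_nessus_reports WHERE report_id=?";
        $result = $dbconn->execute($query, $report_params);

        $query  = "DELETE FROM vuln_nessus_report_stats WHERE report_id=?";
        $result = $dbconn->execute($query, $report_params);

        $query  = "DELETE FROM vuln_nessus_results WHERE report_id=?";
        $result = $dbconn->execute($query, $report_params);

        // Audit trail: action code 65 with the job name as detail.
        $infolog = array($job_name);
        Log_action::log(65, $infolog);
    }

    // Client-side redirect back to the job list.
    ?>
<script type="text/javascript">
//<![CDATA[
document.location.href='manage_jobs.php?hmenu=Vulnerabilities&smenu=Jobs';
//]]>
</script><?php
}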
} $dom = $directive_editor->get_xml($file, "DOMXML"); $node = $dom->createElement('directive'); $node->setAttribute('id', POST('directive_id')); $node->setAttribute('name', POST('directive_name')); $node->setAttribute('priority', POST('directive_prio')); $dom->appendChild($node); if (!$directive_editor->save_xml($file, $dom, "DOMXML", false)) { // DTD Validation = false $directive_error = true; } else { $directive_editor->update_directive_pluginsid(POST('directive_id'), 2, POST('directive_prio'), POST('directive_name')); $directive_editor->update_directive_taxonomy(POST('directive_id'), POST('directive_intent'), POST('directive_strategy'), POST('directive_method')); } $infolog = array(POST('directive_id')); Log_action::log(85, $infolog); } if (!$directive_error) { $directive_editor->insert($rule, POST("directive_id"), $file); ?> <script type="text/javascript"> var params = new Array(); params['xml'] = "<?php echo $xml_file; ?> "; params['directive'] = "<?php echo POST('directive_id'); ?> ";
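/**
 * Delete a vulnerability scan job together with its stored report data,
 * log the deletion, and send the browser back to the scan-jobs page.
 *
 * Only callers whose $uroles['admin'] flag is set may delete; for anyone else
 * the function changes no rows and produces no output. Every value
 * that reaches SQL is passed as a bound parameter rather than interpolated
 * into the statement text.
 *
 * @param mixed $job_id Id of the vuln_jobs row to delete.
 *
 * @return void
 */
function delete_scan($job_id)
{
    global $uroles, $username, $useremail, $mailfrom, $dbconn;

    $dbconn->SetFetchMode(ADODB_FETCH_BOTH);

    if (!$uroles['admin']) {
        // NOTE(review): refused attempts are not written to the action log.
        return;
    }

    $query  = "SELECT name, id, scan_SERVER, report_id, status FROM vuln_jobs WHERE id=? LIMIT 1";
    $result = $dbconn->execute($query, array($job_id));

    // Only continue with the deletes when the job exists. Without this guard
    // an unknown id would run the DELETE statements with empty keys.
    if ($result && is_array($result->fields)) {
        list($job_name, $kill_id, $nserver_id, $report_id, $status) = $result->fields;

        // A job in status "R" still counts against its scan server; give the slot back.
        if ($status == "R") {
            $query  = "UPDATE vuln_nessus_servers SET current_scans=current_scans-1 WHERE id=? and current_scans>0 LIMIT 1";
            $result = $dbconn->execute($query, array($nserver_id));
        }

        $query  = "DELETE FROM vuln_jobs WHERE id=?";
        $result = $dbconn->execute($query, array($kill_id));

        // Remove the report and everything stored under the same report id.
        $report_params = array($report_id);

        $query  = "DELETE FROM vuln_nessus_reports WHERE report_id=?";
        $result = $dbconn->execute($query, $report_params);

        $query  = "DELETE FROM vuln_nessus_report_stats WHERE report_id=?";
        $result = $dbconn->execute($query, $report_params);

        $query  = "DELETE FROM vuln_nessus_results WHERE report_id=?";
        $result = $dbconn->execute($query, $report_params);

        // Audit trail: action code 65 with the job name as detail.
        $infolog = array($job_name);
        Log_action::log(65, $infolog);
    }

    // Client-side redirect to the scan-jobs page. The URL comes from
    // Menu::get_menu_url() and is echoed into a single-quoted JavaScript string.
    // NOTE(review): confirm the helper never returns a quote character, or
    // encode the value for a JavaScript context before echoing it.
    ?>
<script type="text/javascript">
//<![CDATA[
document.location.href='<?php echo Menu::get_menu_url(AV_MAIN_PATH . '/vulnmeter/manage_jobs.php', 'environment', 'vulnerabilities', 'scan_jobs'); ?> ';
//]]>
</script><?php
}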
$dom = open_file($file); $tab_directive = $dom->get_elements_by_tagname('directive'); foreach ($tab_directive as $lign) { if ($lign->get_attribute('id') == $dir_id) { $directive = $lign; } } $dname = $directive->get_attribute('name'); $parent = $directive->parent_node(); $parent->remove_child($directive); $dom->dump_file($file); release_file($file); delete_dir_from_groups($dir_id); echo "<html><body onload=\"top.frames['main'].document.location.href='../index.php'\"></body></html>"; $infolog = array($dname); Log_action::log(87, $infolog); } elseif ($query == "add_directive") { $cat_id = $_GET['id']; $onlydir = $_GET['onlydir'] == "1" ? "1" : "0"; $category = get_category_by_id($cat_id); $XML_FILE = "/etc/ossim/server/" . $category->xml_file; $dom = open_file($XML_FILE); $id = new_directive_id($category->id); $null = NULL; $node = $dom->create_element('directive'); $node->set_attribute('id', $id); $node->set_attribute('name', "New directive"); $node->set_attribute('priority', "0"); $directive = new Directive($id, "New directive", "0", $null, $node); $_SESSION['directive'] = serialize($directive); release_file($XML_FILE);