This repository has been archived by the owner on Jan 3, 2023. It is now read-only.

SECURITY: Avoid simple sql injection when login in openvpn
Chocobozzz committed Jan 20, 2016
1 parent 76a7939 commit be29274
Showing 5 changed files with 33 additions and 0 deletions.
10 changes: 10 additions & 0 deletions installation/scripts/connect.sh
@@ -1,5 +1,15 @@
#!/bin/bash
. /etc/openvpn/scripts/config.sh
. /etc/openvpn/scripts/functions.sh

common_name=$(echap "$common_name")
trusted_ip=$(echap "$trusted_ip")
trusted_port=$(echap "$trusted_port")
ifconfig_pool_remote_ip=$(echap "$ifconfig_pool_remote_ip")
remote_port_1=$(echap "$remote_port_1")
bytes_received=$(echap "$bytes_received")
bytes_sent=$(echap "$bytes_sent")


# We insert data in the log table
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "INSERT INTO log (log_id, user_id, log_trusted_ip, log_trusted_port, log_remote_ip, log_remote_port, log_start_time, log_end_time, log_received, log_send) VALUES(NULL, '$common_name','$trusted_ip', '$trusted_port','$ifconfig_pool_remote_ip', '$remote_port_1', now(),'0000-00-00 00:00:00', '$bytes_received', '$bytes_sent')"
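Review bot: The port and byte-counter values escaped at the top of the script (`trusted_port`, `remote_port_1`, `bytes_received`, `bytes_sent`) are numeric, so rejecting anything that contains a non-digit is a stronger guard than quote escaping and does not depend on how the server parses string literals, e.g. `case $trusted_port in *[!0-9]*) exit 1 ;; esac` (this form still accepts an empty value, which matters if OpenVPN does not set every variable at connect time). `common_name` is the one free-form field here and is the value that actually needs escaping. The same applies to the identical assignments added in disconnect.sh. Separately, the unchanged `mysql` line still expands `-p$PASS` unquoted on the command line, where the password is visible in the process list; a client option file passed with `--defaults-extra-file` would keep it out of argv.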
7 changes: 7 additions & 0 deletions installation/scripts/disconnect.sh
@@ -1,5 +1,12 @@
#!/bin/bash
. /etc/openvpn/scripts/config.sh
. /etc/openvpn/scripts/functions.sh

common_name=$(echap "$common_name")
bytes_received=$(echap "$bytes_received")
bytes_sent=$(echap "$bytes_sent")
trusted_ip=$(echap "$trusted_ip")
trusted_port=$(echap "$trusted_port")

# We specify the user is offline
mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -e "UPDATE user SET user_online=0 WHERE user_id='$common_name'"
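--- a/installation/scripts/functions.sh
+++ b/installation/scripts/functions.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+function echap() {
+# echap ' and \
+echo "$1" | sed s/\\\\/\\\\\\\\/g | sed s/\'/\\\\\'/g
+}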
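Review bot: `echap` neutralises a quote by putting a backslash in front of it, which holds only while the MySQL server treats backslash as an escape character; with the `NO_BACKSLASH_ESCAPES` SQL mode enabled, `\'` no longer escapes the quote and the string literal ends there. Doubling the quote is valid in both modes, and `printf '%s'` avoids `echo` swallowing values such as `-n` or `-e`: `printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"`. The comment should also state what the function is for and what it assumes, e.g. `# Escape \ and ' so the value can be placed inside a single-quoted MySQL string literal`.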
4 changes: 4 additions & 0 deletions installation/scripts/login.sh
@@ -1,5 +1,9 @@
#!/bin/bash
. /etc/openvpn/scripts/config.sh
. /etc/openvpn/scripts/functions.sh

username=$(echap "$username")
password=$(echap "$password")

# Authentication
user_pass=$(mysql -h$HOST -P$PORT -u$USER -p$PASS $DB -sN -e "SELECT user_pass FROM user WHERE user_id = '$username' AND user_enable=1 AND (TO_DAYS(now()) >= TO_DAYS(user_start_date) OR user_start_date='0000-00-00') AND (TO_DAYS(now()) <= TO_DAYS(user_end_date) OR user_end_date='0000-00-00')")
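Review bot: `password=$(echap "$password")` rewrites the password in place although the visible query only interpolates `$username`; if the code below the hunk hashes or compares `$password`, any password containing `'` or `\` will presumably no longer match the stored `user_pass`. Escaping belongs only on a value at the point it is placed into SQL, so I would drop that line, or keep the raw value and escape a copy if a later query really needs it, e.g. `password_sql=$(echap "$password")`. The rest of login.sh is outside the hunk, so this needs checking against the comparison code.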
6 changes: 6 additions & 0 deletions update.sh
Expand Up @@ -39,3 +39,9 @@ cd "$www"

bower --allow-root install
chown -R "$user:$group" "$www"

rm "/etc/openvpn/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh}
cp "$base_path/installation/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh} "/etc/openvpn/scripts"
chmod +x "/etc/openvpn/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh}

echo "OpenVPN-admin upgraded."
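Review bot: The `rm` line fails on functions.sh for any installation that predates this commit, because that file is first introduced here, and between `rm` and `cp` the login script OpenVPN calls does not exist. None of the three steps is checked, so a failed `cp` would leave the server without its authentication scripts while the script still prints "OpenVPN-admin upgraded."; whether an error aborts the run depends on shell options set outside the hunk. Replacing the three lines with a single checked `install -m 0755 -- "$base_path/installation/scripts/"{connect.sh,disconnect.sh,login.sh,functions.sh} /etc/openvpn/scripts/ || exit 1` overwrites in one step and sets the mode explicitly.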
